Screen OS

  • 1.  Juniper to Zyxel VPN issue

    Posted 05-04-2015 16:33

    Hi

    I am trying to setup a VPN between our Juniper SSG20-WLAN and a client's Zyxel VMG8324-B10A. I have used the following settings on both ends:

     

    IKEv1

    Preshared Key

    Local ID = IP of local router

    Remote ID = IP of remote router

    ESP, 3DES, SHA1

    Replay Protection enabled - Juniper end

    Rekey enabled - Juniper end

     

    At one point I was getting this error but it went away after I made sure the Local and Remote IDs matched on both ends:

    2015-05-05 11:09:08 info IKE ZyxelExternalIP Phase 2 msg ID eea253a3: Negotiations have failed.
    2015-05-05 11:09:08 info Rejected an IKE packet on ethernet0/0.1 from JuniperExternalIP:500 to ZyxelExternalIP:500 with cookies d0f7ce782ad4137d and cc36db7ceaad572e because The peer sent a proxy ID that did not match the one in the SA config.
    2015-05-05 11:09:08 info IKE ZyxelExternalIP Phase 2: No policy exists for the proxy ID received: local ID (192.168.4.0/255.255.255.0, 0, 0) remote ID (10.1.1.0/255.255.255.0, 0, 0).
    2015-05-05 11:09:08 info IKE ZyxelExternalIP Phase 2 msg ID eea253a3: Responded to the peer's first message.
    2015-05-05 11:09:01 info IKE ZyxelExternalIP Phase 2: Initiated negotiations.
    2015-05-05 11:09:01 info IKE ZyxelExternalIP Phase 1: Completed Main mode negotiations with a 28800-second lifetime.
    2015-05-05 11:09:01 info IKE ZyxelExternalIP phase 1:The symmetric crypto key has been generated successfully.
    2015-05-05 11:09:01 info IKEJuniperExternalIP ZyxelExternalIP Phase 1: Initiated negotiations in main mode.

     

    I have been through a variety of different errors in the Juniper log, but the current one is:

    2015-05-05 11:21:41 info IKEJuniperExternalIP ZyxelExternalIP Phase 1: Initiated negotiations in main mode.
    2015-05-05 11:20:59 info IKE ZyxelExternalIP Phase 1: Retransmission limit has been reached.

     

    Note I have replaced the external IPs with JuniperExternalIP and ZyxelExternalIP for clarity. Does anyone have any tips to get this VPN tunnel up?



  • 2.  RE: Juniper to Zyxel VPN issue

    Posted 05-04-2015 16:40

    Are you using a policy based VPN or route based?

     

    2015-05-05 11:21:41 info IKEJuniperExternalIP ZyxelExternalIP Phase 1: Initiated negotiations in main mode.
    2015-05-05 11:20:59 info IKE ZyxelExternalIP Phase 1: Retransmission limit has been reached.

     

    This indicates that the Juniper is the initiator, but there is no response from the Zyxel, which is normal if something doesn't match.  You would need to check the responder logs.

     

    2015-05-05 11:09:08 info Rejected an IKE packet on ethernet0/0.1 from JuniperExternalIP:500 to ZyxelExternalIP:500 with cookies d0f7ce782ad4137d and cc36db7ceaad572e because The peer sent a proxy ID that did not match the one in the SA config.
    2015-05-05 11:09:08 info IKE ZyxelExternalIP Phase 2: No policy exists for the proxy ID received: local ID (192.168.4.0/255.255.255.0, 0, 0) remote ID (10.1.1.0/255.255.255.0, 0, 0).

     

    This indicates that the Phase 2 proxy IDs are not matching, which is different than the Local ID and Remote ID.  What do you have set for proxy ID/policy?
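
    The two log signatures discussed in this thread can be triaged mechanically. The script below is an added example, not ScreenOS or Juniper code: it orders the quoted ScreenOS event lines oldest-first, reports whether Phase 1 failed for lack of a reply from the peer or Phase 2 failed on a proxy-ID mismatch, extracts the received proxy-ID tuples (address/mask, protocol, port, with 0 meaning any) from the "No policy exists" line, compares them field by field against a configured proxy ID, and computes the mirror image the peer has to configure. The sample log is constructed from the lines in the first post (placeholder IPs kept as posted), and the configured service values, protocol 6 port 445, are an assumption standing in for the "SMB" service mentioned later in the thread; with them, the subnets agree and only the service fields differ from the received (0, 0) wildcards.

```python
"""Triage ScreenOS IKE event-log lines for a site-to-site IKEv1 VPN.

Added example for this thread, not ScreenOS/Juniper code. It handles the two
failure signatures quoted above: Phase 1 "Retransmission limit has been
reached" (we initiated, the peer never answered) and Phase 2 "No policy exists
for the proxy ID received" (selector mismatch).
"""
import re
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network

# Constructed sample, modelled on the log quoted in the first post. External
# IPs are the same placeholders the poster used. ScreenOS prints newest first.
SAMPLE_LOG = """\
2015-05-05 11:21:41 info IKE JuniperExternalIP ZyxelExternalIP Phase 1: Initiated negotiations in main mode.
2015-05-05 11:20:59 info IKE ZyxelExternalIP Phase 1: Retransmission limit has been reached.
2015-05-05 11:09:08 info IKE ZyxelExternalIP Phase 2 msg ID eea253a3: Negotiations have failed.
2015-05-05 11:09:08 info Rejected an IKE packet on ethernet0/0.1 from JuniperExternalIP:500 to ZyxelExternalIP:500 with cookies d0f7ce782ad4137d and cc36db7ceaad572e because The peer sent a proxy ID that did not match the one in the SA config.
2015-05-05 11:09:08 info IKE ZyxelExternalIP Phase 2: No policy exists for the proxy ID received: local ID (192.168.4.0/255.255.255.0, 0, 0) remote ID (10.1.1.0/255.255.255.0, 0, 0).
2015-05-05 11:09:01 info IKE ZyxelExternalIP Phase 1: Completed Main mode negotiations with a 28800-second lifetime.
"""

# One proxy-ID side as ScreenOS prints it: "(address/mask, protocol, port)".
_ID_RE = re.compile(r"\((\d+\.\d+\.\d+\.\d+)/(\d+\.\d+\.\d+\.\d+), (\d+), (\d+)\)")
_TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} ")


@dataclass(frozen=True)
class ProxyID:
    local: IPv4Network
    remote: IPv4Network
    local_svc: tuple = (0, 0)   # (protocol, port); 0 = any
    remote_svc: tuple = (0, 0)

    def mirror(self):
        """What the peer must configure: local/remote swapped, services swapped."""
        return ProxyID(self.remote, self.local, self.remote_svc, self.local_svc)


def parse_proxy_id(line):
    """Extract the received proxy ID from a "No policy exists" line, or None.
    ScreenOS prints the received IDs from its own point of view (local = this
    firewall's side), so the result compares directly with the VPN's proxy-ID
    configuration on the same box."""
    ids = _ID_RE.findall(line)
    if len(ids) != 2:
        return None
    (la, lm, lp, lport), (ra, rm, rp, rport) = ids
    return ProxyID(ip_network(f"{la}/{lm}"), ip_network(f"{ra}/{rm}"),
                   (int(lp), int(lport)), (int(rp), int(rport)))


def diff_proxy_id(received, configured):
    """Field-by-field comparison. ScreenOS requires an exact match, so a
    wildcard (0, 0) against a specific service is a mismatch even when the
    two subnets are right."""
    out = []
    for name in ("local", "remote", "local_svc", "remote_svc"):
        a, b = getattr(received, name), getattr(configured, name)
        if a != b:
            out.append(f"{name}: received {a}, configured {b}")
    return out


def triage(log_text):
    """Replay timestamped lines oldest-first and report the negotiation state."""
    lines = sorted(l for l in log_text.splitlines() if _TS_RE.match(l))
    result = {"phase1": "unknown", "phase2": "unknown", "received_proxy_id": None}
    for line in lines:
        low = line.lower()
        if "phase 1:" in low:
            if "completed" in low:
                result["phase1"] = "ok"
            elif "retransmission limit" in low:
                # We are the initiator and got no reply: the responder's log is needed.
                result["phase1"] = "no_response"
        elif "no policy exists for the proxy id" in low or "proxy id that did not match" in low:
            result["phase2"] = "proxy_id_mismatch"
            pid = parse_proxy_id(line)
            if pid is not None:
                result["received_proxy_id"] = pid
        elif "phase 2" in low and "negotiations have failed" in low:
            if result["phase2"] != "proxy_id_mismatch":
                result["phase2"] = "failed"
    return result


# Assumed Juniper-side proxy ID: subnets from the thread, (6, 445) standing in
# for the "SMB" service. This is an assumption for the example, not a fact
# about the poster's configuration.
JUNIPER_PROXY_ID = ProxyID(ip_network("192.168.4.0/24"), ip_network("10.1.1.0/24"),
                           (6, 445), (6, 445))

if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print(r["phase1"], r["phase2"])
    for d in diff_proxy_id(r["received_proxy_id"], JUNIPER_PROXY_ID):
        print("mismatch ->", d)
    print("peer should configure:", JUNIPER_PROXY_ID.mirror())
```

Run against the sample, `triage` reports Phase 1 as `no_response` and Phase 2 as `proxy_id_mismatch`; `diff_proxy_id` lists only the two service fields, and `mirror()` gives the local 10.1.1.0/24, remote 192.168.4.0/24 pair the far end has to carry, with the same service on both sides.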



  • 3.  RE: Juniper to Zyxel VPN issue

    Posted 05-05-2015 19:35

    Hi Rseibert

     

    Thanks for the response. I am not an expert but the purpose of the VPN is to link our subnet with the remote subnet through a router to router VPN. I assume that means I am using a Route based VPN.

     

    I have included the logs on the Zyxel router below. Note that I disabled the VPN and re-enabled it to force it to re-establish the connection and generate some logs.

     

    On the Juniper, I went to VPNs - AutoKey IKE - selected "Proxy ID" next to the VPN. There is one rule which is Local IP 192.168.4.0/24 and Remote IP 10.1.1.0/24 with service SMB. On the Zyxel, I selected Local ID Type = IP: 10.1.1.0/24 and selected Remote ID Type = IP: 192.168.4.0/24

     

    8 2015 May 6 14:26:04 IPSec notice IPSec connection VPN_Connection is modified to connection VPN_Connection. IPSec connection VPN_Connection is active
    9 2015 May 6 14:26:04 IPSec err fatal parse failure (1 errors)
    10 2015 May 6 14:26:04 IPSec err /var/racoon.conf:8: "24" syntax error
    11 2015 May 6 14:25:59 IPSec info Reading configuration from "/var/racoon.conf"
    12 2015 May 6 14:25:59 IPSec info @(#)This product linked OpenSSL 0.9.7f 22 Mar 2005 (http://www.openssl.org/)
    13 2015 May 6 14:25:59 IPSec info @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)
    16 2015 May 6 14:25:51 IPSec notice IPSec connection VPN_Connection is modified to connection VPN_Connection. IPSec connection VPN_Connection is not active
    17 2015 May 6 14:25:51 IPSec info unsupported PF_KEY message REGISTER
    18 2015 May 6 14:25:50 IPSec info 127.0.0.0[4500] used as isakmp port (fd=15)
    19 2015 May 6 14:25:50 IPSec info 127.0.0.0[4500] used for NAT-T (fd=15)
    20 2015 May 6 14:25:50 IPSec info 127.0.0.0[500] used as isakmp port (fd=14)
    21 2015 May 6 14:25:50 IPSec info 127.0.0.0[500] used for NAT-T (fd=14)
    22 2015 May 6 14:25:50 IPSec info 127.0.0.1[4500] used as isakmp port (fd=13)
    23 2015 May 6 14:25:50 IPSec info 127.0.0.1[4500] used for NAT-T (fd=13)
    24 2015 May 6 14:25:50 IPSec info 127.0.0.1[500] used as isakmp port (fd=12)
    25 2015 May 6 14:25:50 IPSec info 127.0.0.1[500] used for NAT-T (fd=12)
    26 2015 May 6 14:25:50 IPSec info ZyxelLANIP[4500] used as isakmp port (fd=11)
    27 2015 May 6 14:25:50 IPSec info ZyxelLANIP[4500] used for NAT-T (fd=11)
    28 2015 May 6 14:25:50 IPSec info ZyxelLANIP[500] used as isakmp port (fd=10)
    29 2015 May 6 14:25:50 IPSec info ZyxelLANIP[500] used for NAT-T (fd=10)
    30 2015 May 6 14:25:50 IPSec info ZyxelExternalIP[4500] used as isakmp port (fd=9)
    31 2015 May 6 14:25:50 IPSec info ZyxelExternalIP[4500] used for NAT-T (fd=9)
    32 2015 May 6 14:25:50 IPSec info ZyxelExternalIP[500] used as isakmp port (fd=8)
    33 2015 May 6 14:25:50 IPSec info ZyxelExternalIP[500] used for NAT-T (fd=8)
    34 2015 May 6 14:25:46 IPSec info Reading configuration from "/var/racoon.conf"
    35 2015 May 6 14:25:46 IPSec info @(#)This product linked OpenSSL 0.9.7f 22 Mar 2005 (http://www.openssl.org/)
    36 2015 May 6 14:25:46 IPSec info @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)



  • 4.  RE: Juniper to Zyxel VPN issue
    Best Answer

     
    Posted 05-05-2015 21:10

    Hi,

     

    You probably modified the Phase-1 configuration when trying to fix the proxy ID issue, because I can see that Phase-1 was getting established fine to begin with:

    2015-05-05 11:09:01 info IKE ZyxelExternalIP Phase 1: Completed Main mode negotiations with a 28800-second lifetime.

     

    Phase-2 was failing due to proxy-ID mismatch:

    2015-05-05 11:09:08 info Rejected an IKE packet on ethernet0/0.1 from JuniperExternalIP:500 to ZyxelExternalIP:500 with cookies d0f7ce782ad4137d and cc36db7ceaad572e because The peer sent a proxy ID that did not match the one in the SA config.

     

    But, after you modified the configuration, phase-1 is failing:

    2015-05-05 11:20:59 info IKE ZyxelExternalIP Phase 1: Retransmission limit has been reached.

     

    As Bob pointed out, retransmission happens when the peer does not respond to the messages from the Juniper Firewall. This has to be debugged from the peer end.

    Otherwise, try initiating the VPN negotiation from the peer end and review the event logs on the Juniper box.



  • 5.  RE: Juniper to Zyxel VPN issue

    Posted 05-06-2015 19:52

    Hi Gokul

     

    After reading your response, I changed a number of things and I'm not sure exactly what fixed the issue. Some of the changes were removing the Local ID and Remote ID settings on both ends, changing the "Source Interface" in the Juniper AutoKey IKE from default to a specific interface, changing the tunnel interface from a new one I created to a tunnel used by a different working VPN. The only change I made on the Zyxel end was removing the Local ID and Remote ID.

     

    The strange thing is - even though the VPN is now working (I have tested it), the Link Status is still down in the Juniper Monitor Status page but SA Status is active. Can you help me understand why this is the case?



  • 6.  RE: Juniper to Zyxel VPN issue

     
    Posted 05-12-2015 20:57

    Glad to know that the VPN is up :)

     

    Monitoring is the firewall's own way of testing logical connectivity of the tunnel - it is not an IPsec standard. So, my guess is that the Zyxel is simply ignoring the monitor probes from the Juniper. When there is no response to the probes, the SSG will mark the monitor status as Down.

     

    If the tunnel is up and carrying traffic, you can simply disable monitoring.

     

    If you want to use monitoring, you can add a destination IP to the monitor settings of the VPN. This IP can be any machine in the remote subnet that would respond to ICMP ping requests. As long as this remote machine responds to the monitor probes from the SSG, the VPN will be marked UP.