ScreenOS Firewalls (NOT SRX)
Visitor
jburrow
Posts: 5
Registered: ‎11-25-2009
0

VPN construction problems on SSG5

I'm attempting to build an IKEv1 VPN between a Nexaira router and a Juniper SSG5 running 6.3.0r6. The Nexaira is using dyn-dns, and it's registered and reporting its IP correctly. When I attempt to pass traffic, I get the following messages:

2011-03-27 22:14:15 info IKE xxx.xxx.xxx.xxx Phase 1: Main mode negotiations have failed.
2011-03-27 22:14:15 info Rejected an IKE packet on ethernet0/0 from xxx.xxx.xxx.xxx:33361 to yyy.yyy.yyy.yyy:4500 with cookies 3bbc64b50e6e53fa and d2fb6a1c0ec38053 because Phase-1: no user configuration was found for the received IKE ID type: IP Address,1.
2011-03-27 22:14:15 info IKE xxx.xxx.xxx.xxx phase 1:The symmetric crypto key has been generated successfully.
2011-03-27 22:14:15 info IKE<xxx.xxx.xxx.xxx> Phase 1: IKE responder has detected NAT in front of the remote device.
2011-03-27 22:14:10 info IKE xxx.xxx.xxx.xxx Phase 1: Responder starts MAIN mode negotiations.

My google-fu is weak -- I'm pretty sure this problem has something to do with the peer actually having a private IP address on its outside interface, but I don't know how to fix it.

Can anyone give me some hints on what to try next?

VPN Specifics:

Remote gateway -- static IP address (using dyn-dns hostname), P1 = pre-g2-aes128-sha, NAT-T enabled, P2 = g2-esp-aes128-sha.

Nexaira matches (as close as I can tell).

Thanks!

Joel

Distinguished Expert
Screenie
Posts: 1,085
Registered: ‎01-10-2008
0

Re: VPN construction problems on SSG5

Try enabling nat traversal on both sides!

best regards,

Screenie.
Juniper Ambassador,
JNCIA IDP AC WX JNCIS FW SSL JNCIP SEC ENT SP JNCI

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
Visitor
jburrow
Posts: 5
Registered: ‎11-25-2009
0

Re: VPN construction problems on SSG5

Unfortunately, I can't find a nat-traversal option on the Nexaira. Here's the latest event information. Does this still look like a NAT traversal problem?

2011-03-28 19:38:32 system info  00536 IKE xxx.xxx.xxx.xxx Phase 2 msg ID
                                       1da4d411: Negotiations have failed.
2011-03-28 19:38:32 system info  00536 Rejected an IKE packet on ethernet0/0
                                       from xxx.xxx.xxx.xxx:500 to
                                       yyy.yyy.yyy.yyy:500 with cookies
                                       f4377aa0a71a3035 and 3f6c3f0f2cada157
                                       because The peer sent a proxy ID that
                                       did not match the one in the SA
                                       config.
2011-03-28 19:38:32 system info  00536 IKE xxx.xxx.xxx.xxx Phase 2: No policy
                                       exists for the proxy ID received:
                                       local ID (192.168.0.0/255.255.255.0, 0,
                                       0) remote ID (192.168.6.0/
                                       255.255.255.0, 0, 0).
2011-03-28 19:38:32 system info  00536 IKE xxx.xxx.xxx.xxx Phase 2 msg ID
                                       1da4d411: Responded to the peer's
                                       first message.

Distinguished Expert
keithr
Posts: 979
Registered: ‎09-10-2009
0

Re: VPN construction problems on SSG5

Those logs point to a mismatched proxy id.

Are you using route or policy-based VPNs?

Posting your configuration would help troubleshoot.

-kr


---
If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated.
Visitor
jburrow
Posts: 5
Registered: ‎11-25-2009
0

Re: VPN construction problems on SSG5

As a follow-up to my previous post, I did a debug ike. Here are the results:

## 2011-03-28 20:29:31 : IKE<xxx.xxx.xxx.xxx> ****** Recv packet if <ethernet0/0> of vsys <Root> ******
## 2011-03-28 20:29:31 : IKE<xxx.xxx.xxx.xxx> Catcher: get 300 bytes. src port 500
## 2011-03-28 20:29:31 : IKE<0.0.0.0        >   ISAKMP msg: len 300, nxp 8[HASH], exch 32[QM], flag 01  E
## 2011-03-28 20:29:31 : IKE<xxx.xxx.xxx.xxx> Create conn entry...
## 2011-03-28 20:29:31 : IKE<xxx.xxx.xxx.xxx>   ...done(new f11b9724)
## 2011-03-28 20:29:31 : IKE<xxx.xxx.xxx.xxx> Phase 2 msg-id <f11b9724>: Responded to the first peer message.
## 2011-03-28 20:29:31 : IKE<xxx.xxx.xxx.xxx> Decrypting payload (length 272)
## 2011-03-28 20:29:31 : IKE<xxx.xxx.xxx.xxx   > Recv*: [HASH] [SA] [NONCE] [KE] [ID] [ID]
## 2011-03-28 20:29:31 : valid id checking, id type:IP Subnet, len:16.
## 2011-03-28 20:29:31 : valid id checking, id type:IP Subnet, len:16.
## 2011-03-28 20:29:31 : IKE<0.0.0.0        >   extract payload (272):
## 2011-03-28 20:29:31 : valid id checking, id type:IP Subnet, len:16.
## 2011-03-28 20:29:31 : valid id checking, id type:IP Subnet, len:16.
## 2011-03-28 20:29:31 : IKE<xxx.xxx.xxx.xxx> QM in state OAK_QM_SA_ACCEPT.
## 2011-03-28 20:29:31 : IKE<xxx.xxx.xxx.xxx> Start by finding matching member SA (verify -1/-1)
## 2011-03-28 20:29:31 : IKE<xxx.xxx.xxx.xxx> IKE: Matching policy: gw ip <xxx.xxx.xxx.xxx> peer entry id<4>
## 2011-03-28 20:29:31 : IKE<0.0.0.0        >   protocol matched expected<0>.
## 2011-03-28 20:29:31 : IKE<0.0.0.0        >   port matched expect l:<0>, r<0>.
## 2011-03-28 20:29:31 : ipvx = IPV4
## 2011-03-28 20:29:31 : rcv_local_addr = 192.168.0.0, rcv_local_mask = 255.255.255.0, p_rcv_local_real = 192.168.0.0
## 2011-03-28 20:29:31 : rcv_remote_addr = 192.168.6.0, rcv_remote_mask = 255.255.255.0, p_rcv_remote_real = 192.168.6.0
## 2011-03-28 20:29:31 : ike_p2_id->local_ip = 0.0.0.0, cfg_local_mask = 0.0.0.0, p_cfg_local_real = 0.0.0.0
## 2011-03-28 20:29:31 : ike_p2_id->remote_ip = 255.255.255.255, cfg_remote_mask = 255.255.255.255, p_cfg_remote_real = 255.255.255.255
## 2011-03-28 20:29:31 : IKE<xxx.xxx.xxx.xxx> Proxy ID match: No policy exists for the proxy ID received
## 2011-03-28 20:29:31 : IKE<xxx.xxx.xxx.xxx> Multiple proxy ID match: P2 SA <-1>
## 2011-03-28 20:29:31 : IKE<xxx.xxx.xxx.xxx> proxy-id do not match ipsec sa config
## 2011-03-28 20:29:31 : IKE<xxx.xxx.xxx.xxx> oakley_process_quick_mode():exit
## 2011-03-28 20:29:31 : IKE<xxx.xxx.xxx.xxx> Phase 2 msg-id <f11b9724>: Negotiations have failed.

Visitor
jburrow
Posts: 5
Registered: ‎11-25-2009
0

Re: VPN construction problems on SSG5

Sorry, did not hit refresh before posting. The VPN that's giving the errors is Nexaira to Juniper VPN, GW Nexaira VPN.

Here's my config:

set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone id 100 "QA"
set zone id 101 "DEMO"
set zone id 102 "DEV"
set zone id 103 "NSF"
set zone id 104 "NewDemo"
set zone "Untrust-Tun" vrouter "trust-vr"
set interface ethernet0/2 phy full 100mb
set interface "ethernet0/0" zone "Untrust"
set interface "ethernet0/1" zone "Null"
set interface "ethernet0/3" zone "DEV"
set interface "ethernet0/5" zone "DEMO"
set interface "bgroup0" zone "Trust"
set interface "tunnel.1" zone "Untrust"
set interface bgroup0 port ethernet0/2
unset interface vlan1 ip
set interface ethernet0/0 ip yyy.yyy.yyy.yyy/28
set interface ethernet0/0 route
set interface ethernet0/3 ip 192.168.45.254/24
set interface ethernet0/3 route
set interface ethernet0/5 ip 192.168.5.1/24
set interface ethernet0/5 route
set interface bgroup0 ip 10.250.250.250/24
set interface bgroup0 nat
set interface tunnel.1 ip unnumbered interface ethernet0/0
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set address "Trust" "10.10.192.0/24" 10.10.192.0 255.255.255.0
set address "Trust" "192.168.0.0" 192.168.0.0 255.255.255.0 "Internal Network"
set address "Trust" "192.168.0.0/24" 192.168.0.0 255.255.255.0
set address "Trust" "192.168.0.169" 192.168.0.169 255.255.255.255 "Enterprise Linux Admin"
set address "Trust" "192.168.0.183" 192.168.0.183 255.255.255.255
set address "Trust" "192.168.0.210" 192.168.0.210 255.255.255.255
set address "Trust" "All Internal" 10.0.0.0 255.0.0.0
set address "Trust" "Encore Networks Office End 1" 135.35.81.50 255.255.255.255 "Bandwidth Test"
set address "Trust" "Encore Networks Office End 2" 135.35.81.51 255.255.255.255
set address "Trust" "Encore Networks Office End 3" 135.35.81.53 255.255.255.255
set address "Trust" "Encore Networks Office End 4" 135.35.81.54 255.255.255.255
set address "Trust" "Encore Networks Office End 5" 135.35.81.55 255.255.255.255
set address "Trust" "Switch" 192.168.0.251 255.255.255.255
set address "Untrust" "192.168.6.0/24" 192.168.6.0 255.255.255.0
set address "DMZ" "Customer_wireless_ap" 172.20.0.250 255.255.255.255
set address "DMZ" "Customers" 192.168.16.0 255.255.255.0
set address "QA" "Encore Networks Field End 1" 10.20.10.50 255.255.255.255 "Bandwidth Test"
set address "QA" "Encore Networks Field End 2" 10.20.10.51 255.255.255.255
set address "QA" "Encore Networks Field End 3" 10.20.10.52 255.255.255.255
set address "QA" "Encore Networks Field End 4" 10.20.10.53 255.255.255.255
set address "QA" "Encore Networks Field End 5" 10.20.10.54 255.255.255.255
set address "QA" "Encore Networks Field End 6" 10.20.10.55 255.255.255.255
set address "DEMO" "192.168.5.1/32" 192.168.5.1 255.255.255.255
set address "DEMO" "192.168.5.2/32" 192.168.5.2 255.255.255.255
set address "DEV" "192.168.45.1/32" 192.168.45.1 255.255.255.255
set address "DEV" "192.168.45.199/32" 192.168.45.199 255.255.255.255
set address "DEV" "Customer Wireless AP" 192.168.45.250 255.255.255.255
set address "NSF" "Internal_wireless_ap" 10.224.0.250 255.255.255.255
set group address "Trust" "Encore Networks Office End" comment "Bandwidth Test"
set group address "Trust" "Encore Networks Office End" add "Encore Networks Office End 1"
set group address "Trust" "Encore Networks Office End" add "Encore Networks Office End 2"
set group address "Trust" "Encore Networks Office End" add "Encore Networks Office End 3"
set group address "Trust" "Encore Networks Office End" add "Encore Networks Office End 4"
set group address "Trust" "Encore Networks Office End" add "Encore Networks Office End 5"
set group address "Trust" "Unicoi_access"
set group address "Trust" "Unicoi_access" add "10.10.192.0/24"
set group address "Trust" "Unicoi_access" add "192.168.0.183"
set group address "Trust" "Unicoi_access" add "192.168.0.210"
set ippool "9Network" 192.168.9.10 192.168.9.20
set ippool "Unicoi" 192.168.105.10 192.168.105.20
set user "Remote_Users" uid 15
set user "Remote_Users" ike-id u-fqdn "remote@objecttel.com" share-limit 10
set user "Remote_Users" type ike
set user "Remote_Users" "enable"
set user "unicoi" uid 23
set user "unicoi" ike-id u-fqdn "unicoi@objecttel.com" share-limit 1
set user "unicoi" type ike
set user "unicoi" "enable"
set user "voip" uid 29
set user "voip" ike-id fqdn "objecttel.com" share-limit 10
set user "voip" type ike
set user "voip" "enable"
set user-group "Avaya_Group" id 2
set user-group "Avaya_Group" user "avaya"
set user-group "Extranet" id 5
set user-group "Extranet" location external
set user-group "Extranet" type xauth 
set user-group "R_S" id 6
set user-group "R_S" user "Remote_Users"
set user-group "Remote_Phones" id 3
set user-group "Remote_Phones" user "cfischer"
set user-group "Remote_Phones" user "jleary"
set user-group "Remote_Phones" user "tlehmann"
set user-group "unicoi_group" id 8
set user-group "unicoi_group" user "unicoi"
set user-group "voip_group" id 9
set user-group "voip_group" user "voip"
set crypto-policy
exit
set ike modecfg profile name Unicoi
set ike modecfg profile Unicoi ippool Unicoi
set ike modecfg profile Unicoi dns1 192.168.0.210
set ike modecfg profile Unicoi wins1 192.168.0.210
set ike p1-proposal "p2-aes256-sha1" preshare group2 esp aes256 sha-1 second 28800
set ike p2-proposal "p2-aes256-sha" group2 esp aes256 sha-1 second 3600
set ike gateway "DialUp_GW" dialup "Demo_Group" Aggr outgoing-interface "ethernet0/0" preshare "puDmFg7fNf77Y8sen+CjpJV442nAqEe8ag==" proposal "pre-g2-3des-sha"
unset ike gateway "DialUp_GW" nat-traversal udp-checksum
set ike gateway "DialUp_GW" nat-traversal keepalive-frequency 5
set ike gateway "vpnphone-gw" dialup "Avaya_Group" Aggr outgoing-interface "ethernet0/0" preshare "RWfz3Dn2NzMFg9sC4tCwVT/0vBnQwTGy6w==" proposal "pre-g2-3des-sha"
unset ike gateway "vpnphone-gw" nat-traversal udp-checksum
set ike gateway "vpnphone-gw" nat-traversal keepalive-frequency 5
set ike gateway "vpnphone-gw" xauth server "Local" user-group "Remote_Phones"
unset ike gateway "vpnphone-gw" xauth do-edipi-auth
set ike gateway "Remote" dialup "R_S" Aggr outgoing-interface "ethernet0/0" preshare "zBxZMLlONCFBLPsYoDC/5w+0u6nu7hpS3w==" proposal "pre-g2-aes128-sha"
unset ike gateway "Remote" nat-traversal udp-checksum
set ike gateway "Remote" nat-traversal keepalive-frequency 5
set ike gateway "Remote" xauth server "Local"
set ike gateway "Remote" xauth accounting server "xmdmcip01" 
set ike gateway "Remote" xauth accounting off 
unset ike gateway "Remote" xauth do-edipi-auth
set ike gateway ikev2 "Unicoi" dialup "voip_group" outgoing-interface "ethernet0/0" seed-preshare "6QGM0NqGNiU1Zqsxg9Cj6PJ7efnS6VRfrA==" sec-level compatible
unset ike gateway ikev2 "Unicoi" nat-traversal udp-checksum
set ike gateway ikev2 "Unicoi" nat-traversal keepalive-frequency 5
set ike gateway "Unicoi" modecfg server profile "Unicoi"
set ike gateway "Unicoi" modecfg server info-origin local dns
set ike gateway "Nexaira VPN" address objcase01.dyndns-remote.com Main outgoing-interface "ethernet0/0" preshare "K0+gGI9iNzlBEBsiqkCDbipGg6nqw8mIjg==" proposal "pre-g2-aes128-sha"
set ike gateway "Nexaira VPN" nat-traversal
unset ike gateway "Nexaira VPN" nat-traversal udp-checksum
set ike gateway "Nexaira VPN" nat-traversal keepalive-frequency 0
set ike respond-bad-spi 1
set ike gateway ikev2 "Unicoi" auth-method self preshare peer preshare
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set xauth default ippool "9Network"
set xauth default dns1 192.168.0.210
set vpn "DialUp_VPN" gateway "DialUp_GW" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha" 
set vpn "DialUp_VPN" monitor
set vpn "Avaya_Phones" gateway "vpnphone-gw" replay tunnel idletime 0 proposal "g2-esp-3des-sha" 
set vpn "Avaya_Phones" monitor
set vpn "Remote_VPN" gateway "Remote" no-replay tunnel idletime 0 proposal "nopfs-esp-aes128-sha" 
set vpn "Remote_VPN" monitor source-interface ethernet0/0
set vpn "Unicoi_Repeaters" gateway "Unicoi" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-sha" 
set vpn "Nexaira to Juniper" gateway "Nexaira VPN" no-replay tunnel idletime 0 proposal "g2-esp-aes128-sha" 
set vpn "Nexaira to Juniper" monitor
set vpn "Nexaira to Juniper" id 0x8 bind interface tunnel.1
unset interface tunnel.1 acvpn-dynamic-routing
set l2tp default dns1 65.106.1.196
set l2tp default dns2 65.106.7.196
exit
set vpn "Nexaira to Juniper" proxy-id local-ip 192.168.0.0/24 remote-ip 192.168.6.0/24 "ANY" 
set policy id 45 from "Untrust" to "Trust"  "192.168.6.0/24" "192.168.0.0/24" "ANY" permit 
set policy id 45
exit
set policy id 42 from "Untrust" to "Trust"  "Dial-Up VPN" "192.168.0.0" "ANY" tunnel vpn "Remote_VPN" id 0x7 log 
set policy id 42
set log session-init
exit
set policy id 43 from "Untrust" to "Trust"  "Dial-Up VPN" "Unicoi_access" "ANY" tunnel vpn "Unicoi_Repeaters" id 0x8 log 
set policy id 43
exit
set policy id 40 from "Untrust" to "Trust"  "Dial-Up VPN" "Any" "ANY" tunnel vpn "Avaya_Phones" id 0x2 pair-policy 41 log 
set policy id 40
exit
set policy id 19 from "Untrust" to "Trust"  "Dial-Up VPN" "192.168.0.0" "ANY" tunnel vpn "DialUp_VPN" id 0x4 log 
set policy id 19
set dst-address "All Internal"
exit
set policy id 44 from "Trust" to "Untrust"  "192.168.0.0/24" "192.168.6.0/24" "ANY" permit 
set policy id 44
exit
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit log 
set policy id 1
exit
set syslog config "192.168.0.169"
set syslog config "192.168.0.169" facilities local0 local0
set syslog config "192.168.0.169" log traffic
set syslog src-interface bgroup0
set syslog enable
set ssh version v2
set ssh enable
set scp enable
set config lock timeout 5
unset license-key auto-update
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface ethernet0/0 gateway yyy.yyy.yyy.81
set route 192.168.9.0/24 interface bgroup0
set route 10.0.0.0/8 interface bgroup0 gateway 10.250.250.1
set route 192.168.0.0/24 interface bgroup0 gateway 10.250.250.1
set route 192.168.1.0/24 interface bgroup0 gateway 10.250.250.1
set route 192.168.42.0/24 interface bgroup0 gateway 10.250.250.1
set route 135.35.81.0/24 interface bgroup0 gateway 10.250.250.1
set route 170.49.216.0/24 interface bgroup0 gateway 10.250.250.1
set route 192.168.31.0/24 gateway 192.168.5.2
set route 192.168.73.0/24 interface bgroup0 gateway 192.168.5.2 permanent description "Demo Case"
set route 192.168.6.0/24 interface tunnel.1
set route 192.168.6.0/24 interface null metric 10
set access-list extended 1 src-ip 192.168.0.0/24 dst-ip 192.168.6.0/24 protocol any entry 1
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit

Distinguished Expert
keithr
Posts: 979
Registered: ‎09-10-2009
0

Re: VPN construction problems on SSG5

A couple of quick things that may or may not help (I'm on my way out for the day...)

You should unset the vpn monitor for the Nexaira VPN (and any VPNs that don't have Juniper boxes on the other side). It can cause issues with other vendors, and as far as I know it doesn't work properly with non-Juniper remote ends unless you configure a monitor-ip for it to check pings to.

I see it's a route-based VPN. Since you seem to be getting to Phase 2, again it's a proxy-id mismatch. I don't know how Nexaira VPNs are configured, but you will need to make sure that the proxy IDs on that end are the same as the Juniper (reversed, of course).

In the future if you could use the file attachment feature instead of posting your config into the post it really makes reading through them much easier.

-kr


---
If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated.
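The proxy-ID comparison keithr describes, as an added example (not Juniper code and not from this thread): it parses the wrapped `get event` record quoted earlier in the thread and the `set vpn ... proxy-id` line from the posted config, checks that they agree, and reports the mirror image the Nexaira end must carry (its local-ip is the SSG's remote-ip and vice versa). The event and config samples are copied from the thread; the mismatched variant is constructed.

```python
"""Check a ScreenOS Phase 2 proxy-ID rejection against the VPN's configured proxy-id
and report the mirror image the remote peer must carry. Added example; not Juniper code."""
import ipaddress
import re

# Constructed sample: the wrapped 'get event' record quoted in the thread.
EVENT_TEXT = """\
2011-03-28 19:38:32 system info  00536 IKE xxx.xxx.xxx.xxx Phase 2: No policy
                                       exists for the proxy ID received:
                                       local ID (192.168.0.0/255.255.255.0, 0,
                                       0) remote ID (192.168.6.0/
                                       255.255.255.0, 0, 0).
"""
# Constructed: the same event from a peer that proposes a different remote subnet.
MISMATCH_EVENT = EVENT_TEXT.replace("192.168.6.0", "192.168.7.0")
# The proxy-id line from the SSG config posted in the thread.
CONFIG_TEXT = ('set vpn "Nexaira to Juniper" proxy-id local-ip 192.168.0.0/24 '
               'remote-ip 192.168.6.0/24 "ANY"')

# ScreenOS logs the received IDs from its own point of view: local = SSG side.
ID_RE = re.compile(
    r"No policy exists for the proxy ID received:\s*"
    r"local ID \(([\d.]+)/\s*([\d.]+),\s*(\d+),\s*(\d+)\)\s*"
    r"remote ID \(([\d.]+)/\s*([\d.]+),\s*(\d+),\s*(\d+)\)"
)
CFG_RE = re.compile(r'set vpn "([^"]+)" proxy-id local-ip (\S+) remote-ip (\S+)(?: "([^"]+)")?')


def parse_rejected_proxy_id(event_text):
    """Return (local_net, remote_net, proto, port) from a wrapped event record.
    Whitespace is collapsed first because 'get event' wraps long messages and
    can split an address from its mask across lines ('192.168.6.0/' + newline)."""
    m = ID_RE.search(re.sub(r"\s+", " ", event_text))
    if not m:
        return None
    local = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    remote = ipaddress.ip_network(f"{m.group(5)}/{m.group(6)}", strict=False)
    return local, remote, int(m.group(3)), int(m.group(4))


def parse_proxy_id_config(config_text, vpn_name):
    """Find the 'set vpn "<name>" proxy-id ...' line for one VPN."""
    for line in config_text.splitlines():
        m = CFG_RE.match(line.strip())
        if m and m.group(1) == vpn_name:
            return (ipaddress.ip_network(m.group(2), strict=False),
                    ipaddress.ip_network(m.group(3), strict=False),
                    m.group(4) or "ANY")
    return None


def check_proxy_id(event_text, config_text, vpn_name):
    """Compare the rejected proxy ID with the configured one. The remote peer
    must carry the mirror image: its local-ip is our remote-ip and vice versa."""
    rcv = parse_rejected_proxy_id(event_text)
    cfg = parse_proxy_id_config(config_text, vpn_name)
    if rcv is None or cfg is None:
        return {"match": False, "reason": "event or config line not found"}
    rcv_local, rcv_remote, _proto, _port = rcv
    cfg_local, cfg_remote, service = cfg
    return {
        "match": rcv_local == cfg_local and rcv_remote == cfg_remote,
        "received": (str(rcv_local), str(rcv_remote)),
        "configured": (str(cfg_local), str(cfg_remote), service),
        "peer_should_use": {"local-ip": str(cfg_remote), "remote-ip": str(cfg_local)},
    }
```

With the posted proxy-id line the received IDs agree, which is consistent with the debug output showing the SSG still had no proxy-id (0.0.0.0) configured when the rejection was logged.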
Visitor
jburrow
Posts: 5
Registered: ‎11-25-2009
0

Re: VPN construction problems on SSG5

Unset the monitor, and checking the "strict" compliance on the Nexaira caused the tunnel to come up. Unfortunately, I don't seem to be running any traffic across it. Is there something specific I need to do? I have policies in place to move the traffic via the proxy-ids. Do I need to do anything with Next Hop Tunnel Binding?

Here are the stats on the tunnel:

objecttel-> get vpn "Nexaira to Juniper"
Name            Gateway         Mode RPlay 1st Proposal         Monitor Use Cnt Interface
--------------- --------------- ---- ----- -------------------- ------- ------- ---------------
Nexaira to Juni Nexaira VPN     tunl No    g2-esp-aes128-sha    off           0 eth0/0
all proposals: g2-esp-aes128-sha
peer gateway = 75.224.208.149
outgoing interface <ethernet0/0>
IPv4 address 64.244.158.90.
vpn monitor src I/F <default>, dst-IP <default>, optimized NO, rekey OFF
l2tp over ipsec use count <0>
idle timeout value <0>
vpnflag <00010082>
df-bit <clear>
sa_list <00000008>
single proxy id, check disabled, init done, total <1>
proxy id:
  local 192.168.0.0/255.255.255.0, remote 192.168.6.0/255.255.255.0, proto 0, port 0/0
Bound tunnel interface: tunnel.1
  Next-Hop Tunnel Binding table
  Flag Status Next-Hop(IP)    tunnel-id  VPN
DSCP-mark: disabled

Distinguished Expert
keithr
Posts: 979
Registered: ‎09-10-2009
0

Re: VPN construction problems on SSG5

NHTB should only be needed in a multi-point configuration.

Check the output of "get sa" to ensure your phase 2 SAs are being built. Your route for 192.168.6.0/24 points to your tunnel.1 interface, so my next question is, have you configured a route on the remote side to send the traffic back over the tunnel?

-kr


---
If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated.
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.