03-27-2011 08:30 PM
I'm attempting to build an IKEv1 VPN between a Nexaira router and a Juniper SSG5 running 6.3.0r6. The Nexaira is using dyn-dns, and it's registered and reporting its IP correctly. When I attempt to pass traffic, I get the following messages:
2011-03-27 22:14:15  info  IKE xxx.xxx.xxx.xxx Phase 1: Main mode negotiations have failed.
2011-03-27 22:14:15  info  Rejected an IKE packet on ethernet0/0 from xxx.xxx.xxx.xxx:33361 to yyy.yyy.yyy.yyy:4500 with cookies 3bbc64b50e6e53fa and d2fb6a1c0ec38053 because Phase-1: no user configuration was found for the received IKE ID type: IP Address,1.
2011-03-27 22:14:15  info  IKE xxx.xxx.xxx.xxx phase 1: The symmetric crypto key has been generated successfully.
2011-03-27 22:14:15  info  IKE<xxx.xxx.xxx.xxx> Phase 1: IKE responder has detected NAT in front of the remote device.
2011-03-27 22:14:10  info  IKE xxx.xxx.xxx.xxx Phase 1: Responder starts MAIN mode negotiations.
My google-fu is weak -- I'm pretty sure this problem has something to do with the peer actually having a private IP address on its outside interface, but I don't know how to fix it.
Can anyone give me some hints on what to try next?
Remote gateway -- static IP address (using dyn-dns hostname), P1 = pre-g2-aes128-sha, NAT-T enabled, P2 = g2-esp-aes128-sha.
Nexaira matches (as close as I can tell).
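As an added example (not part of the original thread, and not Nexaira or Juniper code), here is a small Python triage script that parses the ScreenOS event-log lines quoted above and separates the Phase 1 identity problem from the NAT-T question. The log text is a constructed copy of the five lines from the post, with the poster's masked addresses left as they are; the message substrings it matches on are taken from those lines, and the findings it prints are the script's own reading of them.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample input: the five ScreenOS event-log lines quoted in the
# first post, copied as posted (addresses were masked by the poster).
SAMPLE_LOG = """
|2011-03-27 22:14:15||info||IKE xxx.xxx.xxx.xxx Phase 1: Main mode negotiations have failed.|
|2011-03-27 22:14:15||info||Rejected an IKE packet on ethernet0/0 from xxx.xxx.xxx.xxx:33361 to yyy.yyy.yyy.yyy:4500 with cookies 3bbc64b50e6e53fa and d2fb6a1c0ec38053 because Phase-1: no user configuration was found for the received IKE ID type: IP Address,1.|
|2011-03-27 22:14:15||info||IKE xxx.xxx.xxx.xxx phase 1:The symmetric crypto key has been generated successfully.|
|2011-03-27 22:14:15||info||IKE<xxx.xxx.xxx.xxx> Phase 1: IKE responder has detected NAT in front of the remote device.|
|2011-03-27 22:14:10||info||IKE xxx.xxx.xxx.xxx Phase 1: Responder starts MAIN mode negotiations.|
"""

# One event per line: |timestamp||level||message|  (pipes are the web UI's column separators)
LINE_RE = re.compile(
    r"^\|?(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\|+(?P<level>\w+)\|+(?P<msg>.*?)\|?$"
)
PHASE_RE = re.compile(r"[Pp]hase[ -]?(?P<n>[12])")
REJECT_ID_RE = re.compile(r"received IKE ID type: (?P<idtype>[^,]+),(?P<idval>[^.]+)")
PORTS_RE = re.compile(r"from \S+:(?P<sport>\d+) to \S+:(?P<dport>\d+)")
COOKIE_RE = re.compile(r"cookies (?P<i>[0-9a-f]{16}) and (?P<r>[0-9a-f]{16})")


@dataclass
class IkeEvent:
    ts: datetime
    level: str
    msg: str
    phase: Optional[int]  # 1, 2, or None when the message names no phase


def parse_ike_log(text: str) -> list[IkeEvent]:
    """Parse pasted ScreenOS IKE event-log lines into chronological events."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # not an event-log line; skip rather than guess
        pm = PHASE_RE.search(m["msg"])
        events.append(IkeEvent(
            ts=datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            level=m["level"],
            msg=m["msg"],
            phase=int(pm["n"]) if pm else None,
        ))
    # Assumption: the pasted log is newest-first, as the ScreenOS event log
    # displays it. Reverse, then stable-sort so same-second lines keep order.
    return sorted(reversed(events), key=lambda e: e.ts)


def diagnose(events: list[IkeEvent]) -> dict:
    """Pull out the facts that decide where the negotiation died and why."""
    result = {
        "nat_detected": False,
        "phase1_failed": False,
        "nat_t_port": None,     # destination port of the rejected packet
        "rejected_id": None,    # (ID type, raw ID value) the responder could not match
        "cookies": None,
        "findings": [],
    }
    for e in events:
        if "detected NAT" in e.msg:
            result["nat_detected"] = True
        if "Main mode negotiations have failed" in e.msg:
            result["phase1_failed"] = True
        if e.msg.startswith("Rejected an IKE packet"):
            pm = PORTS_RE.search(e.msg)
            if pm:
                result["nat_t_port"] = int(pm["dport"])
            im = REJECT_ID_RE.search(e.msg)
            if im:
                result["rejected_id"] = (im["idtype"].strip(), im["idval"].strip())
            cm = COOKIE_RE.search(e.msg)
            if cm:
                result["cookies"] = (cm["i"], cm["r"])

    f = result["findings"]
    if result["rejected_id"]:
        idtype, _ = result["rejected_id"]
        f.append(f"Phase 1 rejected: no IKE gateway matches a peer ID of type '{idtype}'.")
        if idtype == "IP Address" and result["nat_detected"]:
            f.append("Peer is behind NAT and identifies itself by IP address, most likely its "
                     "private outside address; define the gateway for the ID the peer really "
                     "sends, or move the peer to an FQDN/U-FQDN identity.")
    if result["nat_t_port"] == 4500:
        f.append("The rejected packet arrived on UDP/4500, so both ends already floated to "
                 "NAT-T; NAT-T support is not what is missing.")
    if result["phase1_failed"]:
        f.append("Phase 1 never completed, so Phase 2 settings (proxy-ID, ESP proposal) "
                 "are not yet in play.")
    return result


if __name__ == "__main__":
    for line in diagnose(parse_ike_log(SAMPLE_LOG))["findings"]:
        print("-", line)
```

Run it against a fresh paste of the event log to see which phase is failing before touching proposals or proxy-IDs; the port check is useful because a rejected packet already on 4500 means the NAT-T float has happened.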
03-28-2011 02:42 PM
Try enabling nat traversal on both sides!
03-28-2011 06:00 PM
Unfortunately, I can't find a nat-traversal option on the Nexaira. Here's the latest event information. Does this still look like a NAT traversal problem?
03-28-2011 06:15 PM
Those logs point to a mismatched proxy-id.
Are you using route or policy-based VPNs?
Posting your configuration would help troubleshoot.
03-28-2011 06:37 PM
As a follow up to my previous post, I did a debug ike. Here are the results:
03-28-2011 06:53 PM
Sorry, did not hit refresh before posting. The VPN that's giving the errors is Nexaira to Juniper VPN, GW Nexaira VPN.
Here's my config:
03-28-2011 07:46 PM
A couple quick things that may or may not help (I'm on my way out for the day...)
You should unset the vpn monitor for the Nexaira VPN (and any VPNs that don't have Juniper boxes on the other side). It can cause issues with other vendors, and as far as I know it doesn't work properly with non-Juniper remote ends unless you configure a monitor-ip for it to check pings to.
I see it's a route-based VPN. Since you seem to be getting to Phase 2, again it's a proxy-id mismatch. I don't know how Nexaira VPNs are configured, but you will need to make sure that the proxy-ids on that end are the same as the Juniper's (reversed, of course).
In the future if you could use the file attachment feature instead of posting your config into the post it really makes reading through them much easier.
03-28-2011 09:06 PM
Unset the monitor, and checking the "strict" compliance on the Nexaira caused the tunnel to come up. Unfortunately, I don't seem to be running any traffic across it. Is there something specific I need to do? I have policies in place to move the traffic via the proxy-ids. Do I need to do anything with Next Hop Tunnel Binding?
Here's the stats on the tunnel:
04-06-2011 12:49 PM
NHTB should only be needed in a multi-point configuration.
Check the output of "get sa" to ensure your Phase 2 SAs are being built. Your route for 192.168.6.0/24 points to your tunnel.1 interface, so my next question is: have you configured a route on the remote side to send the traffic back over the tunnel?