Junos OS


  • 1.  Site-to-site VPN

    Posted 11-30-2014 21:44

    Hi Everyone,

     

    We've got a Juniper SRX 210H and we need to configure a site-to-site VPN to one remote site with a Cisco router. Since I'm new to Juniper, I already expect that it will take a while for me to solve this problem. It's been a week now and I'm still stuck configuring this SRX. Can anyone please help me? I really can't seem to find the problem here. Internet is working fine, but the VPN won't establish. Did I miss something in my config?

     

    When I type in show security ike security-associations, nothing shows up. Also, I get "total active tunnels: 0" when I type in show security ipsec security-associations. Guys, I really need your help on this. Any kind of help would be appreciated.

     

    root@LA> show configuration
    ## Last commit: 2014-12-01 03:46:55 UTC by root
    version 12.1X44-D40.2;
    groups {
    wiz_PPPoE_0 {
    system {
    services;
    }
    interfaces {
    pp0 {
    unit 0 {
    description ------;
    ppp-options {
    chap {
    default-chap-secret "$9$o0aik5QF9tu3nreKWx7Hq.536Ctu"; ## SECRET-DATA
    local-name "------------------";
    no-rfc2486;
    passive;
    }
    pap {
    local-name "-----------------";
    no-rfc2486;
    local-password "$9$jlifT69AOIEtp8Xx-ws5Qz6tuBIE"; ## SECRET-DATA
    passive;
    }
    }
    pppoe-options {
    underlying-interface ge-0/0/1.0;
    }
    family inet {
    negotiate-address;
    }
    }
    }
    ge-0/0/1 {
    unit 0 {
    encapsulation ppp-over-ether;
    }
    }
    }
    routing-options {
    static {
    route 0.0.0.0/0 {
    qualified-next-hop pp0.0 {
    metric 1;
    }
    }
    }
    }
    security {
    zones {
    security-zone WAN {
    interfaces {
    pp0.0;
    }
    }
    }
    }
    }
    }
    apply-groups wiz_PPPoE_0;
    system {
    host-name LA;
    root-authentication {
    encrypted-password "$1$vjccqdqi$eq8BVk7w2BZhv4Xe1XjS90"; ## SECRET-DATA
    }
    name-server {
    8.8.8.8;
    8.8.4.4;
    }
    login {
    user LA {
    uid 2003;
    class super-user;
    authentication {
    encrypted-password "$1$glZ3MPVU$VWLFRJGP7PPt/0.lDayll/"; ## SECRET-DATA
    }
    }
    }
    services {
    ssh;
    telnet;
    web-management {
    http;
    https {
    system-generated-certificate;
    interface ge-0/0/0.0;
    }
    }
    dhcp {
    pool 172.16.10.0/24 {
    address-range low 172.16.10.10 high 172.16.10.20;
    default-lease-time 3600;
    domain-name company.local;
    name-server {
    8.8.8.8;
    8.8.4.4;
    }
    router {
    172.16.10.1;
    }
    }
    }
    }
    }
    interfaces {
    ge-0/0/0 {
    unit 0 {
    family inet {
    address 172.16.10.1/24;
    }
    }
    }
    ge-0/0/1 {
    unit 0;
    }
    st0 {
    unit 1 {
    family inet;
    }
    }
    }
    routing-options {
    static {
    route 172.16.1.0/24 next-hop st0.1;
    }
    }
    security {
    log {
    mode event;
    }
    ike {
    proposal CA-ike-phase1-proposal {
    description Proposal;
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm sha1;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 28800;
    }
    policy CA-ike-phase1-policy {
    mode aggressive;
    description Phase1IKE;
    proposals CA-ike-phase1-proposal;
    pre-shared-key ascii-text "$9$6M6f9CpREyM87Ndk.mPQzEcSrWLx7-Vbspu"; ## SECRET-DATA
    }
    gateway CA-gw {
    ike-policy CA-ike-phase1-policy;
    address 165.xxx.xxx.xxx;
    no-nat-traversal;
    local-identity inet 222.xxx.xxx.xxx;
    external-interface ge-0/0/1.0;
    }
    }
    ipsec {
    vpn-monitor-options {
    interval 10;
    threshold 5;
    }
    proposal CA-ipsec-phase2-proposal {
    description "phase 2 proposal";
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 3600;
    }
    policy CA-ipsec-phase2-policy {
    description "phase 2 ipsec";
    perfect-forward-secrecy {
    keys group2;
    }
    proposals CA-ipsec-phase2-proposal;
    }
    vpn CA-vpn {
    bind-interface st0.1;
    vpn-monitor {
    destination-ip 172.16.1.1;
    }
    ike {
    gateway CA-gw;
    ipsec-policy CA-ipsec-phase2-policy;
    }
    establish-tunnels immediately;
    }
    }
    application-tracking;
    flow {
    tcp-mss {
    ipsec-vpn {
    mss 1350;
    }
    }
    }
    nat {
    source {
    rule-set Lan_to_WAN {
    from zone LAN;
    to zone WAN;
    rule Lan_to_WAN {
    match {
    source-address 172.16.10.0/24;
    destination-address 0.0.0.0/0;
    }
    then {
    source-nat {
    interface;
    }
    }
    }
    }
    }
    }
    policies {
    from-zone LAN to-zone WAN {
    policy LAN_to_WAN {
    match {
    source-address any;
    destination-address any;
    application any;
    }
    then {
    permit;
    }
    }
    policy permit-any {
    match {
    source-address any;
    destination-address any;
    application any;
    }
    then {
    permit;
    }
    }
    }
    from-zone WAN to-zone LAN {
    policy WAN_to_LAN {
    match {
    source-address any;
    destination-address any;
    application any;
    }
    then {
    deny;
    }
    }
    }
    from-zone LAN to-zone VPN {
    policy VPN_LA-to-CA {
    match {
    source-address VoiceLAN;
    destination-address CA_LAN;
    application any;
    }
    then {
    permit;
    }
    }
    }
    from-zone VPN to-zone LAN {
    policy VPN_CA-to-LA {
    match {
    source-address CA_LAN;
    destination-address VoiceLAN;
    application any;
    }
    then {
    permit;
    }
    }
    }
    }
    zones {
    security-zone LAN {
    address-book {
    address VoiceLAN 172.16.10.0/24;
    }
    host-inbound-traffic {
    system-services {
    all;
    }
    protocols {
    all;
    }
    }
    interfaces {
    ge-0/0/0.0 {
    host-inbound-traffic {
    system-services {
    dhcp;
    dns;
    ping;
    sip;
    ssh;
    http;
    https;
    }
    }
    }
    }
    application-tracking;
    }
    security-zone WAN {
    address-book {
    address CA_Subnet 172.16.1.0/24;
    }
    host-inbound-traffic {
    system-services {
    all;
    }
    }
    interfaces {
    pp0.0 {
    host-inbound-traffic {
    system-services {
    any-service;
    }
    }
    }
    ge-0/0/1.0 {
    host-inbound-traffic {
    system-services {
    dns;
    https;
    ping;
    ssh;
    traceroute;
    ike;
    }
    }
    }
    }
    application-tracking;
    }
    security-zone VPN {
    address-book {
    address CA_LAN 172.16.1.0/24;
    }
    interfaces {
    st0.1 {
    host-inbound-traffic {
    system-services {
    all;
    }
    protocols {
    all;
    }
    }
    }
    }
    }
    }
    }



  • 2.  RE: Site-to-site VPN

     
    Posted 12-01-2014 05:16

    A couple of things pop out at me here, which may only be copy-paste errors:

     

    1.  There is no IP address on your ge-0/0/1.0 interface. 

    2.  There is no default route or more specific static route to the 222.x.x.x remote IKE gateway.

     

    Does your actual config have these things in it?



  • 3.  RE: Site-to-site VPN

    Posted 12-01-2014 16:25

    Hi Evt,

     

    I really appreciate your reply here.

     

    1. I am using PPPoE on my WAN, and my IP is coming from it (222.x.x.x), so I don't have any static IP that I can set on my WAN. Does this answer your question?

     

     

    2. 165.x.x.x is my remote IKE gateway and my local IKE gateway is 222.x.x.x. Did I do it wrong? Please see my config:

     

    gateway CA-gw {
    ike-policy CA-ike-phase1-policy;

    address 165.xxx.xxx.xxx;
    no-nat-traversal;
    local-identity inet 222.xxx.xxx.xxx;
    external-interface ge-0/0/1.0;

     

    Also, here's the list of all my routes.

     

    root@LA>show route

     

    inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    0.0.0.0/0 *[Static/5] 20:32:35, metric 1
    > via pp0.0
    172.16.10.0/24 *[Direct/0] 20:32:50
    > via ge-0/0/0.0
    172.16.10.1/32 *[Local/0] 20:32:56
    Local via ge-0/0/0.0
    222.x.x.x/32 *[Local/0] 20:32:35
    Local via pp0.0
    222.x.x.x/32 *[Direct/0] 20:32:35
    > via pp0.0

     



  • 4.  RE: Site-to-site VPN

    Posted 12-01-2014 17:24

    Hi, I was given these logs from the remote Cisco router:

     

    key eng. msg.) OUTBOUND local= 165.x.x.x, remote= 222.x.x.x,

        local_proxy= 172.16.0.0/255.255.248.0/0/0 (type=4),

        remote_proxy= 172.16.10.0/255.255.255.0/0/0 (type=4),

        protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),

        lifedur= 3600s and 4608000kb,

        spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

    Dec  2 00:49:49.710: ISAKMP:(0): SA request profile is (NULL)

    Dec  2 00:49:49.710: ISAKMP: Created a peer struct for 222.x.x.x, peer port 500

    Dec  2 00:49:49.710: ISAKMP: New peer created peer = 0x4A227914 peer_handle = 0x800000ED

    Dec  2 00:49:49.710: ISAKMP: Locking peer struct 0x4A227914, refcount 1 for isakmp_initiator

    Dec  2 00:49:49.710: ISAKMP: local port 500, remote port 500

    Dec  2 00:49:49.710: ISAKMP: set new node 0 to QM_IDLE     

    Dec  2 00:49:49.710: ISAKMP:(0):insert sa successfully sa = 4A47F678

    Dec  2 00:49:49.710: ISAKMP:(0):SA has tunnel attributes set.

    Dec  2 00:49:49.710: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID

    Dec  2 00:49:49.710: ISAKMP:(0): constructed NAT-T vendor-07 ID

    Dec  2 00:49:49.714: ISAKMP:(0): constructed NAT-T vendor-03 ID

    Dec  2 00:49:49.714: ISAKMP:(0): constructed NAT-T vendor-02 ID

    Dec  2 00:49:49.738: ISAKMP:(0):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

    Dec  2 00:49:49.738: ISAKMP (0): ID payload

            next-payload : 13

            type         : 1

            address      : 222.x.x.x

            protocol     : 17

            port         : 0

            length       : 12

    Dec  2 00:49:49.738: ISAKMP:(0):Total payload length: 12

    Dec  2 00:49:49.738: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_AM

    Dec  2 00:49:49.738: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_AM1

     

    Dec  2 00:49:49.738: ISAKMP:(0): beginning Aggressive Mode exchange

    Dec  2 00:49:49.738: ISAKMP:(0): sending packet to 222.x.x.x my_port 500 peer_port 500 (I) AG_INIT_EXCH

    Dec  2 00:49:49.738: ISAKMP:(0):Sending an IKE IPv4 Packet.

    Dec  2 00:49:50.274: ISAKMP (0): received packet from 222.x.x.x dport 500 sport 500 Global (I) AG_INIT_EXCH

    Dec  2 00:49:50.274: ISAKMP:(0):Couldn't find node: message_id 1668535432

    Dec  2 00:49:50.274: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:  state = IKE_I_AM1

    Dec  2 00:49:50.274: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY

    Dec  2 00:49:50.274: ISAKMP:(0):Old State = IKE_I_AM1  New State = IKE_I_AM1

     

    Dec  2 00:49:50.274: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 222.x.x.x.....

    Success rate is 0 percent (0/5)

    CA#

    Dec  2 00:49:59.738: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...

    Dec  2 00:49:59.738: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1

    Dec  2 00:49:59.738: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH

    Dec  2 00:49:59.738: ISAKMP:(0): sending packet to 222.x.x.x my_port 500 peer_port 500 (I) AG_INIT_EXCH

    Dec  2 00:49:59.738: ISAKMP:(0):Sending an IKE IPv4 Packet.

    CAy#

    Dec  2 00:50:09.738: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...

    Dec  2 00:50:09.738: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1

    Dec  2 00:50:09.738: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH

    Dec  2 00:50:09.738: ISAKMP:(0): sending packet to 222.x.x.x my_port 500 peer_port 500 (I) AG_INIT_EXCH

    Dec  2 00:50:09.738: ISAKMP:(0):Sending an IKE IPv4 Packet.

    Dec  2 00:50:09.966: ISAKMP (0): received packet from 222.x.x.x dport 500 sport 500 Global (I) AG_INIT_EXCH

    Dec  2 00:50:09.966: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.

    CA#

    Dec  2 00:50:09.966: ISAKMP:(0): retransmission skipped for phase 1 (time since last transmission 228)

     

     

    This problem is really driving me crazy.



  • 5.  RE: Site-to-site VPN

     
    Posted 12-01-2014 19:50

    Please use pp0 as the external interface instead of ge-0/0/1 and check.

     

    Thanks,

    Suraj

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too

     



  • 6.  RE: Site-to-site VPN

    Posted 12-01-2014 23:02

    Hi Rsuraj,

     

    I've already made some changes, and when I type in show security ike security-associations, there are some results now! I think this one is the solution to this problem. I'll wait for the remote IT to check his configs. BTW, I've already marked your answer as the solution.

     

    root@LA> show security ike security-associations

    Index State Initiator cookie Responder cookie Mode Remote Address
    3636444 DOWN 66592540d383c1de 0000000000000000 IKEv2 165.x.x.x



  • 7.  RE: Site-to-site VPN

     
    Posted 12-01-2014 23:06

    Hi Kevin,

     

    Thanks for the update. Let's wait for input from the remote end, as the output shows we are sending the IKE message but are not getting a response.

     

    Thanks,

    Suraj

     

     



  • 8.  RE: Site-to-site VPN

    Posted 12-02-2014 17:17

    Hi Rsuraj,

     

    VPN is up now! Thank you so much!!!

     

    root@LA> show security ike security-associations
    Index State Initiator cookie Responder cookie Mode Remote Address
    3411676 UP 6b7a7da3b36a7a63 8305dc89388dcb2b Main 165.x.x.x

     

    root@LA> ping 172.16.1.1
    PING 172.16.1.1 (172.16.1.1): 56 data bytes
    64 bytes from 172.16.1.1: icmp_seq=0 ttl=255 time=307.669 ms
    64 bytes from 172.16.1.1: icmp_seq=1 ttl=255 time=305.194 ms
    64 bytes from 172.16.1.1: icmp_seq=2 ttl=255 time=305.000 ms
    64 bytes from 172.16.1.1: icmp_seq=3 ttl=255 time=304.690 ms

     

    However, the phones do get an IP address from the Juniper, but they are not able to register. Did I miss something here?

    I am currently checking all my routing configs and it seems correct to me.