SRX Services Gateway

Dynamic VPN route-based won't come up

10.11.17 | a week ago

Hi,

I have purchased an SRX320 to replace a working Netscreen-25 which is used as a VPN concentrator. I cannot get the config to work; here is the output from the kmd logs (I masked the IP addresses in the logs: x.x.x.x is my public IP, y.y.y.y is the remote side):

IKE negotiation failed with error: IKE gateway configuration lookup failed during negotiation. IKE Version: 1, VPN: Not-Available Gateway: Not-Available, Local: x.x.x.x/500, Remote: y.y.y.y/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Responder

The initiator is on the remote side.

Part of my config:

# show security ike
traceoptions {
    file ike-debug;
    flag all;
}
proposal smartbox-proposal {
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm sha1;
    encryption-algorithm 3des-cbc;
}
policy ike-dyn-vpn-policy {
    mode aggressive;
    proposals smartbox-proposal;
    pre-shared-key ascii-text "$9$VvYaGDikfTFYg3/AuIRlevw2GjHsYP5QnpuKM8Xs24jk.4o/Cp0RE-VbwaU.P56/AZU"; ## SECRET-DATA
}
gateway dyn-vpn-local-gw {
    ike-policy ike-dyn-vpn-policy;
    dynamic {
        hostname dynvpn;
        connections-limit 10;
        ike-user-type group-ike-id;
    }
    external-interface ge-0/0/0.0;
    xauth {
        access-profile access-profile-smartbox;
    }
}

# show security ipsec
traceoptions {
    flag all;
}
proposal smartbox-phase2 {
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 600;
}
policy ipsec-dyn-vpn-policy {
    proposals smartbox-phase2;
}
vpn dyn-vpn {
    bind-interface st0.0;
    ike {
        gateway dyn-vpn-local-gw;
        ipsec-policy ipsec-dyn-vpn-policy;
    }
    establish-tunnels immediately;
}

The IKE SA shows:

> show security ike sa detail
IKE peer y.y.y.y, Index 401858
  Role: Responder, State: DOWN
  Initiator cookie: 8bba78cf71fcc127, Responder cookie: 051fc7e75b033b82
  Exchange type: Unknown, Authentication method: Unknown
  :500, Remote: y.y.y.y:500
  Reauth Lifetime: Disabled
  Xauth assigned IP: 0.0.0.0
  Algorithms:
    Authentication       : (null)
    Diffie-Hellman group : unknown
  Traffic statistics:
    Input bytes    : 396
    Output bytes   : 102
    Input packets  : 1
    Output packets : 1
  IPSec security associations: 0 created, 0 deleted
  Phase 2 negotiations in progress: 0

  Flags: IKE SA is created

10 REPLIES

Re: Dynamic VPN route-based won't come up

10.11.17 | a week ago

gateway dyn-vpn-local-gw {
    ike-policy ike-dyn-vpn-policy;
    dynamic {
        hostname dynvpn;

Instead of using a host name, you need to configure a matching pair in the configurations:

Static side

gateway dyn-vpn-local-gw {
    ike-policy ike-dyn-vpn-policy;
    dynamic {
        dynamic hostname dynvpn;

Dynamic side

gateway dyn-vpn-local-gw {
    ike-policy ike-dyn-vpn-policy;
    dynamic {
        local-identity
        hostname dynvpn;

Steve Puluka BSEET
Juniper Ambassador
Senior IP Engineer - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
JNCIA-Junos JNCIS-SEC JNCIP-SEC JNCSP-SEC
JNCIS-FWV
JNCDA JNCDS-DC JNCDS-SEC
JNCIS-SP
ACE PanOS 6 ACE PanOS 7
http://puluka.com/home
Re: Dynamic VPN route-based won't come up

[ Edited ]
10.11.17 | a week ago

Thanks Steve, I've tried some hostnames, but I don't know what the other side wants to use as a hostname; it's not a Juniper device. Do you know if that would be somewhere in the (old) NetScreen configuration (see below)?

set ike p1-proposal "pre-g2-3des-sha-15min" preshare group2 esp 3des sha-1 minute 15
set ike p2-proposal "nopfs-esp-3des-sha-10min" no-pfs esp 3des sha-1 minute 10
set ike gateway "teleconnect" dialup "teleconnect" Aggr outgoing-interface "ethernet2" seed-preshare "FcMz9P8SNwPCsfWlZtTnxrsT2Og==" proposal "pre-g2-3des-sha-15min"
set ike gateway "teleconnect" cert peer-ca all
set ike gateway "teleconnect" nat-traversal udp-checksum
set ike gateway "teleconnect" nat-traversal keepalive-frequency 5
set ike respond-bad-spi 1
unset ike ikeid-enumeration

Re: Dynamic VPN route-based won't come up

10.11.17 | a week ago

Since the SRX is acting as responder, you can use 'monitor traffic interface ge-0/0/0 no-resolve extensive matching "host y.y.y.y"' to see what host name the peer uses. It will come under Identification.

Thanks,
Suraj
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too
Re: Dynamic VPN route-based won't come up

10.12.17 | a week ago

Thanks Suraj,

This is the output of the command, but no host identification found:

09:49:56.879341 In
Juniper PCAP Flags [Ext, no-L2, In], PCAP Extension(s) total length 16
Device Media Type Extension TLV #3, length 1, value: Ethernet (1)
Logical Interface Encapsulation Extension TLV #6, length 1, value: Ethernet (14)
Device Interface Index Extension TLV #1, length 2, value: 35328
Logical Interface Index Extension TLV #4, length 4, value: 73
-----original packet-----
PFE proto 2 (ipv4): (tos 0x20, ttl 47, id 60036, offset 0, flags [DF], proto: UDP (17), length: 424) y.y.y.y.500 > x.x.x.x.500: [udp sum ok] isakmp 1.0 msgid 00000000 cookie 4104b687f132e109->0000000000000000: phase 1 I agg:
(sa: doi=ipsec situation=identity
(p: #0 protoid=isakmp transform=1
(t: #0 id=ike (type=lifetype value=sec)(type=lifeduration value=0e10)(type=enc value=3des)(type=hash value=sha1)(type=auth value=preshared)(type=group desc value=modp1024))))
(ke: key len=128)
(nonce: n len=16)
(id: idtype=user FQDN protoid=ip port=0 len=33 user1@teleconnect.local)
(vid: len=16)
(vid: len=16)
(vid: len=16)
(vid: len=16)
(vid: len=16)
(vid: len=16)
09:49:56.882257 Out
Juniper PCAP Flags [Ext], PCAP Extension(s) total length 16
Device Media Type Extension TLV #3, length 1, value: Ethernet (1)
Logical Interface Encapsulation Extension TLV #6, length 1, value: Ethernet (14)
Device Interface Index Extension TLV #1, length 2, value: 35328
Logical Interface Index Extension TLV #4, length 4, value: 73
-----original packet-----
30:b6:4f:24:e4:c0 > cc:ef:48:4b:4c:c1, ethertype IPv4 (0x0800), length 144: (tos 0xc0, ttl 64, id 44712, offset 0, flags [none], proto: UDP (17), length: 130) x.x.x.x.500 > y.y.y.y.500: [udp sum ok] isakmp 1.0 msgid 0bf076d0 cookie 4104b687f132e109->0a6f62b7ce4da7d0: phase 2/others R inf:
(n: doi=ipsec proto=isakmp type=NO-PROPOSAL-CHOSEN spi=4104b687f132e1090a6f62b7ce4da7d0 orig=(
(sa: doi=393250 situation=1131378028) [|#128]))
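
Added example, not from this thread and not Juniper code: a small Python decoder for the first aggressive-mode IKEv1 message, framed like the capture above (SA, KE, NONCE, ID, VID payloads), that walks the payload chain to the Identification payload and prints the peer's ID type and value, which is the field Suraj's monitor command exposes. It also shows why this works here and not in main mode: aggressive mode sends the phase-1 identity before encryption starts, while in main mode the header's E flag is set and the ID payload is inside the encrypted part, so the decoder returns None. The packet builder and its cookie, DH value, nonce and vendor-ID bytes are constructed filler; the identity string and the initiator cookie value are taken from the capture.

```python
"""Decode the peer IKE identity from an IKEv1 aggressive-mode first message.

Added example: constructed packet shaped like the monitor-traffic capture
in the thread; the ISAKMP framing follows RFC 2408 and the ID types RFC 2407.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

ISAKMP_HDR_LEN = 28
EXCH_AGGRESSIVE = 4      # phase-1 aggressive mode: identity is sent before encryption starts
FLAG_ENCRYPTED = 0x01    # E bit in the header flags: payloads after the header are encrypted
PAYLOAD_SA, PAYLOAD_KE, PAYLOAD_ID, PAYLOAD_NONCE, PAYLOAD_VID = 1, 4, 5, 10, 13

# IPsec DOI identification types; tcpdump prints type 3 as "user FQDN".
ID_TYPE_NAMES = {1: "IPV4_ADDR", 2: "FQDN", 3: "USER_FQDN", 5: "IPV6_ADDR",
                 9: "DER_ASN1_DN", 11: "KEY_ID"}


@dataclass
class PeerIdentity:
    exchange_type: int
    id_type: int
    id_type_name: str
    identity: str


def _payload(next_type: int, body: bytes) -> bytes:
    """Generic payload header (next payload, reserved, length) followed by the body."""
    return struct.pack("!BBH", next_type, 0, 4 + len(body)) + body


def build_aggressive_initiator(identity: str, id_type: int = 3) -> bytes:
    """Constructed sample: SA -> KE -> NONCE -> ID -> VID, the chain seen in the capture.

    Cookie taken from the capture; DH value, nonce and vendor ID are filler bytes.
    """
    if id_type == 1:
        id_data = ipaddress.IPv4Address(identity).packed
    else:
        id_data = identity.encode("ascii")
    sa = _payload(PAYLOAD_KE, b"\x00\x00\x00\x01\x00\x00\x00\x01")  # DOI=IPsec, SIT_IDENTITY_ONLY
    ke = _payload(PAYLOAD_NONCE, bytes(128))                        # 1024-bit DH value placeholder
    nonce = _payload(PAYLOAD_ID, bytes(16))
    ident = _payload(PAYLOAD_VID, struct.pack("!BBH", id_type, 0, 0) + id_data)  # protoid=0, port=0
    vid = _payload(0, bytes(16))                                    # next payload 0 ends the chain
    body = sa + ke + nonce + ident + vid
    header = struct.pack("!8s8sBBBBII", bytes.fromhex("4104b687f132e109"), bytes(8),
                         PAYLOAD_SA, 0x10, EXCH_AGGRESSIVE, 0, 0, ISAKMP_HDR_LEN + len(body))
    return header + body


def _decode_id(id_type: int, data: bytes) -> str:
    if id_type == 1 and len(data) == 4:
        return str(ipaddress.IPv4Address(data))
    if id_type == 5 and len(data) == 16:
        return str(ipaddress.IPv6Address(data))
    if id_type in (2, 3):
        return data.decode("ascii", errors="replace")
    return data.hex()  # DN / KEY_ID: keep the raw bytes readable


def parse_peer_identity(packet: bytes) -> Optional[PeerIdentity]:
    """Walk the payload chain; return the ID payload, or None when it is not in the clear."""
    if len(packet) < ISAKMP_HDR_LEN:
        raise ValueError("short ISAKMP header")
    _ic, _rc, next_type, _ver, exch, flags, _msgid, length = struct.unpack(
        "!8s8sBBBBII", packet[:ISAKMP_HDR_LEN])
    if length != len(packet):
        raise ValueError("header length does not match datagram")
    if flags & FLAG_ENCRYPTED:
        return None  # main mode / quick mode: the ID payload is encrypted, nothing to read
    offset = ISAKMP_HDR_LEN
    while next_type != 0:
        if offset + 4 > len(packet):
            raise ValueError("truncated payload header")
        following, _res, plen = struct.unpack("!BBH", packet[offset:offset + 4])
        if plen < 4 or offset + plen > len(packet):
            raise ValueError("bad payload length %d at offset %d" % (plen, offset))
        body = packet[offset + 4:offset + plen]
        if next_type == PAYLOAD_ID:
            if len(body) < 4:
                raise ValueError("ID payload too short")
            id_type, _proto, _port = struct.unpack("!BBH", body[:4])
            return PeerIdentity(exch, id_type, ID_TYPE_NAMES.get(id_type, "type-%d" % id_type),
                                _decode_id(id_type, body[4:]))
        offset += plen
        next_type = following
    return None


if __name__ == "__main__":
    pkt = build_aggressive_initiator("user1@teleconnect.local")
    print(parse_peer_identity(pkt))
```

Run stand-alone it prints the USER_FQDN identity user1@teleconnect.local with exchange type 4 (aggressive); feed it a datagram from a real capture and the same walk applies, with length checks on every payload so a malformed or truncated packet raises instead of being misread.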

Re: Dynamic VPN route-based won't come up

10.12.17 | a week ago

user1@teleconnect.local

This is your ID.

Try configuring the below:

delete security ike gateway dyn-vpn-local-gw dynamic
set security ike gateway dyn-vpn-local-gw dynamic user-at-hostname "user1@teleconnect.local"
commit

Thanks,
Suraj
Re: Dynamic VPN route-based won't come up

10.12.17 | a week ago

Hi Suraj,

With those commands I get this error:

[edit security ike gateway dyn-vpn-local-gw]
'dynamic'
Missing dynamic hostname for IKE gateway dyn-vpn-local-gw for ipsec_vpn dyn-vpn

In the original config the other side should authenticate using the access profile; see this config I did not share before:

profile access-profile-smartbox {
    client user1 {
        xauth {
            ip-address 10.12.1.7/32;
        }
        firewall-user {
            password "$9$mf360BIRSrAtX7-dsY5Qz36AOBESlKB1dbwYZGHqmTn/0ORcretp0IEhrlKMJZjHmfaJGi.mTQn/CuIErlM-bsLX-wY4ZG9AtuIEleW7dbMWLN"; ## SECRET-DATA
        }
    }
    address-assignment {
        pool dyn-vpn-pool;
    }
}
address-assignment {
    pool dyn-vpn-pool {
        family inet {
            network 10.12.0.0/16;
        }
    }
}
firewall-authentication {
    web-authentication {
        default-profile access-profile-smartbox;
    }
}

Re: Dynamic VPN route-based won't come up

10.12.17 | a week ago

Did you try adding the below?

set security ike gateway dyn-vpn-local-gw dynamic user-at-hostname "user1@teleconnect.local"
commit

Thanks,
Suraj
Re: Dynamic VPN route-based won't come up

10.12.17 | a week ago

See below.

[edit security ike gateway dyn-vpn-local-gw]
fw# show
ike-policy ike-dyn-vpn-policy;
dynamic user-at-hostname "user1@teleconnect.local";
external-interface ge-0/0/0.0;
xauth {
access-profile access-profile-smartbox;
}

[edit security ike gateway dyn-vpn-local-gw]
fw# commit
[edit security ike gateway dyn-vpn-local-gw]
'dynamic'
Missing dynamic hostname for IKE gateway dyn-vpn-local-gw for ipsec_vpn dyn-vpn
commit complete

Re: Dynamic VPN route-based won't come up

10.12.17 | a week ago

Ok, can you try configuring "user1@teleconnect.local" as the dynamic hostname?

Thanks,
Suraj
Re: Dynamic VPN route-based won't come up

10.12.17 | a week ago

I've tried; it brings me back to the output of the monitor command, exactly the same as posted earlier.

Thanks,

Mart