SRX

  • 1.  Fortigate 800C - SRX 240 ike problem

    Posted 11-14-2016 10:32

    Hi,

     

    I'm trying to configure vpn between Fortigate 800C and SRX 240 in test environment (the same subnet for WAN interfaces). I have a problem with ike:

     

    Juniper:

     show security ike security-associations
    Index State Initiator cookie Responder cookie Mode Remote Address
    2842773 DOWN f819d2c735939f64 a267c13f16767608 Any A.B.C.24

     

    Fortigate:

     diagnose vpn ike gateway
    name: VPN-SRX
    version: 1
    interface: wan1 5
    addr: A.B.C.24:500 -> A.B.C.25:500
    created: 6s ago
    auto-discovery: 0
    IKE SA: created 1/1
    IPsec SA: created 0/0

    id/spi: 375 82b42b5847a79362/0000000000000000
    direction: responder
    status: connecting, state 3, started 6s ago

     

    SRX debug:

    [Nov 14 19:07:46]ike_free_sa: Start
    [Nov 14 19:07:47]ikev2_packet_allocate: Allocated packet dc0400 from freelist
    [Nov 14 19:07:47]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
    [Nov 14 19:07:47]ike_get_sa: Start, SA = { dac663eb 94378770 - 00000000 00000000 } / 00000000, remote = A.B.C.24:500
    [Nov 14 19:07:47]ike_sa_allocate: Start, SA = { dac663eb 94378770 - 0ccc7df7 e063728a }
    [Nov 14 19:07:47]ike_init_isakmp_sa: Start, remote = A.B.C.24:500, initiator = 0
    [Nov 14 19:07:47]ike_decode_packet: Start
    [Nov 14 19:07:47]ike_decode_packet: Start, SA = { dac663eb 94378770 - 0c97b2f3 dd18068f} / 00000000, nego = -1
    [Nov 14 19:07:47]ike_decode_payload_sa: Start
    [Nov 14 19:07:47]ike_decode_payload_t: Start, # trans = 1
    [Nov 14 19:07:47]ike_st_i_vid: VID[0..16] = afcad713 68a1f1c9 ...
    [Nov 14 19:07:47]ike_st_i_vid: VID[0..16] = 4048b7d5 6ebce885 ...
    [Nov 14 19:07:47]ike_st_i_vid: VID[0..20] = 4048b7d5 6ebce885 ...
    [Nov 14 19:07:47]ike_st_i_vid: VID[0..16] = 82990317 57a36082 ...
    [Nov 14 19:07:47]ike_st_i_sa_proposal: Start
    [Nov 14 19:07:47]iked_pm_ike_spd_select_ike_sa failed. rc 1, error_code: No proposal chosen
    [Nov 14 19:07:47]ikev2_fb_spd_select_sa_cb: IKEv2 SA select failed with error No proposal chosen (neg e06800)
    [Nov 14 19:07:47]ike_isakmp_sa_reply: Start
    [Nov 14 19:07:47]ike_state_restart_packet: Start, restart packet SA = { dac663eb 94378770 - 0c97b2f3 dd18068f}, nego = -1
    [Nov 14 19:07:47]ike_st_i_sa_proposal: Start
    [Nov 14 19:07:47]ike_st_i_cr: Start
    [Nov 14 19:07:47]ike_st_i_cert: Start
    [Nov 14 19:07:47]ike_st_i_private: Start
    [Nov 14 19:07:47]ike_st_o_sa_values: Start
    [Nov 14 19:07:47]A.B.C.25:500 (Responder) <-> A.B.C.24:500 { dac663eb 94378770 - 0c97b2f3 dd18068f [-1] / 0x00000000 } IP; Error = No proposal chosen (14)
    [Nov 14 19:07:47]ike_alloc_negotiation: Start, SA = { dac663eb 94378770 - 0c97b2f3 dd18068f}
    [Nov 14 19:07:47]ike_encode_packet: Start, SA = { 0xdac663eb 94378770 - 0c97b2f3 dd18068f } / d4330be2, nego = 0
    [Nov 14 19:07:47]ike_send_packet: Start, send SA = { dac663eb 94378770 - 0c97b2f3 dd18068f}, nego = 0, dst = A.B.C.24:500,  routing table id = 0
    [Nov 14 19:07:47]ike_delete_negotiation: Start, SA = { dac663eb 94378770 - 0c97b2f3 dd18068f}, nego = 0
    [Nov 14 19:07:47]ike_free_negotiation_info: Start, nego = 0
    [Nov 14 19:07:47]ike_free_negotiation: Start, nego = 0
    [Nov 14 19:07:47]IKE negotiation fail for local:A.B.C.25, remote:A.B.C.24 IKEv1 with status: No proposal chosen
    [Nov 14 19:07:47]  IKEv1 Error : No proposal chosen

    Fortigate debug:

    ike 0:VPN-SRX-PL: schedule auto-negotiate
    ike 0:VPN-SRX-PL: auto-negotiate connection
    ike 0:VPN-SRX-PL: created connection: 0x399fb00 5 A.B.C.24->A.B.C.25:500.
    ike 0:VPN-SRX-PL:383: initiator: main mode is sending 1st message...
    ike 0:VPN-SRX-PL:383: cookie 04dc6135a7b58c34/0000000000000000
    ike 0:VPN-SRX-PL:383: out 04DC6135A7B58C3400000000000000000110020000000000000000AC0D00003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E00808003000180020002800400020D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00050428
    ike 0:VPN-SRX-PL:383: sent IKE msg (ident_i1send): A.B.C.24:500->A.B.C.25:500, len=172, id=04dc6135a7b58c34/0000000000000000
    ike 0: comes A.B.C.25:500->A.B.C.24:500,ifindex=5....
    ike 0: IKEv1 exchange=Informational id=04dc6135a7b58c34/b68f181de8ae682f:18ad0f9b len=102
    ike 0: in 04DC6135A7B58C34B68F181DE8AE682F0B10050018AD0F9B000000660000004A000000010110000E04DC6135A7B58C34B68F181DE8AE682F800C000100060022436F756C64206E6F742066696E642061636365707461626C652070726F706F73616C80080000
    ike 0:VPN-SRX-PL:383: ignoring unsupported INFORMATIONAL message 0.
    ike 0:VPN-SRX-PL:383: out 04DC6135A7B58C3400000000000000000110020000000000000000AC0D00003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E00808003000180020002800400020D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00050428
    ike 0:VPN-SRX-PL:383: sent IKE msg (P1_RETRANSMIT): A.B.C.24:500->A.B.C.25:500, len=172, id=04dc6135a7b58c34/0000000000000000
    ike 0:VPN-SRX-PL:383: out 04DC6135A7B58C3400000000000000000110020000000000000000AC0D00003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E00808003000180020002800400020D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00050428
    ike 0:VPN-SRX-PL:383: sent IKE msg (P1_RETRANSMIT): A.B.C.24:500->A.B.C.25:500, len=172, id=04dc6135a7b58c34/0000000000000000
    ike 0: comes A.B.C.25:500->A.B.C.24:500,ifindex=5....
    ike 0: IKEv1 exchange=Informational id=04dc6135a7b58c34/b68f181de8ae682f:18ad0f9b len=102
    ike 0: in 04DC6135A7B58C34B68F181DE8AE682F0B10050018AD0F9B000000660000004A000000010110000E04DC6135A7B58C34B68F181DE8AE682F800C000100060022436F756C64206E6F742066696E642061636365707461626C652070726F706F73616C80080000
    ike 0:VPN-SRX-PL:383: ignoring unsupported INFORMATIONAL message 0.
    ike 0:VPN-SRX-PL:383: negotiation timeout, deleting
    ike 0:VPN-SRX-PL: connection expiring due to phase1 down

     

    I've tried with compatible proposals and with manually selecting some of them.

     

    Current p1 for SRX:

    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm sha1;
    encryption-algorithm aes-128-cbc;
    lifetime-seconds 86400;

     

    Current p1 for Fortigate:

     

    edit "VPN-SRX"
    set interface "wan1"
    set proposal aes128-sha1
    set dhgrp 2
    set nattraversal disable
    set remote-gw A.B.C.25
    set psksecret ENC qtJ/743mzf[cut]8nsg==
    next

     

    I'm new to Fortinet.

    Maybe someone has experience with connecting these boxes?

     

    Regards, Kacper



  • 2.  RE: Fortigate 800C - SRX 240 ike problem

    Posted 11-14-2016 12:38
    P.S.
    It is a route-based VPN on both sides. I have 2 other Fortigates connected to the 800C. I also had other SRXes connected to the SRX240.


  • 3.  RE: Fortigate 800C - SRX 240 ike problem
    Best Answer

    Posted 11-14-2016 21:17

    Hello,

     


    @groovee wrote:
    P.S.
    It is a route-based VPN on both sides.

    Have you included the stX.Y subinterface on the SRX side in the appropriate security zone, and have you added security policy/ies allowing traffic to go into/from that subinterface?

    HTH

    Thx

    Alex



  • 4.  RE: Fortigate 800C - SRX 240 ike problem

    Posted 11-15-2016 00:25

    @spuluka: Yes, I've configured an explicit proposal package.

    @aarseniev: Bingo! The simplest reason: the tunnel interface was not in a security zone.

    Why on earth does Juniper give such a debug message (No proposal chosen)??

     

    Index State Initiator cookie Responder cookie Mode Remote Address
    2846137 UP 3512508dbf524509 53189e16ba6ad168 Main A.B.C.24

     

    Thank you for help!



  • 5.  RE: Fortigate 800C - SRX 240 ike problem

    Posted 11-14-2016 15:03
    iked_pm_ike_spd_select_ike_sa failed. rc 1, error_code: No proposal chosen

    This message does mean that the IKE crypto packages do not match.  You should create an explicit package under the security hierarchy with all parameters called out to match the Fortigate.

     

    security ike proposal

     

    Then use this as the proposal set

     

    security ike policy test proposal-set
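As an added example that is not part of this thread, the following Python decodes the two Fortigate hex dumps from the first post (the main-mode message 1 the Fortigate sent, and the Informational packet the SRX sent back) using the well-known constant tables from RFC 2408 and RFC 2409. It shows that the phase-1 transform actually on the wire is AES-CBC with a 128-bit key, SHA1, pre-shared key, DH group 2 (modp1024) and an 86400-second lifetime, i.e. the same values as the SRX proposal quoted in the first post, and that the "unsupported INFORMATIONAL message" the Fortigate ignores is a NO-PROPOSAL-CHOSEN notification (type 14) carrying the text "Could not find acceptable proposal". That agrees with the poster's later finding that the proposal itself was not the cause. The notify data attached by the SRX is formatted as ISAKMP data attributes whose meaning I treat as unknown (assumed vendor-specific); the code only extracts the printable text it carries.

```python
import struct

# Well-known ISAKMP / IKEv1 constants (RFC 2408 and RFC 2409 Appendix A); partial tables.
EXCHANGE_TYPES = {2: "Identity Protection (main mode)", 4: "Aggressive", 5: "Informational", 32: "Quick Mode"}
NOTIFY_TYPES = {14: "NO-PROPOSAL-CHOSEN", 18: "INVALID-ID-INFORMATION", 24: "AUTHENTICATION-FAILED"}
P1_ATTR_CLASSES = {1: "encryption", 2: "hash", 3: "auth_method", 4: "dh_group",
                   11: "life_type", 12: "life_duration", 14: "key_length"}
P1_ATTR_VALUES = {
    "encryption": {1: "DES-CBC", 5: "3DES-CBC", 7: "AES-CBC"},
    "hash": {1: "MD5", 2: "SHA1"},
    "auth_method": {1: "pre-shared-key", 3: "RSA-signature"},
    "dh_group": {1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048"},
    "life_type": {1: "seconds", 2: "kilobytes"},
}

# Hex dumps copied from the Fortigate debug in the first post: the main-mode message 1
# it sent ("out ...") and the Informational packet that came back from the SRX ("in ...").
FORTI_MM1 = (
    "04DC6135A7B58C3400000000000000000110020000000000000000AC0D00003C0000000100000001"
    "00000030010100010000002801010000800B0001000C00040001518080010007800E008080030001"
    "80020002800400020D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE885"
    "25E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C00000000000001482990317"
    "57A36082C6A621DE00050428"
)
SRX_NOTIFY = (
    "04DC6135A7B58C34B68F181DE8AE682F0B10050018AD0F9B000000660000004A000000010110000E"
    "04DC6135A7B58C34B68F181DE8AE682F800C000100060022436F756C64206E6F742066696E642061"
    "636365707461626C652070726F706F73616C80080000"
)


def parse_attributes(buf):
    """Decode ISAKMP data attributes (RFC 2408 3.3): TV form when the high bit is set, else TLV."""
    attrs, off = [], 0
    while off + 4 <= len(buf):
        af_type, val = struct.unpack_from("!HH", buf, off)
        off += 4
        if af_type & 0x8000:
            attrs.append((af_type & 0x7FFF, val))          # 2-byte value
        else:
            attrs.append((af_type, buf[off:off + val]))    # val is the data length
            off += val
    return attrs


def decode_p1_transform(attrs):
    """Name the phase-1 (KEY_IKE) transform attributes; unknown classes keep raw numbers."""
    out = {}
    for cls, val in attrs:
        name = P1_ATTR_CLASSES.get(cls, "attr%d" % cls)
        if isinstance(val, bytes):                          # TLV value, e.g. a 4-byte life duration
            val = int.from_bytes(val, "big")
        out[name] = P1_ATTR_VALUES.get(name, {}).get(val, val)
    return out


def parse_sa(body):
    """SA payload body: DOI, situation, then proposals each carrying transforms."""
    doi, _situation = struct.unpack_from("!II", body, 0)
    off, proposals = 8, []
    while off + 8 <= len(body):
        _, _, plen, pnum, proto, spisize, ntrans = struct.unpack_from("!BBHBBBB", body, off)
        toff, transforms = off + 8 + spisize, []
        for _ in range(ntrans):
            _, _, tlen, _tnum, _tid, _ = struct.unpack_from("!BBHBBH", body, toff)
            transforms.append(decode_p1_transform(parse_attributes(body[toff + 8:toff + tlen])))
            toff += tlen
        proposals.append({"number": pnum, "protocol": proto, "transforms": transforms})
        off += plen
    return {"doi": doi, "proposals": proposals}


def parse_notify(body):
    """Notification payload body: DOI, protocol, SPI size, notify type, SPI, then notify data."""
    _doi, proto, spisize, ntype = struct.unpack_from("!IBBH", body, 0)
    data = body[8 + spisize:]
    # The SRX's notify data looks like ISAKMP attributes; their meaning is assumed vendor-specific,
    # so only printable text is pulled out of them.
    text = [v.decode("ascii") for _, v in parse_attributes(data) if isinstance(v, bytes) and v.isascii()]
    return {"code": ntype, "type": NOTIFY_TYPES.get(ntype, ntype), "protocol": proto, "text": " ".join(text)}


def parse_isakmp(hexdump):
    """Walk the ISAKMP header and payload chain of one packet given as a hex string."""
    pkt = bytes.fromhex(hexdump)
    icookie, rcookie, np, _ver, xchg, _flags, _msgid, length = struct.unpack_from("!8s8sBBBBII", pkt, 0)
    result = {"initiator_cookie": icookie.hex(), "responder_cookie": rcookie.hex(),
              "exchange": EXCHANGE_TYPES.get(xchg, xchg), "length": length, "payloads": []}
    off = 28
    while np != 0 and off + 4 <= len(pkt):
        next_np, _, plen = struct.unpack_from("!BBH", pkt, off)
        body = pkt[off + 4:off + plen]
        if np == 1:
            result["payloads"].append(("SA", parse_sa(body)))
        elif np == 11:
            result["payloads"].append(("N", parse_notify(body)))
        elif np == 13:
            result["payloads"].append(("VID", body.hex()))
        else:
            result["payloads"].append((np, body.hex()))
        off += plen
        np = next_np
    return result


if __name__ == "__main__":
    for label, dump in (("Fortigate main mode msg 1", FORTI_MM1), ("SRX Informational reply", SRX_NOTIFY)):
        p = parse_isakmp(dump)
        print(label, "|", p["exchange"], "|", p["length"], "bytes")
        for kind, val in p["payloads"]:
            print("   ", kind, val)
```

The decoded vendor ID payloads also line up with the VID[0..16] lines in the SRX debug, which is a quick way to confirm that the packet the SRX logged is the one the Fortigate sent. Decoding the offer before touching proposals saves time whenever "No proposal chosen" appears: if the wire transform already equals the configured proposal, the cause is somewhere else, as it turned out to be here.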