SRX

  • 1.  IKE negotiation failed with error: SA unusable - VPN SRX BEHIND NAT DEVICE

    Posted 04-26-2017 08:07

    Hi everyone, I am new to SRX. I got a VPN profile from an SSG and configured the VPN on my SRX. My SRX is behind a NAT device that has a dynamic IP address. I searched a lot but could not solve my problem, which shows “negotiation failed with error: SA unusable”. I hope you can give me some instructions for this issue. Thanks in advance.
                 Local-ID=test-bk0                                              33.12.22.1     10.0.0.0/8
    (PC-A) -----[SRX]--------[NAT]-----------ISP-------[FIREWALL]-----(PC-B)
     10.32.197.64 /28  192.168.1.0/24   DYNAMIC IP           STATIC IP                                        

     

     

    Here is all my configuration on SRX:

    root@SRX220> show configuration
        services {
            ssh;
            telnet;
            xnm-clear-text;
            dhcp {
                pool 10.32.197.64/28 {
                    address-range low 10.33.197.66 high 10.33.197.70;
                    name-server {
                        8.8.8.8;
                    }
                    router {
                        10.32.197.65;
                    }
                }
                propagate-settings ge-0/0/0.0;
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
            file kmd-logs {
                daemon info;
                match KMD;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                description "Connect to Internet behind NAT 192.168.1.0/24";
                family inet {
                    address 192.168.1.5/24;
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/2 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        :
        :
        :
        ge-0/0/7 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        st0 {
            description "Tunnel 1 - VPN";
            unit 0 {
                family inet;
            }
        }
        vlan {
            unit 0 {
                description "LAN Noi Bo";
                family inet {
                    address 10.32.197.65/28;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 192.168.1.1;
            route 10.0.0.0/8 next-hop st0.0;
        }
    }
    protocols {
        stp;
    }
    security {
        ike {
            policy IKE-POLICY {
                mode aggressive;
                proposal-set standard;
                pre-shared-key ascii-text "$9$ssYgJf5FCtuQFCu1IleoJGDk.f5F/CuPfp0B1hcbsYoUj3n/Cp0TQhSylMWUjiqTz"; ## SECRET-DATA
            }
            gateway IKE-GATEWAY {
                ike-policy IKE-POLICY;
                address 33.12.22.1;
                dead-peer-detection {
                    interval 10;
                    threshold 5;
                }
                nat-keepalive 10;
                local-identity hostname test-bk0;
                external-interface ge-0/0/0.0;
                version v1-only;
            }
        }
        ipsec {
            vpn-monitor-options {
                interval 10;
                threshold 10;
            }
            proposal ipsec-phase2-proposal {
                protocol esp;
                authentication-algorithm hmac-md5-96;
                encryption-algorithm des-cbc;
                lifetime-seconds 28800;
                lifetime-kilobytes 86400;
            }
            policy IPSEC-POLICY {
                perfect-forward-secrecy {
                    keys group2;
                }
                proposals ipsec-phase2-proposal;
            }
            vpn IPSEC-VPN {
                bind-interface st0.0;
                vpn-monitor {
                    optimized;
                }
                ike {
                    gateway IKE-GATEWAY;
                    proxy-identity {
                        local 10.32.197.64/28;
                        remote 10.0.0.0/8;
                        service any;
                    }
                    ipsec-policy IPSEC-POLICY;
                }
                establish-tunnels immediately;
            }
        }
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            source {
                rule-set TRUST-TO-UNTRUST {
                    from zone trust;
                    to zone untrust;
                    rule NO_NAT {
                        match {
                            destination-address 10.0.0.0/8;
                        }
                        then {
                            source-nat {
                                off;
                            }
                        }
                    }
                    rule INTERFACE-NAT {
                        match {
                            source-address 10.32.197.64/28;
                            destination-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone trust to-zone untrust {
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone trust to-zone VPN {
                policy TRUST-TO-VPN {
                    match {
                        source-address local-net;
                        destination-address remote-net;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone VPN to-zone trust {
                policy VPN-TO-TRUST {
                    match {
                        source-address remote-net;
                        destination-address local-net;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone untrust to-zone trust {
                policy UNTRUST-TO-TRUST {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone trust {
                address-book {
                    address local-net 10.33.197.64/28;
                }
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    vlan.0;
                }
            }
            security-zone untrust {
                screen untrust-screen;
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
            security-zone VPN {
                address-book {
                    address remote-net 10.0.0.0/8;
                }
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    st0.0;
                }
            }
        }
    }
    vlans {
        vlan-trust {
            vlan-id 3;
            l3-interface vlan.0;
        }
    }

    --------

    root@SRX220> show security ike security-associations detail
    IKE peer 33.12.22.1, Index 5393328, Gateway Name: IKE-GATEWAY
      Role: Initiator, State: UP
      Initiator cookie: bf3766e935a76519, Responder cookie: 166b0c89c2c05ff9
      Exchange type: Aggressive, Authentication method: Pre-shared-keys
      Local: 192.168.1.5:4500, Remote: 33.12.22.1:4500
      Lifetime: Expires in 5111 seconds
      Peer ike-id: 33.12.22.1
      Xauth user-name: not available
      Xauth assigned IP: 0.0.0.0
      Algorithms:
       Authentication        : hmac-sha1-96
       Encryption            : 3des-cbc
       Pseudo random function: hmac-sha1
       Diffie-Hellman group  : DH-group-2
      Traffic statistics:
       Input  bytes  :                  516
       Output bytes  :                  887
       Input  packets:                    2
       Output packets:                    3
      Flags: IKE SA is created
      IPSec security associations: 0 created, 0 deleted
      Phase 2 negotiations in progress: 0

        Flags: IKE SA is created

    root@SRX220> show log kmd-logs
    Apr 25 08:21:05  SRX220 kmd[1283]: IKE negotiation failed with error: SA unusable. IKE Version: 1, VPN: IPSEC-VPN Gateway: IKE-GATEWAY, Local: 192.168.1.5/500, Remote: 33.12.22.1/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0

     



  • 2.  RE: IKE negotiation failed with error: SA unusable - VPN SRX BEHIND NAT DEVICE

    Posted 04-30-2017 03:40

     

    These networks are overlapping: the local segment you declare is also inside the remote segment. This is not a valid configuration.

     

                    proxy-identity {

                        local 10.32.197.64/28;

                        remote 10.0.0.0/8;

     

     
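The overlap that the reply above points out can be checked mechanically. The following Python script is an added example and is not part of this thread or of Junos: it parses a proxy-identity stanza (the sample text is copied from the original post's configuration), classifies how the two prefixes relate, and, assuming the intent is to keep 10.0.0.0/8 as the remote side, lists the prefixes that remain once the local /28 is carved out. The function names (parse_proxy_identity, check_proxy_identity, remote_without_local) are my own.

```python
import ipaddress
import re

# Sample proxy-identity stanza, taken from the configuration in the original post.
SAMPLE_VPN_CONFIG = """
vpn IPSEC-VPN {
    bind-interface st0.0;
    ike {
        gateway IKE-GATEWAY;
        proxy-identity {
            local 10.32.197.64/28;
            remote 10.0.0.0/8;
            service any;
        }
        ipsec-policy IPSEC-POLICY;
    }
}
"""

# Matches the "local <prefix>;" and "remote <prefix>;" lines of a proxy-identity stanza
# (the "\s+" after the keyword keeps "local-identity ..." lines from matching).
PROXY_ID_RE = re.compile(r"^\s*(local|remote)\s+(\S+?);\s*$", re.MULTILINE)


def parse_proxy_identity(config_text):
    """Return (local, remote) as ip_network objects from a proxy-identity stanza."""
    found = dict(PROXY_ID_RE.findall(config_text))
    missing = {"local", "remote"} - set(found)
    if missing:
        raise ValueError("proxy-identity is missing: " + ", ".join(sorted(missing)))
    # strict=True rejects a prefix with host bits set, which Junos would also refuse to commit.
    return (ipaddress.ip_network(found["local"], strict=True),
            ipaddress.ip_network(found["remote"], strict=True))


def check_proxy_identity(local, remote):
    """Classify the relationship between the two proxy-ID prefixes.

    Two CIDR prefixes either coincide, nest, or are disjoint; a partial overlap
    is impossible, so these four verdicts are exhaustive.
    """
    if local == remote:
        return "identical"
    if local.subnet_of(remote):
        return "local-inside-remote"
    if remote.subnet_of(local):
        return "remote-inside-local"
    return "disjoint"


def remote_without_local(local, remote):
    """Prefixes that cover `remote` with `local` carved out (empty unless local nests in remote)."""
    if not local.subnet_of(remote):
        return []
    return sorted(remote.address_exclude(local))


if __name__ == "__main__":
    local, remote = parse_proxy_identity(SAMPLE_VPN_CONFIG)
    verdict = check_proxy_identity(local, remote)
    print(f"local {local} vs remote {remote}: {verdict}")
    if verdict == "local-inside-remote":
        remainder = remote_without_local(local, remote)
        print(f"{len(remainder)} prefixes cover {remote} without {local}:")
        for net in remainder:
            print("  ", net)
```

Run against the posted stanza it reports local-inside-remote; the carve-out produces one prefix per bit between /8 and /28, so a clean fix is usually a narrower remote prefix that excludes the local LAN rather than twenty proxy-IDs.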



  • 3.  RE: IKE negotiation failed with error: SA unusable - VPN SRX BEHIND NAT DEVICE

    Posted 05-03-2017 03:08

    Hi 



  • 4.  RE: IKE negotiation failed with error: SA unusable - VPN SRX BEHIND NAT DEVICE

    Posted 05-03-2017 23:30

    Hi,

     

    The first thing that you need to configure is the local identity of the device in the IKE gateway, since you are doing NAT on another device.

    set security ike gateway IKE-GATEWAY local-identity inet 192.168.1.5

     

    regards,

    Guru Prasad



  • 5.  RE: IKE negotiation failed with error: SA unusable - VPN SRX BEHIND NAT DEVICE

    Posted 05-06-2017 17:42

    Thanks Guru Prasad,

    but when I change it to "set security ike gateway IKE-GATEWAY local-identity inet 192.168.1.5", the log says:

    IKE negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: IPSEC-VPN Gateway: IKE-GATEWAY, Local: 192.168.1.5/500, Remote: 33.12.22.1/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0

    regards,

    Junvin



  • 6.  RE: IKE negotiation failed with error: SA unusable - VPN SRX BEHIND NAT DEVICE

    Posted 05-06-2017 23:06

    Hi Junvin,

     

    Thank you for posting your query here.

     

    I looked through the original post you made and found that the IKE SA is UP in the output of "show security ike security-associations detail". Please confirm whether both phase 1 and phase 2 were not coming up, or only phase 2.

     

    Now, coming to the error you got after changing the local identity from test-bk0 to the IP address 192.168.1.5: it looks like some attribute sent from our side in the first packet was not accepted by the peer. Could you please check the settings below on the peer side and compare them with the settings on the SRX:

     

    1. Phase 1 and 2 proposals
    2. Value in the Identity (ID) payload expected by the peer (IP address or hostname)

    If they match the settings on the SRX, then we will need IKE traceoptions on the SRX side to proceed further. You can configure them using the commands below:

     

    #set security ike traceoptions file ike-trace

    #set security ike traceoptions flag all 

    #commit

     

    Hope this helps. 🙂

     

    Thanks and Regards,

    Pulkit Bhandari

     



  • 7.  RE: IKE negotiation failed with error: SA unusable - VPN SRX BEHIND NAT DEVICE

    Posted 05-11-2017 20:57

    Hi PulkitB,
    Thanks for your response. I did a careful check as you recommended for days, but it still looks like there is something wrong in the settings, as "No proposal chosen" occurs at IKE (Phase 1). Is there any problem with the behind-NAT configuration?
    Here is my configuration on the SSG; I also attached an ike-trace log file:
    set interfaces st0.10 description "DL test"
    set interfaces st0.10 family inet mtu 1400
    set security zones security-zone Untrust interfaces st0.10
    set security ike policy test-bk0 mode aggressive
    set security ike policy test-bk0 description "DL test"
    set security ike policy test-bk0 proposal-set standard
    set security ike policy test-bk0 pre-shared-key ascii-text dl-test-bk0-123
    set security ike gateway test-bk0 ike-policy test-bk0
    set security ike gateway test-bk0 dynamic hostname test-bk0
    set security ike gateway test-bk0 external-interface reth0.101
    set security ipsec vpn test-bk0 bind-interface st0.10
    set security ipsec vpn test-bk0 vpn-monitor destination-ip 10.32.197.65
    set security ipsec vpn test-bk0 vpn-monitor optimized
    set security ipsec vpn test-bk0 vpn-monitor source-interface reth0.102
    set security ipsec vpn test-bk0 ike gateway test-bk0
    set security ipsec vpn test-bk0 ike ipsec-policy phase2
    set security ipsec vpn test-bk0 establish-tunnels immediately
    set routing-options static route 10.32.197.64/28 qualified-next-hop st0.10 preference 8

     

    Regards,

    Junvin. 

     

    Attachment: ike-trace_log.txt (txt, 12 KB)


  • 8.  RE: IKE negotiation failed with error: SA unusable - VPN SRX BEHIND NAT DEVICE

    Posted 05-12-2017 23:54

    Hi Junvin,

     

     

    I checked the traceoptions and it looks like the issue is with the packet 1 exchange itself.

     

    But as per the configuration, the phase 1 proposal seems to be the same on the SRX as well as the SSG firewall. The only thing I now suspect is the pre-shared key. Is it possible for you to change the pre-shared key on both ends and then see if it works?

     

    If it still does not work, please use the command below and get the ike-trace once again on the SRX:

    > request security ike debug-enable local <local_peer_ip> remote <remote_peer_ip> level 12

     

    Hope this helps.

     

    Thanks and Regards,

    Pulkit Bhandari 

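Several replies in this thread turn on reading the "IKE negotiation failed" lines in kmd-logs. The Python helper below is an added example (mine, not from the thread or from Junos): it parses those records into fields, counts them per VPN and error so a repeating cause stands out, and attaches the likely cause the replies above associate with each error. The sample lines are constructed: the first two are modelled on the messages quoted in the thread, the third is filler that the parser should ignore. The LIKELY_CAUSES table is my summary of the thread's advice, not a Junos reference, and the function names are my own.

```python
import re
from collections import Counter

# Constructed sample log lines, modelled on the kmd-logs messages quoted in this thread.
SAMPLE_KMD_LOGS = """\
Apr 25 08:21:05  SRX220 kmd[1283]: IKE negotiation failed with error: SA unusable. IKE Version: 1, VPN: IPSEC-VPN Gateway: IKE-GATEWAY, Local: 192.168.1.5/500, Remote: 33.12.22.1/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
May  6 10:02:11  SRX220 kmd[1283]: IKE negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: IPSEC-VPN Gateway: IKE-GATEWAY, Local: 192.168.1.5/500, Remote: 33.12.22.1/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
May  6 10:02:30  SRX220 kmd[1283]: constructed filler line that is not a negotiation failure
"""

# Field layout of the failure message exactly as it appears in the thread's kmd-logs output.
FAILURE_RE = re.compile(
    r"^(?P<timestamp>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+kmd\[(?P<pid>\d+)\]: "
    r"IKE negotiation failed with error: (?P<error>.+?)\. "
    r"IKE Version: (?P<ike_version>\d), VPN: (?P<vpn>\S+) Gateway: (?P<gateway>\S+), "
    r"Local: (?P<local>\S+), Remote: (?P<remote>\S+), "
    r"Local IKE-ID: (?P<local_id>.+?), Remote IKE-ID: (?P<remote_id>.+?), VR-ID: (?P<vr_id>\d+)\s*$"
)

# My summary of the causes the replies in this thread associate with each error (not a Junos reference).
LIKELY_CAUSES = {
    "SA unusable": "proxy-identity prefixes overlap (local inside remote) or phase 2 proposals differ",
    "No proposal chosen": "phase 1/2 proposal, ID payload type (address vs hostname) or pre-shared key mismatch",
}


def parse_kmd_failures(log_text):
    """Return one dict of named fields per 'IKE negotiation failed' line; other lines are skipped."""
    failures = []
    for line in log_text.splitlines():
        m = FAILURE_RE.match(line)
        if m:
            failures.append(m.groupdict())
    return failures


def summarize(failures):
    """Count failures per (vpn, error) so a repeating cause stands out."""
    return Counter((f["vpn"], f["error"]) for f in failures)


def triage(failure):
    """Attach the thread's suggested cause; errors the table does not know are reported as such."""
    cause = LIKELY_CAUSES.get(failure["error"])
    if cause is None:
        return f"unrecognised error '{failure['error']}' - collect IKE traceoptions"
    return f"{failure['error']} on {failure['vpn']} via {failure['gateway']}: {cause}"


if __name__ == "__main__":
    failures = parse_kmd_failures(SAMPLE_KMD_LOGS)
    for (vpn, error), n in summarize(failures).items():
        print(f"{n}x {error} on {vpn}")
    for f in failures:
        print(triage(f))
```

Feed it the output of "show log kmd-logs" saved to a file; the Local and Remote fields also make it easy to notice when the port changes from 500 to 4500, which is the NAT-T shift visible in the SA detail output earlier in this thread.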