SRX Services Gateway

IPSEC between SRX and Fortinet not coming up

05-04-2020 12:07 AM

Hi Team,

I'm new to IPsec and am trying to set up an IPsec VPN between a Fortinet and an SRX, but it is not working. I captured packets and found that the SRX is not initiating IKE communication. The configuration and topology are below. Phase 1 is not coming up. Please help.

[Topology diagram: TOPO.PNG (image not reproduced)]


set system root-authentication encrypted-password "$1$CBYD0bv7$aJZtFlHQHZcjMDDi5F9ab1"
set system services ssh
set system services web-management http interface ge-0/0/0.0
set system services web-management http interface ge-0/0/1.0
set system services web-management https pki-local-certificate 12345
set system services web-management https interface ge-0/0/1.0
set system syslog user * any emergency
set system syslog file messages any any
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set interfaces ge-0/0/0 unit 0
set interfaces ge-0/0/1 description TO_FORTINET
set interfaces ge-0/0/1 unit 0 family inet address 192.168.86.3/24
set interfaces ge-0/0/2 description TO_R4
set interfaces ge-0/0/2 unit 0 family inet address 23.0.0.1/24
set interfaces st0 unit 0 family inet
set routing-options static route 2.2.2.2/32 next-hop 23.0.0.2
set security ike traceoptions file IKE
set security ike traceoptions file size 10k
set security ike traceoptions file files 2
set security ike traceoptions flag all
set security ike proposal AES256-SHA256-DH2 authentication-method pre-shared-keys
set security ike proposal AES256-SHA256-DH2 dh-group group2
set security ike proposal AES256-SHA256-DH2 authentication-algorithm sha-256
set security ike proposal AES256-SHA256-DH2 encryption-algorithm des-cbc
set security ike proposal AES256-SHA256-DH2 lifetime-seconds 28800
set security ike policy ike01-DUB-Three mode aggressive
set security ike policy ike01-DUB-Three proposals AES256-SHA256-DH2
set security ike policy ike01-DUB-Three pre-shared-key ascii-text "$9$b9soJUjHm5QDjp01RSyoJZGqm69At0B"
set security ike gateway ike01-DUB-Three ike-policy ike01-DUB-Three
set security ike gateway ike01-DUB-Three address 192.168.86.4
set security ike gateway ike01-DUB-Three local-identity inet 192.168.86.3
set security ike gateway ike01-DUB-Three external-interface ge-0/0/1.0
set security ike gateway ike01-DUB-Three version v2-only
set security ipsec proposal AES256-SHA256-PFS protocol esp
set security ipsec proposal AES256-SHA256-PFS authentication-algorithm hmac-sha1-96
set security ipsec proposal AES256-SHA256-PFS encryption-algorithm des-cbc
set security ipsec proposal AES256-SHA256-PFS lifetime-seconds 3600
set security ipsec policy ipsec01-DUB-Three perfect-forward-secrecy keys group2
set security ipsec policy ipsec01-DUB-Three proposals AES256-SHA256-PFS
set security ipsec vpn vpn01-DUB-Three bind-interface st0.0
set security ipsec vpn vpn01-DUB-Three df-bit clear
set security ipsec vpn vpn01-DUB-Three ike gateway ike01-DUB-Three
set security ipsec vpn vpn01-DUB-Three ike proxy-identity local 1.1.1.1/32
set security ipsec vpn vpn01-DUB-Three ike proxy-identity service any
set security ipsec vpn vpn01-DUB-Three ike ipsec-policy ipsec01-DUB-Three
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood queue-size 2000
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security zones security-zone trust tcp-rst
set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic system-services ping
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services http
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services telnet
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services http
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services snmp
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services ike


config vpn ipsec phase1-interface
edit "ike01-DUB-Three"
set interface "port2"
set ike-version 2
set local-gw 192.168.86.4
set keylife 28800
set peertype any
set net-device disable
set proposal des-md5 des-sha256
set comments "ike01-DUB-Three"
set dhgrp 2
set remote-gw 192.168.86.3
set psksecret ENC aGBmGGUZbROTSqjPLFzg6E5DGdFjhYuySFrv99s0NsQ3cJvYzW9sjkEANCZ22HyyNTLY+qnDMWxuE6xPKKu8FAnCO11UggEOQWKSH4gfZIl8jEl8u/dZ1Xc/ChSPaGXT7Ch/mFpQwkoR/HX/2CpOc8IDiQ806LhcyQ4edqlLrzTm+A+G/02qHXipb+bYiUUwA7uhpg==
next
end

FORTINET # show vpn ipsec phase2-interface
config vpn ipsec phase2-interface
edit "ike01-DUB-Three"
set phase1name "ike01-DUB-Three"
set proposal des-md5 des-sha1
set pfs disable
set comments "ike01-DUB-Three"
set src-addr-type ip
set dst-addr-type ip
set keylifeseconds 3600
set src-start-ip 1.1.1.1
set dst-start-ip 2.2.2.2
next
end

7 REPLIES

Re: IPSEC between SRX and Fortinet not coming up

05-04-2020 01:11 AM

There is no aggressive mode in IKEv2. Try the steps below and update us:

> Remove aggressive mode config

> Remove PFS config from SRX side. Fortinet side it is disabled

> Remove proxy-identity config from SRX side

> Assign st0.0 interface to a security zone.

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: IPSEC between SRX and Fortinet not coming up

05-04-2020 01:54 AM

Hi Nellikka,

Thanks for your quick response.

I have done the changes you mentioned below, but it is still not working. Please find the latest configuration and IKE debug traces below.

> Remove aggressive mode config--------------------------------Removed

> Remove PFS config from SRX side. Fortinet side it is disabled-----------------------Removed

> Remove proxy-identity config from SRX side--------------While using traffic-selector I get the error "IKEv2 does not support traffic-selectors"; that's why I am using proxy-identity for traffic selection

> Assign st0.0 interface to a security zone.---------------Assigned to security zone

set system root-authentication encrypted-password "$1$CBYD0bv7$aJZtFlHQHZcjMDDi5F9ab1"
set system services ssh
set system services web-management http interface ge-0/0/0.0
set system services web-management http interface ge-0/0/1.0
set system services web-management https pki-local-certificate 12345
set system services web-management https interface ge-0/0/1.0
set system syslog user * any emergency
set system syslog file messages any any
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set interfaces ge-0/0/0 unit 0
set interfaces ge-0/0/1 description TO_FORTINET
set interfaces ge-0/0/1 unit 0 family inet address 192.168.86.3/24
set interfaces ge-0/0/2 description TO_R4
set interfaces ge-0/0/2 unit 0 family inet address 23.0.0.1/24
set interfaces st0 unit 0 family inet
set routing-options static route 2.2.2.2/32 next-hop 23.0.0.2
set security ike traceoptions file IKE
set security ike traceoptions file size 10k
set security ike traceoptions file files 2
set security ike traceoptions flag all
set security ike proposal AES256-SHA256-DH2 authentication-method pre-shared-keys
set security ike proposal AES256-SHA256-DH2 dh-group group2
set security ike proposal AES256-SHA256-DH2 authentication-algorithm sha-256
set security ike proposal AES256-SHA256-DH2 encryption-algorithm des-cbc
set security ike proposal AES256-SHA256-DH2 lifetime-seconds 28800
set security ike policy ike01-DUB-Three proposals AES256-SHA256-DH2
set security ike policy ike01-DUB-Three pre-shared-key ascii-text "$9$b9soJUjHm5QDjp01RSyoJZGqm69At0B"
set security ike gateway ike01-DUB-Three ike-policy ike01-DUB-Three
set security ike gateway ike01-DUB-Three address 192.168.86.4
set security ike gateway ike01-DUB-Three local-identity inet 192.168.86.3
set security ike gateway ike01-DUB-Three external-interface ge-0/0/1.0
set security ike gateway ike01-DUB-Three version v2-only
set security ipsec proposal AES256-SHA256-PFS protocol esp
set security ipsec proposal AES256-SHA256-PFS authentication-algorithm hmac-sha1-96
set security ipsec proposal AES256-SHA256-PFS encryption-algorithm des-cbc
set security ipsec proposal AES256-SHA256-PFS lifetime-seconds 3600
set security ipsec policy ipsec01-DUB-Three proposals AES256-SHA256-PFS
set security ipsec vpn vpn01-DUB-Three bind-interface st0.0
set security ipsec vpn vpn01-DUB-Three df-bit clear
set security ipsec vpn vpn01-DUB-Three ike gateway ike01-DUB-Three
set security ipsec vpn vpn01-DUB-Three ike proxy-identity local 1.1.1.1/32
set security ipsec vpn vpn01-DUB-Three ike proxy-identity remote 2.2.2.2/32
set security ipsec vpn vpn01-DUB-Three ike proxy-identity service any
set security ipsec vpn vpn01-DUB-Three ike ipsec-policy ipsec01-DUB-Three
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood queue-size 2000
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security zones security-zone trust tcp-rst
set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic system-services ping
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services http
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services telnet
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services http
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services snmp
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces st0.0 host-inbound-traffic system-services all

[May 4 05:55:43]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is a8, reclen = 32 **
[May 4 05:55:43]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is cc, reclen = 0 **
[May 4 05:55:43]Deleting existing ipsec trace cfg with key: 16777216

[May 4 05:55:43]iked_ipsec_trace_flag_update: Successfully added ipsec trace config with key 0x1
[May 4 05:55:43]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 0, reclen = -1078471800 **
[May 4 05:55:43]No SPUs are operational, returning.
[May 4 05:55:43]iked_spu_sync_config_add this is SEC ASSOC on RE/complete, add it to the list
[May 4 05:55:43]Config download: Processed 7 - 8 messages
[May 4 05:55:43]Config download time: 0 secs
[May 4 05:55:43]iked_config_process_config_list, configuration diff complete
[May 4 05:58:43]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 0, reclen = 143028240 **
[May 4 05:58:43]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is c, reclen = 143028240 **
[May 4 05:58:43]kmd_iked_cfgbuf_addrec: 432: record IPSEC_SA_TYPE, reclen = 380
[May 4 05:58:43]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 17c, reclen = -1876615776 **
[May 4 05:58:43]kmd_iked_cfgbuf_addrec: 440: record TRAFFIC_SELECTOR, reclen = 168
[May 4 05:58:43]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is a8, reclen = 32 **
[May 4 05:58:43]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is cc, reclen = 0 **
[May 4 05:58:43]Deleting existing ipsec trace cfg with key: 16777216

[May 4 05:58:43]iked_ipsec_trace_flag_update: Successfully added ipsec trace config with key 0x1
[May 4 05:58:43]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 0, reclen = -1078471800 **
[May 4 05:58:43]No SPUs are operational, returning.
[May 4 05:58:43]iked_spu_sync_config_add this is SEC ASSOC on RE/complete, add it to the list
[May 4 05:58:43]Config download: Processed 8 - 9 messages
[May 4 05:58:43]Config download time: 0 secs
[May 4 05:58:43]iked_config_process_config_list, configuration diff complete
[May 4 06:49:36]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 0, reclen = 143028240 **
[May 4 06:49:36]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is c, reclen = 143028240 **
[May 4 06:49:36]Error: Unknown record, type = 25

[May 4 06:49:36]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 40, reclen = -1876617120 **
[May 4 06:49:36]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 41c, reclen = -1876616672 **
[May 4 06:49:36]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 4, reclen = 0 **
[May 4 06:49:36]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 0, reclen = -1078471800 **
[May 4 06:49:36]No SPUs are operational, returning.
[May 4 06:49:36]Config download: Processed 9 - 10 messages
[May 4 06:49:36]Config download time: 0 secs
[May 4 06:49:36]iked_config_process_config_list, configuration diff complete
[May 4 08:30:46]iked_spu_sync_config_add this is SEC ASSOC on RE/complete, add it to the list
[May 4 08:30:46]Config download: Processed 1 - 1 messages
[May 4 08:30:46]Config download time: 0 secs
[May 4 08:30:46]iked_ts_config_template_clean_up_all_gt_gi Failed to find sa_cfg vpn01-DUB-Three
[May 4 08:30:46]Creating PM instance for service_set: root
[May 4 08:30:47]ssh_ike_init: Start
[May 4 08:30:47]ssh_ike_init: params->ignore_cr_payloads = FALSE
[May 4 08:30:47]ssh_ike_init: params->no_key_hash_payload = FALSE
[May 4 08:30:47]ssh_ike_init: params->no_cr_payloads = FALSE
[May 4 08:30:47]ssh_ike_init: params->do_not_send_crls = FALSE
[May 4 08:30:47]ssh_ike_init: params->send_full_chains = FALSE
[May 4 08:30:47]ssh_ike_init: params->trust_icmp_messages = FALSE
[May 4 08:30:47]ssh_ike_init: params->spi_size = 0
[May 4 08:30:47]ssh_ike_init: params->zero_spi = TRUE
[May 4 08:30:47]ssh_ike_init: params->max_key_length = 512
[May 4 08:30:47]ssh_ike_init: params->max_isakmp_sa_count = 8192
[May 4 08:30:47]Obsolete parameter length_of_local_secret is not set to zero in ssh_ike_init
[May 4 08:30:47]Obsolete parameter token_hash_type is not set to zero in ssh_ike_init
[May 4 08:30:47]ssh_ike_create_system: params->randomizers_default_cnt = 1
[May 4 08:30:47]ssh_ike_create_system: params->randomizers_default_max_cnt = 64
[May 4 08:30:47]ssh_ike_create_system: params->randomizers_default_retry = 2
[May 4 08:30:47]ssh_ike_create_system: params->randomizers_private_cnt = 1
[May 4 08:30:47]ssh_ike_create_system: params->randomizers_private_max_cnt = 16
[May 4 08:30:47]ssh_ike_create_system: params->randomizers_private_retry = 2
[May 4 08:30:47]ssh_ike_attach_audit_context: Attaching a new audit context
[May 4 08:30:47]ssh_ike_init: params->base_retry_limit = 5
[May 4 08:30:47]ssh_ike_init: params->base_retry_timer = 10.000000
[May 4 08:30:47]ssh_ike_init: params->base_retry_timer_max = 150.000000
[May 4 08:30:47]ssh_ike_init: params->base_expire_timer = 180.000000
[May 4 08:30:47]ssh_ike_init: params->extended_retry_limit = 5
[May 4 08:30:47]ssh_ike_init: params->extended_retry_timer = 5.000000
[May 4 08:30:47]ssh_ike_init: params->extended_retry_timer_max = 300.000000
[May 4 08:30:47]ssh_ike_init: params->extended_expire_timer = 240.000000
[May 4 08:30:47]ssh_ikev2_fallback_create: FB; v1 policy manager 8c33900 started
[May 4 08:30:47]ssh_ikev2_fallback_attach: FB; v1 policy manager 8c33900 attached to server 8ced500
[May 4 08:30:47]iked_config_process_config_list, configuration diff complete
[May 4 08:30:47]IKED-PKID-IPC
[May 4 08:30:47]kmd_rpd_init
[May 4 08:30:47]rpd session connected
[May 4 08:30:47]iked_spu_ha_ipc_get_server_addr, server tnp addr (standalone): 0x1, ISSU pending=no
[May 4 08:30:48]KMD_INTERNAL_ERROR: iked_ifstate_eoc_handler: EOC msg received
[May 4 08:30:48]kmd_rpd_cb_session_connect
[May 4 08:30:48]kmd_rpd_cb_session_connect: rpd session established
[May 4 08:30:48]kmd_rpd_db_read
[May 4 08:30:48]kmd_rpd_db_read: gw handle 38
[May 4 08:30:48]kmd_rpd_cb_protocol_register gw handle 0 return code 1
[May 4 08:30:48]kmd_rpd_cb_protocol_register:Failed to register with rpd rc 1
[May 4 08:30:48]kmd_rpd_db_write
[May 4 08:30:48]kmd_rpd_shutdown_session
[May 4 08:30:53]kmd_rpd_init
[May 4 08:30:53]rpd session connected
[May 4 08:30:53]kmd_rpd_cb_session_connect
[May 4 08:30:53]kmd_rpd_cb_session_connect: rpd session established
[May 4 08:30:53]kmd_rpd_db_write
[May 4 08:30:53]kmd_rpd_cb_protocol_register gw handle 39 return code 0
[May 4 08:30:53]kmd_rpd_db_write
[May 4 08:30:53]kmd_rpd_refresh_routes
[May 4 08:31:10]iked_process_ifl_ext_add: ifl tunnel-id lookup failed for ifl ge-0/0/0.0
[May 4 08:31:11]Couldn't get the zone information for interface ext st0, error No such file or directory
[May 4 08:31:14]iked_process_ifl_ext_add: ifl tunnel-id lookup failed for ifl ge-0/0/2.0
[May 4 08:34:05]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 0, reclen = 143028240 **
[May 4 08:34:05]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is c, reclen = 143028240 **
[May 4 08:34:05]kmd_iked_cfgbuf_addrec: 432: record IPSEC_SA_TYPE, reclen = 380
[May 4 08:34:05]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 17c, reclen = -1876606944 **
[May 4 08:34:05]kmd_iked_cfgbuf_addrec: 440: record TRAFFIC_SELECTOR, reclen = 168
[May 4 08:34:05]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is a8, reclen = 32 **
[May 4 08:34:05]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is cc, reclen = 0 **
[May 4 08:34:05]Deleting existing ipsec trace cfg with key: 16777216

[May 4 08:34:05]iked_ipsec_trace_flag_update: Successfully added ipsec trace config with key 0x1
[May 4 08:34:05]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 0, reclen = -1078471800 **
[May 4 08:34:05]No SPUs are operational, returning.
[May 4 08:34:05]iked_spu_sync_config_add this is SEC ASSOC on RE/complete, add it to the list
[May 4 08:34:05]Config download: Processed 1 - 2 messages
[May 4 08:34:05]Config download time: 0 secs
[May 4 08:34:05]iked_config_process_config_list, configuration diff complete
[May 4 08:35:35]In iked_sa_config_install Adding GENCFG msg with key; Tunnel = 131073, SPI-In = 0x0
[May 4 08:35:35]Successfully added SA Config
[May 4 08:37:08]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 0, reclen = 143028240 **
[May 4 08:37:08]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is c, reclen = 143028240 **
[May 4 08:37:08]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 168, reclen = -1876615520 **
[May 4 08:37:08]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 48, reclen = -1078474165 **
[May 4 08:37:08]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is cc, reclen = 0 **
[May 4 08:37:08]Deleting existing ipsec trace cfg with key: 16777216

[May 4 08:37:08]iked_ipsec_trace_flag_update: Successfully added ipsec trace config with key 0x1
[May 4 08:37:08]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 0, reclen = -1078471800 **
[May 4 08:37:08]No SPUs are operational, returning.
[May 4 08:37:08]iked_spu_sync_config_add this is SEC ASSOC on RE/complete, add it to the list
[May 4 08:37:08]Config download: Processed 2 - 3 messages
[May 4 08:37:08]Config download time: 0 secs
[May 4 08:37:08]iked_config_process_config_list, configuration diff complete
[May 4 08:38:07]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 0, reclen = 143028240 **
[May 4 08:38:07]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is c, reclen = 143028240 **
[May 4 08:38:07]Error: Unknown record, type = 25

[May 4 08:38:07]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 168, reclen = -1876616416 **
[May 4 08:38:07]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 48, reclen = -1078474165 **
[May 4 08:38:07]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 4, reclen = 0 **
[May 4 08:38:07]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 0, reclen = -1078471800 **
[May 4 08:38:07]No SPUs are operational, returning.
[May 4 08:38:07]Config download: Processed 3 - 4 messages
[May 4 08:38:07]Config download time: 0 secs
[May 4 08:38:07]iked_config_process_config_list, configuration diff complete

root> ping 192.168.86.4
PING 192.168.86.4 (192.168.86.4): 56 data bytes
64 bytes from 192.168.86.4: icmp_seq=0 ttl=255 time=13.466 ms
64 bytes from 192.168.86.4: icmp_seq=1 ttl=255 time=7.005 ms
64 bytes from 192.168.86.4: icmp_seq=2 ttl=255 time=6.879 ms
64 bytes from 192.168.86.4: icmp_seq=3 ttl=255 time=11.194 ms
64 bytes from 192.168.86.4: icmp_seq=4 ttl=255 time=7.379 ms
64 bytes from 192.168.86.4: icmp_seq=5 ttl=255 time=8.763 ms

Solution accepted by topic author Sunil_Sandhu, 05-05-2020 10:10 PM

Re: IPSEC between SRX and Fortinet not coming up

05-04-2020 02:55 AM

Do the config below and update us:

set security ipsec vpn vpn01-DUB-Three establish-tunnels immediately

set security ipsec vpn vpn01-DUB-Three ike proxy-identity local 2.2.2.2/32
set security ipsec vpn vpn01-DUB-Three ike proxy-identity remote 1.1.1.1/32

show security ike security-associations

show security ipsec security-associations 

show security ipsec security-associations detail

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
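The checks in Nellikka's two replies (aggressive mode configured on a v2-only gateway, PFS enabled on the SRX but disabled on the FortiGate, and proxy identities that must mirror the FortiGate's src/dst selectors) can be run mechanically against both configs before touching the boxes. The script below is an added example, not code from this thread, Juniper or Fortinet: it parses constructed excerpts of the two configurations pasted in the thread, reports each mismatch, and then applies the accepted answer's changes to show the findings clear. The function names, the finding codes and the Junos-to-FortiOS algorithm mapping tables are my own. One thing the checker does not flag but a reviewer should: both sides negotiate single DES (`des-cbc` / `des-*`) despite the proposal being named AES256, and 56-bit DES should not be used for a production tunnel.

```python
"""Cross-check an SRX (Junos set-style) and a FortiGate (FortiOS) IPsec config
for the interop mismatches discussed in this thread."""
import re
# Constructed excerpts of the configs pasted in the thread: only the statements
# the checker inspects (proxy-identity remote taken from the second SRX paste).
SRX_CONFIG = """
set security ike proposal AES256-SHA256-DH2 dh-group group2
set security ike proposal AES256-SHA256-DH2 authentication-algorithm sha-256
set security ike proposal AES256-SHA256-DH2 encryption-algorithm des-cbc
set security ike policy ike01-DUB-Three mode aggressive
set security ike gateway ike01-DUB-Three version v2-only
set security ipsec proposal AES256-SHA256-PFS authentication-algorithm hmac-sha1-96
set security ipsec proposal AES256-SHA256-PFS encryption-algorithm des-cbc
set security ipsec policy ipsec01-DUB-Three perfect-forward-secrecy keys group2
set security ipsec vpn vpn01-DUB-Three ike proxy-identity local 1.1.1.1/32
set security ipsec vpn vpn01-DUB-Three ike proxy-identity remote 2.2.2.2/32
"""
FORTI_CONFIG = """
config vpn ipsec phase1-interface
    set ike-version 2
    set proposal des-md5 des-sha256
    set dhgrp 2
end
config vpn ipsec phase2-interface
    set proposal des-md5 des-sha1
    set pfs disable
    set src-start-ip 1.1.1.1
    set dst-start-ip 2.2.2.2
end
"""
# Junos algorithm names -> FortiOS spelling (my own mapping; extend as needed).
SRX_ENC = {"des-cbc": "des", "3des-cbc": "3des", "aes-128-cbc": "aes128", "aes-256-cbc": "aes256"}
SRX_AUTH = {"md5": "md5", "sha1": "sha1", "sha-256": "sha256",
            "hmac-md5-96": "md5", "hmac-sha1-96": "sha1", "hmac-sha-256-128": "sha256"}
SRX_RULES = [  # (regex over a 'set security ...' line, key it fills)
    (r"ike proposal \S+ encryption-algorithm (\S+)", "ike_enc"),
    (r"ike proposal \S+ authentication-algorithm (\S+)", "ike_auth"),
    (r"ike proposal \S+ dh-group (\S+)", "ike_dh"),
    (r"ike policy \S+ mode (\S+)", "ike_mode"),
    (r"ike gateway \S+ version (\S+)", "ike_version"),
    (r"ipsec proposal \S+ encryption-algorithm (\S+)", "esp_enc"),
    (r"ipsec proposal \S+ authentication-algorithm (\S+)", "esp_auth"),
    (r"perfect-forward-secrecy keys (\S+)", "pfs"),
    (r"proxy-identity local (\S+)", "ts_local"),
    (r"proxy-identity remote (\S+)", "ts_remote"),
]

def parse_srx(text):
    """Pick the values the checker needs out of the Junos set-style text."""
    cfg = {}
    for pattern, key in SRX_RULES:
        m = re.search(pattern, text)
        cfg[key] = m.group(1) if m else None
    return cfg

def parse_forti(text):
    """Collect 'set key values...' per FortiOS section (phase1-interface, phase2-interface)."""
    sections, current = {}, None
    for words in (line.split() for line in text.splitlines()):
        if words[:1] == ["config"]:
            current = sections.setdefault(words[-1], {})
        elif words[:1] == ["set"] and current is not None:
            current[words[1]] = words[2:]
    return sections

def forti_suites(tokens):
    """FortiOS writes 'enc-integ' tokens: 'des-sha256' -> ('des', 'sha256')."""
    return {tuple(t.rsplit("-", 1)) for t in tokens}

def check(srx_text, forti_text):
    """Return the list of mismatches; any one of them keeps the tunnel down."""
    srx, forti = parse_srx(srx_text), parse_forti(forti_text)
    p1, p2 = forti.get("phase1-interface", {}), forti.get("phase2-interface", {})
    errors = []
    # 1. Aggressive mode is IKEv1-only; with 'version v2-only' it is contradictory.
    if srx["ike_version"] == "v2-only" and srx["ike_mode"] == "aggressive":
        errors.append("AGGRESSIVE_MODE_WITH_IKEV2")
    # 2. IKE SA: the SRX proposal must be among the FortiGate's, with the same DH group.
    if (SRX_ENC.get(srx["ike_enc"]), SRX_AUTH.get(srx["ike_auth"])) not in forti_suites(p1.get("proposal", [])):
        errors.append("IKE_PROPOSAL_MISMATCH")
    if srx["ike_dh"] not in {"group" + g for g in p1.get("dhgrp", [])}:
        errors.append("IKE_DH_GROUP_MISMATCH")
    # 3. Child SA: proposal must match, and PFS must be on or off on both sides.
    if (SRX_ENC.get(srx["esp_enc"]), SRX_AUTH.get(srx["esp_auth"])) not in forti_suites(p2.get("proposal", [])):
        errors.append("IPSEC_PROPOSAL_MISMATCH")
    if (srx["pfs"] is not None) != (p2.get("pfs", ["enable"])[0] == "enable"):  # FortiOS default: enable
        errors.append("PFS_MISMATCH")
    # 4. Selectors mirror each other: SRX local == FortiGate dst, SRX remote == FortiGate src.
    srx_sel = [(srx[k] or "").split("/")[0] for k in ("ts_local", "ts_remote")]
    if srx_sel != [p2.get("dst-start-ip", [""])[0], p2.get("src-start-ip", [""])[0]]:
        errors.append("TRAFFIC_SELECTOR_NOT_MIRRORED")
    return errors

def apply_accepted_answer(srx_text):
    """Drop aggressive mode and PFS and mirror the FortiGate selectors, as the accepted answer directs."""
    drop = ("mode aggressive", "perfect-forward-secrecy", "proxy-identity")
    keep = [l for l in srx_text.splitlines() if not any(s in l for s in drop)]
    keep += ["set security ipsec vpn vpn01-DUB-Three ike proxy-identity local 2.2.2.2/32",
             "set security ipsec vpn vpn01-DUB-Three ike proxy-identity remote 1.1.1.1/32"]
    return "\n".join(keep)
```

Running `check(SRX_CONFIG, FORTI_CONFIG)` on the excerpts as posted reports the aggressive-mode, PFS and traffic-selector findings and nothing for the proposals themselves (des/sha256/group2 and des/sha1 are both offered by the FortiGate); after `apply_accepted_answer` the list is empty. The selector rule is the one that is easiest to get backwards: the SRX `proxy-identity local` must equal what the FortiGate calls `dst-start-ip`, because each side names the networks from its own point of view.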

Re: IPSEC between SRX and Fortinet not coming up

05-04-2020 01:15 PM

Hi Nellikka,

I have done the changes you mentioned below, but it is still not working. Please find the results below.

set security ipsec vpn vpn01-DUB-Three establish-tunnels immediately---------------Configured

set security ipsec vpn vpn01-DUB-Three ike proxy-identity local 2.2.2.2/32----------Configured
set security ipsec vpn vpn01-DUB-Three ike proxy-identity remote 1.1.1.1/32--------------Configured

root> show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
2089264 DOWN b6f334ca1da64432 0000000000000000 IKEv2 192.168.86.4

root>

root> show security ipsec security-associations
Total active tunnels: 0

root>

root> show security ipsec security-associations detail

root>

Please find below the latest IPsec configuration and IKE traces:

set system root-authentication encrypted-password "$1$CBYD0bv7$aJZtFlHQHZcjMDDi5F9ab1"
set system services ssh
set system services web-management http interface ge-0/0/0.0
set system services web-management http interface ge-0/0/1.0
set system services web-management https pki-local-certificate 12345
set system services web-management https interface ge-0/0/1.0
set system syslog user * any emergency
set system syslog file messages any any
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set interfaces ge-0/0/0 unit 0
set interfaces ge-0/0/1 description TO_FORTINET
set interfaces ge-0/0/1 unit 0 family inet address 192.168.86.3/24
set interfaces ge-0/0/2 description TO_R4
set interfaces ge-0/0/2 unit 0 family inet address 23.0.0.1/24
set interfaces st0 unit 0 family inet
set routing-options static route 2.2.2.2/32 next-hop 23.0.0.2
set security ike traceoptions file IKE
set security ike traceoptions file size 10k
set security ike traceoptions file files 2
set security ike traceoptions flag all
set security ike proposal AES256-SHA256-DH2 authentication-method pre-shared-keys
set security ike proposal AES256-SHA256-DH2 dh-group group2
set security ike proposal AES256-SHA256-DH2 authentication-algorithm sha-256
set security ike proposal AES256-SHA256-DH2 encryption-algorithm des-cbc
set security ike proposal AES256-SHA256-DH2 lifetime-seconds 28800
set security ike policy ike01-DUB-Three proposals AES256-SHA256-DH2
set security ike policy ike01-DUB-Three pre-shared-key ascii-text "$9$b9soJUjHm5QDjp01RSyoJZGqm69At0B"
set security ike gateway ike01-DUB-Three ike-policy ike01-DUB-Three
set security ike gateway ike01-DUB-Three address 192.168.86.4
set security ike gateway ike01-DUB-Three local-identity inet 192.168.86.3
set security ike gateway ike01-DUB-Three external-interface ge-0/0/1.0
set security ike gateway ike01-DUB-Three version v2-only
set security ipsec proposal AES256-SHA256-PFS protocol esp
set security ipsec proposal AES256-SHA256-PFS authentication-algorithm hmac-sha1-96
set security ipsec proposal AES256-SHA256-PFS encryption-algorithm des-cbc
set security ipsec proposal AES256-SHA256-PFS lifetime-seconds 3600
set security ipsec policy ipsec01-DUB-Three proposals AES256-SHA256-PFS
set security ipsec vpn vpn01-DUB-Three bind-interface st0.0
set security ipsec vpn vpn01-DUB-Three df-bit clear
set security ipsec vpn vpn01-DUB-Three ike gateway ike01-DUB-Three
set security ipsec vpn vpn01-DUB-Three ike proxy-identity local 1.1.1.1/32
set security ipsec vpn vpn01-DUB-Three ike proxy-identity remote 2.2.2.2/32
set security ipsec vpn vpn01-DUB-Three ike proxy-identity service any
set security ipsec vpn vpn01-DUB-Three ike ipsec-policy ipsec01-DUB-Three
set security ipsec vpn vpn01-DUB-Three establish-tunnels immediately
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood queue-size 2000
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security zones security-zone trust tcp-rst
set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic system-services ping
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services http
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services telnet
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services http
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services snmp
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces st0.0 host-inbound-traffic system-services all

root> show log IKE
[May 4 19:57:44]Config download time: 0 secs
[May 4 19:57:44]iked_ts_config_template_clean_up_all_gt_gi Failed to find sa_cfg vpn01-DUB-Three
[May 4 19:57:44]Creating PM instance for service_set: root
[May 4 19:57:44]ssh_ike_init: Start
[May 4 19:57:44]ssh_ike_init: params->ignore_cr_payloads = FALSE
[May 4 19:57:44]ssh_ike_init: params->no_key_hash_payload = FALSE
[May 4 19:57:44]ssh_ike_init: params->no_cr_payloads = FALSE
[May 4 19:57:44]ssh_ike_init: params->do_not_send_crls = FALSE
[May 4 19:57:44]ssh_ike_init: params->send_full_chains = FALSE
[May 4 19:57:44]ssh_ike_init: params->trust_icmp_messages = FALSE
[May 4 19:57:44]ssh_ike_init: params->spi_size = 0
[May 4 19:57:44]ssh_ike_init: params->zero_spi = TRUE
[May 4 19:57:44]ssh_ike_init: params->max_key_length = 512
[May 4 19:57:44]ssh_ike_init: params->max_isakmp_sa_count = 8192
[May 4 19:57:44]Obsolete parameter length_of_local_secret is not set to zero in ssh_ike_init
[May 4 19:57:44]Obsolete parameter token_hash_type is not set to zero in ssh_ike_init
[May 4 19:57:44]ssh_ike_create_system: params->randomizers_default_cnt = 1
[May 4 19:57:44]ssh_ike_create_system: params->randomizers_default_max_cnt = 64
[May 4 19:57:44]ssh_ike_create_system: params->randomizers_default_retry = 2
[May 4 19:57:44]ssh_ike_create_system: params->randomizers_private_cnt = 1
[May 4 19:57:44]ssh_ike_create_system: params->randomizers_private_max_cnt = 16
[May 4 19:57:44]ssh_ike_create_system: params->randomizers_private_retry = 2
[May 4 19:57:44]ssh_ike_attach_audit_context: Attaching a new audit context
[May 4 19:57:44]ssh_ike_init: params->base_retry_limit = 5
[May 4 19:57:44]ssh_ike_init: params->base_retry_timer = 10.000000
[May 4 19:57:44]ssh_ike_init: params->base_retry_timer_max = 150.000000
[May 4 19:57:44]ssh_ike_init: params->base_expire_timer = 180.000000
[May 4 19:57:44]ssh_ike_init: params->extended_retry_limit = 5
[May 4 19:57:44]ssh_ike_init: params->extended_retry_timer = 5.000000
[May 4 19:57:44]ssh_ike_init: params->extended_retry_timer_max = 300.000000
[May 4 19:57:44]ssh_ike_init: params->extended_expire_timer = 240.000000
[May 4 19:57:44]ssh_ikev2_fallback_create: FB; v1 policy manager 8c33900 started
[May 4 19:57:44]ssh_ikev2_fallback_attach: FB; v1 policy manager 8c33900 attached to server 8ced500
[May 4 19:57:44]iked_config_process_config_list, configuration diff complete
[May 4 19:57:44]IKED-PKID-IPC
[May 4 19:57:44]kmd_rpd_init
[May 4 19:57:44]rpd session connected
[May 4 19:57:44]iked_spu_ha_ipc_get_server_addr, server tnp addr (standalone): 0x1, ISSU pending=no
[May 4 19:57:45]KMD_INTERNAL_ERROR: iked_ifstate_eoc_handler: EOC msg received
[May 4 19:57:45]kmd_rpd_cb_session_connect
[May 4 19:57:45]kmd_rpd_cb_session_connect: rpd session established
[May 4 19:57:45]kmd_rpd_db_read
[May 4 19:57:45]kmd_rpd_db_read: gw handle 39
[May 4 19:57:45]kmd_rpd_cb_protocol_register gw handle 3216496872 return code 1
[May 4 19:57:45]kmd_rpd_cb_protocol_register:Failed to register with rpd rc 1
[May 4 19:57:45]kmd_rpd_db_write
[May 4 19:57:45]kmd_rpd_shutdown_session
[May 4 19:57:50]kmd_rpd_init
[May 4 19:57:50]rpd session connected
[May 4 19:57:50]kmd_rpd_cb_session_connect
[May 4 19:57:50]kmd_rpd_cb_session_connect: rpd session established
[May 4 19:57:50]kmd_rpd_db_write
[May 4 19:57:50]kmd_rpd_cb_protocol_register gw handle 39 return code 0
[May 4 19:57:50]kmd_rpd_db_write
[May 4 19:57:50]kmd_rpd_refresh_routes
[May 4 19:57:54]Couldn't get the zone information for interface ge-0/0/1, error No such file or directory
[May 4 19:58:23]iked_process_ifl_ext_add: ifl tunnel-id lookup failed for ifl ge-0/0/0.0
[May 4 19:58:23]In iked_sa_config_install Adding GENCFG msg with key; Tunnel = 131073, SPI-In = 0x0
[May 4 19:58:23]Successfully added SA Config
[May 4 19:58:23]iked_process_ifl_ext_add: ifl tunnel-id lookup failed for ifl ge-0/0/2.0
[May 4 20:06:07]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 0, reclen = 143028240 **
[May 4 20:06:07]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is c, reclen = 143028240 **
[May 4 20:06:07]kmd_iked_cfgbuf_addrec: 432: record IPSEC_SA_TYPE, reclen = 380
[May 4 20:06:07]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 17c, reclen = -1876615264 **
[May 4 20:06:07]kmd_iked_cfgbuf_addrec: 440: record TRAFFIC_SELECTOR, reclen = 168
[May 4 20:06:07]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is a8, reclen = 32 **
[May 4 20:06:07]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is cc, reclen = 0 **
[May 4 20:06:07]Deleting existing ipsec trace cfg with key: 16777216

[May 4 20:06:07]iked_ipsec_trace_flag_update: Successfully added ipsec trace config with key 0x1
[May 4 20:06:07]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 0, reclen = -1078471800 **
[May 4 20:06:07]No SPUs are operational, returning.
[May 4 20:06:07]iked_spu_sync_config_add this is SEC ASSOC on RE/complete, add it to the list
[May 4 20:06:07]Config download: Processed 1 - 2 messages
[May 4 20:06:07]Config download time: 0 secs
[May 4 20:06:07]ikev2_packet_allocate: Allocated packet 8c24800 from freelist
[May 4 20:06:07]iked_config_process_config_list, configuration diff complete
[May 4 20:06:37]P1 SA 2089251 timer expiry. ref cnt 2, timer reason Force delete timer expired (1), flags 0x0.
[May 4 20:06:37]IKE SA delete called for p1 sa 2089251 (ref cnt 3) local:192.168.86.3, remote:192.168.86.4, IKEv2
[May 4 20:06:37]Freeing all P2 SAs for IKEv2 p1 SA 2089251
[May 4 20:06:37]P1 SA 2089251 reference count is not zero (1). Delaying deletion of SA
[May 4 20:06:37]iked_pm_p1_sa_destroy: p1 sa 2089251 (ref cnt 0), waiting_for_del 0x8c809a0
[May 4 20:06:37]iked_pm_ike_sa_delete_done_cb: For null p1 sa, status: Error ok
[May 4 20:06:37]iked_deferred_free_inactive_peer_entry: Free 1 peer_entry(s)
[May 4 20:07:34]ikev2_packet_allocate: Allocated packet 8c24c00 from freelist
[May 4 20:08:04]P1 SA 2089252 timer expiry. ref cnt 2, timer reason Force delete timer expired (1), flags 0x0.
[May 4 20:08:04]IKE SA delete called for p1 sa 2089252 (ref cnt 3) local:192.168.86.3, remote:192.168.86.4, IKEv2
[May 4 20:08:04]Freeing all P2 SAs for IKEv2 p1 SA 2089252
[May 4 20:08:04]P1 SA 2089252 reference count is not zero (1). Delaying deletion of SA
[May 4 20:08:04]iked_pm_p1_sa_destroy: p1 sa 2089252 (ref cnt 0), waiting_for_del 0x8c80a00
[May 4 20:08:04]iked_pm_ike_sa_delete_done_cb: For null p1 sa, status: Error ok
[May 4 20:08:04]iked_deferred_free_inactive_peer_entry: Free 1 peer_entry(s)
[May 4 20:08:34]ikev2_packet_allocate: Allocated packet 8c39000 from freelist

[May 4 20:13:34]ikev2_packet_allocate: Allocated packet 8c3a400 from freelist
[May 4 20:14:04]P1 SA 2089258 timer expiry. ref cnt 2, timer reason Force delete timer expired (1), flags 0x0.
[May 4 20:14:04]IKE SA delete called for p1 sa 2089258 (ref cnt 3) local:192.168.86.3, remote:192.168.86.4, IKEv2
[May 4 20:14:04]Freeing all P2 SAs for IKEv2 p1 SA 2089258
[May 4 20:14:04]P1 SA 2089258 reference count is not zero (1). Delaying deletion of SA
[May 4 20:14:04]iked_pm_p1_sa_destroy: p1 sa 2089258 (ref cnt 0), waiting_for_del 0x8c80a00
[May 4 20:14:04]iked_pm_ike_sa_delete_done_cb: For null p1 sa, status: Error ok
[May 4 20:14:04]iked_deferred_free_inactive_peer_entry: Free 1 peer_entry(s)
[May 4 20:14:34]ikev2_packet_allocate: Allocated packet 8c3a800 from freelist
[May 4 20:15:04]P1 SA 2089259 timer expiry. ref cnt 2, timer reason Force delete timer expired (1), flags 0x0.
[May 4 20:15:04]IKE SA delete called for p1 sa 2089259 (ref cnt 3) local:192.168.86.3, remote:192.168.86.4, IKEv2
[May 4 20:15:04]Freeing all P2 SAs for IKEv2 p1 SA 2089259
[May 4 20:15:04]P1 SA 2089259 reference count is not zero (1). Delaying deletion of SA
[May 4 20:15:04]iked_pm_p1_sa_destroy: p1 sa 2089259 (ref cnt 0), waiting_for_del 0x8c80a00
[May 4 20:15:04]iked_pm_ike_sa_delete_done_cb: For null p1 sa, status: Error ok
[May 4 20:15:04]iked_deferred_free_inactive_peer_entry: Free 1 peer_entry(s)
[May 4 20:15:34]ikev2_packet_allocate: Allocated packet 8c3ac00 from freelist
[May 4 20:16:04]P1 SA 2089260 timer expiry. ref cnt 2, timer reason Force delete timer expired (1), flags 0x0.
[May 4 20:16:04]IKE SA delete called for p1 sa 2089260 (ref cnt 3) local:192.168.86.3, remote:192.168.86.4, IKEv2
[May 4 20:16:04]Freeing all P2 SAs for IKEv2 p1 SA 2089260
[May 4 20:16:04]P1 SA 2089260 reference count is not zero (1). Delaying deletion of SA
[May 4 20:16:04]iked_pm_p1_sa_destroy: p1 sa 2089260 (ref cnt 0), waiting_for_del 0x8c80a00
[May 4 20:16:04]iked_pm_ike_sa_delete_done_cb: For null p1 sa, status: Error ok
[May 4 20:16:04]iked_deferred_free_inactive_peer_entry: Free 1 peer_entry(s)
[May 4 20:16:34]ikev2_packet_allocate: Allocated packet 8c3b000 from freelist
[May 4 20:17:04]P1 SA 2089261 timer expiry. ref cnt 2, timer reason Force delete timer expired (1), flags 0x0.
[May 4 20:17:04]IKE SA delete called for p1 sa 2089261 (ref cnt 3) local:192.168.86.3, remote:192.168.86.4, IKEv2
[May 4 20:17:04]Freeing all P2 SAs for IKEv2 p1 SA 2089261
[May 4 20:17:04]P1 SA 2089261 reference count is not zero (1). Delaying deletion of SA
[May 4 20:17:04]iked_pm_p1_sa_destroy: p1 sa 2089261 (ref cnt 0), waiting_for_del 0x8c80a00
[May 4 20:17:04]iked_pm_ike_sa_delete_done_cb: For null p1 sa, status: Error ok
[May 4 20:17:04]iked_deferred_free_inactive_peer_entry: Free 1 peer_entry(s)
[May 4 20:17:34]ikev2_packet_allocate: Allocated packet 8c3b400 from freelist
[May 4 20:18:04]P1 SA 2089262 timer expiry. ref cnt 2, timer reason Force delete timer expired (1), flags 0x0.
[May 4 20:18:04]IKE SA delete called for p1 sa 2089262 (ref cnt 3) local:192.168.86.3, remote:192.168.86.4, IKEv2
[May 4 20:18:04]Freeing all P2 SAs for IKEv2 p1 SA 2089262
[May 4 20:18:04]P1 SA 2089262 reference count is not zero (1). Delaying deletion of SA
[May 4 20:18:04]iked_pm_p1_sa_destroy: p1 sa 2089262 (ref cnt 0), waiting_for_del 0x8c80a60
[May 4 20:18:04]iked_pm_ike_sa_delete_done_cb: For null p1 sa, status: Error ok
[May 4 20:18:04]iked_deferred_free_inactive_peer_entry: Free 1 peer_entry(s)
[May 4 20:18:34]ikev2_packet_allocate: Allocated packet 8c3b800 from freelist
[May 4 20:19:04]P1 SA 2089263 timer expiry. ref cnt 2, timer reason Force delete timer expired (1), flags 0x0.
[May 4 20:19:04]IKE SA delete called for p1 sa 2089263 (ref cnt 3) local:192.168.86.3, remote:192.168.86.4, IKEv2
[May 4 20:19:04]Freeing all P2 SAs for IKEv2 p1 SA 2089263
[May 4 20:19:04]P1 SA 2089263 reference count is not zero (1). Delaying deletion of SA
[May 4 20:19:04]iked_pm_p1_sa_destroy: p1 sa 2089263 (ref cnt 0), waiting_for_del 0x8c80a60
[May 4 20:19:04]iked_pm_ike_sa_delete_done_cb: For null p1 sa, status: Error ok
[May 4 20:19:04]iked_deferred_free_inactive_peer_entry: Free 1 peer_entry(s)
[May 4 20:19:34]ikev2_packet_allocate: Allocated packet 8c3bc00 from freelist

Re: IPSEC between SRX and Fortinet not coming up

05-05-2020 07:06 AM

As per the given output, the SRX is initiating VPN traffic but not getting packets from the Fortinet. Please enable debug on the Fortinet side and check: https://kb.fortinet.com/kb/documentLink.do?externalID=FD46611

Which SRX model and Junos version are you using? Please share the output of "show chassis fpc detail".

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: IPSEC between SRX and Fortinet not coming up

05-05-2020 10:21 PM

Hi Nellikka,

Thanks for your support, both phase 1 and phase 2 are up now. There was an issue with the Fortinet firewall policy; after correcting it, IPsec came up. I have some questions:

1. How can I redirect the traffic from source (2.2.2.2) to destination (1.1.1.1) over the IPsec tunnel? As we can see in the routing table, it is not showing a route for it. Do I need to configure a static route for the destination pointing towards the st0.0 interface?

2. What if "establish-tunnels immediately" is not configured? What is the default behaviour of Junos?

+ = Active Route, - = Last Active, * = Both

2.2.2.2/32 *[Static/5] 01:16:46
> to 23.0.0.2 via ge-0/0/2.0
23.0.0.0/24 *[Direct/0] 01:16:46
> via ge-0/0/2.0
23.0.0.1/32 *[Local/0] 01:16:59
Local via ge-0/0/2.0
192.168.86.0/24 *[Direct/0] 01:16:46
> via ge-0/0/1.0
192.168.86.3/32 *[Local/0] 01:17:00
Local via ge-0/0/1.0

root> show security ipsec security-associations detail
ID: 131073 Virtual-system: root, VPN Name: vpn01-DUB-Three
Local Gateway: 192.168.86.3, Remote Gateway: 192.168.86.4
Local Identity: ipv4(any:0,[0..3]=2.2.2.2)
Remote Identity: ipv4(any:0,[0..3]=1.1.1.1)
Version: IKEv2
DF-bit: clear
Bind-interface: st0.0

Port: 500, Nego#: 2, Fail#: 0, Def-Del#: 0 Flag: 0x600a29
Last Tunnel Down Reason: Lifetime expired
Direction: inbound, SPI: ea741b61, AUX-SPI: 0
, VPN Monitoring: -
Hard lifetime: Expires in 3518 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 2880 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: des-cbc
Anti-replay service: counter-based enabled, Replay window size: 64

Direction: outbound, SPI: 5e5575e7, AUX-SPI: 0
, VPN Monitoring: -
Hard lifetime: Expires in 3518 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 2880 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: des-cbc
Anti-replay service: counter-based enabled, Replay window size: 64

root> show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
3264977 UP 2f31bcc0891ceff9 a1b8c28e9f518341 IKEv2 192.168.86.4


root> show chassis fpc detail
Slot 0 information:
State Online
Total CPU DRAM ---- CPU less FPC ----
Start time 2020-05-06 03:51:22 UTC
Uptime 12 hour, 17 minutes, 37 seconds

root>

Re: IPSEC between SRX and Fortinet not coming up

05-05-2020 10:30 PM

Glad to know that the VPN came up.

Yes, a static route should be configured for the destination network with next hop st0.0.

The default behavior is on-demand: the tunnel will be initiated when traffic to the destination hits the SRX.

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
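The routing question above and the answer to it (a static route for the remote network with next hop st0.0, and on-demand tunnel establishment by default) can be turned into a quick check run against the CLI output already in the thread. The following is an added example and is not code from the thread, from Juniper or from Fortinet. It parses constructed text modelled on the "show route" and "show security ipsec security-associations detail" output posted above, confirms that the remote traffic selector (1.1.1.1) resolves to a route whose next hop is the tunnel's bind-interface, and flags the legacy ESP cipher the SA output shows (des-cbc). The "after" routing table assumes the route was added with "set routing-options static route 1.1.1.1/32 next-hop st0.0", which is the usual Junos form for a route-based VPN; the function names, the WRONG_NEXTHOP/NO_ROUTE/LEGACY_ALGORITHM codes and the legacy-algorithm list are this example's own choices.

```python
"""Post-negotiation checks for a Junos route-based VPN, driven by CLI output.

Added example, not code from the thread or from Juniper. The sample texts
below are constructed, modelled on the thread's 'show route' and
'show security ipsec security-associations detail' output.
"""
import ipaddress
import re

# Constructed: the SA is up but nothing routes the remote selector 1.1.1.1.
ROUTE_TABLE_BEFORE = """\
2.2.2.2/32 *[Static/5] 01:16:46
> to 23.0.0.2 via ge-0/0/2.0
23.0.0.0/24 *[Direct/0] 01:16:46
> via ge-0/0/2.0
23.0.0.1/32 *[Local/0] 01:16:59
Local via ge-0/0/2.0
192.168.86.0/24 *[Direct/0] 01:16:46
> via ge-0/0/1.0
192.168.86.3/32 *[Local/0] 01:17:00
Local via ge-0/0/1.0
"""

# Constructed: what the table looks like once
# 'set routing-options static route 1.1.1.1/32 next-hop st0.0' is committed.
ROUTE_TABLE_AFTER = """\
1.1.1.1/32 *[Static/5] 00:00:10
> via st0.0
""" + ROUTE_TABLE_BEFORE

# Constructed, trimmed to the fields the check reads.
SA_DETAIL = """\
ID: 131073 Virtual-system: root, VPN Name: vpn01-DUB-Three
Local Gateway: 192.168.86.3, Remote Gateway: 192.168.86.4
Local Identity: ipv4(any:0,[0..3]=2.2.2.2)
Remote Identity: ipv4(any:0,[0..3]=1.1.1.1)
Version: IKEv2
Bind-interface: st0.0
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: des-cbc
"""

# ESP algorithms RFC 8221 rates MUST NOT or SHOULD NOT (example's own subset).
LEGACY_ALGS = {"des-cbc", "3des-cbc", "hmac-md5-96"}


def parse_routes(text):
    """Return [(network, active next-hop interface)] from 'show route' text."""
    routes, prefix = [], None
    for line in text.splitlines():
        head = re.match(r"^(\S+/\d+)\s+\*?\[", line)
        if head:
            prefix = ipaddress.ip_network(head.group(1), strict=False)
            continue
        hop = re.search(r"via (\S+)", line)
        if hop and prefix is not None:
            routes.append((prefix, hop.group(1)))
            prefix = None  # only the first (active) next hop is kept
    return routes


def longest_match(routes, address):
    """Longest-prefix lookup; returns (network, interface) or None."""
    addr = ipaddress.ip_address(address)
    best = None
    for net, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def parse_sa(text):
    """Extract remote selector, bind-interface and ESP algorithms."""
    sel = re.search(r"Remote Identity: ipv4\([^=]*=([\d.]+)\)", text)
    bind = re.search(r"Bind-interface: (\S+)", text)
    alg = re.search(r"Authentication: (\S+), Encryption: (\S+)", text)
    return {
        "remote_selector": sel.group(1) if sel else None,
        "bind_interface": bind.group(1) if bind else None,
        "auth": alg.group(1) if alg else None,
        "enc": alg.group(2) if alg else None,
    }


def check_vpn(route_text, sa_text):
    """Return (code, message) findings; an empty list means the VPN is usable."""
    sa, findings = parse_sa(sa_text), []
    hit = longest_match(parse_routes(route_text), sa["remote_selector"])
    if hit is None:
        findings.append(("NO_ROUTE", f"no route for {sa['remote_selector']}: "
                         f"traffic never enters {sa['bind_interface']}"))
    elif hit[1] != sa["bind_interface"]:
        findings.append(("WRONG_NEXTHOP", f"{sa['remote_selector']} routed via "
                         f"{hit[1]}, not {sa['bind_interface']}"))
    for alg in (sa["enc"], sa["auth"]):
        if alg in LEGACY_ALGS:
            findings.append(("LEGACY_ALGORITHM", f"SA negotiated {alg}"))
    return findings


if __name__ == "__main__":
    for label, table in (("before", ROUTE_TABLE_BEFORE), ("after", ROUTE_TABLE_AFTER)):
        print(label, check_vpn(table, SA_DETAIL) or "no findings")
```

With the default on-demand behaviour the answer describes, the route is what triggers negotiation in the first place: if nothing resolves to st0.0, no packet ever selects the tunnel and IKE is never started for that destination, so NO_ROUTE is the first thing to look for when a route-based VPN "never comes up". The LEGACY_ALGORITHM finding is a separate point the SA output raises on its own: des-cbc is rated MUST NOT for ESP in RFC 8221, so once the tunnel works the proposal on both peers is worth moving to AES.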