SRX Services Gateway

SRX300/SRX240 can't establish site-to-site VPN, show security ike security-associations empty

‎03-13-2020 01:33 PM

Hi All,

 

I am running into an issue I just can't wrap my head around at the moment.

At home I have a SRX300 running JUNOS 18.2R3-S2.9 which sits behind the ISP FTTH router; ports 500, 4500 and ESP are forwarded to the SRX.

I am trying to set up a VPN to the lab we have at the office, accessible by two SRX240H's running JUNOS 12.1X46-D86 in cluster mode.

For some reason I can't get the tunnel up and visible on the primary SRX240, yet the SRX300 at home thinks everything is hunky-dory.

HOME-SRX300:

leon@SRX300> show security ike security-associations 
Index State Initiator cookie Responder cookie Mode Remote Address 
8047590 UP a7e26ece934f0485 bf66d83ad27db7b2 IKEv2 a.a.a.a

leon@SRX300> show security ipsec security-associations 
Total active tunnels: 1 Total Ipsec sas: 1
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway 
<131073 ESP:aes-cbc-256/sha256 beec2d48 3590/ unlim - root 4500 a.a.a.a 
>131073 ESP:aes-cbc-256/sha256 8005bac 3590/ unlim - root 4500 a.a.a.a

LAB-SRX240:

leon@SRX240> show security ike security-associations 
node0:
--------------------------------------------------------------------------

{primary:node0}
leon@SRX240> show security ipsec security-associations 
node0:
--------------------------------------------------------------------------
Total active tunnels: 0

{primary:node0}

 

a.a.a.a = LAB public IP address
b.b.b.b = HOME public IP address

Configs and flow sessions are attached.

Any pointers are highly appreciated 🙂

Solution
Accepted by topic author LeonNL
‎03-13-2020 02:31 PM

Re: SRX300/SRX240 can't establish site-to-site VPN, show security ike security-associations empty

‎03-13-2020 02:09 PM

Hey LeonNL,

Please check this: https://forums.juniper.net/t5/SRX-Services-Gateway/Trouble-with-IPSEC-1-phase-SRX-220/td-p/305245

If this solves your problem, please mark this post as "Accepted Solution" so we can help others too \:)/

Regards,

Lil Dexx
JNCIE-ENT#863, 3X JNCIP-[SP-ENT-DC], 4X JNCIA [cloud-DevOps-Junos-Design], Champions Ingenius, SSYB

 


Re: SRX300/SRX240 can't establish site-to-site VPN, show security ike security-associations empty

‎03-13-2020 02:31 PM

Hi Lil,

Pff can't believe I overlooked that.

After setting the local and remote identity it works like a charm.

Have a great weekend.

Leon


Re: SRX300/SRX240 can't establish site-to-site VPN, show security ike security-associations empty

‎03-13-2020 04:58 PM

Hey LeonNL,

No worries mate, it happens to me all the time and I am glad to hear that everything is up and running!!
You have a wonderful weekend as well.

If this solves your problem, please mark this post as "Accepted Solution" so we can help others too \:)/

Regards,

Lil Dexx
JNCIE-ENT#863, 3X JNCIP-[SP-ENT-DC], 4X JNCIA [cloud-DevOps-Junos-Design], Champions Ingenius, SSYB
