SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Site to Site VPN on VLAN interface

    Posted 12-06-2011 08:35

    Hi All

    I am building a site to site VPN and am doing a trace on IKE to a file in the log directory.

    It's failing on phase one. I know everything is spot on; the only thing I am not sure about is the fact that I have set the external interface to "vlan".

    I have configured 8 VLAN interfaces on this firewall only.  Should this work?

    I have also set a no NAT across the VPN.

     

    security {
        ike {
            traceoptions {
                file trace.log;
                flag all;
            }
            proposal my-Proposal {
                description "my VPN";
                authentication-method pre-shared-keys;
                dh-group group2;
                authentication-algorithm md5;
                encryption-algorithm aes-256-cbc;
                lifetime-seconds 86400;
            }
            policy my-IKE-Policy {
                mode main;
                description "my VPN";
                proposals my-Proposal;
                pre-shared-key ascii-text "$9$WpJ8NbsYoGjqgoQF6/tp"; ## SECRET-DATA
            }
            gateway my-FW {
                ike-policy my-IKE-Policy;
                address myexternalip;
                no-nat-traversal;
                local-identity inet myexternalip;
                external-interface vlan;
            }
        }
        ipsec {
            proposal my-IPSEC-Policy {
                protocol esp;
                authentication-algorithm hmac-sha1-96;
                encryption-algorithm aes-256-cbc;
                lifetime-seconds 3600;
            }
            policy my-IPSEC {
                description "my VPN";
                perfect-forward-secrecy {
                    keys group2;
                }
                proposals my-IPSEC-Policy;
            }
            vpn my-VPN {
                ike {
                    gateway my-FW;
                    ipsec-policy my-IPSEC;
                }
                establish-tunnels on-traffic;
            }
        }
    }


    debug info

    Dec 6 16:32:59 ike_get_sa: Start, SA = { d61cdce5 fe489dc1 - 00000000 00000000 } / 00000000, remote = myexternalip:500
    Dec 6 16:32:59 ike_sa_allocate: Start, SA = { d61cdce5 fe489dc1 - a29dafac 256fe5cd }
    Dec 6 16:32:59 ike_init_isakmp_sa: Start, remote = myexternalip:500, initiator = 0
    Dec 6 16:32:59 ike_decode_packet: Start
    Dec 6 16:32:59 ike_decode_packet: Start, SA = { d61cdce5 fe489dc1 - a29dafac 256fe5cd} / 00000000, nego = -1
    Dec 6 16:32:59 ike_decode_payload_sa: Start
    Dec 6 16:32:59 ike_decode_payload_t: Start, # trans = 1
    Dec 6 16:32:59 ike_st_i_vid: VID[0..40] = f4ed19e0 c114eb51 ...
    Dec 6 16:32:59 The remote server at myexternalip:500 is 'f4 ed 19 e0 c1 14 eb 51 6f aa ac 0e e3 7d af 28 07 b4 38 1f 00'
    Dec 6 16:32:59 ike_st_i_sa_proposal: Start
    Dec 6 16:32:59 Local dest IP: ipv4(any:0,[0..3]=juniperexternal)
    Dec 6 16:32:59 Unable to find ike gateway as remote peer:myexternalip is not recognized.
    Dec 6 16:32:59 KMD_PM_P1_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-1 [responder] failed for p1_local=ipv4(any:0,[0..3]=juniperexternal) p1_remote=ipv4(any:0,[0..3]=myexternalip)
    Dec 6 16:32:59 KMD_PM_P1_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-1 [responder] failed for p1_local=ipv4(any:0,[0..3]=juniperexternal) p1_remote=ipv4(any:0,[0..3]=myexternalip)
    Dec 6 16:32:59 ike_isakmp_sa_reply: Start
    Dec 6 16:32:59 ike_st_i_cr: Start
    Dec 6 16:32:59 ike_st_i_cert: Start
    Dec 6 16:32:59 ike_st_i_private: Start
    Dec 6 16:32:59 ike_st_o_sa_values: Start
    Dec 6 16:32:59 juniperexternal:500 (Responder) <-> myexternalip:500 { d61cdce5 fe489dc1 - a29dafac 256fe5cd [-1] / 0x00000000 } IP; Error = No proposal chosen (14)
    Dec 6 16:32:59 ike_alloc_negotiation: Start, SA = { d61cdce5 fe489dc1 - a29dafac 256fe5cd}
    Dec 6 16:32:59 ike_encode_packet: Start, SA = { 0xd61cdce5 fe489dc1 - a29dafac 256fe5cd } / f6556d00, nego = 0
    Dec 6 16:32:59 ike_send_packet: Start, send SA = { d61cdce5 fe489dc1 - a29dafac 256fe5cd}, nego = 0, src=juniperexternal:500, dst = myexternalip:500, routing table id = 0
    Dec 6 16:32:59 ike_delete_negotiation: Start, SA = { d61cdce5 fe489dc1 - a29dafac 256fe5cd}, nego = 0
    Dec 6 16:32:59 ike_free_negotiation_info: Start, nego = 0
    Dec 6 16:32:59 ike_free_negotiation: Start, nego = 0
    Dec 6 16:33:01 ike_get_sa: Start, SA = { d61cdce5 fe489dc1 - 00000000 00000000 } / 00000000, remote = myexternalip:500

     



  • 2.  RE: Site to Site VPN on VLAN interface

    Posted 12-06-2011 17:48

    I'm having a little issue with following the flow since you've got "myexternalip" in a couple different places...

     

    Your IKE gateway seems to define the remote peer address and the local identity as the same IP?


    @M2010 wrote:

     

    gateway my-FW {
    ike-policy my-IKE-Policy;
    address myexternalip;
    no-nat-traversal;
    local-identity inet myexternalip;
    external-interface vlan; 



    The address defined there should be the address of the other firewall that's terminating the tunnel, not the local IP.

     

    That would probably be the reason you're seeing this:

     


    @M2010 wrote:

     

    debug info

    Dec 6 16:32:59 Unable to find ike gateway as remote peer:myexternalip is not recognized.
    Dec 6 16:32:59 KMD_PM_P1_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-1 [responder] failed for p1_local=ipv4(any:0,[0..3]=juniperexternal) p1_remote=ipv4(any:0,[0..3]=myexternalip)
    Dec 6 16:32:59 KMD_PM_P1_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-1 [responder] failed for p1_local=ipv4(any:0,[0..3]=juniperexternal) p1_remote=ipv4(any:0,[0..3]=myexternalip)


    Looks like it's trying to establish the tunnel with itself?  Without seeing the rest of the configuration and where "myexternalip" and "juniperexternal" fit into the grand scheme, it's hard to know what else might be going on.
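    For anyone reading this thread later with a similar trace: the lines worth pulling out of an IKE traceoptions file are the KMD_PM_P1_POLICY_LOOKUP_FAILURE entries (which peer and which local address the responder could not match to a gateway) and the final "Error = ..." line. The following is an added example, not part of any post above and not Juniper code; it is a small Python parser that summarises those entries per remote peer. The sample trace is constructed from the lines quoted in this thread, keeping the poster's own "myexternalip" and "juniperexternal" placeholders, and the regexes assume the log format shown here.

```python
import re
from collections import defaultdict

# Constructed sample: the relevant lines from the trace quoted in this thread.
SAMPLE_TRACE = """\
Dec 6 16:32:59 ike_st_i_sa_proposal: Start
Dec 6 16:32:59 Local dest IP: ipv4(any:0,[0..3]=juniperexternal)
Dec 6 16:32:59 Unable to find ike gateway as remote peer:myexternalip is not recognized.
Dec 6 16:32:59 KMD_PM_P1_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-1 [responder] failed for p1_local=ipv4(any:0,[0..3]=juniperexternal) p1_remote=ipv4(any:0,[0..3]=myexternalip)
Dec 6 16:32:59 KMD_PM_P1_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-1 [responder] failed for p1_local=ipv4(any:0,[0..3]=juniperexternal) p1_remote=ipv4(any:0,[0..3]=myexternalip)
Dec 6 16:32:59 juniperexternal:500 (Responder) <-> myexternalip:500 { d61cdce5 fe489dc1 - a29dafac 256fe5cd [-1] / 0x00000000 } IP; Error = No proposal chosen (14)
"""

# Regexes written against the line formats visible in this thread's trace.
LOOKUP_RE = re.compile(
    r"KMD_PM_P1_POLICY_LOOKUP_FAILURE: .*?\[(?P<role>\w+)\] failed for "
    r"p1_local=ipv4\(any:0,\[0\.\.3\]=(?P<local>[^)]+)\) "
    r"p1_remote=ipv4\(any:0,\[0\.\.3\]=(?P<remote>[^)]+)\)"
)
UNKNOWN_GW_RE = re.compile(
    r"Unable to find ike gateway as remote peer:(?P<remote>\S+?) is not recognized"
)
ERROR_RE = re.compile(
    r"(?P<local>\S+):500 \((?P<role>\w+)\) <-> (?P<remote>\S+):500 .*"
    r"Error = (?P<error>.+?) \((?P<code>\d+)\)"
)


def summarize_phase1_failures(trace_text):
    """Return {remote_peer: {"lookup_failures": n, "unknown_gateway": n,
    "local": addr, "errors": [...]}} built from an IKE trace."""
    summary = defaultdict(
        lambda: {"lookup_failures": 0, "unknown_gateway": 0, "local": None, "errors": []}
    )
    for line in trace_text.splitlines():
        m = LOOKUP_RE.search(line)
        if m:
            summary[m["remote"]]["lookup_failures"] += 1
            summary[m["remote"]]["local"] = m["local"]
            continue
        m = UNKNOWN_GW_RE.search(line)
        if m:
            summary[m["remote"]]["unknown_gateway"] += 1
            continue
        m = ERROR_RE.search(line)
        if m:
            summary[m["remote"]]["errors"].append(f'{m["error"]} ({m["code"]})')
    return dict(summary)


def diagnose(summary):
    """Turn the counters into the two distinct situations seen in this thread:
    the responder found no gateway for the peer at all (the case here), or a
    gateway matched but the phase-1 proposals disagree."""
    notes = []
    for peer, s in summary.items():
        no_gateway = s["unknown_gateway"] or s["lookup_failures"]
        if no_gateway:
            notes.append(
                f"{peer}: no IKE gateway matched this peer for local address "
                f"{s['local']}; check the gateway's address and that "
                "external-interface names the logical unit holding that address"
            )
        elif "No proposal chosen (14)" in s["errors"]:
            notes.append(f"{peer}: a gateway matched but phase-1 proposals differ")
    return notes


if __name__ == "__main__":
    result = summarize_phase1_failures(SAMPLE_TRACE)
    for note in diagnose(result):
        print(note)
```

    The point of separating the two branches in diagnose() is that the "No proposal chosen" reply on its own is misleading: in this trace it is sent only because the responder never matched a gateway in the first place, so comparing proposals on both ends would be a wasted step.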



  • 3.  RE: Site to Site VPN on VLAN interface

    Posted 12-07-2011 00:48

    Hi there

    Thanks for the reply.

    So just to clarify:

    myexternalip = remote peer address of a Checkpoint firewall

    juniperexternal = local address of the Juniper firewall

    I have configured other SRX firewalls with VPN and they are working and configured identically to this; the only difference is I am not sure what my external interface should be. I only have one physical interface connected on the SRX, which is a trunk. All the IP interfaces are VLANs. Is this supported?

     

     



  • 4.  RE: Site to Site VPN on VLAN interface

    Posted 12-07-2011 01:22

    OK, I got it working via the command line by typing in the vlan.1 interface, which is the VLAN interface for the external.

    The VPN config tool needs some adjusting also. I tried it to see if I was doing anything wrong, and when you type in external interface vlan.1 it errors.

     

    https://www.juniper.net/customers/support/configtools/vpnconfig.html



  • 5.  RE: Site to Site VPN on VLAN interface
    Best Answer

    Posted 12-07-2011 01:41

    Yeah, it was because you didn't specify the unit number.