SRX Services Gateway

Site to Site between Cisco (Hub) and SRX 100 (spoke)

02-04-2019 12:20 PM

Attempting to use SRX100s as spokes for two locations. The tunnel temporarily establishes, then bounces. I would also like to be able to define the IKE gateway as a DDNS address; however, when I used the FQDN, no traffic was generated. Any assistance with making the tunnel stable would be appreciated, and any insight on how to establish the tunnel using the FQDN would be appreciated as well.


set security ike proposal ike-prop authentication-method pre-shared-keys
set security ike proposal ike-prop dh-group group2
set security ike proposal ike-prop authentication-algorithm md5
set security ike proposal ike-prop encryption-algorithm 3des-cbc
set security ike proposal ike-prop lifetime-seconds 28800
set security ike policy ike-policy mode aggressive
set security ike policy ike-policy proposals ike-prop
set security ike policy ike-policy pre-shared-key ascii-text 
set security ike gateway ike-gw ike-policy ike-policy
set security ike gateway ike-gw dynamic hostname 1709.ddns.net
set security ike gateway ike-gw nat-keepalive 15
set security ike gateway ike-gw external-interface fe-0/0/0.0

Config that generates traffic:


set security ike proposal ike-prop authentication-method pre-shared-keys
set security ike proposal ike-prop dh-group group2
set security ike proposal ike-prop authentication-algorithm md5
set security ike proposal ike-prop encryption-algorithm 3des-cbc
set security ike proposal ike-prop lifetime-seconds 28800
set security ike policy ike-policy mode main
set security ike policy ike-policy proposals ike-prop
set security ike policy ike-policy pre-shared-key ascii-text 
set security ike gateway ike-gw ike-policy ike-policy
set security ike gateway ike-gw address 148.X.X.X
set security ike gateway ike-gw nat-keepalive 15
set security ike gateway ike-gw external-interface fe-0/0/0.0
set security ike gateway ike-gw general-ikeid
set security ike gateway ike-gw version v1-only
set security ipsec proposal TEST-P2-PROPOSAL protocol esp
set security ipsec proposal TEST-P2-PROPOSAL authentication-algorithm hmac-md5-96
set security ipsec proposal TEST-P2-PROPOSAL encryption-algorithm 3des-cbc
set security ipsec policy TEST-P2-POLICY proposals TEST-P2-PROPOSAL
set security ipsec vpn TEST-VPN bind-interface st0.1
set security ipsec vpn TEST-VPN vpn-monitor
set security ipsec vpn TEST-VPN ike gateway ike-gw
set security ipsec vpn TEST-VPN ike ipsec-policy TEST-P2-POLICY
set security ipsec vpn TEST-VPN establish-tunnels immediately
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security zones security-zone trust address-book address local-net 192.168.2.192/26
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.0
set security zones security-zone trust interfaces lo0.0
set security zones security-zone trust interfaces st0.1
set security zones security-zone untrust address-book address 1709LAN 192.168.2.64/26
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust host-inbound-traffic system-services ntp
set security zones security-zone untrust host-inbound-traffic system-services dns
set security zones security-zone untrust interfaces fe-0/0/0.0



[Feb 5 03:55:51][192.168.2.254 <-> 148.X.X.X] 192.168.2.254:500 (Initiator) <-> 148.X.X.X:500 { 93031b76 852f6e4a - 4a2edbe5 775ab4b5 [-1] / 0x00000000 } IP; Output of SKEYID hash[16] = 0x11a77418 75165d15 9f8cad5d 9b19a66d
[Feb 5 03:55:51][192.168.2.254 <-> 148.X.X.X] 192.168.2.254:500 (Initiator) <-> 148.X.X.X:500 { 93031b76 852f6e4a - 4a2edbe5 775ab4b5 [-1] / 0x00000000 } IP; Output of SKEYID_d hash[16] = 0xaa8d6f23 03a84dc4 92f5606f 21d70988
[Feb 5 03:55:51][192.168.2.254 <-> 148.X.X.X] 192.168.2.254:500 (Initiator) <-> 148.X.X.X:500 { 93031b76 852f6e4a - 4a2edbe5 775ab4b5 [-1] / 0x00000000 } IP; Output of SKEYID_a hash[16] = 0x12aa6ccd 95063c68 3364943b 752bbef7
[Feb 5 03:55:51][192.168.2.254 <-> 148.X.X.X] 192.168.2.254:500 (Initiator) <-> 148.X.X.X:500 { 93031b76 852f6e4a - 4a2edbe5 775ab4b5 [-1] / 0x00000000 } IP; Output SKEYID_e hash[16] = 0x416fa34e e7cd08f1 8917ad0d a09ff458
[Feb 5 03:55:51][192.168.2.254 <-> 148.X.X.X] 192.168.2.254:500 (Initiator) <-> 148.X.X.X:500 { 93031b76 852f6e4a - 4a2edbe5 775ab4b5 [-1] / 0x00000000 } IP; Final encryption key[24] = 0x41715d89 06e9a617 bb204d9b 64e2d69c 1e7ea
[Feb 5 03:55:51][192.168.2.254 <-> 148.X.X.X] ike_calc_mac: Start, initiator = true, local = true
[Feb 5 03:55:51][192.168.2.254 <-> 148.X.X.X] 192.168.2.254:500 (Initiator) <-> 148.X.X.X:500 { 93031b76 852f6e4a - 4a2edbe5 775ab4b5 [-1] / 0x00000000 } IP; Output of HASH_I hash[16] = 0x3343f698 50cb3a81 89358324 777b8f5f
[Feb 5 03:55:51][192.168.2.254 <-> 148.X.X.X] ike_st_o_status_n: Start
[Feb 5 03:55:51][192.168.2.254 <-> 148.X.X.X] ike_st_o_private: Start
[Feb 5 03:55:51][192.168.2.254 <-> 148.X.X.X] ike_policy_reply_private_payload_out: Start
[Feb 5 03:55:51][192.168.2.254 <-> 148.X.X.X] ike_st_o_encrypt: Marking encryption for packet
[Feb 5 03:55:51][192.168.2.254 <-> 148.X.X.X] ike_state_step: All done, new state = MM final I (7)
[Feb 5 03:55:51][192.168.2.254 <-> 148.X.X.X] ike_encode_packet: Start, SA = { 0x93031b76 852f6e4a - 4a2edbe5 775ab4b5 } / 00000000, nego = -1
[Feb 5 03:55:51][192.168.2.254 <-> 148.X.X.X] ike_encode_packet: Encrypting packet
[Feb 5 03:55:51][192.168.2.254 <-> 148.X.X.X] ike_encode_packet: Final length = 92
[Feb 5 03:55:51][192.168.2.254 <-> 148.X.X.X] ike_send_packet: Start, send SA = { 93031b76 852f6e4a - 4a2edbe5 775ab4b5}, nego = -1, dst = 148.X.X.X:4500, routing table id = 0
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] ike_sa_find: Found SA = { 93031b76 852f6e4a - 4a2edbe5 775ab4b5 }
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] ike_get_sa: Start, SA = { 93031b76 852f6e4a - 4a2edbe5 775ab4b5 } / 00000000, remote = 148.X.X.X:4500
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] ike_sa_find: Found SA = { 93031b76 852f6e4a - 4a2edbe5 775ab4b5 }
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] 192.168.2.254:4500 (Initiator) <-> 148.X.X.X:4500 { 93031b76 852f6e4a - 4a2edbe5 775ab4b5 [-1] / 0x00000000 } IP; Packet to old negotiation
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] ike_decode_packet: Start
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] ike_decode_packet: Start, SA = { 93031b76 852f6e4a - 4a2edbe5 775ab4b5} / 00000000, nego = -1
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] ike_decode_packet: Decrypting packet
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] 192.168.2.254:4500 (Initiator) <-> 148.X.X.X:4500 { 93031b76 852f6e4a - 4a2edbe5 775ab4b5 [-1] / 0x00000000 } IP; Warning, junk after packet len = 40, decoded = 32
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] 192.168.2.254:4500 (Initiator) <-> 148.X.X.X:4500 { 93031b76 852f6e4a - 4a2edbe5 775ab4b5 [-1] / 0x00000000 } IP; Version = 1.0, Input packet fields = 0024 ID HASH
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] ike_state_step: Current state = MM final I (7)/-1, exchange = 2, auth_method = pre shared key, Initiator
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] ike_st_i_encrypt: Check that packet was encrypted succeeded
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] ike_st_i_id: Start
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] ike_st_i_hash: Start, hash[0..16] = 6c81c9c8 bb1eb6c8 ...
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] ike_calc_mac: Start, initiator = true, local = false
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] 192.168.2.254:4500 (Initiator) <-> 148.X.X.X:4500 { 93031b76 852f6e4a - 4a2edbe5 775ab4b5 [-1] / 0x00000000 } IP; Output of HASH_R hash[16] = 0x6c81c9c8 bb1eb6c8 d099295f b35e1b61
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] ike_st_i_cert: Start
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] ike_st_i_private: Start
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] 192.168.2.254:4500 (Initiator) <-> 148.X.X.X:4500 { 93031b76 852f6e4a - 4a2edbe5 775ab4b5 [-1] / 0x00000000 } IP; dec->enc iv[8] = 0xcdb41e6f f3349c49
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] ike_st_o_wait_done: Marking for waiting for done
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] ike_st_o_all_done: MESSAGE: Phase 1 { 0x93031b76 852f6e4a - 0x4a2edbe5 775ab4b5 } / 00000000, version = 1.0, xchg = Identity protect, auth_method = Pre shared keys, Initiator, cipher = 3d
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] 192.168.2.254:4500 (Initiator) <-> 148.X.X.X:4500 { 93031b76 852f6e4a - 4a2edbe5 775ab4b5 [-1] / 0x00000000 } IP; MESSAGE: Phase 1 version = 1.0, auth_method = Pre shared keys, ciphe
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] ike_state_step: All done, new state = MM done I (9)
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] ikev2_fallback_negotiation_free: Fallback negotiation dfb800 has still 1 references
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] ike_send_notify: Connected, SA = { 93031b76 852f6e4a - 4a2edbe5 775ab4b5}, nego = -1
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] 192.168.2.254:4500 (Initiator) <-> 148.X.X.X:4500 { 93031b76 852f6e4a - 4a2edbe5 775ab4b5 [-1] / 0x00000000 } IP; Connected
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] ike_process_packet: No output packet, returning
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] iked_pm_ike_sa_done: local:192.168.2.254, remote:148.X.X.X IKEv1
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] kmd_pm_ike_id_in_range: NOT in the range
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] iked_pm_id_validate id NOT matched.
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] P1 SA 2031101 stop timer. timer duration 30, reason 1.
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] P1 SA 2031101 start timer. timer duration 0, reason 3.
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] iked_pm_ipsec_spi_allocate: local:192.168.2.254, remote:148.X.X.X IKEv1
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] Added (spi=0x3c7327a8, protocol=0) entry to the spi table
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] Parsing notification payload for local:192.168.2.254, remote:148.X.X.X IKEv1
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] iked_pm_ipsec_spi_allocate: local:192.168.2.254, remote:148.X.X.X IKEv1
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] Added (spi=0xa31c7206, protocol=0) entry to the spi table
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] Parsing notification payload for local:192.168.2.254, remote:148.X.X.X IKEv1
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] Parsing notification payload for local:192.168.2.254, remote:148.X.X.X IKEv1
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] ikev2_fallback_negotiation_free: Fallback negotiation dfb800 has still 1 references

On the Cisco side:

R91704Cisco_1921#show crypto session
Crypto session current status

Interface: Virtual-Access2
Profile: VTILABTEST
Session status: UP-ACTIVE
Peer: 69.X.X.X port 4500
Session ID: 0
IKEv1 SA: local 192.168.2.126/4500 remote 69.X.X.X/4500 Active
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map

Interface: Virtual-Access1
Profile: VTILABTEST
Session status: UP-ACTIVE
Peer: 74.X.X.X port 4500
Session ID: 0
IKEv1 SA: local 192.168.2.126/4500 remote 74.X.X.X/4500 Active
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map


*Feb 4 19:50:59.759: ISAKMP-PAK: (1487):received packet from 74.X.X.X dport 4500 sport 4500 Global (R) QM_IDLE
*Feb 4 19:50:59.759: ISAKMP: (1487):set new node 9136541 to QM_IDLE
*Feb 4 19:50:59.763: ISAKMP: (1487):Processing HASH payload. message ID = 9136541
*Feb 4 19:50:59.763: ISAKMP: (1487):Processing SA payload. message ID = 9136541
*Feb 4 19:50:59.763: ISAKMP: (1487):Checking IPSec proposal 1
*Feb 4 19:50:59.763: ISAKMP: (1487):transform 0, ESP_3DES
*Feb 4 19:50:59.763: ISAKMP: (1487): attributes in transform:
*Feb 4 19:50:59.763: ISAKMP: (1487): authenticator is HMAC-MD5
*Feb 4 19:50:59.763: ISAKMP: (1487): SA life type in seconds
*Feb 4 19:50:59.763: ISAKMP: SA life duration (VPI) of 0x0 0x0 0xE 0x10
*Feb 4 19:50:59.763: ISAKMP: (1487): encaps is 3 (Tunnel-UDP)
*Feb 4 19:50:59.763: ISAKMP: (1487):atts are acceptable.
*Feb 4 19:50:59.763: ISAKMP: (1487):Processing NONCE payload. message ID = 9136541
*Feb 4 19:50:59.763: ISAKMP: (1487):Processing ID payload. message ID = 9136541
*Feb 4 19:50:59.763: ISAKMP: (1487):Processing ID payload. message ID = 9136541
*Feb 4 19:50:59.763: ISAKMP: (1487):QM Responder gets spi
*Feb 4 19:50:59.763: ISAKMP: (1487):Node 9136541, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Feb 4 19:50:59.763: ISAKMP: (1487):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
*Feb 4 19:50:59.763: ISAKMP: (1487):Node 9136541, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
*Feb 4 19:50:59.763: ISAKMP: (1487):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_IPSEC_INSTALL_AWAIT
*Feb 4 19:50:59.771: ISAKMP-ERROR: (0):Failed to find peer index node to update peer_info_list
*Feb 4 19:50:59.771: ISAKMP: (1487):Received IPSec Install callback... proceeding with the negotiation
*Feb 4 19:50:59.771: ISAKMP: (1487):Successfully installed IPSEC SA (SPI:0x5A613300) on Virtual-Access1
*Feb 4 19:50:59.779: ISAKMP-PAK: (1487):sending packet to 74.X.X.X my_port 4500 peer_port 4500 (R) QM_IDLE
*Feb 4 19:50:59.779: ISAKMP: (1487):Sending an IKE IPv4 Packet.
*Feb 4 19:50:59.779: ISAKMP: (1487):Node 9136541, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE
*Feb 4 19:50:59.779: ISAKMP: (1487):Old State = IKE_QM_IPSEC_INSTALL_AWAIT New State = IKE_QM_R_QM2
*Feb 4 19:50:59.879: ISAKMP-PAK: (1487):received packet from 74.X.X.X dport 4500 sport 4500 Global (R) QM_IDLE
*Feb 4 19:50:59.879: ISAKMP: (1487):deleting node 9136541 error FALSE reason "QM done (await)"
*Feb 4 19:50:59.879: ISAKMP: (1487):Node 9136541, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Feb 4 19:50:59.879: ISAKMP: (1487)Smiley Surprisedld State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
R91704Cisco_1921#
*Feb 4 19:50:59.879: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
R91704Cisco_1921#
*Feb 4 19:51:02.651: ISAKMP: (0):Sending an IKE IPv4 Packet.
R91704Cisco_1921#.
*Feb 4 19:51:14.879: ISAKMP: (0):Sending an IKE IPv4 Packet.
R91704Cisco_1921#.
*Feb 4 19:51:17.651: ISAKMP: (0):Sending an IKE IPv4 Packet.
R91704Cisco_1921#
*Feb 4 19:51:29.879: ISAKMP: (0):Sending an IKE IPv4 Packet.
R91704Cisco_1921#
*Feb 4 19:51:32.651: ISAKMP: (0):Sending an IKE IPv4 Packet.
R91704Cisco_1921#
*Feb 4 19:51:39.719: ISAKMP: (1487):Purging node -1754824165
R91704Cisco_1921#
*Feb 4 19:51:44.879: ISAKMP: (0):Sending an IKE IPv4 Packet.
R91704Cisco_1921#
*Feb 4 19:51:47.651: ISAKMP: (0):Sending an IKE IPv4 Packet.
R91704Cisco_1921#
*Feb 4 19:51:49.879: ISAKMP: (1487):Purging node 9136541
R91704Cisco_1921#
*Feb 4 19:51:59.879: ISAKMP: (0):Sending an IKE IPv4 Packet.
R91704Cisco_1921#
*Feb 4 19:52:02.651: ISAKMP: (0):Sending an IKE IPv4 Packet.
R91704Cisco_1921#
*Feb 4 19:52:14.879: ISAKMP: (0):Sending an IKE IPv4 Packet.
R91704Cisco_1921#
*Feb 4 19:52:17.651: ISAKMP: (0):Sending an IKE IPv4 Packet.
R91704Cisco_1921#
*Feb 4 19:52:29.879: ISAKMP: (0):Sending an IKE IPv4 Packet.
R91704Cisco_1921#
*Feb 4 19:52:32.651: ISAKMP: (0):Sending an IKE IPv4 Packet.
R91704Cisco_1921#
*Feb 4 19:52:44.879: ISAKMP: (0):Sending an IKE IPv4 Packet.
R91704Cisco_1921#
*Feb 4 19:52:47.651: ISAKMP: (0):Sending an IKE IPv4 Packet.
R91704Cisco_1921#
*Feb 4 19:52:49.851: ISAKMP-PAK: (1487):received packet from 74.X.X.X dport 4500 sport 4500 Global (R) QM_IDLE
*Feb 4 19:52:49.851: ISAKMP: (1487):set new node 609811635 to QM_IDLE
*Feb 4 19:52:49.851: ISAKMP: (1487):Processing HASH payload. message ID = 609811635
*Feb 4 19:52:49.851: ISAKMP: (1487):Processing DELETE payload. message ID = 609811635
*Feb 4 19:52:49.851: ISAKMP: (1487):Peer does not do paranoid keepalives.
*Feb 4 19:52:49.851: ISAKMP: (1487):Enqueued KEY_MGR_DELETE_SAS for IPSEC SA (SPI:0x5E7F1F22)
*Feb 4 19:52:49.851: ISAKMP: (1487):deleting node 609811635 error FALSE reason "Informational (in) state 1"
*Feb 4 19:52:49.851: ISAKMP-ERROR: (0):Failed to find peer index node to update peer_info_list
R91704Cisco_1921#.
*Feb 4 19:52:49.851: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to down
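The Cisco debug above shows Virtual-Access1 coming up and then being torn down by a DELETE from the peer roughly two minutes later. As an added example (not part of the post or of either vendor's tooling), the Python parser below pairs the IOS up/down events per interface, measures how long each tunnel stayed up and records whether a peer DELETE arrived while it was up; the sample lines are abridged from the debug above and the year is assumed, since IOS console timestamps do not carry one.

```python
import re
from datetime import datetime

# Constructed sample, abridged from the Cisco debug output in the post above.
CISCO_SAMPLE = """\
*Feb 4 19:50:59.879: ISAKMP: (1487):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
*Feb 4 19:50:59.879: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
*Feb 4 19:52:49.851: ISAKMP: (1487):Processing DELETE payload. message ID = 609811635
*Feb 4 19:52:49.851: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to down
"""

TS_RE = re.compile(r"^\*(\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): (.*)$")
UPDOWN_RE = re.compile(r"%LINEPROTO-5-UPDOWN: Line protocol on Interface (\S+), changed state to (up|down)")
DELETE_RE = re.compile(r"ISAKMP: \(\d+\):Processing DELETE payload")


def parse_ts(text, year):
    # IOS console timestamps carry no year, so the caller supplies it (assumed 2019 here)
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S.%f")


def tunnel_cycles(log_text, year=2019):
    """Pair each interface's up/down events and report how long it stayed up and
    whether the peer sent an IKE DELETE while it was up (peer-initiated teardown)."""
    up_at, last_delete, cycles = {}, None, []
    for line in log_text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue  # prompts and other console noise
        ts, msg = parse_ts(m.group(1), year), m.group(2)
        if DELETE_RE.search(msg):
            last_delete = ts
            continue
        ud = UPDOWN_RE.search(msg)
        if not ud:
            continue
        iface, state = ud.groups()
        if state == "up":
            up_at[iface] = ts
        elif iface in up_at:
            started = up_at.pop(iface)
            cycles.append({
                "interface": iface,
                "up_seconds": (ts - started).total_seconds(),
                "peer_deleted": last_delete is not None and started <= last_delete <= ts,
            })
    return cycles


def flapping(cycles, max_seconds=300):
    """Cycles shorter than max_seconds are flaps worth investigating
    (vpn-monitor probes being dropped, DPD, lifetime or proxy-ID mismatch)."""
    return [c for c in cycles if c["up_seconds"] < max_seconds]


if __name__ == "__main__":
    for c in flapping(tunnel_cycles(CISCO_SAMPLE)):
        print(f"{c['interface']} stayed up {c['up_seconds']:.0f}s, "
              f"peer-initiated delete: {c['peer_deleted']}")
```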

5 REPLIES

Re: Site to Site between Cisco (Hub) and SRX 100 (spoke)

02-04-2019 06:54 PM

Hi,

I see you are using vpn-monitor with a non-Juniper device ("set security ipsec vpn TEST-VPN vpn-monitor"). Please specify the source interface and destination IP which can ping each other, or please try not using vpn-monitor.

For FQDN-based VPN, I believe the peer has to initiate the tunnel. Please check the IKE session, monitor traffic on the interface to see if you see the incoming traffic, and then the logs accordingly.

Thanks,

Vikas


Re: Site to Site between Cisco (Hub) and SRX 100 (spoke)

02-04-2019 07:46 PM

Remove vpn-monitor configuration. vpn-monitor is a proprietary feature and may not work with Cisco. VPN monitoring can cause tunnel flapping in some VPN environments if ping packets are not accepted by the peer (Cisco) based on the packet’s source or destination IP address.

delete security ipsec vpn TEST-VPN vpn-monitor

You can use an FQDN as the address, but the SRX will convert it to an IP address when you commit, and it will not update if the address changes.
set security ike gateway ike-gw address 1709.ddns.net

After commit:
set security ike gateway ike-gw address 148.X.X.X


Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: Site to Site between Cisco (Hub) and SRX 100 (spoke)

02-04-2019 09:25 PM

Is there NAT configured on the Cisco side for VPN traffic?

Anand


Re: Site to Site between Cisco (Hub) and SRX 100 (spoke)

02-05-2019 06:45 AM

The Cisco side is behind a NAT device.


Re: Site to Site between Cisco (Hub) and SRX 100 (spoke)

02-05-2019 07:08 AM

Question: on our Cisco devices, we use a Tcl script to update the DDNS address daily. Is there any similar way to run a script on Juniper that would mimic this?

https://community.cisco.com/t5/vpn-and-anyconnect/ipsec-tunnel-via-hostname-instead-of-ip-address/m-...
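Nellikka's reply above notes that the SRX resolves the FQDN once at commit time and never refreshes it, and the last post asks for a Junos equivalent of the Cisco Tcl refresh script. As an added example (not from the thread, from Juniper, or from Cisco), the Python script below re-resolves the DDNS name, compares it with the address committed for the gateway, and emits the set commands that replace it; the gateway name and hostname come from the thread, the sample address is constructed, and the push step assumes Junos PyEZ with NETCONF access to the SRX.

```python
import ipaddress
import socket

# Constructed sample of 'show configuration security ike | display set' output;
# the gateway name comes from the thread, the address is made up.
SAMPLE_CONFIG = """\
set security ike gateway ike-gw ike-policy ike-policy
set security ike gateway ike-gw address 198.51.100.10
set security ike gateway ike-gw external-interface fe-0/0/0.0
"""


def configured_address(config_text, gateway):
    """Return the address currently committed for the gateway, or None."""
    prefix = f"set security ike gateway {gateway} address "
    for line in config_text.splitlines():
        if line.startswith(prefix):
            return line[len(prefix):].strip()
    return None


def resolve_ipv4(hostname, resolver=socket.gethostbyname):
    """Resolve the DDNS name; the resolver is injectable so tests run offline."""
    address = resolver(hostname)
    ipaddress.IPv4Address(address)  # raises ValueError on anything that is not a literal IPv4
    return address


def build_update(gateway, hostname, current, resolver=socket.gethostbyname):
    """Set commands that move the gateway to the freshly resolved address;
    empty when the DDNS record still points at the committed address."""
    new = resolve_ipv4(hostname, resolver)
    if new == current:
        return []
    commands = []
    if current is not None:
        # 'address' under an IKE gateway is a list (backup peers), so delete the
        # stale entry rather than silently adding a second peer
        commands.append(f"delete security ike gateway {gateway} address {current}")
    commands.append(f"set security ike gateway {gateway} address {new}")
    return commands


def push_with_pyez(host, user, commands):
    """Load and commit the commands over NETCONF with Junos PyEZ (assumed to be
    installed and to have SSH access); not exercised offline."""
    from jnpr.junos import Device
    from jnpr.junos.utils.config import Config
    with Device(host=host, user=user) as dev:
        cu = Config(dev)
        cu.load("\n".join(commands), format="set")
        cu.commit(comment="ddns peer refresh")


if __name__ == "__main__":
    # Stub resolver keeps the demo offline; a real run drops the resolver argument
    # and fetches SAMPLE_CONFIG from the SRX instead.
    current = configured_address(SAMPLE_CONFIG, "ike-gw")
    for cmd in build_update("ike-gw", "1709.ddns.net", current, resolver=lambda h: "198.51.100.11"):
        print(cmd)
```

Run it from cron on a management host (or as a Junos event script) so that a DDNS change is committed instead of leaving the gateway pointed at a stale peer address.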