SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Terminating multiple IPsec VPN Tunnels on the same physical interface

    Posted 01-07-2015 16:15

    I have an IPsec tunnel up and working, using ge-0/0/1 as the external interface and st0.0 as the bind interface. I'm trying to set up two additional tunnels to AWS using ge-0/0/1 as the external interface and st1.0 and st1.1 as the bind interfaces. Running Junos 12.1X44-D20.3, should this be an issue?

     

    The two additional tunnels to AWS aren't coming up. I'm seeing in the debug logs that it's not finding a gateway match:

     

    [Jan 6 14:20:08][<local IP> <-> <remote IP>] Search for a tunnel matching the IKE peers, local:<local IP>, remote:<remote IP> IKEv1
    [Jan 6 14:20:08][<local IP> <-> <remote IP>] iked_pm_phase1_sa_cfg_lookup_by_addr: Address based phase 1 SA-CFG lookup failed for local:<local IP>, remote:<remote IP> IKEv1
    [Jan 6 14:20:08][<local IP> <-> <remote IP>] iked_pm_dynamic_gw_local_addr_based_lookup: called with local ip:<local IP>
    [Jan 6 14:20:08][<local IP> <-> <remote IP>] dynamic gateway match unsuccessful:
    [Jan 6 14:20:08][<local IP> <-> <remote IP>] iked_pm_ike_spd_select_ike_sa failed. rc 1, error_code: No proposal chosen
    [Jan 6 14:20:08][<local IP> <-> <remote IP>] ikev2_fb_spd_select_sa_cb: IKEv2 SA select failed with error No proposal chosen (neg df8800)

     

    Here's what I have configured for IKE gateways:

     

    set security ike gateway gw-aws-193 ike-policy ike-pol-aws-193
    set security ike gateway gw-aws-193 address <remote IP>
    set security ike gateway gw-aws-193 dead-peer-detection interval 10
    set security ike gateway gw-aws-193 dead-peer-detection threshold 3
    set security ike gateway gw-aws-193 external-interface ge-0/0/1

    I've checked and double checked the config. AWS has a standard set of IKE proposal options:

     

    set security ike proposal ike-prop-aws authentication-method pre-shared-keys
    set security ike proposal ike-prop-aws dh-group group2
    set security ike proposal ike-prop-aws authentication-algorithm sha1
    set security ike proposal ike-prop-aws encryption-algorithm aes-128-cbc
    set security ike proposal ike-prop-aws lifetime-seconds 28800

    The majority of the config comes straight from Amazon. There's nothing exotic going on. What am I missing?



  • 2.  RE: Terminating multiple IPsec VPN Tunnels on the same physical interface

    Posted 01-07-2015 22:20

    Hi cknight,

     

    You can configure multiple IPsec VPNs terminating on the same external interface in all Junos versions.

     

    As per the trace logs, it is clear that the IKE request from the remote peer is not able to match any IKE gateway configuration on the SRX.

     

    "No proposal chosen" may be thrown when no VPN configuration is matched for the received IKE packet.

     

    Check the configuration and share it.

     

    Regards,

    rparthi

     

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too



  • 3.  RE: Terminating multiple IPsec VPN Tunnels on the same physical interface

    Posted 01-08-2015 07:28

    Hi rparthi,

     

    Thanks for the response. Here's what I have as a config:

     

    set security ike proposal ike-prop-aws authentication-method pre-shared-keys 
    set security ike proposal ike-prop-aws authentication-algorithm sha1
    set security ike proposal ike-prop-aws encryption-algorithm aes-128-cbc
    set security ike proposal ike-prop-aws lifetime-seconds 28800
    set security ike proposal ike-prop-aws dh-group group2
    
    set security ike policy ike-pol-aws-194 mode main 
    set security ike policy ike-pol-aws-194 proposals ike-prop-aws
    set security ike policy ike-pol-aws-194 pre-shared-key ascii-text <PSK>
    
    set security ike gateway gw-aws-194 ike-policy ike-pol-aws-194
    set security ike gateway gw-aws-194 external-interface ge-0/0/1
    set security ike gateway gw-aws-194 address <external IP>
    
    set security ipsec proposal ipsec-prop-aws protocol esp
    set security ipsec proposal ipsec-prop-aws authentication-algorithm hmac-sha1-96
    set security ipsec proposal ipsec-prop-aws encryption-algorithm aes-128-cbc
    set security ipsec proposal ipsec-prop-aws lifetime-seconds 3600
    
    set security ipsec policy ipsec-pol-aws perfect-forward-secrecy keys group2
    set security ipsec policy ipsec-pol-aws proposals ipsec-prop-aws
    
    set security ipsec vpn vpn-aws-194 bind-interface st1.0
    set security ipsec vpn vpn-aws-194 ike gateway gw-aws-194
    set security ipsec vpn vpn-aws-194 ike ipsec-policy ipsec-pol-aws
    set security ipsec vpn vpn-aws-194 df-bit clear 
    
    set security ike gateway gw-aws-194 dead-peer-detection interval 10
    set security ike gateway gw-aws-194 dead-peer-detection threshold 3

     

    Here's the configuration Amazon gives you (note that you can't change any proposal options, they're set in stone by Amazon): http://docs.aws.amazon.com/AmazonVPC/latest/NetworkAdminGuide/Juniper.html

     

    They have you configure two tunnels. The only difference in the second tunnel is the gateway address, PSK, and bind interface. I added a static route so all communication with the gateway goes out the proper interface (since it isn't our default route) and uses the correct source IP.

     

    I've checked and double checked the gateway addresses. Why would the Juniper say it can't find a gateway match?

     

    iked_pm_phase1_sa_cfg_lookup_by_addr: Address based phase 1 SA-CFG lookup failed for local:<local IP>, remote:<remote IP> IKEv1
  • 4.  RE: Terminating multiple IPsec VPN Tunnels on the same physical interface
    Best Answer

    Posted 01-08-2015 08:02

    Change your additional secure tunnel interfaces to st0.2 and st0.3, I don't think you can have st1.0, etc.
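
As an added check, not part of the thread and not a Juniper tool: a small Python linter over Junos set-style configuration that flags the mistake mykegoneby spotted (a bind-interface that is not an st0 unit) before commit, together with two related conditions worth checking at the same time: two route-based VPNs bound to the same st0 unit, and two IKE gateways on the same external interface with the same peer address. The sample configs, VPN and gateway names, and the peer addresses (RFC 5737 documentation ranges) are constructed for this example; the broken variant mirrors the thread's st1.0/st1.1 setup and the fixed variant follows the accepted answer.

```python
"""Lint Junos 'set'-style config for common route-based IPsec VPN mistakes.

Constructed example (not from the thread or from Juniper). Rules encoded:
  1. bind-interface must be an st0.<unit> (the thread's failure was st1.x).
  2. Each route-based VPN needs its own st0 unit.
  3. Gateways sharing an external-interface must have distinct peer addresses,
     since the SRX picks the phase 1 config by local/remote address.
  4. A VPN must reference an IKE gateway that is actually defined.
"""
import re
from collections import defaultdict

ST0_UNIT = re.compile(r"^st0\.\d+$")
SET_LINE = re.compile(r"^\s*set\s+(.*\S)\s*$")

# Constructed sample: the thread's layout with the two AWS tunnels on st1.x.
BROKEN_CONFIG = """
set security ike gateway gw-existing address 198.51.100.5
set security ike gateway gw-existing external-interface ge-0/0/1
set security ike gateway gw-aws-193 ike-policy ike-pol-aws-193
set security ike gateway gw-aws-193 address 203.0.113.10
set security ike gateway gw-aws-193 dead-peer-detection interval 10
set security ike gateway gw-aws-193 external-interface ge-0/0/1
set security ike gateway gw-aws-194 ike-policy ike-pol-aws-194
set security ike gateway gw-aws-194 address 203.0.113.11
set security ike gateway gw-aws-194 external-interface ge-0/0/1
set security ipsec vpn vpn-existing bind-interface st0.0
set security ipsec vpn vpn-existing ike gateway gw-existing
set security ipsec vpn vpn-aws-193 bind-interface st1.0
set security ipsec vpn vpn-aws-193 ike gateway gw-aws-193
set security ipsec vpn vpn-aws-193 df-bit clear
set security ipsec vpn vpn-aws-194 bind-interface st1.1
set security ipsec vpn vpn-aws-194 ike gateway gw-aws-194
"""

# Same config with the fix from the accepted answer applied.
FIXED_CONFIG = BROKEN_CONFIG.replace("st1.0", "st0.2").replace("st1.1", "st0.3")


def parse_set_config(text):
    """Return each 'set ...' statement as a list of tokens (set keyword dropped)."""
    stmts = []
    for line in text.splitlines():
        m = SET_LINE.match(line)
        if m:
            stmts.append(m.group(1).split())
    return stmts


def lint_vpn_config(text):
    """Return a list of human-readable findings; empty list means clean."""
    gateways = {}  # gateway name -> {"address": ..., "external-interface": ...}
    vpns = {}      # vpn name -> {"bind-interface": ..., "gateway": ...}
    for t in parse_set_config(text):
        if t[:3] == ["security", "ike", "gateway"] and len(t) >= 6:
            if t[4] in ("address", "external-interface"):
                gateways.setdefault(t[3], {})[t[4]] = t[5]
        elif t[:3] == ["security", "ipsec", "vpn"] and len(t) >= 6:
            entry = vpns.setdefault(t[3], {})
            if t[4] == "bind-interface":
                entry["bind-interface"] = t[5]
            elif t[4:6] == ["ike", "gateway"] and len(t) >= 7:
                entry["gateway"] = t[6]

    findings = []
    unit_users = defaultdict(list)
    for name, v in sorted(vpns.items()):
        bind = v.get("bind-interface")
        if bind is None:
            findings.append(f"{name}: no bind-interface (route-based VPN needs one)")
        elif not ST0_UNIT.match(bind):
            findings.append(f"{name}: bind-interface {bind} is not an st0 unit; "
                            f"use st0.<unit> on the SRX")
        else:
            unit_users[bind].append(name)
        gw = v.get("gateway")
        if gw is None or gw not in gateways:
            findings.append(f"{name}: ike gateway {gw!r} is not defined")
    for unit, users in sorted(unit_users.items()):
        if len(users) > 1:
            findings.append(f"{unit}: bound by more than one VPN ({', '.join(users)})")

    peers = defaultdict(list)
    for name, g in gateways.items():
        peers[(g.get("external-interface"), g.get("address"))].append(name)
    for (ext, addr), names in sorted(peers.items(), key=lambda kv: (str(kv[0][0]), str(kv[0][1]))):
        if len(names) > 1:
            findings.append(f"{ext}: gateways {', '.join(sorted(names))} share peer address {addr}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"== {label} ==")
        for f in lint_vpn_config(cfg) or ["clean"]:
            print(" ", f)
```

Run it against a `show configuration | display set` dump; the broken sample reports both AWS tunnels for using st1.x, and the fixed sample comes back clean. The duplicate-unit and duplicate-peer checks catch the two other ways a second tunnel on the same external interface is commonly misconfigured.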



  • 5.  RE: Terminating multiple IPsec VPN Tunnels on the same physical interface

    Posted 01-08-2015 10:46

    mykegoneby... that was it. That's so frustrating that (a) it lets you do that, and (b) that no one else I showed this config to caught that. Thank you so much!

     

    Edit: Is this because I already had an st0 tunnel? If they were all st1, would that work?



  • 6.  RE: Terminating multiple IPsec VPN Tunnels on the same physical interface

    Posted 01-08-2015 10:50
    No problem, glad I could help.