Hello All,
I'm having trouble connecting an SRX100 to an SSG320 via a route-based IPsec tunnel
(I have access to SRX only, the other side is already configured and we are given
the VPN settings - nothing special here: proposal-set compatible, static IPs -
mode main, no NAT-T).
Unfortunately I can't provide CLI outputs right now, but the weird things are:
1) Phase 1 only goes up after the REBOOT of SRX.
If I do "clear security ike security-associations", phase 1 never comes back
(SRX sends initiating request, SSG never replies, which is seen by zero cookie).
Same if I restart ipsec-key-management. No reply from SSG.
Again if I completely reboot the SRX, phase 1 is back online! How can it be? 🙂
2) Phase 2 never goes up, even when phase 1 seems fine, and I see no clue at
all in the traceoptions... Usually if proxy-ids or proposals, etc., do not match,
it is clearly seen, right? But in our case, SSG does not seem to reply at all.
Why?
Any ideas for troubleshooting this further (preferably from the SRX side) will
be appreciated!
P.S. Tried with Junos 10.4R8 and 11.2R5 on the SRX - result is the same.