SRX Services Gateway

VPN Error - Packet to unknown Isakmp - SRX & OpenSwan

04-10-2015 09:16 AM

Hi all,

I've been trying to debug a VPN set up between an SRX device and OpenSwan, but I'm not having any luck. Phase 1 seems to complete correctly, but the SRX device does not seem to recognize the incoming connection on port 4500 to establish Phase 2 and is therefore ending the negotiation.

Below is my full trace on the SRX side; the suspicious piece to me is:

Apr 9 14:08:14 unknown (unknown) <-> unknown { unknown [unknown] / unknown } unknown; Packet to unknown Isakmp SA, ip = 54.208.213.64:500
Apr 9 14:08:24 ike_get_sa: Start, SA = { 0136c400 87fc63e5 - 9e3a884d bd7432b4 } / 00000000, remote = 54.208.213.64:4500

Any ideas on tracking this down?

Full trace below:

--

Apr 9 14:08:11 ike_get_sa: Start, SA = { 0136c400 87fc63e5 - 9e3a884d bd7432b4 } / 00000000, remote = 54.208.213.64:500
Apr 9 14:08:11 ike_find_pre_shared_key: Find pre shared key key for 213.177.161.90:500, id = No Id -> 54.208.213.64:500, id = No Id
Apr 9 14:08:11 ike_find_pre_shared_key: Find pre shared key key for 213.177.161.90:500, id = No Id -> 54.208.213.64:500, id = No Id
Apr 9 14:08:11 ike_send_packet: Start, send SA = { 0136c400 87fc63e5 - 9e3a884d bd7432b4}, nego = -1, src=213.177.161.90:500, dst = 54.208.213.64:500, routing table id = 4
Apr 9 14:08:14 ike_get_sa: Start, SA = { 0136c400 87fc63e5 - 9e3a884d bd7432b4 } / 00000000, remote = 54.208.213.64:4500
Apr 9 14:08:14 213.177.161.90:4500 (Responder) <-> 54.208.213.64:4500 { 0136c400 87fc63e5 - 9e3a884d bd7432b4 [-1] / 0x00000000 } IP; MESSAGE: Phase 1 version = 1.0, auth_method = Pre shared keys, cipher = 3des-cbc, hash = sha1, prf = hmac-sha1, life = 0 kB / 86400 sec,
Apr 9 14:08:14 ike_send_packet: Start, send SA = { 0136c400 87fc63e5 - 9e3a884d bd7432b4}, nego = -1, src=213.177.161.90:4500, dst = 54.208.213.64:4500, routing table id = 4
Apr 9 14:08:14 Inserting DPD server entry for remote: 54.208.213.64:4500. SA_CFG=
Apr 9 14:08:14 Phase-1 [responder] done for local=ipv4(udp:0,[0..3]=213.177.161.90) remote=ipv4(any:0,[0..3]=54.208.213.64)
Apr 9 14:08:14 unknown (unknown) <-> unknown { unknown [unknown] / unknown } unknown; Packet to unknown Isakmp SA, ip = 54.208.213.64:500
Apr 9 14:08:24 ike_get_sa: Start, SA = { 0136c400 87fc63e5 - 9e3a884d bd7432b4 } / 00000000, remote = 54.208.213.64:4500
Apr 9 14:08:24 ike_send_packet: Start, retransmit previous packet SA = { 0136c400 87fc63e5 - 9e3a884d bd7432b4}, nego = -1, src=213.177.161.90:4500, dst = 54.208.213.64:4500, routing table id = 4
Apr 9 14:08:35 unknown (unknown) <-> unknown { unknown [unknown] / unknown } unknown; Packet to unknown Isakmp SA, ip = 54.208.213.64:500
Apr 9 14:08:39 ike_send_packet: Start, retransmit previous packet SA = { 268017af 94fc9de3 - 9e3621c8 724324e6}, nego = -1, src=213.177.161.90:500, dst = 54.208.213.64:500, routing table id = 4
Apr 9 14:08:39 ike_get_sa: Start, SA = { 1b276ff0 64508643 - 00000000 00000000 } / 00000000, remote = 54.208.213.64:500
Apr 9 14:08:39 ike_init_isakmp_sa: Start, remote = 54.208.213.64:500, initiator = 0
Apr 9 14:08:39 The remote server at 54.208.213.64:500 is '4f 45 75 5c 64 5c 6a 79 5c 5c 61 70'
Apr 9 14:08:39 The remote server at 54.208.213.64:500 is 'draft-ietf-ipsec-dpd-00.txt'
Apr 9 14:08:39 Not setting PMDATA_PEER_IS_OURS for 54.208.213.64
Apr 9 14:08:39 The remote server at 54.208.213.64:500 is '4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f'
Apr 9 14:08:39 The remote server at 54.208.213.64:500 is 'draft-ietf-ipsec-nat-t-ike-03'
Apr 9 14:08:39 Not setting PMDATA_PEER_IS_OURS for 54.208.213.64
Apr 9 14:08:39 The remote server at 54.208.213.64:500 is 'draft-ietf-ipsec-nat-t-ike-02'
Apr 9 14:08:39 Not setting PMDATA_PEER_IS_OURS for 54.208.213.64
Apr 9 14:08:39 The remote server at 54.208.213.64:500 is 'draft-ietf-ipsec-nat-t-ike-02'
Apr 9 14:08:39 Not setting PMDATA_PEER_IS_OURS for 54.208.213.64
Apr 9 14:08:39 The remote server at 54.208.213.64:500 is 'draft-ietf-ipsec-nat-t-ike-00'
Apr 9 14:08:39 Not setting PMDATA_PEER_IS_OURS for 54.208.213.64
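As an added example (not part of the original post, and not Juniper or OpenSwan code), the following Python script parses SRX IKE trace lines of the shape shown above and correlates each "Packet to unknown Isakmp SA" message with the ip:port on which the known IKE SAs were last seen. The sample input is six lines copied from the trace above; the regular expressions, the IkeTraceReport structure and the wording of the findings are my own assumptions about the trace format, not an SRX facility.

```python
import re
from dataclasses import dataclass, field

# Sample input: six lines copied from the SRX trace posted above.
SAMPLE_TRACE = """\
Apr 9 14:08:11 ike_get_sa: Start, SA = { 0136c400 87fc63e5 - 9e3a884d bd7432b4 } / 00000000, remote = 54.208.213.64:500
Apr 9 14:08:14 ike_get_sa: Start, SA = { 0136c400 87fc63e5 - 9e3a884d bd7432b4 } / 00000000, remote = 54.208.213.64:4500
Apr 9 14:08:14 Phase-1 [responder] done for local=ipv4(udp:0,[0..3]=213.177.161.90) remote=ipv4(any:0,[0..3]=54.208.213.64)
Apr 9 14:08:14 unknown (unknown) <-> unknown { unknown [unknown] / unknown } unknown; Packet to unknown Isakmp SA, ip = 54.208.213.64:500
Apr 9 14:08:24 ike_get_sa: Start, SA = { 0136c400 87fc63e5 - 9e3a884d bd7432b4 } / 00000000, remote = 54.208.213.64:4500
Apr 9 14:08:35 unknown (unknown) <-> unknown { unknown [unknown] / unknown } unknown; Packet to unknown Isakmp SA, ip = 54.208.213.64:500
"""

# The regular expressions are assumptions about the trace format, derived from the lines above.
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<msg>.*)$")
GET_SA_RE = re.compile(
    r"ike_get_sa: Start, SA = \{\s*(?P<sa>[^}]+?)\s*\}.*?remote = (?P<ip>[\d.]+):(?P<port>\d+)")
PHASE1_RE = re.compile(r"Phase-1 \[(?P<role>\w+)\] done .*remote=ipv4\([^)]*=(?P<ip>[\d.]+)\)")
UNKNOWN_RE = re.compile(r"Packet to unknown Isakmp SA, ip = (?P<ip>[\d.]+):(?P<port>\d+)")


@dataclass
class IkeTraceReport:
    sa_endpoints: dict = field(default_factory=dict)     # SA cookies -> (ip, port) last seen
    phase1_done: set = field(default_factory=set)        # peer IPs with a completed Phase 1
    unknown_packets: list = field(default_factory=list)  # (timestamp, ip, port)
    findings: list = field(default_factory=list)         # human-readable correlation results


def parse_ike_trace(text):
    """Walk the trace once, record SA/endpoint state, then correlate the 'unknown SA' packets."""
    report = IkeTraceReport()
    for line in text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        ts, msg = m.group("ts"), m.group("msg")
        g = GET_SA_RE.search(msg)
        if g:
            # Later sightings overwrite earlier ones, so the dict ends up holding
            # the port the SA floated to (500 before NAT-T detection, 4500 after).
            report.sa_endpoints[g.group("sa")] = (g.group("ip"), int(g.group("port")))
            continue
        p = PHASE1_RE.search(msg)
        if p:
            report.phase1_done.add(p.group("ip"))
            continue
        u = UNKNOWN_RE.search(msg)
        if u:
            report.unknown_packets.append((ts, u.group("ip"), int(u.group("port"))))

    # Correlate every unmatched packet with the ports on which SAs for that peer were seen.
    for ts, ip, port in report.unknown_packets:
        known_ports = sorted({ep[1] for ep in report.sa_endpoints.values() if ep[0] == ip})
        if not known_ports:
            report.findings.append(f"{ts}: packet from {ip}:{port} matches no IKE SA seen in this trace")
        elif port not in known_ports:
            phase = "after Phase 1 completed" if ip in report.phase1_done else "before Phase 1 completed"
            report.findings.append(
                f"{ts}: packet from {ip}:{port} arrived {phase}, but the SA for this peer was last "
                f"seen on port(s) {known_ports}; check NAT-T port float and any NAT or firewall "
                f"between the peers")
        else:
            report.findings.append(f"{ts}: packet from {ip}:{port} hit a known port but matched no SA cookie")
    return report


if __name__ == "__main__":
    for finding in parse_ike_trace(SAMPLE_TRACE).findings:
        print(finding)
```

Run against the sample, the script reports that the SA for 54.208.213.64 was last seen on port 4500 (the NAT-T float) while the two unmatched packets arrived on port 500 after Phase 1 completed, which is the port mismatch a practitioner would want confirmed before comparing the two configurations.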


Re: VPN Error - Packet to unknown Isakmp - SRX & OpenSwan

04-11-2015 08:41 AM
Can you share the VPN config from the SRX?
Thanks,
Suraj
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too

Re: VPN Error - Packet to unknown Isakmp - SRX & OpenSwan

04-13-2015 10:06 PM

Hi,

Can you share both your OpenSwan and your SRX config?

Marc



-----------------------------------------------------------------
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too
-----------------------------------------------------------------

Re: VPN Error - Packet to unknown Isakmp - SRX & OpenSwan

04-13-2015 11:00 PM

Which are the OS versions (SRX Junos and OpenSwan)? Are you creating the proposals on your own or using those that exist on the SRX? Try matching the config (authentication, hashing, encryption, PFS, etc.) exactly.

Also, the configuration from both ends would help in understanding it further.

_
Regards
Malik
JNCIEx4, CCIE, HCIE, VCIX-DCV, VCIX-NV, CISSP, PMP

[If it helped to solve your problem, please mark it "Accept as solution"; Kudos are always Appreciated]