SRX Services Gateway

VPN IPsec between SRX345 and NS5GT with dynamic IP address (policy based)

04-08-2019 08:11 AM

Hi to all,

I'm trying to configure a VPN connection between an SRX345 with a static IP address and a NetScreen NS5GT with a dynamic IP address... I've read a lot of community articles but the connection doesn't come up....

I have this configuration on the SRX side (there may be an error with the {}, as I've copied it omitting some info):

 

security {
    log {
        mode stream;
        report;
    }
    ike {
        traceoptions {
            file size 100m;
            flag all;
        }
        respond-bad-spi 5;
        proposal pre-g2-3des-sha {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 28800;
        }
        policy gw_girona_2 {
            mode aggressive;
            proposal-set compatible;
            pre-shared-key ascii-text "$9$-/Vb2kqfF6AoJ39A0hcYgoajqTz69Cu"; ## SECRET-DATA
        }
        gateway gw_girona_2 {
            ike-policy gw_girona_2;
            dynamic {
                hostname girona2;
                ike-user-type group-ike-id;
            }
            nat-keepalive 100;
            external-interface ge-0/0/2.0;
            version v1-only;
        }
    }
    ipsec {
        policy policy-vpn_girona {
            proposals [ nopfs-esp-3des-sha nopfs-esp-3des-md5 nopfs-esp-des-sha nopfs-esp-des-md5 ];
        }
        vpn vpn_girona {
            ike {
                gateway gw_girona_2;
                no-anti-replay;
                ipsec-policy policy-vpn_girona;
            }
            establish-tunnels on-traffic;
        }
    }
}

And on the NS5GT side, which has a dynamic IP address, I have this configuration:

set ike gateway "a_centralONO" address X.X.X.X id "XXXXXXXXX" Aggr local-id "girona2" outgoing-interface "untrust" preshare "lzxXgyM+N7nC5YsPvTCHKvt3zNnIMszB5g==" proposal "pre-g2-3des-sha"
set ike gateway "a_centralONO" nat-traversal
set ike gateway "a_centralONO" nat-traversal udp-checksum
set ike gateway "a_centralONO" nat-traversal keepalive-frequency 0
set vpn "vpn_centralONO" gateway "a_centralONO" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-sha" "nopfs-esp-3des-md5" "nopfs-esp-des-sha" "nopfs-esp-des-md5"

I've configured the security policies as well, but the connection is not coming up.

 

I can see this in the kmd log:

 

[Apr  8 13:21:01]---------> Received from 2.2.2.101:500 to X.X.X.X:0, VR 0, length 367 on IF
[Apr  8 13:21:01]ikev2_packet_st_input_start: FSM_SET_NEXT:ikev2_packet_st_input_v1_get_sa
[Apr  8 13:21:01]ikev2_packet_st_input_v1_get_sa: FSM_SET_NEXT:ikev2_packet_st_input_v1_create_sa
[Apr  8 13:21:01]ikev2_packet_st_input_v1_create_sa: [123f000/0] No IKE SA for packet; requesting permission to create one.
[Apr  8 13:21:01]ikev2_packet_st_input_v1_create_sa: FSM_SET_NEXT:ikev2_packet_st_connect_decision
[Apr  8 13:21:01]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
[Apr  8 13:21:01]ike_get_sa: Start, SA = { 8d607adb 00e69fba - 00000000 00000000 } / 00000000, remote = 2.2.2.101:500
[Apr  8 13:21:01]ike_sa_allocate: Start, SA = { 8d607adb 00e69fba - 57a241d2 b47556d2 }
[Apr  8 13:21:01]ike_init_isakmp_sa: Start, remote = 2.2.2.101:500, initiator = 0
[Apr  8 13:21:01]ikev2_fb_p1_negotiation_allocate_sa: FSM_SET_NEXT:ikev2_fb_p1_negotiation_wait_sa_done
[Apr  8 13:21:01]ikev2_fb_st_new_p1_connection_start: FSM_SET_NEXT:ikev2_fb_st_new_p1_connection_local_addresses
[Apr  8 13:21:01]ikev2_fb_st_new_p1_connection_local_addresses: FSM_SET_NEXT:ikev2_fb_st_new_p1_connection_result
[Apr  8 13:21:01]IKEv1 packet R(<none>:500 <- 2.2.2.101:500): len=  367, mID=00000000, HDR, SA, KE, Nonce, ID, Vid, Vid, Vid, Vid, Vid
[Apr  8 13:21:01]ike_st_i_vid: VID[0..28] = 166f932d 55eb64d8 ...
[Apr  8 13:21:01]ike_st_i_vid: VID[0..16] = 90cb8091 3ebb696e ...
[Apr  8 13:21:01]ike_st_i_vid: VID[0..16] = 4485152d 18b6bbcd ...
[Apr  8 13:21:01]ike_st_i_vid: VID[0..16] = afcad713 68a1f1c9 ...
[Apr  8 13:21:01]ike_st_i_vid: VID[0..20] = 48656172 74426561 ...
[Apr  8 13:21:01]ike_st_i_id: Start
[Apr  8 13:21:01]ike_st_i_sa_proposal: Start
[Apr  8 13:21:01]ikev2_fb_st_select_ike_sa: FSM_SET_NEXT:ikev2_fb_st_select_ike_sa_finish
[Apr  8 13:21:01]iked_pm_ike_spd_select_ike_sa failed. rc 1, error_code: No proposal chosen
[Apr  8 13:21:01]ikev2_fb_spd_select_sa_cb: IKEv2 SA select failed with error No proposal chosen (neg eff800)
[Apr  8 13:21:01]ike_isakmp_sa_reply: Start
[Apr  8 13:21:01]ike_state_restart_packet: Start, restart packet SA = { 8d607adb 00e69fba - 1bd9a0e0 ac3315d4}, nego = -1
[Apr  8 13:21:01]ike_st_i_sa_proposal: Start
[Apr  8 13:21:01]ike_st_i_nonce: Start, nonce[0..20] = 82c494ad 065c0618 ...
[Apr  8 13:21:01]ike_st_i_cert: Start
[Apr  8 13:21:01]ike_st_i_hash_key: Start, no key_hash
[Apr  8 13:21:01]ike_st_i_ke: Ke[0..128] = 61f15f03 2ceafdff ...
[Apr  8 13:21:01]ike_st_i_cr: Start
[Apr  8 13:21:01]ike_st_i_private: Start
[Apr  8 13:21:01]ike_st_o_sa_values: Start
[Apr  8 13:21:01]X.X.X.X:500 (Responder) <-> 2.2.2.101:500 { 8d607adb 00e69fba - 1bd9a0e0 ac3315d4 [-1] / 0x00000000 } Aggr; Error = No proposal chosen (14)
[Apr  8 13:21:01]IKEv1 packet S(<none>:500 -> 2.2.2.101:500): len=  102, mID=41d7bea0, HDR, N(NO_PROPOSAL_CHOSEN)
[Apr  8 13:21:01]ike_send_packet: Start, send SA = { 8d607adb 00e69fba - 1bd9a0e0 ac3315d4}, nego = 0, dst = 2.2.2.101:500
[Apr  8 13:21:01]IKE negotiation fail for local:X.X.X.X, remote:2.2.2.101 IKEv1 with status: No proposal chosen
[Apr  8 13:21:01]  IKEv1 Error : No proposal chosen

I can see "No proposal chosen", but the proposal is configured on both sides. And this in the messages log:

 

Apr  8 13:23:11  IURISTEL-FW kmd[1834]: IKE negotiation failed with error: IKE gateway configuration lookup failed during negotiation. IKE Version: 1, VPN: Not-Available Gateway: Not-Available, Local: X.X.X.X/500, Remote: 2.2.2.101/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Responder

Could anybody tell me what the error is???? I'm going crazy with this. I'm not able to solve this issue....

Thanks in advance!!! Any help will be appreciated!!

David.

 


Re: VPN IPsec between SRX345 and NS5GT with dynamic IP address (policy based)

04-08-2019 10:29 AM

Hi dBabi,

 

Under the ipsec configuration (SRX) the st0 interface is not defined, hence the configuration lookup failure.

 

The output of the following command should confirm the same:

show security ipsec inactive-tunnels

 

Example config for a route-based VPN between SRX and SSG:

https://www.juniper.net/documentation/en_US/junos12.1x44/topics/example/ipsec-route-based-vpn-config...

 

Regards,

Rahul

Re: VPN IPsec between SRX345 and NS5GT with dynamic IP address (policy based)

04-08-2019 12:17 PM

Hi David,

 

If the title is correct and you are configuring a policy-based VPN on the SRX then you don't need an st0 interface. Do you have a security policy in the correct zone context referencing "vpn_girona"? Do you have a route pointing to the remote subnet via the correct external interface?

 

Pura Vida from Costa Rica - Mark as Resolved if it applies.
Kudos are appreciated too!

Re: VPN IPsec between SRX345 and NS5GT with dynamic IP address (policy based)

04-08-2019 11:42 PM

Hi Epaniagua,

Yes, that's correct... I need to configure a policy-based VPN between the SRX (static WAN IP address) and an NS5GT (dynamic WAN IP address)...

I have configured the policy from the trust zone (Internal in this case) to the untrust zone (Internet in this case) for in and out traffic. If the traffic matches, I tunnel it.

I don't understand your question about the route... Where do I need to configure this route?? On the SRX?? The NS5GT doesn't have a static IP address, so I can't route anything. So I could configure this on the NS5GT side only, is that correct??

Thanks for all!!

David.

 


Re: VPN IPsec between SRX345 and NS5GT with dynamic IP address (policy based)

04-09-2019 03:39 AM

Hi David,

 

My bad for missing the subject ending about this being a policy-based VPN.

 

The routes required on either side are the Internet default routes. (I believe they exist, since you receive a request from the peer.)

On the SRX side the config is not found correctly and hence no IKE reply gets generated.

 

Further, what is the policy configuration? Does it match the following example?

set security policies from-zone trust to-zone untrust policy vpn-tr-untr match source-address sunnyvale
set security policies from-zone trust to-zone untrust policy vpn-tr-untr match destination-address chicago
set security policies from-zone trust to-zone untrust policy vpn-tr-untr match application any
set security policies from-zone trust to-zone untrust policy vpn-tr-untr then permit tunnel ipsec-vpn ike-vpn-chicago
set security policies from-zone trust to-zone untrust policy vpn-tr-untr then permit tunnel pair-policy vpn-untr-tr
 
set security policies from-zone untrust to-zone trust policy vpn-untr-tr match source-address chicago
set security policies from-zone untrust to-zone trust policy vpn-untr-tr match destination-address sunnyvale
set security policies from-zone untrust to-zone trust policy vpn-untr-tr match application any
set security policies from-zone untrust to-zone trust policy vpn-untr-tr then permit tunnel ipsec-vpn ike-vpn-chicago
set security policies from-zone untrust to-zone trust policy vpn-untr-tr then permit tunnel pair-policy vpn-tr-untr
 
 
Regards,

Rahul
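The policy lines above cover only the security policies. For reference, here is a complete SRX-side configuration for the thread's scenario in the same set form, assembled as an added example (it is not from the thread or from Juniper documentation). It reuses the thread's names (gw_girona_2, vpn_girona, policy-vpn_girona, ge-0/0/2.0, IKE ID girona2, and the zones Internal and Internet as David described them); the subnets 192.0.2.0/24 and 198.51.100.0/24, the address and policy names and the pre-shared key are placeholders. Two deliberate departures from the posted config: the IKE policy references the pre-g2-3des-sha proposal that the posted config defines but never uses, instead of proposal-set compatible (which also admits DES and MD5), and the gateway uses a plain dynamic hostname because there is a single peer. 3DES, SHA-1 and DH group 2 are kept only to match the NS5GT's proposal and are weak by current standards; aggressive mode with a pre-shared key lets anyone who captures the exchange attack the key offline, so the key must be long and random. Lines beginning with ## are annotations, not CLI input.

```junos
## Added example (not from the thread): full SRX-side policy-based IKEv1 VPN, "set" form.
## Placeholders: 192.0.2.0/24 (behind the SRX), 198.51.100.0/24 (behind the NS5GT),
## the address and policy names, and the pre-shared key.

## Phase 1. One proposal, identical to the NS5GT's "pre-g2-3des-sha". The posted config
## defines it but its IKE policy uses proposal-set compatible, which also admits DES/MD5.
set security ike proposal pre-g2-3des-sha authentication-method pre-shared-keys
set security ike proposal pre-g2-3des-sha dh-group group2
set security ike proposal pre-g2-3des-sha authentication-algorithm sha1
set security ike proposal pre-g2-3des-sha encryption-algorithm 3des-cbc
set security ike proposal pre-g2-3des-sha lifetime-seconds 28800
## Aggressive mode is forced by the dynamic peer address under IKEv1, but it exposes
## the PSK to offline guessing by a passive observer: use a long random key.
set security ike policy gw_girona_2 mode aggressive
set security ike policy gw_girona_2 proposals pre-g2-3des-sha
set security ike policy gw_girona_2 pre-shared-key ascii-text "REPLACE-WITH-A-LONG-RANDOM-KEY"

## The peer has no fixed address, so it is selected by the IKE ID it sends, which must
## equal the NS5GT's 'local-id "girona2"'. One peer: plain hostname, no group-ike-id.
set security ike gateway gw_girona_2 ike-policy gw_girona_2
set security ike gateway gw_girona_2 dynamic hostname girona2
set security ike gateway gw_girona_2 external-interface ge-0/0/2.0
set security ike gateway gw_girona_2 version v1-only

## Phase 2. Define the single proposal the policy references (the posted config names
## four but omits their definitions). This mirrors ScreenOS "nopfs-esp-3des-sha":
## ESP, 3DES, HMAC-SHA1, and no PFS group on the IPsec policy.
set security ipsec proposal nopfs-esp-3des-sha protocol esp
set security ipsec proposal nopfs-esp-3des-sha encryption-algorithm 3des-cbc
set security ipsec proposal nopfs-esp-3des-sha authentication-algorithm hmac-sha1-96
set security ipsec proposal nopfs-esp-3des-sha lifetime-seconds 3600
set security ipsec policy policy-vpn_girona proposals nopfs-esp-3des-sha
set security ipsec vpn vpn_girona ike gateway gw_girona_2
set security ipsec vpn vpn_girona ike ipsec-policy policy-vpn_girona
## (anti-replay is left at its default, enabled; the posted config switches it off)

## The SRX only answers IKE on an interface whose zone admits it.
set security zones security-zone Internet interfaces ge-0/0/2.0 host-inbound-traffic system-services ike

## A policy-based VPN is used only through security policies that reference it.
## Both directions are needed and are tied together with pair-policy.
set security address-book global address net-central 192.0.2.0/24
set security address-book global address net-girona 198.51.100.0/24
set security policies from-zone Internal to-zone Internet policy vpn-out match source-address net-central
set security policies from-zone Internal to-zone Internet policy vpn-out match destination-address net-girona
set security policies from-zone Internal to-zone Internet policy vpn-out match application any
set security policies from-zone Internal to-zone Internet policy vpn-out then permit tunnel ipsec-vpn vpn_girona
set security policies from-zone Internal to-zone Internet policy vpn-out then permit tunnel pair-policy vpn-in
set security policies from-zone Internet to-zone Internal policy vpn-in match source-address net-girona
set security policies from-zone Internet to-zone Internal policy vpn-in match destination-address net-central
set security policies from-zone Internet to-zone Internal policy vpn-in match application any
set security policies from-zone Internet to-zone Internal policy vpn-in then permit tunnel ipsec-vpn vpn_girona
set security policies from-zone Internet to-zone Internal policy vpn-in then permit tunnel pair-policy vpn-out
```

With a policy-based VPN the SRX derives the Phase 2 proxy IDs from the policy's source address, destination address and application, so the NS5GT's policy must use the mirrored addresses or Phase 2 fails even when Phase 1 succeeds. The IPsec lifetime of 3600 seconds is an assumed value; set it to whatever the NS5GT uses.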

Re: VPN IPsec between SRX345 and NS5GT with dynamic IP address (policy based)

04-09-2019 08:02 AM

David,

 

Please confirm that you have a pair-policy configured for the security-policy that sends the traffic to the tunnel.

 

Also take the IKE traces again but increase the level to 15 so we can check deeper:

 

    ike {
        traceoptions {
            file size [max value];
            flag all;
        }
    }

 

After committing the above configuration, increase the level and filter by peer with the following commands:

 

> request security ike debug-enable local [Local_Public_IP] remote [Remote_Public_IP] level 15
> show security ike debug-status

 

This will log more detailed information about the negotiation and may reveal the root cause.

 

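As an added walk-through of the debug procedure above (not from the thread), the full cycle from enabling the trace to switching it off again and checking the result. The addresses 203.0.113.1 (SRX external address) and 198.51.100.10 (the NS5GT's current dynamic address), the trace file name ike-girona and the zone names Internal and Internet are placeholders; lines beginning with ## are annotations, not CLI input.

```junos
## Added example (not from the thread). Placeholders: 203.0.113.1 = SRX external address,
## 198.51.100.10 = the NS5GT's address right now (it is dynamic, so check it every time).

## 1. Per-peer trace into a named, size-bounded file. (The thread's trace had no file
##    name, which is why its output showed up in the kmd log.)
configure
set security ike traceoptions file ike-girona size 10m files 3
set security ike traceoptions flag all
commit and-quit

## 2. Raise the trace level for this peer pair only, and confirm it took effect.
request security ike debug-enable local 203.0.113.1 remote 198.51.100.10 level 15
show security ike debug-status

## 3. Reproduce by sending traffic that matches the tunnel policy from the NS5GT side,
##    then read only the lines that decide the negotiation: exchange mode, the peer's
##    IKE ID, gateway selection and any NOTIFY error.
show log ike-girona | match "Aggr|ike_st_i_id|gateway|NO_PROPOSAL|No proposal|lookup"

## 4. Switch the debug off and remove the trace: level 15 records every payload of every
##    exchange and fills the log quickly.
request security ike debug-disable
configure
delete security ike traceoptions
commit and-quit

## 5. Verify both phases, that the policy-based VPN is no longer listed as inactive, and
##    that the tunnel policies exist in the zone pair they are expected in.
show security ike security-associations
show security ipsec security-associations
show security ipsec inactive-tunnels
show security policies from-zone Internal to-zone Internet detail
show security policies from-zone Internet to-zone Internal detail
```

The match filter is a plain regular expression over the trace; the tokens in it (Aggr, ike_st_i_id, No proposal) are the ones visible in the kmd excerpt in the first post, so the same filter applies to that output too.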

Re: VPN IPsec between SRX345 and NS5GT with dynamic IP address (policy based)

04-10-2019 02:12 AM

Hi Epaniagua,

 

Sorry for the delay in my answer...

 

No... I didn't have the security policy configured............ This configuration was migrated from an SSG with Juniper's migration tool and this part was not migrated properly.... Now it is configured...

 

This SRX is at my customer's site, so I will call them to test this configuration... When I have the result I will answer in this discussion thread.

 

I have configured this line in the security ipsec vpn: "establish-tunnels on-traffic". Is it correct in this case???

 

Thanks for all!!

David.


Re: VPN IPsec between SRX345 and NS5GT with dynamic IP address (policy based)

04-10-2019 02:31 AM

Hi David,

 

Hence, the pair policy seems to be what was missing.

 

[David] I have configured this line in the security ipsec vpn: "establish-tunnels on-traffic". Is it correct in this case???

 

[Juniper]: Not required, as it's the default behaviour.

on-traffic—IKE is activated only when data traffic flows and must be negotiated with the peer gateway. This is the default behavior.

https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/security-...

 

Regards,

Rahul
Juniper

Re: VPN IPsec between SRX345 and NS5GT with dynamic IP address (policy based)

04-11-2019 11:42 PM

Hi to all,

Sorry for the delay... I don't know why, but the system didn't let me reply to this post yesterday...

I'm going crazy with this issue... Last Wednesday, I went to my customer to configure the policy rules and the SRX began to assign the VPN connection properly, but I hadn't configured the local ID correctly, so the VPN didn't work... After I configured the local ID, the SRX stopped assigning the VPN connection and everything went back to how it was at the beginning....

I changed everything back to how it was at the beginning, but the VPN didn't come up, and I haven't managed to get it back to the state it was in at the beginning.

I attach the VPN config and the logs (kmd and messages)... Any help will be welcome??

Thanks in advance!!

David


Re: VPN IPsec between SRX345 and NS5GT with dynamic IP address (policy based)

04-12-2019 11:48 AM

Hi David,

 

Please elevate the level of debugging to 15 and provide the IKE traceoptions again. You can do this with the following commands after activating the traceoptions:

 

> request security ike debug-enable local [SRX-IP] remote [SSG-IP] level 15
> show security ike debug-status

 
