SRX Services Gateway

VPN SRX240 Racoon Site-to-Site no Traffic

05-27-2015 05:31 AM

Hello,

We set up a site-to-site VPN connection between an SRX240H2 (version 12.1X44-D45.2) and a Linux machine (CentOS 6) using racoon, based on these instructions:
http://rtoodtoo.net/ipsec-vpn-between-srx-and-linux/


We now have the problem that the tunnel between the networks 172.16.100.0/24 and 172.29.0.1/24 is established, but no traffic passes through it in either direction.

The SRX and the CentOS machine are directly connected to the internet.
Our setup looks like this:


(ANET) private network on SRX: 172.100.16.0/24
(AIP) private IP SRX: 172.16.100.1
(APUB) public IP SRX: 1.1.3.145

(BNET) private network on CentOS: 172.29.0.0/16
(BIP) private IP SRX: 172.29.0.1
(BPUB) public IP SRX: 4.1.7.176

*------------- ( VPN TUNNEL ) ------------------*
ANET--SRX--APUB <--- INTERNET ---> BIP--CENTOS--BNET
(AIP) (BIP)

SRX Config

interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 1.1.3.145/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 172.16.100.1/24;
            }
        }
    }
    st0 {
        unit 6 {
            family inet;
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 1.1.3.1;
        ...
        route 172.29.0.0/16 next-hop st0.6;
    }
}
security {
    ike {
        proposal ike-prop-vpn-ka {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 28800;
        }
        policy ike-pol-vpn-ka {
            mode main;
            proposals ike-prop-vpn-ka;
            pre-shared-key ascii-text "xxxxxxxxxx"; ## SECRET-DATA
        }
        gateway gw-vpn-ka {
            ike-policy ike-pol-vpn-ka;
            address 4.1.7.176;
            dead-peer-detection;
            local-identity inet 1.1.3.145;
            remote-identity inet 4.1.7.176;
            external-interface ge-0/0/0.0;
        }
    }
    ipsec {
        vpn-monitor-options;
        proposal ipsec-prop-vpn-ka {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 3600;
        }
        policy ipsec-pol-vpn-ka {
            perfect-forward-secrecy {
                keys group1;
            }
            proposals ipsec-prop-vpn-ka;
        }
        vpn vpn-ka {
            bind-interface st0.6;
            ike {
                gateway gw-vpn-ka;
                proxy-identity {
                    local 172.16.100.0/24;
                    remote 172.29.0.0/16;
                    service any;
                }
                ipsec-policy ipsec-pol-vpn-ka;
            }
            establish-tunnels immediately;
        }
    }
    address-book {
        global {
            ...
        }
    }
    flow {
        inactive: traceoptions {
            file aws-flow;
            flag basic-datapath;
            packet-filter in {
                source-prefix 172.29.0.0/16;
            }
            packet-filter out {
                destination-prefix 172.29.0.0/16;
            }
        }
        tcp-mss {
            ipsec-vpn {
                mss 1387;
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy VPN-Out {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone trust {
            policy vpn-interconnect {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    telnet;
                    ssh;
                    ping;
                    traceroute;
                }
            }
            interfaces {
                ge-0/0/1.0;
                st0.0;
                st0.1;
                st0.2;
                st0.3;
                st0.4;
                st0.5;
                st0.6;
            }
        }
        security-zone untrust {
            host-inbound-traffic {
                system-services {
                    ping;
                    ike;
                }
            }
            interfaces {
                ge-0/0/0.0;
            }
        }
    }
}


IKE and IPsec SA

root@srx# run show security ike sa detail index 2532500
IKE peer 4.1.7.176, Index 2532500, Gateway Name: gw-vpn-ka
  Role: Initiator, State: UP
  Initiator cookie: 4d6a13fd2d09da8d, Responder cookie: b78f030ad5b5fac1
  Exchange type: Main, Authentication method: Pre-shared-keys
  Local: 1.1.3.145:500, Remote: 4.1.7.176:500
  Lifetime: Expires in 28742 seconds
  Peer ike-id: 4.1.7.176
  Xauth assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : hmac-sha1-96
   Encryption            : 3des-cbc
   Pseudo random function: hmac-sha1
   Diffie-Hellman group  : DH-group-2
  Traffic statistics:
   Input  bytes  :                  712
   Output bytes  :                 1152
   Input  packets:                    5
   Output packets:                    6
  Flags: IKE SA is created
  IPSec security associations: 1 created, 0 deleted
  Phase 2 negotiations in progress: 0

    Negotiation type: Quick mode, Role: Initiator, Message ID: 0
    Local: 1.1.3.145:500, Remote: 4.1.7.176:500
    Local identity: 1.1.3.145
    Remote identity: 4.1.7.176
    Flags: IKE SA is created



root@srx# run show security ipsec sa index 131079
  ID: 131079 Virtual-system: root, VPN Name: vpn-ka
  Local Gateway: 1.1.3.145, Remote Gateway: 4.1.7.176
  Local Identity: ipv4_subnet(any:0,[0..7]=172.16.100.0/24)
  Remote Identity: ipv4_subnet(any:0,[0..7]=172.29.0.0/16)
  Version: IKEv1
    DF-bit: clear
    Bind-interface: st0.6

  Port: 500, Nego#: 23, Fail#: 0, Def-Del#: 0 Flag: 600a29
  Tunnel Down Reason: Delete payload received
    Direction: inbound, SPI: f8dd3175, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 3307 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 2681 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

    Direction: outbound, SPI: 23ea2f7, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 3307 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 2681 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

Routing

root@srx# run show route 172.29.0.1 detail

inet.0: 15 destinations, 15 routes (15 active, 0 holddown, 0 hidden)
172.29.0.0/16 (1 entry, 1 announced)
        *Static Preference: 5
                Next hop type: Router, Next hop index: 593
                Address: 0x15d064c
                Next-hop reference count: 4
                Next hop: via st0.6, selected
                State: <Active Int Ext>
                Age: 5:45
                Task: RT
                Announcement bits (1): 0-KRT
                AS path: I

Output of the flow traceoptions when pinging the other tunnel endpoint

May 27 09:22:03 09:22:03.075489:CID-0:RT:<172.29.0.1/1->172.16.100.1/59909;1> matched filter in:
May 27 09:22:03 09:22:03.075489:CID-0:RT:packet [84] ipid = 0, @0x4367dbc0
May 27 09:22:03 09:22:03.075489:CID-0:RT:---- flow_process_pkt: (thd 2): flow_ctxt type 1, common flag 0x0, mbuf 0x4367d980, rtbl_idx = 0
May 27 09:22:03 09:22:03.075489:CID-0:RT: in_ifp <trust:st0.6>
May 27 09:22:03 09:22:03.075489:CID-0:RT:flow_process_pkt_exception: setting rtt in lpak to 0x68111f90
May 27 09:22:03 09:22:03.075489:CID-0:RT:pkt out of tunnel.Proceed normally
May 27 09:22:03 09:22:03.075489:CID-0:RT:  st0.6:172.29.0.1->172.16.100.1, icmp, (8/0)
May 27 09:22:03 09:22:03.075489:CID-0:RT: find flow: table 0x510e0f70, hash 17590(0xffff), sa 172.29.0.1, da 172.16.100.1, sp 1, dp 59909, proto 1, tok 6 
May 27 09:22:03 09:22:03.075489:CID-0:RT:  no session found, start first path. in_tunnel - 0x54bd2928, from_cp_flag - 0
May 27 09:22:03 09:22:03.075489:CID-0:RT:  flow_first_create_session
May 27 09:22:03 09:22:03.075489:CID-0:RT:  flow_first_in_dst_nat: in <st0.6>, out <N/A> dst_adr 172.16.100.1, sp 1, dp 59909
May 27 09:22:03 09:22:03.075489:CID-0:RT:  chose interface st0.6 as incoming nat if.
May 27 09:22:03 09:22:03.075489:CID-0:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 172.16.100.1(59909)
May 27 09:22:03 09:22:03.075489:CID-0:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 172.29.0.1, x_dst_ip 172.16.100.1, in ifp st0.6, out ifp N/A sp 1, dp 59909, ip_proto 1, tos 0
May 27 09:22:03 09:22:03.075489:CID-0:RT:Doing DESTINATION addr route-lookup
May 27 09:22:03 09:22:03.075489:CID-0:RT:Changing out-ifp from .local..0 to ge-0/0/1.0 for dst: 172.16.100.1 in vr_id:0
May 27 09:22:03 09:22:03.075489:CID-0:RT:  routed (x_dst_ip 172.16.100.1) from trust (st0.6 in 0) to ge-0/0/1.0, Next-hop: 172.16.100.1
May 27 09:22:03 09:22:03.075489:CID-0:RT:flow_first_policy_search: policy search from zone trust-> zone trust (0x0,0x1ea05,0xea05)
May 27 09:22:03 09:22:03.075489:CID-0:RT:Policy lkup: vsys 0 zone(6:trust) -> zone(6:trust) scope:0
May 27 09:22:03 09:22:03.075489:CID-0:RT:             172.29.0.1/2048 -> 172.16.100.1/36818 proto 1
May 27 09:22:03 09:22:03.075872:CID-0:RT:  app 0, timeout 60s, curr ageout 60s
May 27 09:22:03 09:22:03.075872:CID-0:RT:  permitted by policy vpn-interconnect(6)
May 27 09:22:03 09:22:03.075872:CID-0:RT:  packet passed, Permitted by policy.
May 27 09:22:03 09:22:03.075872:CID-0:RT:flow_first_src_xlate:  nat_src_xlated: False, nat_src_xlate_failed: False
May 27 09:22:03 09:22:03.075872:CID-0:RT:flow_first_src_xlate: src nat returns status: 0, rule/pool id: 0/0, pst_nat: False.
May 27 09:22:03 09:22:03.075872:CID-0:RT:  dip id = 0/0, 172.29.0.1/1->172.29.0.1/1 protocol 0
May 27 09:22:03 09:22:03.075872:CID-0:RT:  choose interface ge-0/0/1.0 as outgoing phy if
May 27 09:22:03 09:22:03.075872:CID-0:RT:is_loop_pak: Found loop on ifp ge-0/0/1.0, addr: 172.16.100.1, rtt_idx: 0 addr_type:0x3.
May 27 09:22:03 09:22:03.075872:CID-0:RT:flow_first_loopback_check: Setting interface: ge-0/0/1.0 as loop ifp.
May 27 09:22:03 09:22:03.076010:CID-0:RT:-jsf : Alloc sess plugin info for session 385416
May 27 09:22:03 09:22:03.076010:CID-0:RT:[JSF]Normal interest check. regd plugins 19, enabled impl mask 0x0
May 27 09:22:03 09:22:03.076010:CID-0:RT:-jsf int check: plugin id  2, svc_req 0x0, impl mask 0x0. rc 4
May 27 09:22:03 09:22:03.076010:CID-0:RT:-jsf int check: plugin id  3, svc_req 0x0, impl mask 0x0. rc 4
May 27 09:22:03 09:22:03.076010:CID-0:RT:-jsf int check: plugin id  5, svc_req 0x0, impl mask 0x0. rc 4
May 27 09:22:03 09:22:03.076074:CID-0:RT:-jsf int check: plugin id  6, svc_req 0x0, impl mask 0x0. rc 4
May 27 09:22:03 09:22:03.076074:CID-0:RT:-jsf int check: plugin id  7, svc_req 0x0, impl mask 0x0. rc 4
May 27 09:22:03 09:22:03.076074:CID-0:RT:-jsf int check: plugin id  8, svc_req 0x0, impl mask 0x0. rc 4
May 27 09:22:03 09:22:03.076074:CID-0:RT:-jsf int check: plugin id 12, svc_req 0x0, impl mask 0x0. rc 4
May 27 09:22:03 09:22:03.076124:CID-0:RT:-jsf int check: plugin id 15, svc_req 0x0, impl mask 0x0. rc 4
May 27 09:22:03 09:22:03.076124:CID-0:RT:+++++++++++jsf_test_plugin_data_evh: 3
May 27 09:22:03 09:22:03.076124:CID-0:RT:-jsf int check: plugin id 16, svc_req 0x0, impl mask 0x0. rc 4
May 27 09:22:03 09:22:03.076124:CID-0:RT:-jsf int check: plugin id 22, svc_req 0x0, impl mask 0x0. rc 4
May 27 09:22:03 09:22:03.076124:CID-0:RT:-jsf int check: plugin id 23, svc_req 0x0, impl mask 0x0. rc 4
May 27 09:22:03 09:22:03.076179:CID-0:RT:-jsf int check: plugin id 26, svc_req 0x0, impl mask 0x0. rc 4
May 27 09:22:03 09:22:03.076179:CID-0:RT:-jsf int check: plugin id 27, svc_req 0x0, impl mask 0x0. rc 2
May 27 09:22:03 09:22:03.076179:CID-0:RT:-jsf int check: plugin id 28, svc_req 0x0, impl mask 0x0. rc 4
May 27 09:22:03 09:22:03.076219:CID-0:RT:[JSF]Plugins(0x0, count 0) enabled for session = 1597432252, impli mask(0x0), post_nat cnt 385416 svc req(0x0)
May 27 09:22:03 09:22:03.076219:CID-0:RT:-jsf : no plugin interested for session 385416, free sess plugin info
May 27 09:22:03 09:22:03.076219:CID-0:RT:flow_first_service_lookup(): natp(0x5f36e120): app_id, 0(0).
May 27 09:22:03 09:22:03.076273:CID-0:RT:  service lookup identified service 0.
May 27 09:22:03 09:22:03.076273:CID-0:RT:  flow_first_final_check: in <st0.6>, out <ge-0/0/1.0>
May 27 09:22:03 09:22:03.076292:CID-0:RT:flow_first_complete_session, pak_ptr: 0x50a2ee38, nsp: 0x5f36e120, in_tunnel: 0x54bd2928
May 27 09:22:03 09:22:03.076292:CID-0:RT:construct v4 vector for nsp2
May 27 09:22:03 09:22:03.076292:CID-0:RT:  existing vector list 0x204-0x48c0ae50.
May 27 09:22:03 09:22:03.076292:CID-0:RT:  Session (id:385416) created for first pak 204
May 27 09:22:03 09:22:03.076292:CID-0:RT:  flow_first_install_session======> 0x5f36e120
May 27 09:22:03 09:22:03.076365:CID-0:RT: nsp 0x5f36e120, nsp2 0x5f36e1a0
May 27 09:22:03 09:22:03.076376:CID-0:RT:flow_xlate_pak
May 27 09:22:03 09:22:03.076376:CID-0:RT:flow_handle_icmp_xlate
May 27 09:22:03 09:22:03.076376:CID-0:RT:xlate_icmp_pak 
May 27 09:22:03 09:22:03.076376:CID-0:RT:  post addr xlation: 172.29.0.1->172.16.100.1.
May 27 09:22:03 09:22:03.076431:CID-0:RT:check self-traffic on ge-0/0/1.0, in_tunnel 0x54bd2928
May 27 09:22:03 09:22:03.076444:CID-0:RT:retcode: 0x204
May 27 09:22:03 09:22:03.076444:CID-0:RT:pak_for_self : proto 1, dst port 59909, action 0x4
May 27 09:22:03 09:22:03.076444:CID-0:RT:  flow_first_create_session
May 27 09:22:03 09:22:03.076444:CID-0:RT:  flow_first_in_dst_nat: in <ge-0/0/1.0>, out <N/A> dst_adr 172.16.100.1, sp 1, dp 59909
May 27 09:22:03 09:22:03.076444:CID-0:RT:  chose interface st0.6 as incoming nat if.
May 27 09:22:03 09:22:03.076444:CID-0:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 172.16.100.1(59909)
May 27 09:22:03 09:22:03.076444:CID-0:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 172.29.0.1, x_dst_ip 172.16.100.1, in ifp ge-0/0/1.0, out ifp N/A sp 1, dp 59909, ip_proto 1, tos 0
May 27 09:22:03 09:22:03.076444:CID-0:RT:Doing DESTINATION addr route-lookup
May 27 09:22:03 09:22:03.076444:CID-0:RT:  routed (x_dst_ip 172.16.100.1) from trust (ge-0/0/1.0 in 0) to .local..0, Next-hop: 172.16.100.1
May 27 09:22:03 09:22:03.076444:CID-0:RT:flow_first_policy_search: policy search from zone trust-> zone junos-host (0x0,0x1ea05,0xea05)
May 27 09:22:03 09:22:03.076444:CID-0:RT:Policy lkup: vsys 0 zone(6:trust) -> zone(2:junos-host) scope:0
May 27 09:22:03 09:22:03.076444:CID-0:RT:             172.29.0.1/2048 -> 172.16.100.1/36818 proto 1
May 27 09:22:03 09:22:03.076444:CID-0:RT:  app 0, timeout 60s, curr ageout 60s
May 27 09:22:03 09:22:03.076444:CID-0:RT:  permitted by policy self-traffic-policy(1)
May 27 09:22:03 09:22:03.076444:CID-0:RT:  packet passed, Permitted by policy.
May 27 09:22:03 09:22:03.076444:CID-0:RT:flow_first_src_xlate:  nat_src_xlated: False, nat_src_xlate_failed: False
May 27 09:22:03 09:22:03.076444:CID-0:RT:flow_first_src_xlate: src nat returns status: 0, rule/pool id: 0/0, pst_nat: False.
May 27 09:22:03 09:22:03.076444:CID-0:RT:  dip id = 0/0, 172.29.0.1/1->172.29.0.1/1 protocol 0
May 27 09:22:03 09:22:03.076444:CID-0:RT:  choose interface .local..0 as outgoing phy if
May 27 09:22:03 09:22:03.076444:CID-0:RT:is_loop_pak: No loop: ifp doesnt match .local..0 vs looked-up: ge-0/0/1.0, addr: 172.16.100.1, rtt_idx: 0, addr_type:0x3
May 27 09:22:03 09:22:03.076444:CID-0:RT:-jsf : Alloc sess plugin info for session 385417
May 27 09:22:03 09:22:03.076444:CID-0:RT:[JSF]Normal interest check. regd plugins 19, enabled impl mask 0x0
May 27 09:22:03 09:22:03.076444:CID-0:RT:-jsf int check: plugin id  2, svc_req 0x0, impl mask 0x0. rc 4
May 27 09:22:03 09:22:03.076444:CID-0:RT:-jsf int check: plugin id  3, svc_req 0x0, impl mask 0x0. rc 4
May 27 09:22:03 09:22:03.076444:CID-0:RT:-jsf int check: plugin id  5, svc_req 0x0, impl mask 0x0. rc 4
May 27 09:22:03 09:22:03.076444:CID-0:RT:-jsf int check: plugin id  6, svc_req 0x0, impl mask 0x0. rc 4
May 27 09:22:03 09:22:03.076444:CID-0:RT:-jsf int check: plugin id  7, svc_req 0x0, impl mask 0x0. rc 4
May 27 09:22:03 09:22:03.076444:CID-0:RT:-jsf int check: plugin id  8, svc_req 0x0, impl mask 0x0. rc 4
May 27 09:22:03 09:22:03.076859:CID-0:RT:-jsf int check: plugin id 12, svc_req 0x0, impl mask 0x0. rc 4
May 27 09:22:03 09:22:03.076859:CID-0:RT:-jsf int check: plugin id 15, svc_req 0x0, impl mask 0x0. rc 4
May 27 09:22:03 09:22:03.076859:CID-0:RT:+++++++++++jsf_test_plugin_data_evh: 3
May 27 09:22:03 09:22:03.076859:CID-0:RT:-jsf int check: plugin id 16, svc_req 0x0, impl mask 0x0. rc 4
May 27 09:22:03 09:22:03.076859:CID-0:RT:-jsf int check: plugin id 22, svc_req 0x0, impl mask 0x0. rc 4
May 27 09:22:03 09:22:03.076859:CID-0:RT:-jsf int check: plugin id 23, svc_req 0x0, impl mask 0x0. rc 4
May 27 09:22:03 09:22:03.076859:CID-0:RT:-jsf int check: plugin id 26, svc_req 0x0, impl mask 0x0. rc 4
May 27 09:22:03 09:22:03.076859:CID-0:RT:-jsf int check: plugin id 27, svc_req 0x0, impl mask 0x0. rc 2
May 27 09:22:03 09:22:03.076859:CID-0:RT:-jsf int check: plugin id 28, svc_req 0x0, impl mask 0x0. rc 4
May 27 09:22:03 09:22:03.076859:CID-0:RT:[JSF]Plugins(0x0, count 0) enabled for session = 1597432708, impli mask(0x0), post_nat cnt 385417 svc req(0x0)
May 27 09:22:03 09:22:03.076859:CID-0:RT:-jsf : no plugin interested for session 385417, free sess plugin info
May 27 09:22:03 09:22:03.076859:CID-0:RT:flow_first_service_lookup(): natp(0x5f36e2e8): app_id, 0(0).
May 27 09:22:03 09:22:03.076859:CID-0:RT:  service lookup identified service 0.
May 27 09:22:03 09:22:03.076859:CID-0:RT:  flow_first_final_check: in <ge-0/0/1.0>, out <.local..0>
May 27 09:22:03 09:22:03.076859:CID-0:RT:flow_first_complete_session, pak_ptr: 0x50cc9460, nsp: 0x5f36e2e8, in_tunnel: 0x54bd2928
May 27 09:22:03 09:22:03.076859:CID-0:RT:construct v4 vector for nsp2
May 27 09:22:03 09:22:03.076859:CID-0:RT:  existing vector list 0x204-0x48c0ae50.
May 27 09:22:03 09:22:03.076859:CID-0:RT:  Session (id:385417) created for first pak 204
May 27 09:22:03 09:22:03.076859:CID-0:RT:nsp:0x5f36e120, 172.29.0.1/1 -> 172.16.100.1/59909:1,
 If: st0.6, nsp-flag: 0x21 tok: 0x6, nh:0x0
May 27 09:22:03 09:22:03.076859:CID-0:RT:nsp:0x5f36e1a0, 172.16.100.1/59909 -> 172.29.0.1/1:1,
 If: ge-0/0/1.0, nsp-flag: 0x8 tok: 0x6, nh:0xfffb0006
May 27 09:22:03 09:22:03.076859:CID-0:RT:nsp:0x5f36e2e8, 172.29.0.1/1 -> 172.16.100.1/59909:1,
 If: ge-0/0/1.0, nsp-flag: 0x1 tok: 0x6, nh:0x0
May 27 09:22:03 09:22:03.076859:CID-0:RT:nsp:0x5f36e368, 172.16.100.1/59909 -> 172.29.0.1/1:1,
 If: .local..0, nsp-flag: 0x10 tok: 0x2, nh:0xfffb0006
May 27 09:22:03 09:22:03.076859:CID-0:RT:  existing vector list 0x204-0x48c0ae50.
May 27 09:22:03 09:22:03.076859:CID-0:RT:nsp:0x5f36e120, 172.29.0.1/1 -> 172.16.100.1/59909:1,
 If: st0.6, nsp-flag: 0x21 tok: 0x6, nh:0x0
May 27 09:22:03 09:22:03.076859:CID-0:RT:nsp:0x5f36e1a0, 172.16.100.1/59909 -> 172.29.0.1/1:1,
 If: .local..0, nsp-flag: 0x10 tok: 0x2, nh:0xfffb0006
May 27 09:22:03 09:22:03.077350:CID-0:RT:  make_nsp_ready_no_resolve()
May 27 09:22:03 09:22:03.077350:CID-0:RT:  route lookup: dest-ip 172.29.0.1 orig ifp st0.6 output_ifp st0.6 orig-zone 6 out-zone 6 vsd 0
May 27 09:22:03 09:22:03.077350:CID-0:RT:  route to 172.29.0.1
May 27 09:22:03 09:22:03.077350:CID-0:RT:no need update ha
May 27 09:22:03 09:22:03.077350:CID-0:RT:Installing s2c NP session wing
May 27 09:22:03 09:22:03.077350:CID-0:RT:  flow got session.
May 27 09:22:03 09:22:03.077350:CID-0:RT:  flow session id 385416
May 27 09:22:03 09:22:03.077350:CID-0:RT: vector bits 0x204 vector 0x48c0ae50
May 27 09:22:03 09:22:03.077350:CID-0:RT:pre-frag not needed: ipsize: 84, mtu: 9188, nsp2->pmtu: 9188
May 27 09:22:03 09:22:03.077350:CID-0:RT:  encap vector
May 27 09:22:03 09:22:03.077350:CID-0:RT:  no more encapping needed
May 27 09:22:03 09:22:03.077350:CID-0:RT:mbuf 0x4367d980, exit nh 0xfffb0006 
May 27 09:22:03 09:22:03.077350:CID-0:RT:flow_process_pkt_exception: Freeing lpak 0x50a2ee38 associated with mbuf 0x4367d980
May 27 09:22:03 09:22:03.077350:CID-0:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)
May 27 09:22:03 09:22:03.077350:CID-0:RT:<172.16.100.1/59909->172.29.0.1/1;1> matched filter out:
May 27 09:22:03 09:22:03.077350:CID-0:RT:packet [84] ipid = 0, @0x4367dbc0
May 27 09:22:03 09:22:03.077350:CID-0:RT:---- flow_process_pkt: (thd 2): flow_ctxt type 0, common flag 0x0, mbuf 0x4367d980, rtbl_idx = 0
May 27 09:22:03 09:22:03.077350:CID-0:RT: in_ifp <junos-host:.local..0>
May 27 09:22:03 09:22:03.077350:CID-0:RT:flow_process_pkt_exception: setting rtt in lpak to 0x68111f90
May 27 09:22:03 09:22:03.077350:CID-0:RT:  .local..0:172.16.100.1->172.29.0.1, icmp, (0/0)
May 27 09:22:03 09:22:03.077350:CID-0:RT: find flow: table 0x510e0f70, hash 4492(0xffff), sa 172.16.100.1, da 172.29.0.1, sp 59909, dp 1, proto 1, tok 2 
May 27 09:22:03 09:22:03.077350:CID-0:RT:  flow got session.
May 27 09:22:03 09:22:03.077350:CID-0:RT:  flow session id 385416
May 27 09:22:03 09:22:03.077350:CID-0:RT: vector bits 0x204 vector 0x48c0ae50
May 27 09:22:03 09:22:03.077350:CID-0:RT:ttl vector, out_tunnel = 0x54bd2928
May 27 09:22:03 09:22:03.077350:CID-0:RT:pre-frag not needed: ipsize: 84, mtu: 1438, nsp2->pmtu: 1438
May 27 09:22:03 09:22:03.077350:CID-0:RT:  encap vector
May 27 09:22:03 09:22:03.077350:CID-0:RT:  going into tunnel 131079 (nsp_tunnel=0x54bd2928).
May 27 09:22:03 09:22:03.077350:CID-0:RT:  flow_encrypt: tun 0x54bd2928, type 1
May 27 09:22:03 09:22:03.077350:CID-0:RT:mbuf 0x4367d980, exit nh 0x310010 
May 27 09:22:03 09:22:03.077350:CID-0:RT:flow_process_pkt_exception: Freeing lpak 0x50a2ed38 associated with mbuf 0x4367d980
May 27 09:22:03 09:22:03.077844:CID-0:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)
May 27 09:22:05 09:22:05.100235:CID-0:RT:jsf sess close notify
May 27 09:22:05 09:22:05.100235:CID-0:RT:flow_ipv4_del_flow: sess 385416, in hash 32
May 27 09:22:05 09:22:05.100235:CID-0:RT:flow_ipv4_del_flow: sess 385416, in hash 32
May 27 09:22:05 09:22:05.500307:CID-0:RT:<172.29.0.1/1->172.16.100.239/60165;1> matched filter in:
May 27 09:22:05 09:22:05.500307:CID-0:RT:packet [84] ipid = 0, @0x436940c0
May 27 09:22:05 09:22:05.500307:CID-0:RT:---- flow_process_pkt: (thd 2): flow_ctxt type 1, common flag 0x0, mbuf 0x43693e80, rtbl_idx = 0
May 27 09:22:05 09:22:05.500307:CID-0:RT: in_ifp <trust:st0.6>
May 27 09:22:05 09:22:05.500307:CID-0:RT:flow_process_pkt_exception: setting rtt in lpak to 0x68111f90
May 27 09:22:05 09:22:05.500307:CID-0:RT:pkt out of tunnel.Proceed normally
May 27 09:22:05 09:22:05.500307:CID-0:RT:  st0.6:172.29.0.1->172.16.100.239, icmp, (8/0)
May 27 09:22:05 09:22:05.500307:CID-0:RT: find flow: table 0x510e0f70, hash 9655(0xffff), sa 172.29.0.1, da 172.16.100.239, sp 1, dp 60165, proto 1, tok 6 
May 27 09:22:05 09:22:05.500307:CID-0:RT:  no session found, start first path. in_tunnel - 0x54bd2928, from_cp_flag - 0
May 27 09:22:05 09:22:05.500307:CID-0:RT:  flow_first_create_session
May 27 09:22:05 09:22:05.500307:CID-0:RT:  flow_first_in_dst_nat: in <st0.6>, out <N/A> dst_adr 172.16.100.239, sp 1, dp 60165
May 27 09:22:05 09:22:05.500307:CID-0:RT:  chose interface st0.6 as incoming nat if.
May 27 09:22:05 09:22:05.500307:CID-0:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 172.16.100.239(60165)
May 27 09:22:05 09:22:05.500307:CID-0:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 172.29.0.1, x_dst_ip 172.16.100.239, in ifp st0.6, out ifp N/A sp 1, dp 60165, ip_proto 1, tos 0
May 27 09:22:05 09:22:05.500307:CID-0:RT:Doing DESTINATION addr route-lookup
May 27 09:22:05 09:22:05.500307:CID-0:RT:  routed (x_dst_ip 172.16.100.239) from trust (st0.6 in 0) to ge-0/0/1.0, Next-hop: 172.16.100.239
May 27 09:22:05 09:22:05.500307:CID-0:RT:flow_first_policy_search: policy search from zone trust-> zone trust (0x0,0x1eb05,0xeb05)
May 27 09:22:05 09:22:05.500307:CID-0:RT:Policy lkup: vsys 0 zone(6:trust) -> zone(6:trust) scope:0
May 27 09:22:05 09:22:05.500307:CID-0:RT:             172.29.0.1/2048 -> 172.16.100.239/28246 proto 1
May 27 09:22:05 09:22:05.500751:CID-0:RT:  app 0, timeout 60s, curr ageout 60s
May 27 09:22:05 09:22:05.500751:CID-0:RT:  permitted by policy vpn-interconnect(6)
May 27 09:22:05 09:22:05.500751:CID-0:RT:  packet passed, Permitted by policy.
May 27 09:22:05 09:22:05.500751:CID-0:RT:flow_first_src_xlate:  nat_src_xlated: False, nat_src_xlate_failed: False
May 27 09:22:05 09:22:05.500751:CID-0:RT:flow_first_src_xlate: src nat returns status: 0, rule/pool id: 0/0, pst_nat: False.
May 27 09:22:05 09:22:05.500751:CID-0:RT:  dip id = 0/0, 172.29.0.1/1->172.29.0.1/1 protocol 0
May 27 09:22:05 09:22:05.500751:CID-0:RT:  choose interface ge-0/0/1.0 as outgoing phy if
May 27 09:22:05 09:22:05.500751:CID-0:RT:is_loop_pak: No loop: on ifp: ge-0/0/1.0, addr: 172.16.100.239, rtt_idx:0
May 27 09:22:05 09:22:05.500751:CID-0:RT:-jsf : Alloc sess plugin info for session 385460
May 27 09:22:05 09:22:05.500751:CID-0:RT:[JSF]Normal interest check. regd plugins 19, enabled impl mask 0x0
May 27 09:22:05 09:22:05.500751:CID-0:RT:-jsf int check: plugin id  2, svc_req 0x0, impl mask 0x0. rc 4
May 27 09:22:05 09:22:05.500751:CID-0:RT:-jsf int check: plugin id  3, svc_req 0x0, impl mask 0x0. rc 4
May 27 09:22:05 09:22:05.500751:CID-0:RT:-jsf int check: plugin id  5, svc_req 0x0, impl mask 0x0. rc 4
May 27 09:22:05 09:22:05.500751:CID-0:RT:-jsf int check: plugin id  6, svc_req 0x0, impl mask 0x0. rc 4
May 27 09:22:05 09:22:05.500751:CID-0:RT:-jsf int check: plugin id  7, svc_req 0x0, impl mask 0x0. rc 4
May 27 09:22:05 09:22:05.500751:CID-0:RT:-jsf int check: plugin id  8, svc_req 0x0, impl mask 0x0. rc 4
May 27 09:22:05 09:22:05.500751:CID-0:RT:-jsf int check: plugin id 12, svc_req 0x0, impl mask 0x0. rc 4
May 27 09:22:05 09:22:05.500751:CID-0:RT:-jsf int check: plugin id 15, svc_req 0x0, impl mask 0x0. rc 4
May 27 09:22:05 09:22:05.500751:CID-0:RT:+++++++++++jsf_test_plugin_data_evh: 3
May 27 09:22:05 09:22:05.500751:CID-0:RT:-jsf int check: plugin id 16, svc_req 0x0, impl mask 0x0. rc 4
May 27 09:22:05 09:22:05.500751:CID-0:RT:-jsf int check: plugin id 22, svc_req 0x0, impl mask 0x0. rc 4
May 27 09:22:05 09:22:05.500751:CID-0:RT:-jsf int check: plugin id 23, svc_req 0x0, impl mask 0x0. rc 4
May 27 09:22:05 09:22:05.500751:CID-0:RT:-jsf int check: plugin id 26, svc_req 0x0, impl mask 0x0. rc 4
May 27 09:22:05 09:22:05.500751:CID-0:RT:-jsf int check: plugin id 27, svc_req 0x0, impl mask 0x0. rc 2
May 27 09:22:05 09:22:05.500751:CID-0:RT:-jsf int check: plugin id 28, svc_req 0x0, impl mask 0x0. rc 4
May 27 09:22:05 09:22:05.500751:CID-0:RT:[JSF]Plugins(0x0, count 0) enabled for session = 1597452316, impli mask(0x0), post_nat cnt 385460 svc req(0x0)
May 27 09:22:05 09:22:05.500751:CID-0:RT:-jsf : no plugin interested for session 385460, free sess plugin info
May 27 09:22:05 09:22:05.500751:CID-0:RT:flow_first_service_lookup(): natp(0x5f372f80): app_id, 0(0).
May 27 09:22:05 09:22:05.500751:CID-0:RT:  service lookup identified service 0.
May 27 09:22:05 09:22:05.500751:CID-0:RT:  flow_first_final_check: in <st0.6>, out <ge-0/0/1.0>
May 27 09:22:05 09:22:05.500751:CID-0:RT:flow_first_complete_session, pak_ptr: 0x50a2ee38, nsp: 0x5f372f80, in_tunnel: 0x54bd2928
May 27 09:22:05 09:22:05.500751:CID-0:RT:construct v4 vector for nsp2
May 27 09:22:05 09:22:05.500751:CID-0:RT:  existing vector list 0x204-0x48c0ae50.
May 27 09:22:05 09:22:05.500751:CID-0:RT:  Session (id:385460) created for first pak 204
May 27 09:22:05 09:22:05.500751:CID-0:RT:  flow_first_install_session======> 0x5f372f80
May 27 09:22:05 09:22:05.500751:CID-0:RT: nsp 0x5f372f80, nsp2 0x5f373000
May 27 09:22:05 09:22:05.501244:CID-0:RT:  make_nsp_ready_no_resolve()
May 27 09:22:05 09:22:05.501244:CID-0:RT:  route lookup: dest-ip 172.29.0.1 orig ifp st0.6 output_ifp st0.6 orig-zone 6 out-zone 6 vsd 0
May 27 09:22:05 09:22:05.501244:CID-0:RT:  route to 172.29.0.1
May 27 09:22:05 09:22:05.501244:CID-0:RT:no need update ha
May 27 09:22:05 09:22:05.501244:CID-0:RT:Installing s2c NP session wing
May 27 09:22:05 09:22:05.501244:CID-0:RT:  flow got session.
May 27 09:22:05 09:22:05.501244:CID-0:RT:  flow session id 385460
May 27 09:22:05 09:22:05.501244:CID-0:RT: vector bits 0x204 vector 0x48c0ae50
May 27 09:22:05 09:22:05.501244:CID-0:RT:skip pre-frag: is_tunnel_if- 0, is_if_mtu_configured- 0
May 27 09:22:05 09:22:05.501244:CID-0:RT:  encap vector
May 27 09:22:05 09:22:05.501244:CID-0:RT:  no more encapping needed
May 27 09:22:05 09:22:05.501244:CID-0:RT:mbuf 0x43693e80, exit nh 0x1a0010 
May 27 09:22:05 09:22:05.501244:CID-0:RT:flow_process_pkt_exception: Freeing lpak 0x50a2ee38 associated with mbuf 0x43693e80
May 27 09:22:05 09:22:05.501244:CID-0:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)
May 27 09:22:05 09:22:05.501837:CID-0:RT:<172.16.100.239/60165->172.29.0.1/1;1> matched filter out:
May 27 09:22:05 09:22:05.501837:CID-0:RT:packet [84] ipid = 49408, @0x4369e21c
May 27 09:22:05 09:22:05.501837:CID-0:RT:---- flow_process_pkt: (thd 3): flow_ctxt type 15, common flag 0x0, mbuf 0x4369e000, rtbl_idx = 0
May 27 09:22:05 09:22:05.501837:CID-0:RT: flow process pak fast ifl 77 in_ifp ge-0/0/1.0
May 27 09:22:05 09:22:05.501837:CID-0:RT:  ge-0/0/1.0:172.16.100.239->172.29.0.1, icmp, (0/0)
May 27 09:22:05 09:22:05.501837:CID-0:RT: find flow: table 0x510e0f70, hash 19417(0xffff), sa 172.16.100.239, da 172.29.0.1, sp 60165, dp 1, proto 1, tok 6 
May 27 09:22:05 09:22:05.501837:CID-0:RT:  flow got session.
May 27 09:22:05 09:22:05.501837:CID-0:RT:  flow session id 385460
May 27 09:22:05 09:22:05.501837:CID-0:RT: vector bits 0x204 vector 0x48c0ae50
May 27 09:22:05 09:22:05.501837:CID-0:RT:ttl vector, out_tunnel = 0x54bd2928
May 27 09:22:05 09:22:05.501837:CID-0:RT:pre-frag not needed: ipsize: 84, mtu: 1438, nsp2->pmtu: 1438
May 27 09:22:05 09:22:05.502121:CID-0:RT:  encap vector
May 27 09:22:05 09:22:05.502121:CID-0:RT:  going into tunnel 131079 (nsp_tunnel=0x54bd2928).
May 27 09:22:05 09:22:05.502121:CID-0:RT:  flow_encrypt: tun 0x54bd2928, type 1
May 27 09:22:05 09:22:05.502121:CID-0:RT:mbuf 0x4369e000, exit nh 0x310010 
May 27 09:22:05 09:22:05.502121:CID-0:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)
May 27 09:22:06 09:22:06.502835:CID-0:RT:<172.16.100.239/60165->172.29.0.1/2;1> matched filter out:
May 27 09:22:06 09:22:06.502835:CID-0:RT:packet [84] ipid = 49409, @0x43697c1c
May 27 09:22:06 09:22:06.502835:CID-0:RT:---- flow_process_pkt: (thd 2): flow_ctxt type 15, common flag 0x0, mbuf 0x43697a00, rtbl_idx = 0
May 27 09:22:06 09:22:06.502835:CID-0:RT: flow process pak fast ifl 77 in_ifp ge-0/0/1.0
May 27 09:22:06 09:22:06.502835:CID-0:RT:  ge-0/0/1.0:172.16.100.239->172.29.0.1, icmp, (0/0)
May 27 09:22:06 09:22:06.502835:CID-0:RT: find flow: table 0x510e0f70, hash 19416(0xffff), sa 172.16.100.239, da 172.29.0.1, sp 60165, dp 2, proto 1, tok 6 
May 27 09:22:06 09:22:06.502835:CID-0:RT:  flow got session.
May 27 09:22:06 09:22:06.502835:CID-0:RT:  flow session id 385469
May 27 09:22:06 09:22:06.502835:CID-0:RT: vector bits 0x204 vector 0x48c0ae50
May 27 09:22:06 09:22:06.502835:CID-0:RT:ttl vector, out_tunnel = 0x54bd2928
May 27 09:22:06 09:22:06.503123:CID-0:RT:pre-frag not needed: ipsize: 84, mtu: 1438, nsp2->pmtu: 1438
May 27 09:22:06 09:22:06.503123:CID-0:RT:  encap vector
May 27 09:22:06 09:22:06.503123:CID-0:RT:  going into tunnel 131079 (nsp_tunnel=0x54bd2928).
May 27 09:22:06 09:22:06.503123:CID-0:RT:  flow_encrypt: tun 0x54bd2928, type 1
May 27 09:22:06 09:22:06.503123:CID-0:RT:mbuf 0x43697a00, exit nh 0x310010 
May 27 09:22:06 09:22:06.503192:CID-0:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)
May 27 09:22:06 09:22:06.500544:CID-0:RT:<172.29.0.1/2->172.16.100.239/60165;1> matched filter in:
May 27 09:22:06 09:22:06.500544:CID-0:RT:packet [84] ipid = 0, @0x436a0440
May 27 09:22:06 09:22:06.500544:CID-0:RT:---- flow_process_pkt: (thd 3): flow_ctxt type 1, common flag 0x0, mbuf 0x436a0200, rtbl_idx = 0
May 27 09:22:06 09:22:06.500544:CID-0:RT: in_ifp <trust:st0.6>
May 27 09:22:06 09:22:06.500544:CID-0:RT:flow_process_pkt_exception: setting rtt in lpak to 0x68111f90
May 27 09:22:06 09:22:06.500544:CID-0:RT:pkt out of tunnel.Proceed normally
May 27 09:22:06 09:22:06.500544:CID-0:RT:  st0.6:172.29.0.1->172.16.100.239, icmp, (8/0)
May 27 09:22:06 09:22:06.500544:CID-0:RT: find flow: table 0x510e0f70, hash 6599(0xffff), sa 172.29.0.1, da 172.16.100.239, sp 2, dp 60165, proto 1, tok 6 
May 27 09:22:06 09:22:06.500544:CID-0:RT:  no session found, start first path. in_tunnel - 0x54bd2928, from_cp_flag - 0
May 27 09:22:06 09:22:06.500544:CID-0:RT:  flow_first_create_session
May 27 09:22:06 09:22:06.500544:CID-0:RT:  flow_first_in_dst_nat: in <st0.6>, out <N/A> dst_adr 172.16.100.239, sp 2, dp 60165
May 27 09:22:06 09:22:06.500544:CID-0:RT:  chose interface st0.6 as incoming nat if.
May 27 09:22:06 09:22:06.500806:CID-0:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 172.16.100.239(60165)
May 27 09:22:06 09:22:06.500806:CID-0:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 172.29.0.1, x_dst_ip 172.16.100.239, in ifp st0.6, out ifp N/A sp 2, dp 60165, ip_proto 1, tos 0
May 27 09:22:06 09:22:06.500806:CID-0:RT:Doing DESTINATION addr route-lookup
May 27 09:22:06 09:22:06.500806:CID-0:RT:  routed (x_dst_ip 172.16.100.239) from trust (st0.6 in 0) to ge-0/0/1.0, Next-hop: 172.16.100.239
May 27 09:22:06 09:22:06.500806:CID-0:RT:flow_first_policy_search: policy search from zone trust-> zone trust (0x0,0x2eb05,0xeb05)
May 27 09:22:06 09:22:06.500806:CID-0:RT:Policy lkup: vsys 0 zone(6:trust) -> zone(6:trust) scope:0
May 27 09:22:06 09:22:06.500806:CID-0:RT:             172.29.0.1/2048 -> 172.16.100.239/4949 proto 1
May 27 09:22:06 09:22:06.500806:CID-0:RT:  app 0, timeout 60s, curr ageout 60s
May 27 09:22:06 09:22:06.500806:CID-0:RT:  permitted by policy vpn-interconnect(6)
May 27 09:22:06 09:22:06.500806:CID-0:RT:  packet passed, Permitted by policy.
May 27 09:22:06 09:22:06.500806:CID-0:RT:flow_first_src_xlate:  nat_src_xlated: False, nat_src_xlate_failed: False
May 27 09:22:06 09:22:06.500806:CID-0:RT:flow_first_src_xlate: src nat returns status: 0, rule/pool id: 0/0, pst_nat: False.
May 27 09:22:06 09:22:06.500806:CID-0:RT:  dip id = 0/0, 172.29.0.1/2->172.29.0.1/2 protocol 0
May 27 09:22:06 09:22:06.500806:CID-0:RT:  choose interface ge-0/0/1.0 as outgoing phy if
May 27 09:22:06 09:22:06.500806:CID-0:RT:is_loop_pak: No loop: on ifp: ge-0/0/1.0, addr: 172.16.100.239, rtt_idx:0
May 27 09:22:06 09:22:06.500806:CID-0:RT:-jsf : Alloc sess plugin info for session 385469
May 27 09:22:06 09:22:06.500806:CID-0:RT:[JSF]Normal interest check. regd plugins 19, enabled impl mask 0x0
May 27 09:22:06 09:22:06.500806:CID-0:RT:-jsf int check: plugin id  2, svc_req 0x0, impl mask 0x0. rc 4
May 27 09:22:06 09:22:06.500806:CID-0:RT:-jsf int check: plugin id  3, svc_req 0x0, impl mask 0x0. rc 4
May 27 09:22:06 09:22:06.500806:CID-0:RT:-jsf int check: plugin id  5, svc_req 0x0, impl mask 0x0. rc 4
May 27 09:22:06 09:22:06.500806:CID-0:RT:-jsf int check: plugin id  6, svc_req 0x0, impl mask 0x0. rc 4
May 27 09:22:06 09:22:06.500806:CID-0:RT:-jsf int check: plugin id  7, svc_req 0x0, impl mask 0x0. rc 4
May 27 09:22:06 09:22:06.500806:CID-0:RT:-jsf int check: plugin id  8, svc_req 0x0, impl mask 0x0. rc 4
May 27 09:22:06 09:22:06.500806:CID-0:RT:-jsf int check: plugin id 12, svc_req 0x0, impl mask 0x0. rc 4
May 27 09:22:06 09:22:06.500806:CID-0:RT:-jsf int check: plugin id 15, svc_req 0x0, impl mask 0x0. rc 4
May 27 09:22:06 09:22:06.500806:CID-0:RT:+++++++++++jsf_test_plugin_data_evh: 3
May 27 09:22:06 09:22:06.500806:CID-0:RT:-jsf int check: plugin id 16, svc_req 0x0, impl mask 0x0. rc 4
May 27 09:22:06 09:22:06.500806:CID-0:RT:-jsf int check: plugin id 22, svc_req 0x0, impl mask 0x0. rc 4
May 27 09:22:06 09:22:06.500806:CID-0:RT:-jsf int check: plugin id 23, svc_req 0x0, impl mask 0x0. rc 4
May 27 09:22:06 09:22:06.500806:CID-0:RT:-jsf int check: plugin id 26, svc_req 0x0, impl mask 0x0. rc 4
May 27 09:22:06 09:22:06.501298:CID-0:RT:-jsf int check: plugin id 27, svc_req 0x0, impl mask 0x0. rc 2
May 27 09:22:06 09:22:06.501298:CID-0:RT:-jsf int check: plugin id 28, svc_req 0x0, impl mask 0x0. rc 4
May 27 09:22:06 09:22:06.501298:CID-0:RT:[JSF]Plugins(0x0, count 0) enabled for session = 1597456420, impli mask(0x0), post_nat cnt 385469 svc req(0x0)
May 27 09:22:06 09:22:06.501298:CID-0:RT:-jsf : no plugin interested for session 385469, free sess plugin info
May 27 09:22:06 09:22:06.501298:CID-0:RT:flow_first_service_lookup(): natp(0x5f373f88): app_id, 0(0).
May 27 09:22:06 09:22:06.501298:CID-0:RT:  service lookup identified service 0.
May 27 09:22:06 09:22:06.501298:CID-0:RT:  flow_first_final_check: in <st0.6>, out <ge-0/0/1.0>
May 27 09:22:06 09:22:06.501298:CID-0:RT:flow_first_complete_session, pak_ptr: 0x50a4ee38, nsp: 0x5f373f88, in_tunnel: 0x54bd2928
May 27 09:22:06 09:22:06.501298:CID-0:RT:construct v4 vector for nsp2
May 27 09:22:06 09:22:06.501298:CID-0:RT:  existing vector list 0x204-0x48c0ae50.
May 27 09:22:06 09:22:06.501298:CID-0:RT:  Session (id:385469) created for first pak 204
May 27 09:22:06 09:22:06.501298:CID-0:RT:  flow_first_install_session======> 0x5f373f88
May 27 09:22:06 09:22:06.501298:CID-0:RT: nsp 0x5f373f88, nsp2 0x5f374008
May 27 09:22:06 09:22:06.501298:CID-0:RT:  make_nsp_ready_no_resolve()
May 27 09:22:06 09:22:06.501298:CID-0:RT:  route lookup: dest-ip 172.29.0.1 orig ifp st0.6 output_ifp st0.6 orig-zone 6 out-zone 6 vsd 0
May 27 09:22:06 09:22:06.501298:CID-0:RT:  route to 172.29.0.1
May 27 09:22:06 09:22:06.501298:CID-0:RT:no need update ha
May 27 09:22:06 09:22:06.501298:CID-0:RT:Installing s2c NP session wing
May 27 09:22:06 09:22:06.501298:CID-0:RT:  flow got session.
May 27 09:22:06 09:22:06.501298:CID-0:RT:  flow session id 385469
May 27 09:22:06 09:22:06.501298:CID-0:RT: vector bits 0x204 vector 0x48c0ae50
May 27 09:22:06 09:22:06.501298:CID-0:RT:skip pre-frag: is_tunnel_if- 0, is_if_mtu_configured- 0
May 27 09:22:06 09:22:06.501298:CID-0:RT:  encap vector
May 27 09:22:06 09:22:06.501298:CID-0:RT:  no more encapping needed
May 27 09:22:06 09:22:06.501298:CID-0:RT:mbuf 0x436a0200, exit nh 0x1a0010 
May 27 09:22:06 09:22:06.501298:CID-0:RT:flow_process_pkt_exception: Freeing lpak 0x50a4ee38 associated with mbuf 0x436a0200
May 27 09:22:06 09:22:06.501298:CID-0:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)
May 27 09:22:09 09:22:09.100077:CID-0:RT:jsf sess close notify
May 27 09:22:09 09:22:09.100077:CID-0:RT:flow_ipv4_del_flow: sess 385460, in hash 32
May 27 09:22:09 09:22:09.100077:CID-0:RT:flow_ipv4_del_flow: sess 385460, in hash 32
May 27 09:22:09 09:22:09.100148:CID-0:RT:jsf sess close notify
May 27 09:22:09 09:22:09.100148:CID-0:RT:flow_ipv4_del_flow: sess 385469, in hash 32
May 27 09:22:09 09:22:09.100148:CID-0:RT:flow_ipv4_del_flow: sess 385469, in hash 32

 

 

Linux Racoon configuration (/etc/racoon/racoon.conf)

# $KAME: racoon.conf.in,v 1.18 2001/08/16 06:33:40 itojun Exp $

path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
log debug2;

# "padding" defines some padding parameters.  You should not touch these.
padding
{
	maximum_length 20;	# maximum padding length.
	randomize off;		# enable randomize length.
	strict_check off;	# enable strict check.
	exclusive_tail off;	# extract last one octet.
}

# if no listen directive is specified, racoon will listen on all
# available interface addresses.
listen
{
	isakmp 4.1.7.176 [500];
	isakmp_natt 4.1.7.176 [4500];
}

# Specify various default timers.
timer
{
	# These value can be changed per remote node.
	counter 5;		# maximum trying count to send.
	interval 20 sec;	# maximum interval to resend.
	persend 1;		# the number of packets per send.

	# maximum time to wait for completing each phase.
	phase1 30 sec;
	phase2 15 sec;
}

remote 1.1.3.145 {
	exchange_mode main;
	lifetime time 28800 seconds;
	peers_identifier address 1.1.3.145;
	my_identifier address 4.1.7.176;
	verify_identifier on;
	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key;
		dh_group 2;
	}
	generate_policy off;
}

sainfo address 172.29.0.0/16 any address 172.16.100.0/24 any {
    pfs_group modp768;
    lifetime time 3600 seconds;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}

 

Linux Racoon configuration (/etc/racoon/setkey.conf)

 

# First of all flush the SPD database
flush;
spdflush;

spdadd 172.16.100.0/24 172.29.0.0/16 any -P in ipsec esp/tunnel/1.1.3.145-4.1.7.176/require;
spdadd 172.29.0.0/16 172.16.100.0/24 any -P out ipsec esp/tunnel/4.1.7.176-1.1.3.145/require;

Here is some additional output from the Linux side:

[root@vpnka ~]# route -n
Kernel IP Routentabelle
Ziel            Router          Genmask         Flags Metric Ref    Use Iface
4.1.7.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
172.29.0.0      0.0.0.0         255.255.0.0     U     0      0        0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1003   0        0 eth1
0.0.0.0         4.1.7.1      0.0.0.0         UG    0      0        0 eth0
---------

[root@vpnka ~]# ip xfrm state
src 4.1.7.176 dst 1.1.3.145
	proto esp spi 0xc3f91f47 reqid 0 mode tunnel
	replay-window 4
	auth hmac(sha1) 0x75cead6ab2ee85f071155557682f1514067e55ba
	enc cbc(des3_ede) 0xaeafb734847ae273af0dcb89bb43201380888a0499e436a5
	sel src 0.0.0.0/0 dst 0.0.0.0/0
src 1.1.3.145 dst 4.1.7.176
	proto esp spi 0x079290c4 reqid 0 mode tunnel
	replay-window 4
	auth hmac(sha1) 0x3df5404ad929cbcd7c103942c1ade2fdd6874cf0
	enc cbc(des3_ede) 0x170f3c1541a112be2feda2d3e415871cfb758da2bab3c708
	sel src 0.0.0.0/0 dst 0.0.0.0/0
src 1.1.3.145 dst 4.1.7.176
	proto esp spi 0x05fc5ba9 reqid 0 mode tunnel
	replay-window 4
	auth hmac(sha1) 0x639bd4373b598f744500b659272c93c497e878ac
	enc cbc(des3_ede) 0xf730751ea5e2fad2acb1d7a42ad7f85352eff6ef4ea8103b
	sel src 0.0.0.0/0 dst 0.0.0.0/0
	
[root@vpnka ~]# racoonctl -ll show-sa isakmp
Source                                        Destination                                   Cookies                           ST S  V E Created             Phase2
4.1.7.176.500                              1.1.3.145.500                            4d6a13fd2d09da8d:b78f030ad5b5fac1  9 R 10 M 2015-05-27 11:42:15      1

[root@vpnka ~]# racoonctl -ll show-sa esp
4.1.7.176 1.1.3.145
	esp mode=tunnel spi=3287883591(0xc3f91f47) reqid=0(0x00000000)
	E: 3des-cbc  aeafb734 847ae273 af0dcb89 bb432013 80888a04 99e436a5
	A: hmac-sha1  75cead6a b2ee85f0 71155557 682f1514 067e55ba
	seq=0x00000000 replay=4 flags=0x00000000 state=mature
	created: May 27 13:21:18 2015	current: May 27 13:31:11 2015
	diff: 593(s)	hard: 3600(s)	soft: 2880(s)
	last:                     	hard: 0(s)	soft: 0(s)
	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 0	hard: 0	soft: 0
	sadb_seq=1 pid=2250 refcnt=0
1.1.3.145 4.1.7.176
	esp mode=tunnel spi=127045828(0x079290c4) reqid=0(0x00000000)
	E: 3des-cbc  170f3c15 41a112be 2feda2d3 e415871c fb758da2 bab3c708
	A: hmac-sha1  3df5404a d929cbcd 7c103942 c1ade2fd d6874cf0
	seq=0x00000000 replay=4 flags=0x00000000 state=mature
	created: May 27 13:21:18 2015	current: May 27 13:31:11 2015
	diff: 593(s)	hard: 3600(s)	soft: 2880(s)
	last:                     	hard: 0(s)	soft: 0(s)
	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 0	hard: 0	soft: 0
	sadb_seq=2 pid=2250 refcnt=0
1.1.3.145 4.1.7.176
	esp mode=tunnel spi=100424617(0x05fc5ba9) reqid=0(0x00000000)
	E: 3des-cbc  f730751e a5e2fad2 acb1d7a4 2ad7f853 52eff6ef 4ea8103b
	A: hmac-sha1  639bd437 3b598f74 4500b659 272c93c4 97e878ac
	seq=0x00000000 replay=4 flags=0x00000000 state=dying
	created: May 27 12:31:49 2015	current: May 27 13:31:11 2015
	diff: 3562(s)	hard: 3600(s)	soft: 2880(s)
	last:                     	hard: 0(s)	soft: 0(s)
	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 0	hard: 0	soft: 0
	sadb_seq=0 pid=2250 refcnt=0

[root@vpnka ~]# setkey -DP
(per-socket policy)
	out(socket) none
	created: May 27 11:42:06 2015  lastused: May 27 13:21:18 2015
	lifetime: 0(s) validtime: 0(s)
	spid=140 seq=1 pid=2324
	refcnt=1
(per-socket policy)
	in(socket) none
	created: May 27 11:42:06 2015  lastused: May 27 13:21:23 2015
	lifetime: 0(s) validtime: 0(s)
	spid=131 seq=2 pid=2324
	refcnt=1
(per-socket policy)
	out(socket) none
	created: May 27 11:42:06 2015  lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=124 seq=3 pid=2324
	refcnt=1
(per-socket policy)
	in(socket) none
	created: May 27 11:42:06 2015  lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=115 seq=4 pid=2324
	refcnt=1
172.29.0.0/16[any] 172.16.100.0/24[any] 255
	out prio def ipsec
	esp/tunnel/4.1.7.176-1.1.3.145/require
	created: May 27 11:42:06 2015  lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=105 seq=5 pid=2324
	refcnt=1
172.16.100.0/24[any] 172.29.0.0/16[any] 255
	fwd prio def ipsec
	esp/tunnel/1.1.3.145-4.1.7.176/require
	created: May 27 11:42:06 2015  lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=98 seq=6 pid=2324
	refcnt=1
172.16.100.0/24[any] 172.29.0.0/16[any] 255
	in prio def ipsec
	esp/tunnel/1.1.3.145-4.1.7.176/require
	created: May 27 11:42:06 2015  lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=88 seq=0 pid=2324
	refcnt=1

 

Any ideas how to get it to work? Anything missing?

 

Many thanks in advance...
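
A small parser for the SRX flow trace format shown above, added here as an example and not part of the original post: it splits the trace into one record per packet (from "matched filter" to "flow_process_pkt rc"), notes whether each packet was encrypted into or decrypted out of the st0 tunnel, and records the zone pair, policy verdict and egress interface, so both directions of the tunnel can be checked from a capture rather than by eye. The sample trace is constructed from lines in the trace above.

```python
import re

# Constructed sample shaped like the post's "security flow traceoptions" output: one cleartext
# ICMP packet from the LAN entering the tunnel, then one arriving via st0.6 (pointers as posted).
SAMPLE_TRACE = """\
May 27 09:22:06 09:22:06.502835:CID-0:RT:<172.16.100.239/60165->172.29.0.1/2;1> matched filter out:
May 27 09:22:06 09:22:06.503123:CID-0:RT:  going into tunnel 131079 (nsp_tunnel=0x54bd2928).
May 27 09:22:06 09:22:06.503192:CID-0:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)
May 27 09:22:06 09:22:06.500544:CID-0:RT:<172.29.0.1/2->172.16.100.239/60165;1> matched filter in:
May 27 09:22:06 09:22:06.500544:CID-0:RT:pkt out of tunnel.Proceed normally
May 27 09:22:06 09:22:06.500806:CID-0:RT:flow_first_policy_search: policy search from zone trust-> zone trust (0x0,0x2eb05,0xeb05)
May 27 09:22:06 09:22:06.500806:CID-0:RT:  permitted by policy vpn-interconnect(6)
May 27 09:22:06 09:22:06.501298:CID-0:RT:  flow_first_final_check: in <st0.6>, out <ge-0/0/1.0>
May 27 09:22:06 09:22:06.501298:CID-0:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)
"""

HEADER = re.compile(r"<([\d.]+)/(\d+)->([\d.]+)/(\d+);(\d+)> matched filter (in|out):")
ZONES = re.compile(r"policy search from zone (\S+)-> zone (\S+)")
VERDICT = re.compile(r"(permitted|denied) by policy (\S+)")
EGRESS = re.compile(r"flow_first_final_check: in <(\S+)>, out <(\S+)>")

def parse_flow_trace(text):
    """Group trace lines into one record per packet (from 'matched filter' to 'flow_process_pkt rc')."""
    packets, cur = [], None
    for line in text.splitlines():
        msg = line.split(":RT:", 1)[-1].strip()   # drop the timestamp/CID prefix
        if m := HEADER.search(msg):
            cur = {"src": m[1], "sp": int(m[2]), "dst": m[3], "dp": int(m[4]), "proto": int(m[5]),
                   "filter": m[6], "egress": None, "zones": None, "policy": None, "verdict": None,
                   "encap": False, "decap": False}
            packets.append(cur)
        elif cur is None:
            continue                    # noise before the first packet header
        elif m := ZONES.search(msg):
            cur["zones"] = (m[1], m[2])  # from-zone, to-zone used for the policy lookup
        elif m := VERDICT.search(msg):
            cur["verdict"], cur["policy"] = m[1], m[2]
        elif m := EGRESS.search(msg):
            cur["egress"] = m[2]
        elif "going into tunnel" in msg:
            cur["encap"] = True         # cleartext packet was encrypted into the st0 tunnel
        elif "pkt out of tunnel" in msg:
            cur["decap"] = True         # packet was decrypted from the tunnel
        elif "flow_process_pkt rc" in msg:
            cur = None                  # end of this packet's processing
    return packets

def tunnel_summary(packets):
    """Per-direction counts; a zero on either side or any 'denied' is where to look when SAs are up but pings fail."""
    return {"encrypted": sum(p["encap"] for p in packets),
            "decrypted": sum(p["decap"] for p in packets),
            "denied": sum(p["verdict"] == "denied" for p in packets)}
```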

 

2 REPLIES

Re: VPN SRX240 Racoon Site-to-Site no Traffic

06-02-2015 06:11 AM

Hello,

Your configuration looks fine and the trace suggests that the packet is forwarded bidirectionally.

Please let me know whether the issue is also seen when you ping from the other end.

Can you paste the output of the session details:

>show security flow session destination-prefix 172.29.0.1 protocol ICMP

Also, can you try to ping any host behind the gateway 172.29.0.1? Make sure no NAT is involved.

 

 

 

 


Thanks,
Sam

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too .....
Re: VPN SRX240 Racoon Site-to-Site no Traffic

06-02-2015 08:03 AM

I have had a quick look and don't see a policy allowing traffic coming from your "racoon" side towards your trusted network behind the SRX.

You only allow traffic from the trust side towards the racoon side, not from the racoon side to the trusted side behind the SRX.

 

 

Marc



-----------------------------------------------------------------
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too
-----------------------------------------------------------------