We have an IPsec site-to-site VPN from an SRX300 to a SonicWall. The VPN connection is working, but after x hours the VPN gets dropped and is re-established after 5 minutes. I have investigated the logs of the SonicWall and the SRX300 device and found the following error logs in the kmd logs:
Apr 1 14:28:36 i3d-r1 kmd[1902]: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch, vpn name: ipsec-vpn-cfgr, Peer Proposed traffic-selector local-ip: none(), Peer Proposed traffic-selector remote-ip: none()
Apr 1 14:28:36 i3d-r1 kmd[1902]: IPSec negotiation failed with error: TS unacceptable. IKE Version: 2, VPN: ipsec-vpn-cfgr Gateway: ike-gate-cfgr, Local: LOCAL-PUBLIC-IP/500, Remote: REMOTE-SIDE-PUBLIC-IP/500, Local IKE-ID: LOCAL-PUBLIC-IP, Remote IKE-ID: REMOTE-SIDE-PUBLIC-IP, VR-ID: 0
Apr 1 14:28:40 i3d-r1 kmd[1902]: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch, vpn name: ipsec-vpn-cfgr, Peer Proposed traffic-selector local-ip: none(), Peer Proposed traffic-selector remote-ip: none()
Apr 1 14:28:40 i3d-r1 kmd[1902]: IPSec negotiation failed with error: TS unacceptable. IKE Version: 2, VPN: ipsec-vpn-cfgr Gateway: ike-gate-cfgr, Local: LOCAL-PUBLIC-IP/500, Remote: REMOTE-SIDE-PUBLIC-IP/500, Local IKE-ID: LOCAL-PUBLIC-IP, Remote IKE-ID: REMOTE-SIDE-PUBLIC-IP, VR-ID: 0
Apr 1 14:28:44 i3d-r1 kmd[1902]: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch, vpn name: ipsec-vpn-cfgr, Peer Proposed traffic-selector local-ip: none(), Peer Proposed traffic-selector remote-ip: none()
Apr 1 14:28:44 i3d-r1 kmd[1902]: IPSec negotiation failed with error: TS unacceptable. IKE Version: 2, VPN: ipsec-vpn-cfgr Gateway: ike-gate-cfgr, Local: LOCAL-PUBLIC-IP/500, Remote: REMOTE-SIDE-PUBLIC-IP/500, Local IKE-ID: LOCAL-PUBLIC-IP, Remote IKE-ID: REMOTE-SIDE-PUBLIC-IP, VR-ID: 0
Apr 1 14:28:48 i3d-r1 kmd[1902]: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch, vpn name: ipsec-vpn-cfgr, Peer Proposed traffic-selector local-ip: none(), Peer Proposed traffic-selector remote-ip: none()
Apr 1 14:28:48 i3d-r1 kmd[1902]: IPSec negotiation failed with error: TS unacceptable. IKE Version: 2, VPN: ipsec-vpn-cfgr Gateway: ike-gate-cfgr, Local: LOCAL-PUBLIC-IP/500, Remote: REMOTE-SIDE-PUBLIC-IP/500, Local IKE-ID: LOCAL-PUBLIC-IP, Remote IKE-ID: REMOTE-SIDE-PUBLIC-IP, VR-ID: 0
Apr 1 14:28:52 i3d-r1 kmd[1902]: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch, vpn name: ipsec-vpn-cfgr, Peer Proposed traffic-selector local-ip: none(), Peer Proposed traffic-selector remote-ip: none()
Apr 1 14:28:52 i3d-r1 kmd[1902]: IPSec negotiation failed with error: TS unacceptable. IKE Version: 2, VPN: ipsec-vpn-cfgr Gateway: ike-gate-cfgr, Local: LOCAL-PUBLIC-IP/500, Remote: REMOTE-SIDE-PUBLIC-IP/500, Local IKE-ID: LOCAL-PUBLIC-IP, Remote IKE-ID: REMOTE-SIDE-PUBLIC-IP, VR-ID: 0
Apr 1 14:29:53 i3d-r1 kmd[1902]: IKE negotiation failed with error: Timed out. IKE Version: 2, VPN: ipsec-vpn-cfgr Gateway: ike-gate-cfgr, Local: LOCAL-PUBLIC-IP/500, Remote: REMOTE-SIDE-PUBLIC-IP/500, Local IKE-ID: LOCAL-PUBLIC-IP, Remote IKE-ID: REMOTE-SIDE-PUBLIC-IP, VR-ID: 0: Role: Responder
Apr 1 14:29:53 i3d-r1 kmd[1902]: KMD_VPN_DOWN_ALARM_USER: VPN ipsec-vpn-cfgr from REMOTE-SIDE-PUBLIC-IP is down. Local-ip: LOCAL-PUBLIC-IP, gateway name: ike-gate-cfgr, vpn name: ipsec-vpn-cfgr, tunnel-id: 131074, local tunnel-if: st0.1, remote tunnel-ip: Not-Available, Local IKE-ID: ^EÈ^_^T, Remote IKE-ID: REMOTE-SIDE-PUBLIC-IP, AAA username: Not-Applicable, VR id: 0, Traffic-selector: , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), SA Type: Static, Reason: IPSec SAs cleared as corresponding IKE SA deleted
Apr 1 14:30:00 i3d-r1 kmd[1902]: IKE negotiation failed with error: Invalid syntax. IKE Version: 2, VPN: ipsec-vpn-cfgr Gateway: ike-gate-cfgr, Local: LOCAL-PUBLIC-IP/500, Remote: REMOTE-SIDE-PUBLIC-IP/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Initiator
Apr 1 14:30:00 i3d-r1 kmd[1902]: IPSec negotiation failed with error: Invalid syntax. IKE Version: 2, VPN: ipsec-vpn-cfgr Gateway: ike-gate-cfgr, Local: LOCAL-PUBLIC-IP/500, Remote: REMOTE-SIDE-PUBLIC-IP/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
Apr 1 14:31:00 i3d-r1 kmd[1902]: IKE negotiation failed with error: Invalid syntax. IKE Version: 2, VPN: ipsec-vpn-cfgr Gateway: ike-gate-cfgr, Local: LOCAL-PUBLIC-IP/500, Remote: REMOTE-SIDE-PUBLIC-IP/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Initiator
Apr 1 14:31:00 i3d-r1 kmd[1902]: IPSec negotiation failed with error: Invalid syntax. IKE Version: 2, VPN: ipsec-vpn-cfgr Gateway: ike-gate-cfgr, Local: LOCAL-PUBLIC-IP/500, Remote: REMOTE-SIDE-PUBLIC-IP/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
Apr 1 14:32:00 i3d-r1 kmd[1902]: IKE negotiation failed with error: Invalid syntax. IKE Version: 2, VPN: ipsec-vpn-cfgr Gateway: ike-gate-cfgr, Local: LOCAL-PUBLIC-IP/500, Remote: REMOTE-SIDE-PUBLIC-IP/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Initiator
Apr 1 14:32:00 i3d-r1 kmd[1902]: IPSec negotiation failed with error: Invalid syntax. IKE Version: 2, VPN: ipsec-vpn-cfgr Gateway: ike-gate-cfgr, Local: LOCAL-PUBLIC-IP/500, Remote: REMOTE-SIDE-PUBLIC-IP/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
Apr 1 14:33:00 i3d-r1 kmd[1902]: IKE negotiation failed with error: Invalid syntax. IKE Version: 2, VPN: ipsec-vpn-cfgr Gateway: ike-gate-cfgr, Local: LOCAL-PUBLIC-IP/500, Remote: REMOTE-SIDE-PUBLIC-IP/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Initiator
Apr 1 14:33:00 i3d-r1 kmd[1902]: IPSec negotiation failed with error: Invalid syntax. IKE Version: 2, VPN: ipsec-vpn-cfgr Gateway: ike-gate-cfgr, Local: LOCAL-PUBLIC-IP/500, Remote: REMOTE-SIDE-PUBLIC-IP/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
Apr 1 14:33:56 i3d-r1 kmd[1902]: KMD_PM_SA_ESTABLISHED: Local gateway: LOCAL-PUBLIC-IP, Remote gateway: REMOTE-SIDE-PUBLIC-IP, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: inbound, SPI: 0x8ebfc7b, AUX-SPI: 0, Mode: Tunnel, Type: dynamic, Traffic-selector:
Apr 1 14:33:56 i3d-r1 kmd[1902]: KMD_PM_SA_ESTABLISHED: Local gateway: LOCAL-PUBLIC-IP, Remote gateway: REMOTE-SIDE-PUBLIC-IP, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: outbound, SPI: 0x647814a1, AUX-SPI: 0, Mode: Tunnel, Type: dynamic, Traffic-selector:
Apr 1 14:33:56 i3d-r1 kmd[1902]: KMD_VPN_UP_ALARM_USER: VPN ipsec-vpn-cfgr from REMOTE-SIDE-PUBLIC-IP is up. Local-ip: LOCAL-PUBLIC-IP, gateway name: ike-gate-cfgr, vpn name: ipsec-vpn-cfgr, tunnel-id: 131074, local tunnel-if: st0.1, remote tunnel-ip: Not-Available, Local IKE-ID: ^EÈ^_^T, Remote IKE-ID: REMOTE-SIDE-PUBLIC-IP, AAA username: Not-Applicable, VR id: 0, Traffic-selector: , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), SA Type: Static
Apr 1 14:33:56 i3d-r1 kmd[1902]: IKE negotiation successfully completed. IKE Version: 2, VPN: ipsec-vpn-cfgr Gateway: ike-gate-cfgr, Local: LOCAL-PUBLIC-IP/500, Remote: REMOTE-SIDE-PUBLIC-IP/500, Local IKE-ID: LOCAL-PUBLIC-IP, Remote IKE-ID: REMOTE-SIDE-PUBLIC-IP, VR-ID: 0, Role: Responder
Apr 1 19:10:01 i3d-r1 kmd[1902]: KMD_VPN_DOWN_ALARM_USER: VPN ipsec-vpn-cfgr from REMOTE-SIDE-PUBLIC-IP is down. Local-ip: LOCAL-PUBLIC-IP, gateway name: ike-gate-cfgr, vpn name: ipsec-vpn-cfgr, tunnel-id: 131074, local tunnel-if: st0.1, remote tunnel-ip: Not-Available, Local IKE-ID: ^EÈ^_^T, Remote IKE-ID: REMOTE-SIDE-PUBLIC-IP, AAA username: Not-Applicable, VR id: 0, Traffic-selector: , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), SA Type: Static, Reason: IPSec SAs cleared as corresponding IKE SA deleted
Apr 1 19:10:01 i3d-r1 kmd[1902]: KMD_PM_SA_ESTABLISHED: Local gateway: LOCAL-PUBLIC-IP, Remote gateway: REMOTE-SIDE-PUBLIC-IP, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: inbound, SPI: 0x13177f86, AUX-SPI: 0, Mode: Tunnel, Type: dynamic, Traffic-selector:
Apr 1 19:10:01 i3d-r1 kmd[1902]: KMD_PM_SA_ESTABLISHED: Local gateway: LOCAL-PUBLIC-IP, Remote gateway: REMOTE-SIDE-PUBLIC-IP, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: outbound, SPI: 0xc7a8757a, AUX-SPI: 0, Mode: Tunnel, Type: dynamic, Traffic-selector:
Apr 1 19:10:01 i3d-r1 kmd[1902]: KMD_VPN_UP_ALARM_USER: VPN ipsec-vpn-cfgr from REMOTE-SIDE-PUBLIC-IP is up. Local-ip: LOCAL-PUBLIC-IP, gateway name: ike-gate-cfgr, vpn name: ipsec-vpn-cfgr, tunnel-id: 131074, local tunnel-if: st0.1, remote tunnel-ip: Not-Available, Local IKE-ID: ^EÈ^_^T, Remote IKE-ID: REMOTE-SIDE-PUBLIC-IP, AAA username: Not-Applicable, VR id: 0, Traffic-selector: , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), SA Type: Static
Apr 1 19:10:01 i3d-r1 kmd[1902]: IKE negotiation successfully completed. IKE Version: 2, VPN: ipsec-vpn-cfgr Gateway: ike-gate-cfgr, Local: LOCAL-PUBLIC-IP/500, Remote: REMOTE-SIDE-PUBLIC-IP/500, Local IKE-ID: LOCAL-PUBLIC-IP, Remote IKE-ID: REMOTE-SIDE-PUBLIC-IP, VR-ID: 0, Role: Responder
My config is:
security {
    ike {
        proposal ike-proposal-cfgr {
            authentication-method pre-shared-keys;
            dh-group group20;
            authentication-algorithm sha1;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 28800;
        }
        policy ike-policy-cfgr {
            mode main;
            proposals ike-proposal-cfgr;
            pre-shared-key ascii-text "hidden"; ## SECRET-DATA
        }
        gateway ike-gate-cfgr {
            ike-policy ike-policy-cfgr;
            address PUBLIC-IP-REMOTE-SIDE;
            local-identity inet PUBLIC-IP-LOCAL;
            external-interface lo0.0;
            general-ikeid;
            version v2-only;
        }
    }
    ipsec {
        proposal ipsec-proposal-cfgr {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 28800;
        }
        policy ipsec-policy-cfgr {
            perfect-forward-secrecy {
                keys group19;
            }
            proposals ipsec-proposal-cfgr;
        }
        vpn ipsec-vpn-cfgr {
            bind-interface st0.1;
            ike {
                gateway ike-gate-cfgr;
                ipsec-policy ipsec-policy-cfgr;
            }
            establish-tunnels immediately;
        }
    }
from-zone trust to-zone vpn {
    policy trust-vpn-cfgr {
        match {
            source-address lokaalSubnet;
            destination-address [ remoteSubnet1 remoteSubnet2 ];
            application any;
        }
        then {
            permit;
        }
    }
}
from-zone vpn to-zone trust {
    policy vpn-trust-cfgr {
        match {
            source-address [ remoteSubnet1 remoteSubnet2 ];
            destination-address lokaalSubnet;
            application any;
        }
        then {
            permit;
        }
    }
}
#vpn
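An added example, not part of the original post: a small Python parser for SRX kmd lines like those quoted above. It pairs each KMD_VPN_DOWN_ALARM_USER with the next KMD_VPN_UP_ALARM_USER for the same VPN and collects the negotiation failure reasons logged around each drop, so the length of every outage and what preceded it can be read off rather than eyeballed. The sample log is constructed and abridged from the lines in the post.

```python
import re
from datetime import datetime

# Constructed sample, abridged from the SRX kmd log quoted in the post (same IP placeholders).
SAMPLE_LOG = """\
Apr 1 14:28:36 i3d-r1 kmd[1902]: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch, vpn name: ipsec-vpn-cfgr, Peer Proposed traffic-selector local-ip: none()
Apr 1 14:28:36 i3d-r1 kmd[1902]: IPSec negotiation failed with error: TS unacceptable. IKE Version: 2, VPN: ipsec-vpn-cfgr Gateway: ike-gate-cfgr
Apr 1 14:29:53 i3d-r1 kmd[1902]: IKE negotiation failed with error: Timed out. IKE Version: 2, VPN: ipsec-vpn-cfgr Gateway: ike-gate-cfgr, Role: Responder
Apr 1 14:29:53 i3d-r1 kmd[1902]: KMD_VPN_DOWN_ALARM_USER: VPN ipsec-vpn-cfgr from REMOTE-SIDE-PUBLIC-IP is down. gateway name: ike-gate-cfgr, vpn name: ipsec-vpn-cfgr, Reason: IPSec SAs cleared as corresponding IKE SA deleted
Apr 1 14:30:00 i3d-r1 kmd[1902]: IKE negotiation failed with error: Invalid syntax. IKE Version: 2, VPN: ipsec-vpn-cfgr Gateway: ike-gate-cfgr, Role: Initiator
Apr 1 14:33:56 i3d-r1 kmd[1902]: KMD_VPN_UP_ALARM_USER: VPN ipsec-vpn-cfgr from REMOTE-SIDE-PUBLIC-IP is up. gateway name: ike-gate-cfgr, vpn name: ipsec-vpn-cfgr
Apr 1 19:10:01 i3d-r1 kmd[1902]: KMD_VPN_DOWN_ALARM_USER: VPN ipsec-vpn-cfgr from REMOTE-SIDE-PUBLIC-IP is down. gateway name: ike-gate-cfgr, vpn name: ipsec-vpn-cfgr, Reason: IPSec SAs cleared as corresponding IKE SA deleted
Apr 1 19:10:01 i3d-r1 kmd[1902]: KMD_VPN_UP_ALARM_USER: VPN ipsec-vpn-cfgr from REMOTE-SIDE-PUBLIC-IP is up. gateway name: ike-gate-cfgr, vpn name: ipsec-vpn-cfgr
"""

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kmd\[\d+\]: (?P<msg>.*)$")
VPN_RE = re.compile(r"(?:vpn name|VPN): (?P<vpn>[\w.-]+)")
FAIL_RE = re.compile(r"negotiation failed with error: (?P<reason>[^.]+)\.")
ALARMS = {"KMD_VPN_TS_MISMATCH": ("failure", "TS mismatch"),
          "KMD_VPN_DOWN_ALARM_USER": ("down", ""), "KMD_VPN_UP_ALARM_USER": ("up", "")}

def parse_line(line):
    """Classify one kmd syslog line as (time, vpn, kind, detail); None if it is not a kmd line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # syslog carries no year
    msg = m.group("msg")
    v = VPN_RE.search(msg)
    vpn = v.group("vpn") if v else "?"
    kind, detail = ALARMS.get(msg.split(":")[0], (None, None))
    if kind is None:  # not a KMD_* alarm: look for a negotiation failure reason
        f = FAIL_RE.search(msg)
        kind, detail = ("failure", f.group("reason")) if f else ("other", "")
    return ts, vpn, kind, detail

def summarize(log_text):
    """Pair each DOWN alarm with the next UP for the same VPN; attach failure reasons seen since the last UP.
    A DOWN and UP in the same second means the tunnel came straight back; longer gaps are real outages."""
    outages, down_at, reasons = [], {}, {}
    for ts, vpn, kind, detail in filter(None, map(parse_line, log_text.splitlines())):
        if kind == "failure":
            reasons.setdefault(vpn, {})[detail] = reasons.get(vpn, {}).get(detail, 0) + 1
        elif kind == "down":
            down_at.setdefault(vpn, ts)  # keep the earliest DOWN if the alarm repeats
        elif kind == "up" and vpn in down_at:
            start = down_at.pop(vpn)
            outages.append({"vpn": vpn, "down": start.strftime("%H:%M:%S"), "up": ts.strftime("%H:%M:%S"),
                            "seconds": int((ts - start).total_seconds()), "failures": reasons.pop(vpn, {})})
    return outages
```

Run against the real file (`summarize(open("kmd").read())`) to list every drop with its duration and the reasons logged around it.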