SRX Services Gateway

st0.6 interface not coming up IPSEC VPN

10-10-2019 04:51 AM

I have attached the configuration of an SRX 5800, in order to prepare the VPN with AWS.

I used st0.6 this time; st0.0 to st0.5 are already working with other tunnels.

st0.6 is a little different from the other tunnel interfaces: it has reth2.2410 as the outside interface, and the routing instance is SGi-VR.

Can anyone help in spotting the config mistake I am making here? Unless st0.6 comes UP, I can't establish the tunnel.

Thanks

Re: st0.6 interface not coming up IPSEC VPN

10-10-2019 07:26 AM

under zone configuration of untrust, you have

Re: st0.6 interface not coming up IPSEC VPN

10-10-2019 05:59 PM

Just curious: is reth2.2410 configured in the default instance and part of a security zone with IKE enabled for the host-bound services?

Re: st0.6 interface not coming up IPSEC VPN

10-11-2019 01:28 AM

set security zones security-zone vpn-TESCO interfaces st0.6
set security zones security-zone vpn-TESCO interfaces st0.6 host-inbound-traffic system-services all
set security zones security-zone vpn-TESCO interfaces st0.6 host-inbound-traffic protocols all
set security zones security-zone vpn-TESCO interfaces st0.6 host-inbound-traffic system-services ike

set security zones security-zone inside description "Gi Inside Traffic "
set security zones security-zone inside screen ATTACK-SCAN
set security zones security-zone inside host-inbound-traffic system-services ping
set security zones security-zone inside host-inbound-traffic system-services traceroute
set security zones security-zone inside host-inbound-traffic protocols ospf
set security zones security-zone inside interfaces reth1.410

Re: st0.6 interface not coming up IPSEC VPN

10-11-2019 01:29 AM

My zone configuration

trust zone

set security zones security-zone inside description "Gi Inside Traffic "
set security zones security-zone inside screen ATTACK-SCAN
set security zones security-zone inside host-inbound-traffic system-services ping
set security zones security-zone inside host-inbound-traffic system-services traceroute
set security zones security-zone inside host-inbound-traffic protocols ospf
set security zones security-zone inside interfaces reth1.410

vpn zone or untrust zone

set security zones security-zone vpn-TESCO interfaces st0.6
set security zones security-zone vpn-TESCO interfaces st0.6 host-inbound-traffic system-services all
set security zones security-zone vpn-TESCO interfaces st0.6 host-inbound-traffic protocols all
set security zones security-zone vpn-TESCO interfaces st0.6 host-inbound-traffic system-services ike

Re: st0.6 interface not coming up IPSEC VPN

10-11-2019 02:00 AM

set security zones security-zone Internet description "ISP Internet "
set security zones security-zone Internet screen ATTACK-SCAN
set security zones security-zone Internet host-inbound-traffic system-services ike
set security zones security-zone Internet interfaces reth2.2410

set routing-instances SGi-VR interface reth1.281
set routing-instances SGi-VR interface reth1.410
set routing-instances SGi-VR interface reth2.2410
set routing-instances SGi-VR interface reth3.280

set routing-instances SGi-VR instance-type virtual-router
set routing-instances SGi-VR interface reth1.281
set routing-instances SGi-VR interface reth1.410
set routing-instances SGi-VR interface reth2.2410
set routing-instances SGi-VR interface reth3.280
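The question raised earlier in the thread (is the outside interface in a zone that admits IKE, and which routing instance is it in?) can be answered mechanically from set-style output. The following checker is an added example, not the poster's configuration or any Juniper tool. The zone and routing-instance lines are the ones posted above; the `security ike gateway` and `security ipsec vpn` lines are constructed assumptions (the real ones are only in the attachment) that reuse the gw-TESCO and ipsec-vpn-TESCO names visible in the kmd log further down.

```python
import re
from collections import defaultdict

# Set-style Junos snippet. Zone and routing-instance lines come from the thread;
# the ike gateway and ipsec vpn lines are CONSTRUCTED for this example.
SAMPLE_CONFIG = """
set security zones security-zone Internet host-inbound-traffic system-services ike
set security zones security-zone Internet interfaces reth2.2410
set security zones security-zone vpn-TESCO interfaces st0.6
set security zones security-zone vpn-TESCO interfaces st0.6 host-inbound-traffic system-services all
set security zones security-zone vpn-TESCO interfaces st0.6 host-inbound-traffic protocols all
set security zones security-zone vpn-TESCO interfaces st0.6 host-inbound-traffic system-services ike
set routing-instances SGi-VR instance-type virtual-router
set routing-instances SGi-VR interface reth2.2410
set security ike gateway gw-TESCO external-interface reth2.2410
set security ipsec vpn ipsec-vpn-TESCO bind-interface st0.6
set security ipsec vpn ipsec-vpn-TESCO ike gateway gw-TESCO
"""

# One regex per statement shape the checker cares about.
ZONE_SVC = re.compile(r"^set security zones security-zone (\S+) host-inbound-traffic system-services (\S+)$")
ZONE_IF = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)"
                     r"(?: host-inbound-traffic system-services (\S+))?")
RI_IF = re.compile(r"^set routing-instances (\S+) interface (\S+)$")
GW_EXT = re.compile(r"^set security ike gateway (\S+) external-interface (\S+)$")
VPN_BIND = re.compile(r"^set security ipsec vpn (\S+) bind-interface (\S+)$")
VPN_GW = re.compile(r"^set security ipsec vpn (\S+) ike gateway (\S+)$")


def parse_config(text):
    """Reduce set-style config to the lookups the zone/IKE checks need."""
    cfg = {
        "zone_of": {},                      # interface -> security zone
        "zone_services": defaultdict(set),  # zone -> zone-wide host-inbound system-services
        "if_services": defaultdict(set),    # interface -> per-interface system-services
        "instance_of": {},                  # interface -> routing instance (absent = default)
        "gateway_ext_if": {},               # ike gateway -> external-interface
        "vpn_bind": {},                     # ipsec vpn -> bind-interface (st0.x)
        "vpn_gateway": {},                  # ipsec vpn -> ike gateway
    }
    for line in text.splitlines():
        line = line.strip()
        if m := ZONE_SVC.match(line):
            cfg["zone_services"][m[1]].add(m[2])
        elif m := ZONE_IF.match(line):
            cfg["zone_of"][m[2]] = m[1]
            if m[3]:
                cfg["if_services"][m[2]].add(m[3])
        elif m := RI_IF.match(line):
            cfg["instance_of"][m[2]] = m[1]
        elif m := GW_EXT.match(line):
            cfg["gateway_ext_if"][m[1]] = m[2]
        elif m := VPN_BIND.match(line):
            cfg["vpn_bind"][m[1]] = m[2]
        elif m := VPN_GW.match(line):
            cfg["vpn_gateway"][m[1]] = m[2]
    return cfg


def routing_instance(cfg, ifname):
    """Routing instance an interface was placed in, or 'default' if none."""
    return cfg["instance_of"].get(ifname, "default")


def ike_allowed(cfg, ifname):
    """True if the zone holding ifname lets IKE reach the control plane, either
    zone-wide or on that interface, via system-services ike or all."""
    zone = cfg["zone_of"].get(ifname)
    if zone is None:
        return False
    allowed = cfg["zone_services"][zone] | cfg["if_services"][ifname]
    return bool(allowed & {"ike", "all"})


def check_vpn(cfg, vpn):
    """Findings for one route-based VPN; an empty list means the zone and
    host-inbound plumbing asked about in the thread is in place."""
    findings = []
    st = cfg["vpn_bind"].get(vpn)
    if st is None:
        findings.append(f"{vpn}: no bind-interface configured")
    elif st not in cfg["zone_of"]:
        findings.append(f"{vpn}: {st} is not assigned to any security zone")
    gw = cfg["vpn_gateway"].get(vpn)
    if gw is None:
        findings.append(f"{vpn}: no ike gateway referenced")
        return findings
    ext = cfg["gateway_ext_if"].get(gw)
    if ext is None:
        findings.append(f"{vpn}: gateway {gw} has no external-interface")
    elif ext not in cfg["zone_of"]:
        findings.append(f"{vpn}: external-interface {ext} is not in any security zone")
    elif not ike_allowed(cfg, ext):
        findings.append(f"{vpn}: zone {cfg['zone_of'][ext]} does not allow system-services ike on {ext}")
    return findings


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print(check_vpn(cfg, "ipsec-vpn-TESCO") or "no findings")
    print("reth2.2410 sits in routing instance", routing_instance(cfg, "reth2.2410"))
```

Run against `show configuration | display set` output, the checker reports nothing for the posted zones (IKE is allowed zone-wide on Internet, and st0.6 is bound to vpn-TESCO) and confirms that reth2.2410 lives in SGi-VR rather than the default instance, which matches the `routing table id = 6` / `VR-ID: 6` seen in the kmd log.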

Re: st0.6 interface not coming up IPSEC VPN

10-11-2019 09:52 AM

The config on the SRX side looks good.
I would suggest the following as next steps to troubleshoot such issues:

1. Remove the vpn-monitor and check if the IKE and IPsec SAs stay up. Also check if st0.6 stays up.

2. Use the traceoptions feature to analyze the issue further.

https://kb.juniper.net/InfoCenter/index?page=content&id=KB19943&actp=METADATA&act=login

Re: st0.6 interface not coming up IPSEC VPN

10-16-2019 03:11 AM

SPC0_PIC2 kmd[184]: IKE negotiation failed with error: Invalid syntax. IKE Version: 1, VPN: ipsec-vpn-TESCO Gateway: gw-TESCO, Local: 185.16.71.132/4500, Remote: 34.250.189.60/4500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 6: Role: Initiator

[Oct 15 11:03:00 PIC 1/0/2 KMD1]ssh_ike_connect: Start, remote_name = 34.250.189.60:500, xchg = 2, flags = 00090000
[Oct 15 11:03:00 PIC 1/0/2 KMD1]ike_sa_allocate: Start, SA = { 61ccdef0 4d2dd809 - 00000000 00000000 }
[Oct 15 11:03:00 PIC 1/0/2 KMD1]ssh_ike_connect: SA = { 61ccdef0 4d2dd809 - 00000000 00000000}, nego = -1
[Oct 15 11:03:00 PIC 1/0/2 KMD1]ike_st_o_sa_proposal: Start
[Oct 15 11:03:00 PIC 1/0/2 KMD1]ike_policy_reply_isakmp_vendor_ids: Start
[Oct 15 11:03:00 PIC 1/0/2 KMD1]ike_st_o_private: Start
[Oct 15 11:03:00 PIC 1/0/2 KMD1]ike_policy_reply_private_payload_out: Start
[Oct 15 11:03:00 PIC 1/0/2 KMD1]ike_send_packet: <-------- sending SA = { 61ccdef0 4d2dd809 - 00000000 00000000}, len = 288, nego = -1, local ip= 185.16.71.132, dst = 34.250.189.60:500, routing table id = 6
[Oct 15 11:03:00 PIC 1/0/2 KMD1]---------> Received from 34.250.189.60:500 to 185.16.71.132:0, VR 6, length 128 on IF
[Oct 15 11:03:00 PIC 1/0/2 KMD1]ike_sa_find: Not found SA = { 61ccdef0 4d2dd809 - 41f56fed 0a018db8 }
[Oct 15 11:03:00 PIC 1/0/2 KMD1]ikev2_packet_st_input_v1_create_sa: [100c6a800/0] No IKE SA for packet; requesting permission to create one.
[Oct 15 11:03:00 PIC 1/0/2 KMD1]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
[Oct 15 11:03:00 PIC 1/0/2 KMD1]ike_get_sa: Start, SA = { 61ccdef0 4d2dd809 - 41f56fed 0a018db8 } / 00000000, remote = 34.250.189.60:500
[Oct 15 11:03:00 PIC 1/0/2 KMD1]ike_sa_find: Not found SA = { 61ccdef0 4d2dd809 - 41f56fed 0a018db8 }
[Oct 15 11:03:00 PIC 1/0/2 KMD1]ike_sa_find_half: Found half SA = { 61ccdef0 4d2dd809 - 00000000 00000000 }
[Oct 15 11:03:00 PIC 1/0/2 KMD1]ike_sa_upgrade: Start, SA = { 61ccdef0 4d2dd809 - 00000000 00000000 } -> { ... - 41f56fed 0a018db8 }
[Oct 15 11:03:00 PIC 1/0/2 KMD1]ike_st_i_sa_value: Start
[Oct 15 11:03:00 PIC 1/0/2 KMD1]ike_st_i_cr: Start
[Oct 15 11:03:00 PIC 1/0/2 KMD1]ike_st_i_cert: Start
[Oct 15 11:03:00 PIC 1/0/2 KMD1]ike_st_i_vid: VID[0..16] = afcad713 68a1f1c9 ...
[Oct 15 11:03:00 PIC 1/0/2 KMD1]ike_st_i_vid: VID[0..16] = 4a131c81 07035845 ...
[Oct 15 11:03:00 PIC 1/0/2 KMD1]ike_st_i_private: Start
[Oct 15 11:03:00 PIC 1/0/2 KMD1]ike_st_o_ke: Start
[Oct 15 11:03:00 PIC 1/0/2 KMD1]ike_st_o_nonce: Start
[Oct 15 11:03:00 PIC 1/0/2 KMD1]ike_policy_reply_isakmp_nonce_data_len: Start
[Oct 15 11:03:00 PIC 1/0/2 KMD1]ike_st_o_private: Start
[Oct 15 11:03:00 PIC 1/0/2 KMD1]ike_policy_reply_private_payload_out: Start
[Oct 15 11:03:00 PIC 1/0/2 KMD1]ike_policy_reply_private_payload_out: Start
[Oct 15 11:03:00 PIC 1/0/2 KMD1]ike_policy_reply_private_payload_out: Start
[Oct 15 11:03:00 PIC 1/0/2 KMD1]ike_send_packet: <-------- sending SA = { 61ccdef0 4d2dd809 - 41f56fed 0a018db8}, len = 228, nego = -1, local ip= 185.16.71.132, dst = 34.250.189.60:500, routing table id = 6
[Oct 15 11:03:00 PIC 1/0/2 KMD1]---------> Received from 34.250.189.60:500 to 185.16.71.132:0, VR 6, length 228 on IF
[Oct 15 11:03:00 PIC 1/0/2 KMD1]ike_sa_find: Found SA = { 61ccdef0 4d2dd809 - 41f56fed 0a018db8 }
[Oct 15 11:03:00 PIC 1/0/2 KMD1]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
[Oct 15 11:03:00 PIC 1/0/2 KMD1]ike_get_sa: Start, SA = { 61ccdef0 4d2dd809 - 41f56fed 0a018db8 } / 00000000, remote = 34.250.189.60:500
[Oct 15 11:03:00 PIC 1/0/2 KMD1]ike_sa_find: Found SA = { 61ccdef0 4d2dd809 - 41f56fed 0a018db8 }
[Oct 15 11:03:00 PIC 1/0/2 KMD1]ike_st_i_nonce: Start, nonce[0..16] = 1e85d1ec 78c781b3 ...
[Oct 15 11:03:00 PIC 1/0/2 KMD1]ike_st_i_ke: Ke[0..128] = 3f319b81 8496670e ...
[Oct 15 11:03:00 PIC 1/0/2 KMD1]ike_st_i_cr: Start
[Oct 15 11:03:00 PIC 1/0/2 KMD1]ike_st_i_cert: Start
[Oct 15 11:03:00 PIC 1/0/2 KMD1]ike_st_i_private: Start
[Oct 15 11:03:00 PIC 1/0/2 KMD1]ike_st_o_id: Start
[Oct 15 11:03:00 PIC 1/0/2 KMD1]ike_st_o_hash: Start
[Oct 15 11:03:00 PIC 1/0/2 KMD1]ike_find_pre_shared_key: Find pre shared key key for 185.16.71.132:500, id = ipv4(any:0,[0..3]=185.16.71.132) -> 34.250.189.60:500, id = No Id
[Oct 15 11:03:00 PIC 1/0/2 KMD1]ike_policy_reply_find_pre_shared_key: Start
[Oct 15 11:03:00 PIC 1/0/2 KMD1]ike_calc_mac: Start, initiator = true, local = true
[Oct 15 11:03:00 PIC 1/0/2 KMD1]ike_st_o_status_n: Start
[Oct 15 11:03:00 PIC 1/0/2 KMD1]ike_st_o_private: Start
[Oct 15 11:03:00 PIC 1/0/2 KMD1]ike_policy_reply_private_payload_out: Start
[Oct 15 11:03:00 PIC 1/0/2 KMD1]ike_st_o_encrypt: Marking encryption for packet
[Oct 15 11:03:00 PIC 1/0/2 KMD1]ike_send_packet: <-------- sending SA = { 61ccdef0 4d2dd809 - 41f56fed 0a018db8}, len = 92, nego = -1, local ip= 185.16.71.132, dst = 34.250.189.60:4500, routing table id = 6
[Oct 15 11:03:00 PIC 1/0/2 KMD1]---------> Received from 34.250.189.60:500 to 185.16.71.132:0, VR 6, length 40 on IF
[Oct 15 11:03:00 PIC 1/0/2 KMD1]ike_sa_find: Found SA = { 61ccdef0 4d2dd809 - 41f56fed 0a018db8 }
[Oct 15 11:03:00 PIC 1/0/2 KMD1]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
[Oct 15 11:03:00 PIC 1/0/2 KMD1]ike_get_sa: Start, SA = { 61ccdef0 4d2dd809 - 41f56fed 0a018db8 } / a105af45, remote = 34.250.189.60:500
[Oct 15 11:03:00 PIC 1/0/2 KMD1]ike_sa_find: Found SA = { 61ccdef0 4d2dd809 - 41f56fed 0a018db8 }
[Oct 15 11:03:00 PIC 1/0/2 KMD1]ikev2_fb_server_changed: Ignoring server change back to normal IKE port
[Oct 15 11:03:00 PIC 1/0/2 KMD1]ike_st_i_n: Start, doi = 1, protocol = 1, code = Payload malformed (16), spi[0..0] = 00000000 00000000 ..., data[0..0] = 00000000 00000000 ...
[Oct 15 11:03:00 PIC 1/0/2 KMD1]<none>:500 (Responder) <-> 34.250.189.60:500 { 61ccdef0 4d2dd809 - 41f56fed 0a018db8 [0] / 0xa105af45 } Info; Received notify err = Payload malformed (16) to isakmp sa, delete it
[Oct 15 11:03:00 PIC 1/0/2 KMD1]ike_st_i_private: Start
[Oct 15 11:03:00 PIC 1/0/2 KMD1]ike_send_notify: Connected, SA = { 61ccdef0 4d2dd809 - 41f56fed 0a018db8}, nego = 0
[Oct 15 11:03:00 PIC 1/0/2 KMD1]185.16.71.132:4500 (Initiator) <-> 34.250.189.60:4500 { 61ccdef0 4d2dd809 - 41f56fed 0a018db8 [-1] / 0x00000000 } IP; Connection got error = 16, calling callback
[Oct 15 11:03:00 PIC 1/0/2 KMD1]ssh_ike_tunnel_table_entry_delete: Deleting tunnel_id: 0 from IKE tunnel table
[Oct 15 11:03:00 PIC 1/0/2 KMD1]ssh_ike_tunnel_table_entry_delete: The tunnel id: 0 doesn't exist in IKE tunnel table
[Oct 15 11:03:00 PIC 1/0/2 KMD1]ike_sa_delete: Start, SA = { 61ccdef0 4d2dd809 - 41f56fed 0a018db8 }
[Oct 15 11:03:00 PIC 1/0/2 KMD1]IKE negotiation fail for local:185.16.71.132, remote:34.250.189.60 IKEv1 with status: Invalid syntax
[Oct 15 11:03:00 PIC 1/0/2 KMD1] IKEv1 Error : Payload malformed
[Oct 15 11:03:00 PIC 1/0/2 KMD1]IPSec Rekey for SPI 0x0 failed
[Oct 15 11:03:00 PIC 1/0/2 KMD1]IPSec SA done callback called for sa-cfg ipsec-vpn-TESCO local:185.16.71.132, remote:34.250.189.60 IKEv1 with status Invalid syntax
[Oct 15 11:03:00 PIC 1/0/2 KMD1]IKE SA delete called for p1 sa 142297377 (ref cnt 2) local:185.16.71.132, remote:34.250.189.60, IKEv1
[Oct 15 11:03:00 PIC 1/0/2 KMD1]P1 SA 142297377 reference count is not zero (1). Delaying deletion of SA
[Oct 15 11:03:00 PIC 1/0/2 KMD1]iked_pm_p1_sa_destroy: p1 sa 142297377 (ref cnt 0), waiting_for_del 0x1027240
[Oct 15 11:03:00 PIC 1/0/2 KMD1]iked_deferred_free_inactive_peer_entry: Free 1 peer_entry(s)

Re: st0.6 interface not coming up IPSEC VPN

10-17-2019 11:22 AM

So the tunnel fails in IKEv1 phase 1, in packet exchange number 3/4.
Most likely a configuration issue. I would check the configuration on both the peer devices again.

Also, in the logs I see the SRX trying to use port 4500, indicating NAT-T is happening:

[Oct 15 11:03:00 PIC 1/0/2 KMD1]ike_send_packet: <-------- sending SA = { 61ccdef0 4d2dd809 - 41f56fed 0a018db8}, len = 92, nego = -1, local ip= 185.16.71.132, dst = 34.250.189.60:4500, routing table id = 6

Given that the peer device is on AWS, I assume it uses a private IP address which then gets changed to an Elastic IP address provided by AWS before going out to the internet.

Maybe try using local and remote identities as hostnames to verify the identity of the peer device instead of relying on the IP addresses for verification.
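The kmd trace posted earlier and the reading of it in this last reply (how far phase 1 got, the error notify, the move to UDP 4500) can be extracted by a small script rather than by eye. The analyzer below is an added example, not part of the thread or of Junos; its sample input is trimmed from the trace posted above (packet, notify and status lines only, original order kept), and the `verdict` wording is this example's own summary of the failure pattern, not text from the thread.

```python
import re

# Trimmed from the kmd traceoptions output posted in the thread: only the
# packet, notify and status lines the analyzer keys on, in their original order.
SAMPLE_TRACE = """\
[Oct 15 11:03:00 PIC 1/0/2 KMD1]ike_send_packet: <-------- sending SA = { 61ccdef0 4d2dd809 - 00000000 00000000}, len = 288, nego = -1, local ip= 185.16.71.132, dst = 34.250.189.60:500, routing table id = 6
[Oct 15 11:03:00 PIC 1/0/2 KMD1]---------> Received from 34.250.189.60:500 to 185.16.71.132:0, VR 6, length 128 on IF
[Oct 15 11:03:00 PIC 1/0/2 KMD1]ike_send_packet: <-------- sending SA = { 61ccdef0 4d2dd809 - 41f56fed 0a018db8}, len = 228, nego = -1, local ip= 185.16.71.132, dst = 34.250.189.60:500, routing table id = 6
[Oct 15 11:03:00 PIC 1/0/2 KMD1]---------> Received from 34.250.189.60:500 to 185.16.71.132:0, VR 6, length 228 on IF
[Oct 15 11:03:00 PIC 1/0/2 KMD1]ike_st_o_encrypt: Marking encryption for packet
[Oct 15 11:03:00 PIC 1/0/2 KMD1]ike_send_packet: <-------- sending SA = { 61ccdef0 4d2dd809 - 41f56fed 0a018db8}, len = 92, nego = -1, local ip= 185.16.71.132, dst = 34.250.189.60:4500, routing table id = 6
[Oct 15 11:03:00 PIC 1/0/2 KMD1]---------> Received from 34.250.189.60:500 to 185.16.71.132:0, VR 6, length 40 on IF
[Oct 15 11:03:00 PIC 1/0/2 KMD1]ike_st_i_n: Start, doi = 1, protocol = 1, code = Payload malformed (16), spi[0..0] = 00000000 00000000 ..., data[0..0] = 00000000 00000000 ...
[Oct 15 11:03:00 PIC 1/0/2 KMD1]IKE negotiation fail for local:185.16.71.132, remote:34.250.189.60 IKEv1 with status: Invalid syntax
"""

SEND = re.compile(r"ike_send_packet: .*len = (?P<len>\d+),.*dst = (?P<dst>[\d.]+):(?P<port>\d+), routing table id = (?P<vr>\d+)")
RECV = re.compile(r"Received from (?P<src>[\d.]+):(?P<port>\d+) to [\d.]+:\d+, VR (?P<vr>\d+), length (?P<len>\d+)")
ENCRYPT = re.compile(r"ike_st_o_encrypt: Marking encryption")
NOTIFY = re.compile(r"ike_st_i_n: .*code = (?P<text>[^(]+) \((?P<code>\d+)\)")
FINAL = re.compile(r"IKE negotiation fail for local:(?P<local>[\d.]+), remote:(?P<remote>[\d.]+) IKEv1 with status: (?P<status>.+)$")


def analyze_trace(text):
    """Walk the trace once and summarise how far IKEv1 phase 1 got and why it stopped."""
    r = {"sent": 0, "received": 0, "sent_before_error": None, "received_before_error": None,
         "ports_used": [], "nat_t": False, "encrypted_sent": False,
         "notify": None, "status": None, "vr": None, "local": None, "remote": None}
    for line in text.splitlines():
        if m := SEND.search(line):
            r["sent"] += 1
            r["vr"] = int(m["vr"])
            port = int(m["port"])
            if port not in r["ports_used"]:
                r["ports_used"].append(port)
            if port == 4500:            # move from UDP 500 to 4500: NAT-T found a NAT in the path
                r["nat_t"] = True
        elif RECV.search(line):
            r["received"] += 1
        elif ENCRYPT.search(line):
            r["encrypted_sent"] = True  # the next outbound packet is the first encrypted main-mode message
        elif m := NOTIFY.search(line):
            if r["notify"] is None:     # keep the first error notify only
                r["notify"] = (m["text"].strip(), int(m["code"]))
                r["sent_before_error"] = r["sent"]
                r["received_before_error"] = r["received"] - 1  # the notify itself was the last packet in
        elif m := FINAL.search(line):
            r["status"] = m["status"].strip()
            r["local"], r["remote"] = m["local"], m["remote"]
    return r


def verdict(r):
    """One-line reading of the summary, in the terms the thread's last reply used."""
    if r["notify"] is None and r["status"] is None:
        return "no IKEv1 failure seen in trace"
    sent = r["sent"] if r["sent_before_error"] is None else r["sent_before_error"]
    received = r["received"] if r["received_before_error"] is None else r["received_before_error"]
    parts = [f"IKEv1 phase 1 failed in VR {r['vr']} after {sent} messages sent and {received} received"]
    if r["notify"]:
        parts.append(f"peer sent notify {r['notify'][0]} ({r['notify'][1]})")
    if r["encrypted_sent"] and r["notify"]:
        parts.append("the rejected message was our first encrypted one: verify IKE identities and pre-shared key on both peers")
    if r["nat_t"]:
        parts.append(f"NAT-T engaged (ports {r['ports_used']}): with a NAT in the path, IP-based IKE identities may not match")
    return "; ".join(parts)


if __name__ == "__main__":
    print(verdict(analyze_trace(SAMPLE_TRACE)))
```

On the posted trace the summary shows three messages sent and two received before the peer's Payload malformed (16) notify, the port switch from 500 to 4500 (NAT-T), routing table 6, and the final Invalid syntax status, which is the same picture the reply above draws by hand and the reason it points at identity configuration rather than at the zones.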