ScreenOS Firewalls (NOT SRX)

Problems bringing up policy-based VPN tunnel on ISG 2000

07-26-2019 05:28 PM

Our ISG 2000 is running 6.3. We were trying to get a route-based VPN set up to Azure, but we couldn't get that resolved, so now we're trying a policy-based VPN. It sure looks simple enough, but we can't get that tunnel up. I've attached the configuration, and the following log entries repeat over and over.

2019-07-27 01:20:09 system info 00536 IKE <DEST IP> IKEV2 packet: Retransmission limit has been reached.
2019-07-27 01:19:29 system info 00536 <LOCAL IP> <DEST IP> IKESA: Initiated negotiations.


I'm not well versed in Juniper, but the tunnels won't go active.

nsisg2000-> get sa
total configured sa: 2
HEX ID Gateway Port Algorithm SPI Life:sec kb Sta PID vsys
00000002< <DEST IP> 500 esp:a256/s256 00000000 expir unlim I/I 2 0
00000002> <DEST IP> 500 esp:a256/s256 00000000 expir unlim I/I 1 0


I'm not certain what else might help, but if anyone can provide guidance, I'd be grateful. Thank you.


Re: Problems bringing up policy-based VPN tunnel on ISG 2000

07-26-2019 05:41 PM

This is a generic message, stating that the IKE negotiation is failing, and when it tries to retransmit, it fails. It repeats that cycle over and over. This is regardless of whether you use a route-based VPN or a policy-based VPN. You will need to verify that the proposals actually match whatever Azure is listening for. With any VPN, you need to troubleshoot by looking at all messages from both sides of the VPN, not just one side.


Re: Problems bringing up policy-based VPN tunnel on ISG 2000

07-27-2019 03:30 AM

The two most common reasons for this message are:

1. The gateway addresses are not matching on both sides. Confirm that the IP address the SSG has for Azure, and the one Azure has for the SSG, are correct.

2. The policy crypto packages are not matching between Azure and the SSG. Confirm that these selections match what the Azure side has configured:

set ike p1-proposal "AZURE-P1_Proposal" preshare group2 esp aes256 sha2-256 hour 8
set ike p2-proposal "AZURE-P2_Proposal" group2 esp aes256 sha2-256 hour 3


Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
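The two checks in the reply above, turned into a small script as an added example (this is not code from the thread, from Juniper or from Azure): it parses the `set ike p1-proposal`, `set ike p2-proposal` and `set ike gateway` lines of a ScreenOS config, compares them with what the remote side is configured to accept, and reads one row of `get sa` the way the question's output should be read (SPI 00000000 with Sta I/I means no SA was ever negotiated). The gateway line, all addresses, the pre-shared key and the remote-side parameters are constructed sample data; the phase-2 values attributed to the peer were deliberately chosen to differ from the local ones so the checker has something to report, and are not Azure's actual requirements.

```python
"""Check a ScreenOS IKE config against what the remote peer accepts (added example)."""
import re

# Constructed configuration fragment. The two proposal lines are the ones quoted in
# the reply; the gateway line, addresses and key are assumptions for this example.
LOCAL_CONFIG = """
set ike p1-proposal "AZURE-P1_Proposal" preshare group2 esp aes256 sha2-256 hour 8
set ike p2-proposal "AZURE-P2_Proposal" group2 esp aes256 sha2-256 hour 3
set ike gateway "AZURE-GW" address 203.0.113.10 Main outgoing-interface "ethernet1/1" preshare "s3cret" proposal "AZURE-P1_Proposal"
"""
LOCAL_OUTGOING_IP = "198.51.100.5"  # assumed public address of ethernet1/1

# Constructed view of the remote side: the address it listens on, the address it holds
# for our firewall, and the proposal it accepts per phase. The phase-2 entry was chosen
# to differ from the local config on purpose; it is not Azure's real requirement.
PEER = {
    "gateway_ip": "203.0.113.10",
    "expects_local_ip": "198.51.100.5",
    "p1": {"dh": "group2", "enc": "aes256", "hash": "sha2-256", "life_s": 28800},
    "p2": {"dh": "no-pfs", "enc": "aes256", "hash": "sha1", "life_s": 27000},
}

# One `get sa` row in the shape shown in the question, with a sample peer address.
SAMPLE_GET_SA = "00000002< 203.0.113.10 500 esp:a256/s256 00000000 expir unlim I/I 2 0"

UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}
PROPOSAL_RE = re.compile(
    r'^set ike (?P<phase>p[12])-proposal "(?P<name>[^"]+)"'
    r'(?: (?P<auth>preshare|rsa-sig|dsa-sig))?'  # phase-1 authentication method
    r'(?: (?P<dh>group\d+|no-pfs))?'             # DH group, or PFS setting in phase 2
    r' (?P<proto>esp|ah) (?P<enc>\S+) (?P<hash>\S+)'
    r'(?: (?P<unit>second|minute|hour|day) (?P<life>\d+))?$'
)
GATEWAY_RE = re.compile(
    r'^set ike gateway "(?P<name>[^"]+)" address (?P<ip>\S+) .*proposal "(?P<p1>[^"]+)"'
)
SA_RE = re.compile(
    r'^(?P<id>[0-9a-f]{8})[<>] (?P<gw>\S+) (?P<port>\d+) (?P<alg>\S+) (?P<spi>[0-9a-f]{8})'
    r' (?P<life>\S+) (?P<kb>\S+) (?P<sta>\S+)'
)


def parse_config(text):
    """Return ({proposal name: fields}, {gateway name: fields}) from ScreenOS set lines."""
    proposals, gateways = {}, {}
    for line in text.strip().splitlines():
        m = PROPOSAL_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["life_s"] = UNIT_SECONDS[d["unit"]] * int(d["life"]) if d["unit"] else None
            proposals[d["name"]] = d
            continue
        m = GATEWAY_RE.match(line.strip())
        if m:
            gateways[m["name"]] = m.groupdict()
    return proposals, gateways


def compare_proposal(local, peer):
    """DH/PFS, cipher and hash differences are fatal. A lifetime difference is only a
    warning: IKEv2 does not negotiate lifetimes, and IKEv1 responders generally accept
    a shorter one than their own."""
    fatal = [f"{f}: local {local.get(f)} vs peer {peer[f]}"
             for f in ("dh", "enc", "hash") if local.get(f) != peer[f]]
    warnings = []
    if local["life_s"] is not None and local["life_s"] != peer["life_s"]:
        warnings.append(f"lifetime: local {local['life_s']}s vs peer {peer['life_s']}s")
    return fatal, warnings


def check_tunnel(config_text, gateway_name, p2_name, peer, local_ip):
    """Apply the reply's two checks: addresses on both sides, then the P1 and P2 proposals."""
    proposals, gateways = parse_config(config_text)
    gw = gateways[gateway_name]
    findings = []
    if gw["ip"] != peer["gateway_ip"]:
        findings.append(f"gateway address: firewall has {gw['ip']}, peer listens on {peer['gateway_ip']}")
    if local_ip != peer["expects_local_ip"]:
        findings.append(f"gateway address: peer has {peer['expects_local_ip']} for us, we send from {local_ip}")
    for phase, name in (("p1", gw["p1"]), ("p2", p2_name)):
        fatal, warnings = compare_proposal(proposals[name], peer[phase])
        findings += [f"{phase} {name} {x}" for x in fatal]
        findings += [f"{phase} {name} (warning) {x}" for x in warnings]
    return findings


def sa_state(get_sa_row):
    """Interpret one `get sa` row: SPI 00000000 means no SA was ever negotiated, and a
    Sta of I/I (as in the question) is inactive; an established SA shows A/-."""
    m = SA_RE.match(get_sa_row.strip())
    if not m:
        raise ValueError(f"unrecognised get sa row: {get_sa_row!r}")
    negotiated = m["spi"] != "00000000"
    return {"gateway": m["gw"], "spi": m["spi"], "status": m["sta"],
            "active": negotiated and m["sta"].startswith("A")}


if __name__ == "__main__":
    print(sa_state(SAMPLE_GET_SA))
    for f in check_tunnel(LOCAL_CONFIG, "AZURE-GW", "AZURE-P2_Proposal", PEER, LOCAL_OUTGOING_IP):
        print("MISMATCH", f)
```

Run as-is, it flags the phase-2 PFS group and hash as fatal and the phase-2 lifetime as a warning, and reports the sample `get sa` row as never negotiated. It cannot do what the first reply asks for, which is to read the other side's logs: the peer dictionary has to be filled in by hand from the remote gateway's configuration, and the retransmission-limit message on its own only tells you the peer never answered acceptably.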