Problems bringing up policy-based VPN tunnel on ISG 2000
Our ISG 2000 is running 6.3. We were trying to get a route-based VPN set up to Azure, but we couldn't get that resolved, so now we're trying a policy-based VPN. It sure looks simple enough, but we can't get that tunnel up. I've attached the configuration, and the following log output repeats over and over.
2019-07-27 01:20:09 system info 00536 IKE <DEST IP> IKEV2 packet: Retransmission limit has been reached.
2019-07-27 01:19:29 system info 00536 <LOCAL IP> <DEST IP> IKESA: Initiated negotiations.
I'm not well versed in Juniper, but the tunnels won't go active.
nsisg2000-> get sa
total configured sa: 2
HEX ID    Gateway    Port Algorithm     SPI      Life:sec kb    Sta PID vsys
00000002< <DEST IP>  500  esp:a256/s256 00000000 expir    unlim I/I 2   0
00000002> <DEST IP>  500  esp:a256/s256 00000000 expir    unlim I/I 1   0
I'm not certain what else might help, but if anyone can provide guidance, I'd be grateful. Thank you.
Re: Problems bringing up policy-based VPN tunnel on ISG 2000
This is a generic message stating that the IKE negotiation is failing, and when it tries to retransmit, it fails. It repeats that cycle over and over. This is regardless of whether you use a route-based VPN or a policy-based VPN. You will need to verify whether the proposals actually match whatever Azure is listening for. With any VPN, you need to troubleshoot by looking at all messages from both sides of the VPN, and not just one side.
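The retransmit cycle described in this thread can be picked out of an exported event log automatically. The following is an added example, not code from either poster: the sample lines are constructed with documentation-range addresses, the names `summarize`, `stuck_peers` and `min_cycles` are hypothetical, and it assumes the peer is the last IPv4 address in each entry.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the event-log layout quoted in the thread. The
# addresses are documentation-range placeholders, not values from the post.
SAMPLE_LOG = """\
2019-07-27 01:21:29 system info 00536 IKE 203.0.113.10 IKEV2 packet: Retransmission limit has been reached.
2019-07-27 01:20:49 system info 00536 198.51.100.1 203.0.113.10 IKESA: Initiated negotiations.
2019-07-27 01:20:09 system info 00536 IKE 203.0.113.10 IKEV2 packet: Retransmission limit has been reached.
2019-07-27 01:19:29 system info 00536 198.51.100.1 203.0.113.10 IKESA: Initiated negotiations.
2019-07-27 01:18:02 system info 00536 198.51.100.1 192.0.2.77 IKESA: Initiated negotiations.
"""

ENTRY = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d system \w+ \d+ (?P<msg>.+)$")
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def classify(msg):
    """Map one message to 'initiated', 'limit' or 'other'."""
    if "Initiated negotiations" in msg:
        return "initiated"
    return "limit" if "Retransmission limit has been reached" in msg else "other"


def summarize(log_text):
    """Return {peer_ip: Counter of event kinds} for every parsable entry."""
    peers = defaultdict(Counter)
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        ips = IPV4.findall(m["msg"])
        if ips:  # assumption: the peer is the last address in the entry
            peers[ips[-1]][classify(m["msg"])] += 1
    return dict(peers)


def stuck_peers(log_text, min_cycles=2):
    """Peers whose entries show only initiate -> retransmit-limit cycles."""
    return sorted(
        peer for peer, c in summarize(log_text).items()
        if c["limit"] >= min_cycles and c["other"] == 0
    )


if __name__ == "__main__":
    for peer in stuck_peers(SAMPLE_LOG):
        print(f"{peer}: negotiation never progresses; compare proposals and the peer's logs")
```

A peer listed by `stuck_peers` is one where the local side keeps initiating and timing out with nothing else logged, which is the point at which the remote side's messages are needed to see why.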