I have been working with an SRX650 in a lab trying to get various senarios working. I have one that I need to complete to finish up a project. Its kicking my butt big time. So there are three parts. Network Setup, Juniper Config, and StrongSwan ipsec.conf. I am unable to get this past the proposal.
Network is easy since its a lab:
Outside 172.16.206.0/24 - Juniper at 172.16.206.11 - Host at 172.16.206.50 (Host can ping and reach Juniper)
Trusted Network on the inside is 10.168.205.0/24 - Juniper at 10.168.205.11
J-WEB won't work so its all command line. Stops at the login screen.
**************
IPSEC.CONF
**************
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
#authby=ecdsasig
auth=esp
#esp=aes256gcm16!
#ike=aes256-sha2_384-ecp384!
installpolicy=yes
type=tunnel
conn psk
authby=psk
left=%any
leftid=172.20.206.50
leftsubnet=172.20.206.0/24
right=172.20.206.11
rightid=172.20.206.11
rightsubnet=10.168.205.0/24
esp=aes256-sha256!
ike=aes256-sha1-modp1024!
auto=add
*************
Juniper Configuration with some logs at the end
*************
edit
Entering configuration mode
[edit]
bart@219-AIS-S650-1# show
## Last changed: 2013-02-21 05:48:25 GMT
version 12.1R4.7;
groups {
default-deny-template {
security {
policies {
from-zone <*> to-zone <*> {
policy defult-deny {
match {
source-address any;
destination-address any;
application any;
}
then {
deny;
log {
session-init;
}
}
}
}
}
}
}
log-all-policies {
security {
policies {
from-zone <*> to-zone <*> {
policy <*> {
then {
log {
session-init;
}
}
}
}
}
}
}
}
system {
host-name 219-AIS-S650-1;
domain-name ainfosec.com;
time-zone Europe/London;
root-authentication {
encrypted-password "$1$h7WHfMKK$5nlhbbGUl7LAYu9FkRXFl0"; ## SECRET-DATA
}
name-server {
4.2.2.2;
4.2.2.1;
}
login {
---(more)--- user bart {
full-name "Douglas";
uid 2002;
class super-user;
authentication {
encrypted-password "$1$fXjpr4VB$DFWl6nFLgRVKtDm2i9uQc."; ## SECRET-DATA
}
}
}
services {
ssh;
xnm-clear-text;
web-management {
management-url https://10.243.200.251/admin;
https {
port 443;
system-generated-certificate;
interface ge-0/0/2.0;
}
session {
idle-timeout 1440;
session-limit 2;
}
}
}
syslog {
user * {
any emergency;
}
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
processes {
idp-policy disable;
}
ntp {
server 10.243.200.2 prefer;
}
}
interfaces {
---(more 31%)--- ge-0/0/0 {
mtu 8992;
gigether-options {
auto-negotiation;
}
unit 0 {
family inet {
address 172.20.206.11/24;
}
}
}
ge-0/0/1 {
unit 0 {
family inet {
address 10.168.205.11/24;
}
}
}
ge-0/0/2 {
unit 0 {
description Management;
family inet {
address 10.243.200.251/24;
}
}
}
ge-0/0/3 {
disable;
unit 0;
}
lo0 {
unit 0 {
family inet {
address 10.0.0.4/32;
}
}
}
st0 {
unit 0 {
family inet {
mtu 1500;
}
}
unit 1 {
family inet;
}
}
}
snmp {
description Junkiper;
location AIS;
contact Douglas;
---(more 47%)--- community "WWNM!1i@";
}
security {
pki {
ca-profile sv_ca {
ca-identity ais.ipsec.net;
revocation-check {
disable;
}
administrator {
email-address "cashinp@ainfosec.com";
}
}
}
ike {
traceoptions {
file strong size 1m;
flag policy-manager;
flag ike;
flag routing-socket;
}
proposal rsa-prop1 {
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha-256;
encryption-algorithm aes-256-cbc;
lifetime-seconds 86400;
}
policy ike-policy1 {
mode main;
pre-shared-key ascii-text "$9$12kISevMX-b28XkPQnpu8X7Nds"; ## SECRET-DATA
}
gateway ike-gate {
ike-policy ike-policy1;
address 0.0.0.0;
external-interface ge-0/0/0.0;
version v2-only;
}
}
ipsec {
proposal juniper_esp {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm aes-256-cbc;
lifetime-seconds 86400;
}
policy vpn-policy1 {
perfect-forward-secrecy {
keys group2;
}
proposals juniper_esp;
}
---(more 63%)--- vpn ike-vpn {
bind-interface st0.0;
ike {
gateway ike-gate;
ipsec-policy vpn-policy1;
}
establish-tunnels on-traffic;
}
}
flow {
tcp-mss {
ipsec-vpn;
}
}
policies {
from-zone trust to-zone untrust {
policy vpn {
match {
source-address any-ipv4;
destination-address any-ipv4;
application any;
}
then {
permit;
}
}
}
from-zone untrust to-zone trust {
policy vpn_o {
match {
source-address any-ipv4;
destination-address any-ipv4;
application any;
}
then {
permit;
}
}
}
from-zone untrust to-zone untrust {
apply-groups default-deny-template;
}
}
zones {
security-zone trust {
address-book {
address ic3e 10.168.205.0/24;
}
host-inbound-traffic {
system-services {
all;
}
---(more 79%)--- protocols {
all;
}
}
interfaces {
ge-0/0/1.0 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
st0.0 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
}
}
security-zone untrust {
address-book {
address jwics 172.20.206.0/24;
}
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
}
}
---(more 95%)--- security-zone manage {
address-book {
address manage 10.243.200.0/24;
}
host-inbound-traffic {
system-services {
all;
}
}
interfaces {
ge-0/0/2.0;
}
}
}
}
[edit]
bart@219-AIS-S650-1# exit
Exiting configuration mode
bart@219-AIS-S650-1>
bart@219-AIS-S650-1>
bart@219-AIS-S650-1>
bart@219-AIS-S650-1>
bart@219-AIS-S650-1>
bart@219-AIS-S650-1>
bart@219-AIS-S650-1>
bart@219-AIS-S650-1>
bart@219-AIS-S650-1>
bart@219-AIS-S650-1> show log strong
Feb 21 05:48:51 219-AIS-S650-1 clear-log[2192]: logfile cleared
Feb 21 05:49:19 ikev2_packet_allocate: Allocated packet a25c00 from freelist
Feb 21 05:49:19 ikev2_decode_packet: [a25c00/a6f400] Setting ed pkt ctx from VR id 65535 to VR id 0)
Feb 21 05:49:19 Received Unauthenticated notification payload NAT detection source IP from local:172.20.206.11 remote:172.20.206.50 IKEv2 for P1 SA 4584872
Feb 21 05:49:19 Received Unauthenticated notification payload NAT detection destination IP from local:172.20.206.11 remote:172.20.206.50 IKEv2 for P1 SA 4584872
Feb 21 05:49:19 ikev2_decode_packet: [a25c00/a6f400] Received packet: HDR, SA, KE, Nonce, N(NAT_DETECTION_SOURCE_IP), N(NAT_DETECTION_DESTINATION_IP)
Feb 21 05:49:19 iked_pm_ike_spd_select_ike_sa failed. rc 1, error_code: No proposal chosen
Feb 21 05:49:19 ikev2_select_sa_reply: [a25c00/a6f400] Error: SA select failed: 14
Feb 21 05:49:19 ikev2_state_error: [a25c00/a6f400] Negotiation failed because of error No proposal chosen (14)
Feb 21 05:49:19 IKE negotiation fail for local:172.20.206.11, remote:172.20.206.50 IKEv2 with status: No proposal chosen
Feb 21 05:49:19 IKE SA delete called for p1 sa 4584872 (ref cnt 1) local:<none>, remote:172.20.206.50, IKEv2
Feb 21 05:49:19 iked_pm_p1_sa_destroy: p1 sa 4584872 (ref cnt 0), waiting_for_del 0x0
Feb 21 05:49:23 ikev2_packet_allocate: Allocated packet a26000 from freelist
Feb 21 05:49:23 ikev2_decode_packet: [a26000/a6f400] Setting ed pkt ctx from VR id 65535 to VR id 0)
Feb 21 05:49:23 Received Unauthenticated notification payload NAT detection source IP from local:172.20.206.11 remote:172.20.206.50 IKEv2 for P1 SA 4584873
Feb 21 05:49:23 Received Unauthenticated notification payload NAT detection destination IP from local:172.20.206.11 remote:172.20.206.50 IKEv2 for P1 SA 4584873
Feb 21 05:49:23 ikev2_decode_packet: [a26000/a6f400] Received packet: HDR, SA, KE, Nonce, N(NAT_DETECTION_SOURCE_IP), N(NAT_DETECTION_DESTINATION_IP)
Feb 21 05:49:23 iked_pm_ike_spd_select_ike_sa failed. rc 1, error_code: No proposal chosen
Feb 21 05:49:23 ikev2_select_sa_reply: [a26000/a6f400] Error: SA select failed: 14
Feb 21 05:49:23 ikev2_state_error: [a26000/a6f400] Negotiation failed because of error No proposal chosen (14)
Feb 21 05:49:23 IKE negotiation fail for local:172.20.206.11, remote:172.20.206.50 IKEv2 with status: No proposal chosen
Feb 21 05:49:23 IKE SA delete called for p1 sa 4584873 (ref cnt 1) local:<none>, remote:172.20.206.50, IKEv2
Feb 21 05:49:23 iked_pm_p1_sa_destroy: p1 sa 4584873 (ref cnt 0), waiting_for_del 0x0
Feb 21 05:49:30 ikev2_packet_allocate: Allocated packet a26400 from freelist
Feb 21 05:49:30 ikev2_decode_packet: [a26400/a6f400] Setting ed pkt ctx from VR id 65535 to VR id 0)
Feb 21 05:49:30 Received Unauthenticated notification payload NAT detection source IP from local:172.20.206.11 remote:172.20.206.50 IKEv2 for P1 SA 4584874
Feb 21 05:49:30 Received Unauthenticated notification payload NAT detection destination IP from local:172.20.206.11 remote:172.20.206.50 IKEv2 for P1 SA 4584874
Feb 21 05:49:30 ikev2_decode_packet: [a26400/a6f400] Received packet: HDR, SA, KE, Nonce, N(NAT_DETECTION_SOURCE_IP), N(NAT_DETECTION_DESTINATION_IP)
Feb 21 05:49:30 iked_pm_ike_spd_select_ike_sa failed. rc 1, error_code: No proposal chosen
Feb 21 05:49:30 ikev2_select_sa_reply: [a26400/a6f400] Error: SA select failed: 14
Feb 21 05:49:30 ikev2_state_error: [a26400/a6f400] Negotiation failed because of error No proposal chosen (14)
Feb 21 05:49:30 IKE negotiation fail for local:172.20.206.11, remote:172.20.206.50 IKEv2 with status: No proposal chosen
Feb 21 05:49:30 IKE SA delete called for p1 sa 4584874 (ref cnt 1) local:<none>, remote:172.20.206.50, IKEv2
Feb 21 05:49:30 iked_pm_p1_sa_destroy: p1 sa 4584874 (ref cnt 0), waiting_for_del 0x0
Feb 21 05:49:43 ikev2_packet_allocate: Allocated packet a26800 from freelist
Feb 21 05:49:43 ikev2_decode_packet: [a26800/a6f400] Setting ed pkt ctx from VR id 65535 to VR id 0)
Feb 21 05:49:43 Received Unauthenticated notification payload NAT detection source IP from local:172.20.206.11 remote:172.20.206.50 IKEv2 for P1 SA 4584875