Hi Folks,
Please go through the below topic; it can provide you with some hints:
http://forums.juniper.net/t5/SRX-Services-Gateway/IP-in-IP-tunnel-dynamic-source-address/td-p/65660
bummer. thanks
Good evening,
I need some help in setting up a VPN tunnel between an SRX and an ASA. IKE on the Juniper won't come up at all and gives me this log message:
[Jan 22 20:56:15]10.10.10.38:500 (Initiator) <-> 40.40.219.2:500 { 96603848 9e448113 - 01d26445 ef56e0b7 [-1] / 0x00000000 } IP; MESSAGE: Phase 1 version = 1.0, auth_method = Pre shared keys, cipher = 3des-cbc, hash = sha1, prf = hmac-sh
[Jan 22 20:56:15]ike_send_notify: Connected, SA = { 96603848 9e448113 - 01d26445 ef56e0b7}, nego = -1
[Jan 22 20:56:15]iked_pm_ike_sa_done: local:10.10.10.38, remote:40.40.219.2 IKEv1
[Jan 22 20:56:15]IKE negotiation done for local:10.10.10.38, remote:40.40.219.2 IKEv1 with status: Error ok
[Jan 22 20:56:15]ssh_ike_connect_ipsec: Start, remote_name = :500, flags = 00000000
[Jan 22 20:56:15]ssh_ike_connect_ipsec: SA = { 96603848 9e448113 - 01d26445 ef56e0b7}, nego = 0
[Jan 22 20:56:15]ike_st_o_qm_hash_1: Start
[Jan 22 20:56:15]ike_st_o_qm_sa_proposals: Start
[Jan 22 20:56:15]ike_st_o_qm_nonce: Start
[Jan 22 20:56:15]ike_policy_reply_qm_nonce_data_len: Start
[Jan 22 20:56:15]ike_st_o_qm_optional_ke: Start
[Jan 22 20:56:15]ike_st_o_qm_optional_ids: Start
[Jan 22 20:56:15]ike_st_qm_optional_id: Start
[Jan 22 20:56:15]ike_st_qm_optional_id: Start
[Jan 22 20:56:15]ike_st_o_private: Start
[Jan 22 20:56:15]Construction NHTB payload for local:10.10.10.38, remote:40.40.219.2 IKEv1 P1 SA index 7584821 sa-cfg GT-ncb-ipsec-vpn_t10
[Jan 22 20:56:15]Peer router vendor is not Juniper. Not sending NHTB payload for sa-cfg GT-ncb-ipsec-vpn_t10, p1_sa=7584821
[Jan 22 20:56:15]ike_policy_reply_private_payload_out: Start
[Jan 22 20:56:15]ike_st_o_encrypt: Marking encryption for packet
[Jan 22 20:56:15]ike_finalize_qm_hash_1: Hash[0..20] = aa0aa4fd b125ac6f ...
[Jan 22 20:56:15]ike_send_packet: <-------- sending SA = { 96603848 9e448113 - 01d26445 ef56e0b7}, len = 156, nego = 0, local ip= 10.10.10.38, dst = 40.40.219.2:500, routing table id = 0
[Jan 22 20:56:16]---------> Received from 40.40.219.2:500 to 10.10.10.38:0, VR 0, length 196 on IF
[Jan 22 20:56:16]---------> Received from 40.40.219.2:500 to 10.10.10.38:0, VR 0, length 84 on IF
[Jan 22 20:56:16]ike_sa_find: Found SA = { 96603848 9e448113 - 01d26445 ef56e0b7 }
[Jan 22 20:56:16]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
[Jan 22 20:56:16]ike_get_sa: Start, SA = { 96603848 9e448113 - 01d26445 ef56e0b7 } / c3f5e9b9, remote = 40.40.219.2:500
[Jan 22 20:56:16]ike_sa_find: Found SA = { 96603848 9e448113 - 01d26445 ef56e0b7 }
[Jan 22 20:56:16]ike_st_o_done: ISAKMP SA negotiation done
[Jan 22 20:56:16]ike_send_notify: Connected, SA = { 96603848 9e448113 - 01d26445 ef56e0b7}, nego = -1
[Jan 22 20:56:16]ike_st_i_encrypt: Check that packet was encrypted succeeded
[Jan 22 20:56:16]ike_st_i_gen_hash: Start, hash[0..20] = 7f2926e2 5db829c8 ...
[Jan 22 20:56:16]ike_st_i_n: Start, doi = 1, protocol = 3, code = Invalid ID information (18), spi[0..4] = 00000000 00000000 ..., data[0..128] = 01000018 aa0aa4fd ...
[Jan 22 20:56:16]Authenticated Phase-2 notification `Invalid ID information' (18) (size 128 bytes) from 40.40.219.2 for protocol ESP spi[0...4]=00 00 00 00 causes IKE SA deletion and QM abort
[Jan 22 20:56:16]ike_st_i_private: Start
[Jan 22 20:56:16]ike_send_notify: Connected, SA = { 96603848 9e448113 - 01d26445 ef56e0b7}, nego = 1
[Jan 22 20:56:16]ikev2_packet_st_input_v1_get_sa: Checking if unauthenticated IKEv1 notify is for an IKEv2 SA
[Jan 22 20:56:16]ikev2_packet_st_input_v1_create_sa: [113e800/0] No IKE SA for packet; requesting permission to create one.
[Jan 22 20:56:16]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
[Jan 22 20:56:16]ike_get_sa: Start, SA = { 96603848 9e448113 - 01d26445 ef56e0b7 } / 7bc1b92a, remote = 40.40.219.2:500
[Jan 22 20:56:16]ike_sa_find_half: Not found half SA = { 96603848 9e448113 - 00000000 00000000 }
[Jan 22 20:56:16]ike_get_sa: Invalid cookie, no sa found, SA = { 96603848 9e448113 - 01d26445 ef56e0b7 } / 7bc1b92a, remote = 40.40.219.2:500
[Jan 22 20:56:16]unknown (unknown) <-> unknown { unknown [unknown] / unknown } unknown; Packet to unknown Isakmp SA, ip = 40.40.219.2:500
[Jan 22 20:56:16]ssh_ike_tunnel_table_entry_delete: Deleting tunnel_id: 0 from IKE tunnel table
[Jan 22 20:56:16]ssh_ike_tunnel_table_entry_delete: The tunnel id: 0 doesn't exist in IKE tunnel table
[Jan 22 20:56:16]ike_sa_delete: Start, SA = { 96603848 9e448113 - 01d26445 ef56e0b7 }
[Jan 22 20:56:16]IKE SA delete called for p1 sa 7584821 (ref cnt 2) local:10.10.10.38, remote:40.40.219.2, IKEv1
[Jan 22 20:56:16]P1 SA 7584821 reference count is not zero (1). Delaying deletion of SA
[Jan 22 20:56:16]iked_pm_p1_sa_destroy: p1 sa 7584821 (ref cnt 0), waiting_for_del 0x10b1420
[Jan 22 20:56:16]iked_deferred_free_inactive_peer_entry: Free 1 peer_entry(s)
And this is the Juniper configuration:
root@bbb-dahra-ly# show | display set | no-more
set version 12.3X48-D35.7
set system host-name bbb-dahra-ly
set system root-authentication encrypted-password "$1$1tBoYfRI$ZdOtY2ggiMhZFmaZnDro301"
set system name-server 8.8.8.8
set system name-server 8.8.4.4
set system login class ssh idle-timeout 60
set system services ssh
set system services web-management https system-generated-certificate
set system syslog file kmd-logs daemon info
set chassis alarm ethernet link-down ignore
set security ike traceoptions file vpnloog
set security ike traceoptions file size 10m
set security ike traceoptions file files 2
set security ike traceoptions file world-readable
set security ike traceoptions flag all
set security ike proposal bbb-visa authentication-method pre-shared-keys
set security ike proposal bbb-visa dh-group group2
set security ike proposal bbb-visa authentication-algorithm sha1
set security ike proposal bbb-visa encryption-algorithm 3des-cbc
set security ike proposal bbb-visa lifetime-seconds 86400
set security ike policy bbb-visa-policy mode main
set security ike policy bbb-visa-policy proposals bbb-visa
set security ike policy bbb-visa-policy pre-shared-key ascii-text "$9$DrHm5F3/At0zF1EhSleWLdxdVYaZD.mTN-qf"
set security ike gateway bbb-visa-gw ike-policy bbb-visa-policy
set security ike gateway bbb-visa-gw address 40.40.219.2
set security ike gateway bbb-visa-gw dead-peer-detection interval 10
set security ike gateway bbb-visa-gw dead-peer-detection threshold 5
set security ike gateway bbb-visa-gw external-interface ge-0/0/0
set security ike gateway bbb-visa-gw general-ikeid
set security ipsec traceoptions flag all
set security ipsec proposal bbb-ipsec-prop protocol esp
set security ipsec proposal bbb-ipsec-prop authentication-algorithm hmac-sha1-96
set security ipsec proposal bbb-ipsec-prop encryption-algorithm 3des-cbc
set security ipsec proposal bbb-ipsec-prop lifetime-seconds 86400
set security ipsec policy bbb-ipsec-pol proposals bbb-ipsec-prop
set security ipsec vpn bbb-ipsec-vpn bind-interface st0.0
set security ipsec vpn bbb-ipsec-vpn ike gateway bbb-visa-gw
set security ipsec vpn bbb-ipsec-vpn ike ipsec-policy bbb-ipsec-pol
set security ipsec vpn bbb-ipsec-vpn traffic-selector t1 local-ip 30.30.30.0/24
set security ipsec vpn bbb-ipsec-vpn traffic-selector t1 remote-ip 20.20.20.206/32
set security ipsec vpn bbb-ipsec-vpn traffic-selector t3 local-ip 30.30.30.0/24
set security ipsec vpn bbb-ipsec-vpn traffic-selector t3 remote-ip 20.20.20.207/32
set security ipsec vpn bbb-ipsec-vpn traffic-selector t4 local-ip 30.30.30.0/24
set security ipsec vpn bbb-ipsec-vpn traffic-selector t4 remote-ip 20.20.20.214/32
set security ipsec vpn bbb-ipsec-vpn traffic-selector t5 local-ip 30.30.30.0/24
set security ipsec vpn bbb-ipsec-vpn traffic-selector t5 remote-ip 20.20.20.201/32
set security ipsec vpn bbb-ipsec-vpn traffic-selector t6 local-ip 30.30.30.0/24
set security ipsec vpn bbb-ipsec-vpn traffic-selector t6 remote-ip 20.20.20.202/32
set security ipsec vpn bbb-ipsec-vpn traffic-selector t7 local-ip 30.30.30.0/24
set security ipsec vpn bbb-ipsec-vpn traffic-selector t7 remote-ip 20.20.20.210/32
set security ipsec vpn bbb-ipsec-vpn traffic-selector t8 local-ip 30.30.30.0/24
set security ipsec vpn bbb-ipsec-vpn traffic-selector t8 remote-ip 20.20.20.211/32
set security ipsec vpn bbb-ipsec-vpn traffic-selector t9 local-ip 30.30.30.0/24
set security ipsec vpn bbb-ipsec-vpn traffic-selector t9 remote-ip 40.40.219.5/32
set security ipsec vpn bbb-ipsec-vpn traffic-selector t10 local-ip 30.30.30.0/24
set security ipsec vpn bbb-ipsec-vpn traffic-selector t10 remote-ip 40.40.219.20/32
set security ipsec vpn bbb-ipsec-vpn establish-tunnels immediately
set security address-book local address lan-1 30.30.30.0/24
set security address-book local attach zone trust
set security address-book remote address eyg-visa 20.20.20.0/24
set security address-book remote address visa-214 20.20.20.214/32
set security address-book remote address visa-211 20.20.20.211/32
set security address-book remote address visa-210 20.20.20.210/32
set security address-book remote address visa-202 20.20.20.202/32
set security address-book remote address visa-206 20.20.20.206/32
set security address-book remote address visa-207 20.20.20.207/32
set security address-book remote address visa-201 20.20.20.201/32
set security address-book remote address-set egypt-visa address visa-201
set security address-book remote address-set egypt-visa address visa-202
set security address-book remote address-set egypt-visa address visa-206
set security address-book remote address-set egypt-visa address visa-207
set security address-book remote address-set egypt-visa address visa-210
set security address-book remote address-set egypt-visa address visa-211
set security address-book remote address-set egypt-visa address visa-214
set security address-book remote attach zone untrust
set security flow traceoptions file trace-vpn
set security flow traceoptions file size 5m
set security flow traceoptions file files 20
set security flow traceoptions file world-readable
set security flow traceoptions flag basic-datapath
set security flow traceoptions flag all
set security flow traceoptions packet-filter to source-prefix 30.30.30.2/32
set security flow traceoptions packet-filter to destination-prefix 20.20.20.207/32
set security flow traceoptions packet-filter to destination-port 22
set security flow traceoptions packet-filter from source-prefix 20.20.20.206/32
set security flow traceoptions packet-filter from destination-prefix 30.30.30.2/32
set security flow traceoptions packet-filter from source-port 22
set security policies from-zone trust to-zone untrust policy local-to-remote match source-address lan-1
set security policies from-zone trust to-zone untrust policy local-to-remote match destination-address egypt-visa
set security policies from-zone trust to-zone untrust policy local-to-remote match application any
set security policies from-zone trust to-zone untrust policy local-to-remote then permit
set security policies from-zone untrust to-zone trust policy remote-to-local match source-address egypt-visa
set security policies from-zone untrust to-zone trust policy remote-to-local match destination-address lan-1
set security policies from-zone untrust to-zone trust policy remote-to-local match application any
set security policies from-zone untrust to-zone trust policy remote-to-local then permit
set security traceoptions file vpnloog
set security traceoptions file size 10m
set security traceoptions file files 2
set security traceoptions file world-readable
set security traceoptions flag all
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone trust interfaces lo0.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces st0.0
set interfaces ge-0/0/0 unit 0 family inet address 10.10.10.38/29
set interfaces ge-0/0/1 unit 0 family inet address 30.30.30.1/24
set interfaces ge-0/0/15 unit 0 family inet address 192.168.4.1/24
set interfaces lo0 unit 0 family inet address 30.30.30.2/24
set interfaces st0 description vpn-tunnel
set interfaces st0 unit 0 family inet mtu 1500
set routing-options static route 0.0.0.0/0 next-hop 10.10.10.1
set routing-options static route 20.20.20.206/32 next-hop st0.0
set routing-options static route 20.20.20.201/32 next-hop st0.0
set routing-options static route 20.20.20.202/32 next-hop st0.0
set routing-options static route 20.20.20.207/32 next-hop st0.0
set routing-options static route 20.20.20.210/32 next-hop st0.0
set routing-options static route 20.20.20.211/32 next-hop st0.0
set routing-options static route 20.20.20.214/32 next-hop st0.0
set routing-options static route 20.20.20.221/32 next-hop st0.0
set routing-options static route 40.40.219.5/32 next-hop st0.0
set routing-options static route 40.40.219.20/32 next-hop st0.0
Yes, many 3rd party optic companies support connecting to Juniper gear. This can be a great resource for many expanded choices in connections.
But you will need to get optic / physical link support from that vendor then.
Hi Elbeshti,
We are getting the below error, "Invalid ID information (18)", which is causing VPN Phase 2 to fail.
Most probably it is failing due to a proxy-ID mismatch between the Juniper and Cisco ends.
Proxy-IDs are nothing but the subnets used across the VPN devices, as you have mentioned in the traffic selector.
Local subnets of the SRX need to match remote subnets of the ASA in the security policy and vice versa.
Please also check that you are not using 0.0.0.0/0 or "any" on the Cisco end.
-Regards,
Rishi
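A quick way to verify the proxy-ID mirroring described above, as an added example that is not from this thread: it parses two of the poster's SRX traffic-selector lines and a constructed, hypothetical ASA crypto ACL (the poster's ASA config is not in the thread), then reports selectors with no exact mirror on the ASA and any ASA entry that uses "any"/0.0.0.0/0.

```python
import ipaddress
import re
from collections import defaultdict

# SRX side: two of the poster's traffic-selector lines, in "display set" form.
SRX_CONFIG = """
set security ipsec vpn bbb-ipsec-vpn traffic-selector t1 local-ip 30.30.30.0/24
set security ipsec vpn bbb-ipsec-vpn traffic-selector t1 remote-ip 20.20.20.206/32
set security ipsec vpn bbb-ipsec-vpn traffic-selector t3 local-ip 30.30.30.0/24
set security ipsec vpn bbb-ipsec-vpn traffic-selector t3 remote-ip 20.20.20.207/32
"""

# ASA side: CONSTRUCTED, hypothetical crypto ACL (the poster's ASA config is not in the
# thread). ASA ACEs read "source destination": the ASA's local hosts first, then the SRX LAN.
ASA_ACL = """
access-list VPN-TO-SRX extended permit ip host 20.20.20.206 30.30.30.0 255.255.255.0
access-list VPN-TO-SRX extended permit ip any 30.30.30.0 255.255.255.0
"""

TS_RE = re.compile(r"traffic-selector (\S+) (local-ip|remote-ip) (\S+)")

def parse_srx_selectors(text):
    """Return {selector: (local_net, remote_net)} from SRX traffic-selector set lines."""
    parts = defaultdict(dict)
    for m in TS_RE.finditer(text):
        parts[m.group(1)][m.group(2)] = ipaddress.ip_network(m.group(3))
    return {n: (p["local-ip"], p["remote-ip"]) for n, p in parts.items()}

def take_addr(tokens, i):
    """Consume one ASA address spec (any / host X / net mask) at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2

def parse_asa_acl(text):
    """Return [(asa_local_net, asa_remote_net)] from 'permit ip' entries of a crypto ACL."""
    pairs = []
    for tokens in (line.split() for line in text.splitlines() if "permit ip" in line):
        src, i = take_addr(tokens, tokens.index("permit") + 2)
        dst, _ = take_addr(tokens, i)
        pairs.append((src, dst))
    return pairs

def check_proxy_ids(srx, asa):
    """List SRX selectors with no exact mirror on the ASA, and ASA entries using any/0.0.0.0/0."""
    problems = []
    for name, (local, remote) in srx.items():
        # The ASA (source, destination) must equal the SRX (remote, local) exactly; a wider
        # or narrower ACE still yields the "Invalid ID information (18)" notify in the log.
        if (remote, local) not in asa:
            problems.append(f"{name}: no ASA entry mirrors local {local} <-> remote {remote}")
    problems += [f"ASA entry {s} -> {d} uses any/0.0.0.0/0" for s, d in asa if 0 in (s.prefixlen, d.prefixlen)]
    return problems
```

On the constructed data, check_proxy_ids(parse_srx_selectors(SRX_CONFIG), parse_asa_acl(ASA_ACL)) reports t3 as unmirrored and flags the "any" entry; run it against a full "display set" export and the real crypto ACL to find the selector behind the notify.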
Peer router vendor is not Juniper. Not sending NHTB payload for sa-cfg GT-ncb-ipsec-vpn_t10, p1_sa=7584821
Do you have another VPN tunnel also using the st0.0 interface?
NHTB (next hop tunnel binding) typically kicks in when you terminate more than one VPN on the same st0 sub-interface. NHTB determines which of the multiple tunnels applied there to send the traffic into. This process is typically not compatible across vendors.
No, I do not have another VPN; just 10 IPs need to pass through the VPN tunnel on interface st0.0.
Hi,
I'm trying to setup a S2S IPSec VPN between two hosts with dynamic IP addresses based on FQDN.
One node (HUB) is an SRX220 with 12.1X46-D60, second node (SPOKE) is a Cisco router with 12.4T IOS.
Both nodes have a Public Internet IP address got from DHCP on following interfaces:
ge-0/0/0 on SRX (added to the Internet zone)
Fa4 on Cisco IOS Router
I have attached the relevant configuration.
The problem is that it looks like no one is initiating phase 1. KMD logs show nothing on the SRX; debug crypto isakmp & ipsec shows nothing on the Cisco.
This is why I'm assuming that no one is starting phase 1.
And of course there are no ike SAs.
Any ideas on that setup?
Good morning, I am asking because I have a Juniper SRX100 router with which I am having some problems with the configuration. The problem is that if I do the whole initial configuration and then disconnect it from power or simply turn it off, it resets and I can no longer get back into the configuration I had.
Any help you can give me with this would be appreciated, since I need to deliver the configured router to a client.
I await your reply.
Regards,
Patricia Rojo
Hi Patricia,
I think that google-translate tells me that you want to reset your SRX-100 so here you go:
Can someone please send me the script to parse these session flow logs? Or has it been posted somewhere?
alexanderfoxnyc@outlook.com
Thanks
Did you ever get the osx version? If so, please share!
Thanks
In addition, 12.1R6 is EOL code ... it has been since 2014. IDP signatures are updated supported code, so it is recommended to upgrade to current supported JUNOS.
Hello,
Can we create e3/e1 interface as reth interface for chassis cluster in srx 650?
If Yes, Can any one please share the configuration for this . how can we create e3/e1 interface as reth interface in SRX 650
Thanks & Regards
I have gone through this example and got the result.
Hi Folks,
I am not personally aware of using e1 as reth interfaces; since reth is supposed to be redundant Ethernet interfaces as per my understanding.
Is there any option other than reth for a chassis cluster (HA) in SRX to aggregate the e1/e3 interfaces?
Hello, I managed to successfully configure an IPsec VPN from our Central Office to our branch. The VPN was created over a VPN of the ISP, so the public IPs on both ends are not really public. The VPN is working, and communication works without a problem except for Internet access. The idea is that all requests from the Branch go through the VPN to the Central Office and from there to internal servers or the Internet.
When I try to ping or trace route an Internet server from branch I get no response.
Configurations are in the attachment.
Branch
Juniper SRX300
Local IP : 10.123.9.n
Public IP: aaa.aaa..208.194
Central Office
Fortigate 100
Local IP: 10.123.3.n
Public IP: bbb.bbb.48.21
I can't identify my error in the configuration. Any help will be useful.
TIA
As far as I know, there is no way, unfortunately.