Re: Replacing a SSG5 with SRX100H2 in branch office

Thank you, I added IKE to the interface:

    security-zone Internet {
        host-inbound-traffic {
            system-services {
                ike;
            }
        }
        interfaces {
            fe-0/0/0.0 {
                host-inbound-traffic {
                    system-services {
                        https;
                        ssh;
                        ike;
                    }
                }
            }
        }
    }

But I still don't think the SRX is receiving anything from the SSG:

aaaaaa@Dallas_SRX> show security ike security-associations detail
IKE peer 1.1.1.1, Index 3505536, Gateway Name: gw_Colo_VPN
  Role: Initiator, State: DOWN
  Initiator cookie: 6c6bbc7cdb25fcf2, Responder cookie: 0000000000000000
  Exchange type: Main, Authentication method: Pre-shared-keys
  Local: 2.2.2.2:500, Remote: 1.1.1.1:500
  Peer ike-id: not available
  Xauth user-name: not available
  Xauth assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : (null)
   Encryption            : (null)
   Pseudo random function: (null)
   Diffie-Hellman group  : unknown
  Traffic statistics:
   Input  bytes  :                  444
   Output bytes  :                  416
   Input  packets:                    3
   Output packets:                    3
  Flags: Waiting for doneWaiting for remove
  IPSec security associations: 0 created, 0 deleted
  Phase 2 negotiations in progress: 0

    Flags: Waiting for doneWaiting for remove

Attached is another KMD log. I see something like:

[May 22 09:34:56][2.2.2.2 <-> 1.1.1.1]  <none>:500 (Responder) <-> 1.1.1.1:500 { ad2a2219 3d763722 - 6a32ea36 94f9d80d [0] / 0xf501a37f } Info; Trying to decrypt, but no decryption context initialized

Then what seems like a bunch of chattering and this?

[May 22 09:35:26][2.2.2.2 <-> 1.1.1.1]  2.2.2.2:500 (Initiator) <-> 1.1.1.1:500 { ad2a2219 3d763722 - 6a32ea36 94f9d80d [-1] / 0x00000000 } IP; Connection timed out or error, calling callback
[May 22 09:35:26][2.2.2.2 <-> 1.1.1.1]  ikev2_fb_negotiation_done_isakmp: Entered IKE error code Timeout (8197), IKE SA eea400 (neg eee800)

 

Thanks

