Hi,
Thanks aarseniev, I set that as you mentioned, so I have:
run show configuration services
...
policy all-ca-level-l1 {
    mode main;
    version 1;
    proposals Feve3-TT_ike_proposal;
    local-certificate CA_Level_L1a;
}
policy all-ca-level-l2 {
    mode main;
    version 1;
    proposals Feve3-TT_ike_proposal;
    local-certificate CA_Level_L2a;
}
policy all-ca-level-l3 {
    mode main;
    version 1;
    proposals Feve3-TT_ike_proposal;
    local-certificate CA_Level_L3a;
    ...
}
establish-tunnels immediately;
I get some logs; however, the tunnel has some other issue. I am not sure why the logs are calling ikev2 if I specified ikev1 in the policy config ("ikev2_fb_request_certificates_cb: No certificates found"):
Sep 19 14:52:17 [10.42.131.81 <-> 10.42.147.32] <none>:500 (Responder) <-> 10.42.147.32:500 { e5ef3dc7 272c4b49 - feb00ff9 ede95a23 [0] / 0xeb377c66 } Info; Trying to decrypt, but no decryption context initialized
Sep 19 14:52:17 [10.42.131.81 <-> 10.42.147.32] <none>:500 (Responder) <-> 10.42.147.32:500 { e5ef3dc7 272c4b49 - feb00ff9 ede95a23 [0] / 0xeb377c66 } Info; Error = No SA established (8194)
Sep 19 14:52:17 [10.42.131.81 <-> 10.42.147.32] ike_send_notify: Notification to informational exchange ignored
Sep 19 14:52:21 [10.42.131.81 <-> 10.42.147.32] <none>:500 (Responder) <-> 10.42.147.32:500 { e5ef3dc7 272c4b49 - feb00ff9 ede95a23 [0] / 0x43cc1eac } Info; Trying to decrypt, but no decryption context initialized
Sep 19 14:52:21 [10.42.131.81 <-> 10.42.147.32] <none>:500 (Responder) <-> 10.42.147.32:500 { e5ef3dc7 272c4b49 - feb00ff9 ede95a23 [0] / 0x43cc1eac } Info; Error = No SA established (8194)
Sep 19 14:52:21 [10.42.131.81 <-> 10.42.147.32] ike_send_notify: Notification to informational exchange ignored
Sep 19 14:52:23 [10.42.131.81 <-> 10.42.147.32] parse_request_certificate_rep_packet <1> ca parsing pos <4>, in len<6458>.
Sep 19 14:52:23 [10.42.131.81 <-> 10.42.147.32] parse_request_certificate_rep_packet ca <0> cert<0> parsing pos <8>.
Sep 19 14:52:23 [10.42.131.81 <-> 10.42.147.32] parse_request_certificate_rep_packet ca <0> cert<1> parsing pos <1097>.
Sep 19 14:52:23 [10.42.131.81 <-> 10.42.147.32] parse_request_certificate_rep_packet ca <0> cert<2> parsing pos <2899>.
Sep 19 14:52:23 [10.42.131.81 <-> 10.42.147.32] parse_request_certificate_rep_packet ca <0> cert<3> parsing pos <4996>.
Sep 19 14:52:23 [10.42.131.81 <-> 10.42.147.32] kmd_policy_request_certificates: got certificate info
Sep 19 14:52:24 [10.42.131.81 <-> 10.42.147.32] kmd_pm_ike_match_remote_id: Remote ID check failed, Received ID(type = dn (9), len = 82, value = 3050312d 302b0603 55040313 244b3931 34333131 36313434 2e6e6f6b 69617369 656d656e 736e6574 776f726b 732e636f 6d311f30 1d060355 040a1316 4e6f6b69 61205369 656d6
Sep 19 14:52:24 [10.42.131.81 <-> 10.42.147.32] kmd_pm_ike_match_remote_id: remote ID check failed
Sep 19 14:52:24 [10.42.131.81 <-> 10.42.147.32] IKE SA negotiation failed for remote-ip:10.42.147.32,do tunnel failover
Sep 19 14:52:24 [10.42.131.81 <-> 10.42.147.32] Removing DPD server entry for remote peer: 10.42.147.32:500
Sep 19 14:52:24 [10.42.131.81 <-> 10.42.147.32] 10.42.131.81:500 (Initiator) <-> 10.42.147.32:500 { e5ef3dc7 272c4b49 - feb00ff9 ede95a23 [-1] / 0x00000000 } IP; Connection timed out or error, calling callback
Sep 19 14:52:24 [10.42.131.81 <-> 10.42.147.32] kmd_pm_ike_sa_done: UNUSABLE ike sa tunnel_id 24
Sep 19 14:52:24 [10.42.131.81 <-> 10.42.147.32] IKEv1 Error : Timeout
Sep 19 14:52:24 [10.42.131.81 <-> 10.42.147.32] kmd_pm_ipsec_sa_done_callback:IPSEC SA setup timedout
Sep 19 14:52:24 [10.42.131.81 <-> 10.42.147.32] IKE SA not usable 1ce3400, error 65540
Sep 19 14:52:24 [10.42.131.81 <-> 10.42.147.32] Removing DPD server entry for remote peer: 10.42.147.32:500
Sep 19 14:52:24 [10.42.131.81 <-> 10.42.147.32] ikev2_packet_st_input_v1_get_sa: Checking if unauthenticated IKEv1 notify is for an IKEv2 SA
Sep 19 14:52:24 [10.42.131.81 <-> 10.42.147.32] ike_get_sa: Invalid cookie, no sa found, SA = { b049541b d230b39b - 61009300 b2a9827e } / 8b98eb25, remote = 10.42.147.32:500
Sep 19 14:52:24 [10.42.131.81 <-> 10.42.147.32] unknown (unknown) <-> unknown { unknown [unknown] / unknown } unknown; Packet to unknown Isakmp SA, ip = 10.42.147.32:500
Sep 19 14:52:33 [10.42.131.81 <-> 10.42.147.32] ike_get_sa: Invalid cookie, no sa found, SA = { b049541b d230b39b - 61009300 b2a9827e } / 00000000, remote = 10.42.147.32:500
Sep 19 14:52:33 [10.42.131.81 <-> 10.42.147.32] unknown (unknown) <-> unknown { unknown [unknown] / unknown } unknown; Packet to unknown Isakmp SA, ip = 10.42.147.32:500
Sep 19 14:52:53 [10.42.131.81 <-> 10.42.147.32] ike_get_sa: Invalid cookie, no sa found, SA = { b049541b d230b39b - 61009300 b2a9827e } / 00000000, remote = 10.42.147.32:500
Sep 19 14:52:53 [10.42.131.81 <-> 10.42.147.32] unknown (unknown) <-> unknown { unknown [unknown] / unknown } unknown; Packet to unknown Isakmp SA, ip = 10.42.147.32:500
Sep 19 14:53:00 [10.42.131.81 <-> 10.42.147.32] ikev2_fb_request_certificates_cb: No certificates found
Sep 19 14:53:01 [10.42.131.81 <-> 10.42.147.32] 10.42.131.81:500 (Initiator) <-> 10.42.147.32:500 { 91b57ff4 242162fe - 70b4008c d9472b03 [-1] / 0x00000000 } IP; Warning, junk after packet len = 208, decoded = 205
Sep 19 14:53:01 [10.42.131.81 <-> 10.42.147.32] parse_request_certificate_rep_packet <1> ca parsing pos <4>, in len<6458>.
Sep 19 14:53:01 [10.42.131.81 <-> 10.42.147.32] parse_request_certificate_rep_packet ca <0> cert<0> parsing pos <8>.
Sep 19 14:53:01 [10.42.131.81 <-> 10.42.147.32] parse_request_certificate_rep_packet ca <0> cert<1> parsing pos <1097>.
Sep 19 14:53:01 [10.42.131.81 <-> 10.42.147.32] parse_request_certificate_rep_packet ca <0> cert<2> parsing pos <2899>.
Sep 19 14:53:01 [10.42.131.81 <-> 10.42.147.32] parse_request_certificate_rep_packet ca <0> cert<3> parsing pos <4996>.
Sep 19 14:53:01 [10.42.131.81 <-> 10.42.147.32] kmd_policy_request_certificates: got certificate info
Sep 19 14:53:01 [10.42.131.81 <-> 10.42.147.32] <none>:500 (Responder) <-> 10.42.147.32:500 { 91b57ff4 242162fe - 70b4008c d9472b03 [0] / 0x276075a7 } Info; Trying to decrypt, but no decryption context initialized
Sep 19 14:53:01 [10.42.131.81 <-> 10.42.147.32] <none>:500 (Responder) <-> 10.42.147.32:500 { 91b57ff4 242162fe - 70b4008c d9472b03 [0] / 0x276075a7 } Info; Error = No SA established (8194)
Sep 19 14:53:01 [10.42.131.81 <-> 10.42.147.32] ike_send_notify: Notification to informational exchange ignored
Sep 19 14:53:06 [10.42.131.81 <-> 10.42.147.32] <none>:500 (Responder) <-> 10.42.147.32:500 { 91b57ff4 242162fe - 70b4008c d9472b03 [0] / 0x51f26723 } Info; Trying to decrypt, but no decryption context initialized
Sep 19 14:53:06 [10.42.131.81 <-> 10.42.147.32] <none>:500 (Responder) <-> 10.42.147.32:500 { 91b57ff4 242162fe - 70b4008c d9472b03 [0] / 0x51f26723 } Info; Error = No SA established (8194)
Sep 19 14:53:06 [10.42.131.81 <-> 10.42.147.32] ike_send_notify: Notification to informational exchange ignored