VPN with Juniper

JohnAgora · ‎01-18-2016

Hello,

We are trying to establish a VPN between a Fortigate 900D and a Juniper. It must be a DialUp VPN since the Juniper has PPPoE (not a static IP) and the version of JUNOS the device has don't support dynamicdns.

The Juniper has the following configuration:

security { ike { proposal ike-phase1-proposal { authentication-method pre-shared-keys; dh-group group2; authentication-algorithm sha1; encryption-algorithm 3des-cbc; lifetime-seconds 28800; } policy ike-phase1-policy { mode aggressive; proposals ike-phase1-proposal; pre-shared-key ascii-text "12345678"; } gateway gw-test { ike-policy ike-phase1-policy; address 189.1.1.1; local-identity hostname TEST; external-interface fe-0/0/0.0; } } ipsec { proposal ipsec-phase2-proposal { protocol esp; authentication-algorithm hmac-sha1-96; encryption-algorithm 3des-cbc; lifetime-seconds 3600; } policy ipsec-phase2-policy { perfect-forward-secrecy { keys group2; } proposals ipsec-phase2-proposal; } vpn ike-vpn-test { bind-interface st0.0; ike { gateway gw-test; proxy-identity { local 10.10.10.0/0; remote 0.0.0.0/0; service any; } ipsec-policy ipsec-phase2-policy; } establish-tunnels immediately; } }

On the Fortigate I can do an good diagnose. The VPN gets stablished (phase 1 and phase 2 OK), but immediately it receives a package to take down the connection.

Here are some logs:

ike 0:test_0:285: recv ISAKMP SA delete eab487019033cffc/3a86ccc15b3ea1a5 ike 0:test_0: deleting ike 0:test_0: flushing ike 0:test_0:test: sending SNMP tunnel DOWN trap ike 0:test_0:241: del route 0.0.0.0/0.0.0.0 oif test_0(305) metric 15 priority 0 ike 0:test_0: flushed ike 0:test_0: delete dynamic ike 0:test_0: reset NAT-T ike 0:test_0: deleted

Any ideas?

Any commands so I can do a debug on the Juniper?

Thanks

JohnAgora · ‎01-19-2016

Fortigate's logs (edited so they are easier to read):

ike 0:1f58e705dcb8c10b/0000000000000000:60877: negotiation result ike 0:1f58e705dcb8c10b/0000000000000000:60877: proposal id = 1: ike 0:1f58e705dcb8c10b/0000000000000000:60877: protocol id = ISAKMP: ike 0:1f58e705dcb8c10b/0000000000000000:60877: trans_id = KEY_IKE. ike 0:1f58e705dcb8c10b/0000000000000000:60877: encapsulation = IKE/none ike 0:1f58e705dcb8c10b/0000000000000000:60877: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC. ike 0:1f58e705dcb8c10b/0000000000000000:60877: type=OAKLEY_HASH_ALG, val=SHA. ike 0:1f58e705dcb8c10b/0000000000000000:60877: type=AUTH_METHOD, val=PRESHARED_KEY. ike 0:1f58e705dcb8c10b/0000000000000000:60877: type=OAKLEY_GROUP, val=MODP1024. ike 0:1f58e705dcb8c10b/0000000000000000:60877: ISAKMP SA lifetime=28800 ike 0:1f58e705dcb8c10b/0000000000000000:60877: SA proposal chosen, matched gateway test ike 0:test:60877: received peer identifier FQDN 'test' ike 0:test:60877: DPD negotiated ike 0:test:60877: selected NAT-T version: RFC 3947 ike 0:test:60877: cookie 1f58e705dcb8c10b/964eafb1c899f729 ... ike 0: IKEv1 exchange=Aggressive id=1f58e705dcb8c10b/964eafb1c899f729 len=100 ... ike 0:test:60877: received NAT-D payload type 20 ike 0:test:60877: received NAT-D payload type 20 ike 0:test:60877: PSK authentication succeeded ike 0:test:60877: authentication OK ike 0:test:60877: NAT detected: PEER ike 0:test:60877: remote port change 61451 -> 60813 ike 0:test: adding new dynamic tunnel for 189.1.1.2:60813 ike 0:test_0: added new dynamic tunnel for 189.1.1.2:60813 ike 0:test_0:60877: established IKE SA 1f58e705dcb8c10b/964eafb1c899f729 ike 0:test_0:60877: no pending Quick-Mode negotiations ... ike 0:test_0:60877:85174: peer proposal is: peer:0:10.10.10.0-10.10.10.255:0, me:0:0.0.0.0-255.255.255.255:0 ike 0:test_0:60877:test:85174: trying ike 0:test_0:60877:test:85174: matched phase2 ike 0:test_0:60877:test:85174: dynamic client ike 0:test_0:60877:test:85174: my proposal: ike 0:test_0:60877:test:85174: proposal id = 1: ike 0:test_0:60877:test:85174: protocol id = IPSEC_ESP: ike 0:test_0:60877:test:85174: PFS DH group = 2 ike 0:test_0:60877:test:85174: trans_id = ESP_3DES ike 0:test_0:60877:test:85174: encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0:test_0:60877:test:85174: type = AUTH_ALG, val=SHA1 ike 0:test_0:60877:test:85174: incoming proposal: ike 0:test_0:60877:test:85174: proposal id = 1: ike 0:test_0:60877:test:85174: protocol id = IPSEC_ESP: ike 0:test_0:60877:test:85174: PFS DH group = 2 ike 0:test_0:60877:test:85174: trans_id = ESP_3DES ike 0:test_0:60877:test:85174: encapsulation = UDP_ENCAPSULATION_MODE_TUNNEL_RFC3947 ike 0:test_0:60877:test:85174: type = AUTH_ALG, val=SHA1 ike 0:test_0:60877:test:85174: negotiation result ike 0:test_0:60877:test:85174: proposal id = 1: ike 0:test_0:60877:test:85174: protocol id = IPSEC_ESP: ike 0:test_0:60877:test:85174: PFS DH group = 2 ike 0:test_0:60877:test:85174: trans_id = ESP_3DES ike 0:test_0:60877:test:85174: encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0:test_0:60877:test:85174: type = AUTH_ALG, val=SHA1 ike 0:test_0:60877:test:85174: set pfs=MODP1024 ike 0:test_0:60877:test:85174: using udp tunnel mode. ike 0:test_0:60877:test:85174: replay protection enabled ike 0:test_0:60877:test:85174: SA life soft seconds=3591. ike 0:test_0:60877:test:85174: SA life hard seconds=3600. ike 0:test_0:60877:test:85174: IPsec SA selectors #src=1 #dst=1 ike 0:test_0:60877:test:85174: src 0 7 0:0.0.0.0-255.255.255.255:0 ike 0:test_0:60877:test:85174: dst 0 7 0:10.10.10.0-10.10.10.255:0 ike 0:test_0:60877:test:85174: add dynamic IPsec SA selectors ike 0:test_0:85174: add route 10.10.10.0/255.255.255.0 oif test_0(53403) metric 15 priority 0 ike 0:test_0:60877:test:85174: tunnel 1 of VDOM limit 0/0 ike 0:test_0:60877:test:85174: add IPsec SA: SPIs=d4148620/8bf0c36a ... ike 0:test_0:60877:test:85174: sending SNMP tunnel UP trap ... ike 0:test_0:60877: sent IKE msg (quick_r1send): 189.1.1.1:4500->189.1.1.2:60813, len=300, id=1f58e705dcb8c10b/964eafb1c899f729:ba36efa2 ike 0: comes 189.1.1.2:60813->189.1.1.1:4500,ifindex=39.... ike 0: IKEv1 exchange=Informational id=1f58e705dcb8c10b/964eafb1c899f729:c2f1f199 len=84 ike 0: in 1F58E705DCB8C10B964EAFB1C899F72908100501C2F1F19900000054C17A3F6BC68CBA17CD4158A7B830C3770F42ABB4F10E2AD4DD0CBD8E56935D98E9E5B6B6EDD3553F426D976CFADC08C8A6E28949721CFFFB ike 0:test_0:60877: dec 1F58E705DCB8C10B964EAFB1C899F72908100501C2F1F199000000540C000018A570DF1920431447AE975EB46D500C8CB05F839C0000001C00000001011000011F58E705DCB8C10B964EAFB1C899F72900000000 ike 0:test_0:60877: recv ISAKMP SA delete 1f58e705dcb8c10b/964eafb1c899f729 ike 0:test_0: deleting ike 0:test_0: flushing

The line on bold is the one that send the tunnel down. Any ideas?

Thanks!!

View solution in original post

JohnAgora · ‎01-20-2016

I found out the problem. It was completly on Juniper.

Here are the logs:

Jan 19 13:37:24 ikev2_fb_idv2_to_idv1: Converting the IKEv2 payload ID ID(type = keyid (11), len = 4, value = 74657374) to IKEv1 ID Jan 19 13:37:24 ikev2_fb_idv2_to_idv1: IKEv2 payload ID converted to IKEv1 payload ID key_id(any:0,[0..3]=74 65 73 74 ) Jan 19 13:37:24 iked_pm_id_validate called with id key_id(any:0,[0..3]=74 65 73 74 ) Jan 19 13:37:24 iked_pm_id_validate Use default id [ipv4(any:0,[0..3]=189.1.1.1)] Jan 19 13:37:24 iked_pm_id_validate id NOT matched. Jan 19 13:37:24 iked_pm_ike_sa_done ID validation fails

Basically the key was "test", but it didn't validate it (I don't know if it was fortinet sending it wrong or Juniper reading it wrong).

I put the following option on Juniper's VPN:

set gateway gw-test general-ikeid

and it was solved. :D

Thanks a lot for your help!

View solution in original post

emnoc · ‎01-18-2016

Are you 100% sure the Juniper has phase1 and phase2 established? If they are the tunnels are being torn down, than I would review and post the fortigate side configurations to include the lifetime settings ( bytes or time )

I would also execute show security ike security-associations and show security ipsec security-associations on the juniper side of things .These should match the fortigate's diag vpn ike gateway and diag vpn tunnel list

http://socpuppet.blogspot.com/2013/10/site-2-site-routed-vpn-trouble-shooting.html

PCNSE

NSE

StrongSwan

JohnAgora · ‎01-18-2016

I'm not 100% sure about the Juniper since I don't know how to debug it there.

But on the Fortigate I see both phases stablished.

Let me run those commands and see what happens.

And yes, in both devices the configuration is the same.

Any more ideas?

Thanks

emnoc · ‎01-18-2016

yes , provide the fortigate config & to debug on the JunOS srx it's vey simple by using traceoptions for ike and ipsec.

set security ike traceoptions

set file ike

set flag all

set security ipsec traceoptions

set file ipsec

set flag all

commit

run show log ike

run show log ipsec

PCNSE

NSE

StrongSwan

JohnAgora · ‎01-19-2016

Hello,

I've try to run the debug on the Juniper, but I can't.

Here's some info about the device:

Software Version: JUNOS Software Release [11.4R7.5]Bios Version: 2.1

When I do an ssh, this is what I get:

root@JUN-OAX% set security ike traceoptions root@JUN-OAX% set file ike root@JUN-OAX% set flag all root@JUN-OAX% set security ipsec traceoptions root@JUN-OAX% set file ipsec root@JUN-OAX% set flag all root@JUN-OAX% commit commit: Command not found. root@JUN-OAX% run show log ike run: Command not found. root@JUN-OAX% run show log ipsec run: Command not found. root@JUN-OAX% root@JUN-OAX% root@JUN-OAX% root@JUN-OAX% root@JUN-OAX% root@JUN-OAX% cli root@JUN-OAX> set security ^ syntax error, expecting <command>. root@JUN-OAX> set securityike ^ syntax error, expecting <command>. root@JUN-OAX> set securityiketraceoptions ^ syntax error, expecting <command>.

root@JUN-OAX> commit ^ unknown command.

root@JUN-OAX> run ^ unknown command. root@JUN-OAX> runshow ^ unknown command. root@JUN-OAX> runshowlog ^ unknown command. root@JUN-OAX> runshowlogike ^ unknown command.

root@JUN-OAX>

And I've double check everything in the Fortigate (phase1 and phase2, everything looks the same).

In the Fortigate I had two options for phase 1(3des-sha1 3des-md5) and on the Juniper just one (3des-sha1), I leave just one on both devices. Anyhow that didn't solve the problem.

My main issue (and the TAC confirm it) is this:

ike 0:test_0:60769: recv ISAKMP SA delete 5201db04fdb2971b/939286960b4c5e00

I believe the reason why that happens Juniper's debug must show it.

Appreciate the help!

emnoc · ‎01-19-2016

You need to be in the config mode to set the "set" commands.

e.g

configure

PCNSE

NSE

StrongSwan

JohnAgora · ‎01-19-2016

I've found that on Juniper the phase 1 is not being stablished (anyhow on Fortinet's debug it appears it does).

Here are some logs:

Jan 19 12:52:35 ike_init_info_exchange: Created random message id = 3607983b Jan 19 12:52:35 ike_init_info_exchange: Phase 1 done, use HASH and N or D payload Jan 19 12:52:35 <none>:4500 (Initiator) <-> 189.1.1.1:4500 { a19448c2 6d46630f - 390008be 8287d4bf [1] / 0x3607983b } Info; Sending delete notify back Jan 19 12:52:35 ike_encode_packet: Start, SA = { 0xa19448c2 6d46630f - 390008be 8287d4bf } / 3607983b, nego = 1 Jan 19 12:52:35 <none>:4500 (Initiator) <-> 189.1.1.1:4500 { a19448c2 6d46630f - 390008be 8287d4bf [1] / 0x3607983b } Info; Encode packet, version = 1.0, flags = 0x00000001 Jan 19 12:52:35 <none>:4500 (Initiator) <-> 189.1.1.1:4500 { a19448c2 6d46630f - 390008be 8287d4bf [1] / 0x3607983b } Info; Encode HASH: hash[20] = 0x00000000 00000000 00000000 00000000 00000000 Jan 19 12:52:35 ike_encode_packet: Payload length = 24 Jan 19 12:52:35 <none>:4500 (Initiator) <-> 189.1.1.1:4500 { a19448c2 6d46630f - 390008be 8287d4bf [1] / 0x3607983b } Info; Encode D: doi = 1, proto = 1, # spis = 1 Jan 19 12:52:35 <none>:4500 (Initiator) <-> 189.1.1.1:4500 { a19448c2 6d46630f - 390008be 8287d4bf [1] / 0x3607983b } Info; Encode D: spi[0][16] = 0xa19448c2 6d46630f 390008be 8287d4bf Jan 19 12:52:35 ike_encode_packet: Payload length = 28 Jan 19 12:52:35 ike_encode_packet: Packet length = 84 Jan 19 12:52:35 ike_encode_packet: Calling finalizing function for payload[0].type = 8 Jan 19 12:52:35 <none>:4500 (Initiator) <-> 189.1.1.1:4500 { a19448c2 6d46630f - 390008be 8287d4bf [1] / 0x3607983b } Info; HASH hash .= M-ID[4] = 0x3607983b Jan 19 12:52:35 <none>:4500 (Initiator) <-> 189.1.1.1:4500 { a19448c2 6d46630f - 390008be 8287d4bf [1] / 0x3607983b } Info; Output of HASH hash[20] = 0x73228c1a 77e45d2d 92418eeb 44ae48cd bf7cc06b Jan 19 12:52:35 <none>:4500 (Initiator) <-> 189.1.1.1:4500 { a19448c2 6d46630f - 390008be 8287d4bf [1] / 0x3607983b } Info; Encoded packet[84] = 0xa19448c2 6d46630f 390008be 8287d4bf 08100501 3607983b 00000054 0c000018 73228c1a 77e45d2d 92418eeb 44ae48cd bf7cc06b 000 Jan 19 12:52:35 ike_encode_packet: Encrypting packet Jan 19 12:52:35 <none>:4500 (Initiator) <-> 189.1.1.1:4500 { a19448c2 6d46630f - 390008be 8287d4bf [1] / 0x3607983b } Info; dec->enc IV[8] = 0x98d19a7e d2c4fa95 Jan 19 12:52:35 <none>:4500 (Initiator) <-> 189.1.1.1:4500 { a19448c2 6d46630f - 390008be 8287d4bf [1] / 0x3607983b } Info; enc->dec IV[8] = 0x83c7b473 a3c415a8 Jan 19 12:52:35 <none>:4500 (Initiator) <-> 189.1.1.1:4500 { a19448c2 6d46630f - 390008be 8287d4bf [1] / 0x3607983b } Info; Encrypted packet[84] = 0xa19448c2 6d46630f 390008be 8287d4bf 08100501 3607983b 00000054 3916167e a0a15450 0661334b 73e7224e 679bdabf cd5dbe7f 0 Jan 19 12:52:35 ike_encode_packet: Final length = 84 Jan 19 12:52:35 ike_expire_callback: Sending notification to 189.1.1.1:4500 Jan 19 12:52:35 ike_send_packet: Start, send SA = { a19448c2 6d46630f - 390008be 8287d4bf}, nego = 1, dst = 189.1.1.1:4500, routing table id = 0 Jan 19 12:52:35 <none>:4500 (Initiator) <-> 189.1.1.1:4500 { a19448c2 6d46630f - 390008be 8287d4bf [1] / 0x3607983b } Info; Sending packet[84] = 0xa19448c2 6d46630f 390008be 8287d4bf 08100501 3607983b 00000054 3916167e a0a15450 0661334b 73e7224e 679bdabf cd5dbe7f 064 Jan 19 12:52:35 ike_free_packet: Start Jan 19 12:52:35 ike_delete_negotiation: Start, SA = { a19448c2 6d46630f - 390008be 8287d4bf}, nego = 1 Jan 19 12:52:35 <none>:4500 (Initiator) <-> 189.1.1.1:4500 { a19448c2 6d46630f - 390008be 8287d4bf [1] / 0x3607983b } Info; Deleting negotiation Jan 19 12:52:35 ike_free_negotiation_info: Start, nego = 1 Jan 19 12:52:35 ike_free_negotiation: Start, nego = 1 Jan 19 12:52:35 ikev2_fb_phase_ii_sa_freed: Phase-II free Entered Jan 19 12:52:35 ssh_set_debug_gw_info: ssh_set_debug_gw_info: set gw debug info - local 192.168.1.253 remote 189.1.1.1 Jan 19 12:52:35 ike_remove_callback: Start, delete SA = { a19448c2 6d46630f - 390008be 8287d4bf}, nego = -1 Jan 19 12:52:35 192.168.1.253:4500 (Initiator) <-> 189.1.1.1:4500 { a19448c2 6d46630f - 390008be 8287d4bf [-1] / 0x00000000 } Aggr; Removing negotiation Jan 19 12:52:35 ike_delete_negotiation: Start, SA = { a19448c2 6d46630f - 390008be 8287d4bf}, nego = -1 Jan 19 12:52:35 192.168.1.253:4500 (Initiator) <-> 189.1.1.1:4500 { a19448c2 6d46630f - 390008be 8287d4bf [-1] / 0x00000000 } Aggr; Deleting negotiation Jan 19 12:52:35 ssh_ike_tunnel_table_entry_delete: Deleting tunnel_id: 0 from IKE tunnel table Jan 19 12:52:35 ssh_ike_tunnel_table_entry_delete: The tunnel id: 0 doesn't exist in IKE tunnel table Jan 19 12:52:35 ike_sa_delete: Start, SA = { a19448c2 6d46630f - 390008be 8287d4bf } Jan 19 12:52:35 ikev2_fb_negotiation_done_qm: Entered IKE error code Aborted notification (8199) (neg c18800) Jan 19 12:52:35 ikev2_fb_i_ipsec_negotiation_cb: Connect IPSec done callback, status Aborted notification (neg c18800) Jan 19 12:52:35 ike_free_negotiation_qm: Start, nego = 0 Jan 19 12:52:35 ike_free_negotiation: Start, nego = 0 Jan 19 12:52:35 ike_free_packet: Start Jan 19 12:52:35 ikev2_fb_qm_sa_freed: QM free Entered Jan 19 12:52:35 ikev2_fb_phase_qm_clear_pm_data: Clearing FB negotiation c18800 from qm_info c2ae80 Jan 19 12:52:35 ikev2_fallback_negotiation_free: Fallback negotiation c18800 has still 1 references Jan 19 12:52:35 ike_free_id_payload: Start, id type = 4 Jan 19 12:52:35 ike_free_id_payload: Start, id type = 4 Jan 19 12:52:35 ike_free_negotiation_isakmp: Start, nego = -1 Jan 19 12:52:35 ike_free_negotiation: Start, nego = -1 Jan 19 12:52:35 ike_free_packet: Start Jan 19 12:52:35 ike_free_packet: Start Jan 19 12:52:35 ike_free_packet: Start Jan 19 12:52:35 ikev2_fb_isakmp_sa_freed: Received notification from the ISAKMP library that the IKE SA c13400 is freed Jan 19 12:52:35 ikev2_fb_isakmp_sa_freed: Clearing p1_info from fallback negotiation c18800 Jan 19 12:52:35 ikev2_fb_isakmp_sa_freed: FB; Calling v2 policy function ike_sa_delete Jan 19 12:52:35 IKE SA delete called for p1 sa 5029495 (ref cnt 2) local:192.168.1.253, remote:189.1.1.1, IKEv1 Jan 19 12:52:35 P1 SA 5029495 stop timer. timer duration 0, reason 0. Jan 19 12:52:35 ikev2_fb_sa_abort: Aborting QM negotiation c18800 Jan 19 12:52:35 ikev2_fb_sa_abort: Finishing IKE SA negotiation (neg c18800) Jan 19 12:52:35 ikev2_free_exchange_data: Freeing exchange data from SA c13400, ED c29028 (2) Jan 19 12:52:35 Freeing reference to P1 SA 5029495 to ref count 1 Jan 19 12:52:35 P1 SA 5029495 reference count is not zero (1). Delaying deletion of SA Jan 19 12:52:35 ike_free_id_payload: Start, id type = 2 Jan 19 12:52:35 ike_free_id_payload: Start, id type = 2 Jan 19 12:52:35 ike_free_sa: Start Jan 19 12:52:35 ikev2_fb_i_p1_negotiation_result: Phase I negotiation result Jan 19 12:52:35 ikev2_fb_i_p1_negotiation_result: Phase I negotiation was aborted (neg c18800) Jan 19 12:52:35 ikev2_fb_p1_negotiation_destructor: Freeing fallback negotiation context Jan 19 12:52:35 ikev2_fallback_negotiation_free: Freeing fallback negotiation c18800 Jan 19 12:52:35 ikev2_free_exchange_data: Freeing exchange data from SA c13400, ED c29028 (1) Jan 19 12:52:35 ikev2_free_exchange_data_ipsec: Freeing IPsec exchange data from SA c13400 Jan 19 12:52:35 ssh_ikev2_ts_free: ts 0xb94f20, ref_cnt 1 Jan 19 12:52:35 ssh_ikev2_ts_free: ts 0xb94f60, ref_cnt 1 Jan 19 12:52:35 ikev2_free_exchange_data_ipsec: Successfully freed IPsec exchange data from SA c13400 Jan 19 12:52:35 ikev2_free_exchange_data_ike: Freeing IKE exchange data from SA c13400 Jan 19 12:52:35 ikev2_free_exchange_data_ike: Successfully freed IKE exchange data from SA c13400 Jan 19 12:52:35 ikev2_free_exchange_data: Calling exchange_data_free Jan 19 12:52:35 Freeing P2 Ed for sa-cfg ike-vpn-test Jan 19 12:52:35 iked_pm_ike_exchange_data_free: Successfully removed pm_ed bef200 from list for sa_cfg ike-vpn-test Jan 19 12:52:35 ikev2_free_exchange_data: Successfully freed exchange data from SA c13400 Jan 19 12:52:35 ssh_ikev2_ike_sa_free: Calling ike_sa_free_ref Jan 19 12:52:35 Freeing reference to P1 SA 5029495 to ref count 0 Jan 19 12:52:35 No more references to IKE SA 5029495 and waiting for delete. Deleting IKE SA Jan 19 12:52:35 iked_pm_p1_sa_destroy: p1 sa 5029495 (ref cnt 0), waiting_for_del 0xb94f40 Jan 19 12:52:35 iked_peer_remove_p1sa_entry: Remove p1 sa 5029495 from peer entry 0xc16200 Jan 19 12:52:35 iked_dist_table_entry_update : Dist table entry creation not needed Jan 19 12:52:35 iked_peer_entry_patricia_delete:Peer entry c16200 deleted for local 192.168.1.253:1f4 and remote 189.1.1.1:1f4 Jan 19 12:52:35 Deleting p1 sa (5029495) node from IKE p1 SA P-tree Jan 19 12:52:35 The tunnel id: 5029495 doesn't exist in P1 SA P-tree Jan 19 12:52:35 ikev2_udp_window_uninit: Freeing transmission windows for SA c13400 Jan 19 12:52:35 iked_deferred_free_inactive_peer_entry: Free 1 peer_entry(s) Jan 19 12:52:35 ikev2_packet_allocate: Allocated packet bd2400 from freelist Jan 19 12:52:35 ikev2_packet_allocate: [bd2400/0] Allocating Jan 19 12:52:35 *** Processing received packet from 189.1.1.1:4500 to 192.168.1.253:0 VR 0 Jan 19 12:52:35 ikev2_packet_st_input_start: [bd2400/0] Processing received Jan 19 12:52:35 ike_sa_find: Start, SA = { a19448c2 6d46630f - 390008be 8287d4bf } Jan 19 12:52:35 ike_sa_find: Not found SA = { a19448c2 6d46630f - 390008be 8287d4bf } Jan 19 12:52:35 Failed to find IKEv1 SA for given spi Jan 19 12:52:35 ikev2_packet_st_input_v1_create_sa: [bd2400/0] No IKE SA for packet; requesting permission to create one. Jan 19 12:52:35 iked_pm_ike_rate_limit: Soft limit for p1 negotiation 100.Current active p1 negotiations 0 Jan 19 12:52:35 New connection from 189.1.1.1:4500 allowed Jan 19 12:52:35 ikev2_packet_st_connect_decision: [bd2400/0] Pad allows connection Jan 19 12:52:35 ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library Jan 19 12:52:35 ike_udp_callback_common: Packet from 189.1.1.1:4500, use_natt=1 data[0..304] = 00000000 a19448c2 6d46630f 390008be ... Jan 19 12:52:35 ike_get_sa: Start, SA = { a19448c2 6d46630f - 390008be 8287d4bf } / c257e3be, remote = 189.1.1.1:4500 Jan 19 12:52:35 ike_sa_find: Start, SA = { a19448c2 6d46630f - 390008be 8287d4bf } Jan 19 12:52:35 ike_sa_find: Not found SA = { a19448c2 6d46630f - 390008be 8287d4bf } Jan 19 12:52:35 ike_sa_find_half: Start, SA = { a19448c2 6d46630f - 00000000 00000000 } Jan 19 12:52:35 ike_sa_find_half: Not found half SA = { a19448c2 6d46630f - 00000000 00000000 } Jan 19 12:52:35 ike_get_sa: Invalid cookie, no sa found, SA = { a19448c2 6d46630f - 390008be 8287d4bf } / c257e3be, remote = 189.1.1.1:4500 Jan 19 12:52:35 iked_pv_audit_callback: Empty SSH audit event Jan 19 12:52:35 unknown (unknown) <-> unknown { unknown [unknown] / unknown } unknown; Packet to unknown Isakmp SA, ip = 189.1.1.1:4500 Jan 19 12:52:35 unknown (unknown) <-> unknown { unknown [unknown] / unknown } unknown; Received packet[300] = 0xa19448c2 6d46630f 390008be 8287d4bf 08102001 c257e3be 0000012c da320168 55ea83c3 46a6ff61 b5393fc0 d1b07cda 7773f5cb fec7cb2c ed79344a... Jan 19 12:52:35 ikev2_packet_destroy: [bd2400/0] Destructor Jan 19 12:52:35 ikev2_packet_free: [bd2400/0] Freeing

Any ideas why it is turning down the tunnel?

JohnAgora · ‎01-19-2016

My VPN's configs:

Juniper:

root@Juniper# show security ike traceoptions { file ike-test size 5m files 5 world-readable; flag all; flag ike; flag general; level 15; } proposal ike-phase1-proposal { authentication-method pre-shared-keys; dh-group group2; authentication-algorithm sha1; encryption-algorithm 3des-cbc; lifetime-seconds 28800; } policy ike-phase1-policy { mode aggressive; proposals ike-phase1-proposal; pre-shared-key ascii-text "$9$2g4GDHqmTFnkqBIhSeKGDjifT"; ## SECRET-DATA; here's "test" } gateway gw-yoloxochitlan { ike-policy ike-phase1-policy; address 189.1.1.1; dead-peer-detection { always-send; interval 10; threshold 3; } nat-keepalive 10; local-identity hostname test; external-interface fe-0/0/0.0; version v1-only; }

Fortigate

Fortinet (phase1-interface) # edit test

Fortinet (test) # get name : test type : dynamic interface : port16 ip-version : 4 ike-version : 1 local-gw : 0.0.0.0 nattraversal : enable keylife : 28800 authmethod : psk mode : aggressive peertype : one mode-cfg : disable proposal : 3des-sha1 add-route : enable localid : test localid-type : auto negotiate-timeout : 30 fragmentation : enable dpd : enable forticlient-enforcement: disable comments : VPN_test npu-offload : enable dhgrp : 2 wizard-type : custom xauthtype : disable peerid : test default-gw : 0.0.0.0 default-gw-priority : 0 psksecret : * keepalive : 10 distance : 15 priority : 0 dpd-retrycount : 3 dpd-retryinterval : 10

JohnAgora · ‎01-19-2016

Fortigate's logs (edited so they are easier to read):

ike 0:1f58e705dcb8c10b/0000000000000000:60877: negotiation result ike 0:1f58e705dcb8c10b/0000000000000000:60877: proposal id = 1: ike 0:1f58e705dcb8c10b/0000000000000000:60877: protocol id = ISAKMP: ike 0:1f58e705dcb8c10b/0000000000000000:60877: trans_id = KEY_IKE. ike 0:1f58e705dcb8c10b/0000000000000000:60877: encapsulation = IKE/none ike 0:1f58e705dcb8c10b/0000000000000000:60877: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC. ike 0:1f58e705dcb8c10b/0000000000000000:60877: type=OAKLEY_HASH_ALG, val=SHA. ike 0:1f58e705dcb8c10b/0000000000000000:60877: type=AUTH_METHOD, val=PRESHARED_KEY. ike 0:1f58e705dcb8c10b/0000000000000000:60877: type=OAKLEY_GROUP, val=MODP1024. ike 0:1f58e705dcb8c10b/0000000000000000:60877: ISAKMP SA lifetime=28800 ike 0:1f58e705dcb8c10b/0000000000000000:60877: SA proposal chosen, matched gateway test ike 0:test:60877: received peer identifier FQDN 'test' ike 0:test:60877: DPD negotiated ike 0:test:60877: selected NAT-T version: RFC 3947 ike 0:test:60877: cookie 1f58e705dcb8c10b/964eafb1c899f729 ... ike 0: IKEv1 exchange=Aggressive id=1f58e705dcb8c10b/964eafb1c899f729 len=100 ... ike 0:test:60877: received NAT-D payload type 20 ike 0:test:60877: received NAT-D payload type 20 ike 0:test:60877: PSK authentication succeeded ike 0:test:60877: authentication OK ike 0:test:60877: NAT detected: PEER ike 0:test:60877: remote port change 61451 -> 60813 ike 0:test: adding new dynamic tunnel for 189.1.1.2:60813 ike 0:test_0: added new dynamic tunnel for 189.1.1.2:60813 ike 0:test_0:60877: established IKE SA 1f58e705dcb8c10b/964eafb1c899f729 ike 0:test_0:60877: no pending Quick-Mode negotiations ... ike 0:test_0:60877:85174: peer proposal is: peer:0:10.10.10.0-10.10.10.255:0, me:0:0.0.0.0-255.255.255.255:0 ike 0:test_0:60877:test:85174: trying ike 0:test_0:60877:test:85174: matched phase2 ike 0:test_0:60877:test:85174: dynamic client ike 0:test_0:60877:test:85174: my proposal: ike 0:test_0:60877:test:85174: proposal id = 1: ike 0:test_0:60877:test:85174: protocol id = IPSEC_ESP: ike 0:test_0:60877:test:85174: PFS DH group = 2 ike 0:test_0:60877:test:85174: trans_id = ESP_3DES ike 0:test_0:60877:test:85174: encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0:test_0:60877:test:85174: type = AUTH_ALG, val=SHA1 ike 0:test_0:60877:test:85174: incoming proposal: ike 0:test_0:60877:test:85174: proposal id = 1: ike 0:test_0:60877:test:85174: protocol id = IPSEC_ESP: ike 0:test_0:60877:test:85174: PFS DH group = 2 ike 0:test_0:60877:test:85174: trans_id = ESP_3DES ike 0:test_0:60877:test:85174: encapsulation = UDP_ENCAPSULATION_MODE_TUNNEL_RFC3947 ike 0:test_0:60877:test:85174: type = AUTH_ALG, val=SHA1 ike 0:test_0:60877:test:85174: negotiation result ike 0:test_0:60877:test:85174: proposal id = 1: ike 0:test_0:60877:test:85174: protocol id = IPSEC_ESP: ike 0:test_0:60877:test:85174: PFS DH group = 2 ike 0:test_0:60877:test:85174: trans_id = ESP_3DES ike 0:test_0:60877:test:85174: encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0:test_0:60877:test:85174: type = AUTH_ALG, val=SHA1 ike 0:test_0:60877:test:85174: set pfs=MODP1024 ike 0:test_0:60877:test:85174: using udp tunnel mode. ike 0:test_0:60877:test:85174: replay protection enabled ike 0:test_0:60877:test:85174: SA life soft seconds=3591. ike 0:test_0:60877:test:85174: SA life hard seconds=3600. ike 0:test_0:60877:test:85174: IPsec SA selectors #src=1 #dst=1 ike 0:test_0:60877:test:85174: src 0 7 0:0.0.0.0-255.255.255.255:0 ike 0:test_0:60877:test:85174: dst 0 7 0:10.10.10.0-10.10.10.255:0 ike 0:test_0:60877:test:85174: add dynamic IPsec SA selectors ike 0:test_0:85174: add route 10.10.10.0/255.255.255.0 oif test_0(53403) metric 15 priority 0 ike 0:test_0:60877:test:85174: tunnel 1 of VDOM limit 0/0 ike 0:test_0:60877:test:85174: add IPsec SA: SPIs=d4148620/8bf0c36a ... ike 0:test_0:60877:test:85174: sending SNMP tunnel UP trap ... ike 0:test_0:60877: sent IKE msg (quick_r1send): 189.1.1.1:4500->189.1.1.2:60813, len=300, id=1f58e705dcb8c10b/964eafb1c899f729:ba36efa2 ike 0: comes 189.1.1.2:60813->189.1.1.1:4500,ifindex=39.... ike 0: IKEv1 exchange=Informational id=1f58e705dcb8c10b/964eafb1c899f729:c2f1f199 len=84 ike 0: in 1F58E705DCB8C10B964EAFB1C899F72908100501C2F1F19900000054C17A3F6BC68CBA17CD4158A7B830C3770F42ABB4F10E2AD4DD0CBD8E56935D98E9E5B6B6EDD3553F426D976CFADC08C8A6E28949721CFFFB ike 0:test_0:60877: dec 1F58E705DCB8C10B964EAFB1C899F72908100501C2F1F199000000540C000018A570DF1920431447AE975EB46D500C8CB05F839C0000001C00000001011000011F58E705DCB8C10B964EAFB1C899F72900000000 ike 0:test_0:60877: recv ISAKMP SA delete 1f58e705dcb8c10b/964eafb1c899f729 ike 0:test_0: deleting ike 0:test_0: flushing

The line on bold is the one that send the tunnel down. Any ideas?

Thanks!!

emnoc · ‎01-19-2016

Post your configs but you need to read the site2site vpn t-shoot. I would double check ikev2 is not enabled also.

Ken

PCNSE

NSE

StrongSwan