Hi,
I have been fighting with a second IPsec VPN tunnel since winter. We got a bigger internet line in the office; I configured a port for this on the office SRX100, and all our internet traffic is using this now. We have a VPN to our data center, where there is a cluster of two SRX100/100H2 VPN endpoints. Now I wanted to make a second tunnel to the data center over the new line, transfer all routes and then switch off the old tunnel. I did this before with pfSenses, but on Juniper I just cannot understand how this should be done.
I copied the secrets from the config of the first to the second firewall, so this should be ok. What I don't understand is why the tunnel 1 endpoint on firewall 1 has a completely different secret than the tunnel 1 endpoint on firewall 2 and it still works. ???
My (cleaned) config at the moment; there were so many tries and changes in the last half year I tried this that I cannot recall everything I did until now, and I did not push every time:
Firewall office:
interfaces { fe-0/0/0 { unit 0 { encapsulation ppp-over-ether; } } fe-0/0/7 { description Telekom; speed 100m; mtu 1492; link-mode full-duplex; fastether-options { no-auto-negotiation; } unit 0 { description "Feste IP"; family inet { address 172.10.10.10/29; } } pp0 { traceoptions; unit 0 { apply-macro "telekom dsl"; ppp-options { chap { default-chap-secret "$9$/somesecretchap"; local-name "fixed-ip-telekom"; no-rfc2486; passive; } pap { local-name "fixed-ip-telekom"; no-rfc2486; local-password "$9$/somesecretchap"; passive; } } pppoe-options { underlying-interface fe-0/0/0.0; idle-timeout 0; auto-reconnect 10; } family inet { mtu 1492; negotiate-address; } } } st0 { unit 0 { family inet { address 192.168.210.20/24; } } unit 1 { description MunichII; family inet { address 192.168.210.21/24; } } } ike { traceoptions { flag all; level 0; } policy ike_pol_wizard_dyn_vpn { mode aggressive; proposal-set compatible; pre-shared-key ascii-text "$9$xxxxxverylongpassword1"; } policy ike-policy-cfgr { mode main; proposal-set standard; pre-shared-key ascii-text "$9$notsolongpassword1"; } policy ike-policy-sdsl { mode main; proposal-set standard; pre-shared-key ascii-text "$9$notsolongpassword1"; } gateway gw_wizard_dyn_vpn { ike-policy ike_pol_wizard_dyn_vpn; dynamic { hostname rt1; connections-limit 50; ike-user-type group-ike-id; } external-interface pp0.0; xauth access-profile remote_access_profile; } gateway ike-gate-cfgr { ike-policy ike-policy-cfgr; address 172.10.11.146; external-interface pp0.0; } gateway ike-gate-sdsl { ike-policy ike-policy-sdsl; address 172.10.11.146; external-interface fe-0/0/7.0; } } ipsec { policy ipsec_pol_wizard_dyn_vpn { proposal-set compatible; } policy ipsec-policy-cfgr { proposal-set standard; } policy ipsec-policy-sdsl { proposal-set standard; } vpn wizard_dyn_vpn { ike { gateway gw_wizard_dyn_vpn; ipsec-policy ipsec_pol_wizard_dyn_vpn; } } vpn ipsec-vpn-cfgr { bind-interface st0.0; ike { gateway ike-gate-cfgr; ipsec-policy ipsec-policy-cfgr; } establish-tunnels immediately; } vpn ipsec-vpn-sdsl { bind-interface st0.1; ike { gateway ike-gate-sdsl; ipsec-policy ipsec-policy-sdsl; } establish-tunnels immediately; } }
Firewall data center:
interfaces { reth2 { description "UPLINK IPX"; redundant-ether-options { redundancy-group 1; } unit 0 { family inet { address 172.10.11.146/29; } } } st0 { unit 0 { family inet { address 192.168.210.10/24; } } unit 1 { family inet { address 192.168.210.11/24; } family inet6; } } ike { policy ike-policy-cfgr { mode main; proposal-set standard; pre-shared-key ascii-text "$9$somecompletelydifferentpasswordthentheothers"; } policy ike_pol_sdsl { mode main; proposal-set standard; pre-shared-key ascii-text "$9$thesecreticopiedfromotherfirewall"; } gateway ike-gate-cfgr { ike-policy ike-policy-cfgr; address 172.old.ppoe.address; external-interface reth2.0; } gateway gw_sdsl { ike-policy ike_pol_sdsl; address 172.10.10.62; external-interface reth2.0; } } ipsec { policy ipsec-policy-cfgr { proposal-set standard; } policy ipsec_pol_sdsl { proposal-set standard; } vpn ipsec-vpn-cfgr { bind-interface st0.0; ike { gateway ike-gate-cfgr; ipsec-policy ipsec-policy-cfgr; } establish-tunnels immediately; } vpn sdsl { bind-interface st0.1; ike { gateway gw_sdsl; ipsec-policy ipsec_pol_sdsl; } establish-tunnels immediately; } }
I change the config in the web interface CLI editor. Always.
I enabled kmd logs on both firewalls.
The logs say the tunnel from RZ to the old gateway is established perfectly; for the new gateway to RZ, the office log says:
Jul 9 16:40:14 rt1 kmd[65052]: IKE negotiation failed with error: Timed out. IKE Version: 1, VPN: ipsec-vpn-sdsl Gateway: ike-gate-sdsl, Local: 172.10.10.62/500, Remote: 172.10.11.146/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
Jul 9 16:41:09 rt1 kmd[65052]: Config download: Processed 4 - 5 messages
Jul 9 16:41:09 rt1 kmd[65052]: Config download time: 0 seconds
I really tried everything now: using the same policy and gateway on RZ (it's the same gate anyway), making an st0.1 with the same IP and a different gateway name, using the same policy on the office firewall, making a new one....
I am out of options. I tried the
https://www.juniper.net/support/tools/vpnconfig/#remoteSite
configurator and copied the relevant portions into the config, committed, and it did not work. I even went as far as making a backdoor around the firewall in the data center to not lose connectivity and tried the CLI set thing, to no avail, except the tunnel really went down then. Luckily the commit confirmed brought it back after 10 minutes.
So what to do?
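Added example, not from the post and not Juniper's own material: the set-style pieces a second route-based VPN on a separate WAN port needs beyond the ike/ipsec stanzas posted above (zone membership that admits IKE, the tunnel interface's zone, and the static routes used for the cutover). The zone names untrust and vpn and the prefix 10.20.0.0/16 are assumed placeholders; the interface and gateway names are the ones from the office config.

```junos
## Added example (not the poster's config, not Juniper's). Zone names "untrust"/"vpn"
## and the prefix 10.20.0.0/16 are assumed placeholders.

# On the $9$ secrets: they are reversible, salted obfuscation, so the same plaintext key
# gets a different $9$ string each time it is typed. Two peers showing different strings
# can still share one key, and a copied $9$ string decodes to the same plaintext.

# 1. The new WAN interface must sit in a zone that accepts IKE; otherwise the peer's
#    UDP/500 packets are dropped before kmd sees them and the initiator logs "Timed out".
set security zones security-zone untrust interfaces fe-0/0/7.0
set security zones security-zone untrust host-inbound-traffic system-services ike

# 2. Put the second tunnel interface in the same zone as the first, so the existing
#    policies between the vpn zone and the LAN zone already cover st0.1.
set security zones security-zone vpn interfaces st0.1

# 3. The new gateway is bound to the new port (as in the posted ike-gate-sdsl); the
#    address the data-center gateway gw_sdsl points at must equal this port's address.
set security ike gateway ike-gate-sdsl external-interface fe-0/0/7.0

# 4. Two static routes to the data-center LAN; the lower preference wins, so traffic
#    moves to st0.1 while st0.0 stays as a fallback until the old VPN is deleted.
set routing-options static route 10.20.0.0/16 qualified-next-hop st0.1 preference 5
set routing-options static route 10.20.0.0/16 qualified-next-hop st0.0 preference 10

# 5. Commit with a rollback timer, verify phase 1, phase 2 and the route, then confirm.
commit confirmed 10
run show security ike security-associations
run show security ipsec security-associations
run show route 10.20.0.0/16
commit
```

With both routes in place, `show route 10.20.0.0/16` should list st0.1 as the active next hop; deleting the st0.0 route and the old vpn/gateway afterwards completes the cutover.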