
ike SA unusable and ike No proposal chosen


Hello, I am trying a new Juniper in my branch office and I can't understand what's wrong (it's the 5th branch with an IPsec VPN, so I was expecting that everything would go smoothly).

I tried to set up two IPsec tunnels, and got two different errors.

1st: 

Jan 29 20:43:07  Moscow-NO kmd[2046]: IKE negotiation failed with error: SA unusable. IKE Version: 1, VPN: ipsec-vpn-cfgr Gateway: ike-gate-cfgr, Local: 83.234.107.110/500, Remote: 217.12.253.226/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0

2nd: 

Jan 29 20:43:13  Moscow-NO kmd[2046]: IKE negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: vpn-no-pod Gateway: gw-no-pod, Local: 83.234.107.110/500, Remote: 62.176.7.74/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0

So, the new one can't connect to any of the existing routers, but gives different errors for them...

On each host this is done...

set security zones security-zone untrust host-inbound-traffic system-services ike

Config on new host:

ike

traceoptions {
    file ike-debug;
    flag all;
}

policy ike-policy-cfgr {
    mode main;
    proposal-set standard;
    pre-shared-key ascii-text "123"; ## SECRET-DATA
}

policy policy-no-pod {
    mode main;
    proposal-set standard;
    pre-shared-key ascii-text "123"; ## SECRET-DATA
}

gateway ike-gate-cfgr {
    ike-policy ike-policy-cfgr;
    address 217.12.253.226;
    dead-peer-detection {
        always-send;
        interval 20;
        threshold 5;
    }
    local-identity inet 83.234.107.110;
    external-interface fe-0/0/0.0;
    version v1-only;
}

gateway gw-no-pod {
    ike-policy policy-no-pod;
    address 62.176.7.74;
    dead-peer-detection {
        always-send;
        interval 20;
        threshold 5;
    }
    external-interface fe-0/0/0.0;
    version v1-only;
}

ipsec

vpn-monitor-options {
    interval 10;
    threshold 10;
}

policy ipsec-policy-cfgr {
    perfect-forward-secrecy {
        keys group2;
    }
    proposal-set standard;
}

policy pol-no-pod {
    perfect-forward-secrecy {
        keys group2;
    }
    proposal-set standard;
}

vpn ipsec-vpn-cfgr {
    bind-interface st0.0;
    vpn-monitor {
        optimized;
    }
    ike {
        gateway ike-gate-cfgr;
        ipsec-policy ipsec-policy-cfgr;
    }
    establish-tunnels immediately;
}

vpn vpn-no-pod {
    bind-interface st0.1;
    vpn-monitor {
        optimized;
    }
    ike {
        gateway gw-no-pod;
        ipsec-policy pol-no-pod;
    }
    establish-tunnels immediately;
}

1st "old host":

 

ike

policy ike-policy-cfgr {
    mode main;
    proposal-set standard;
    pre-shared-key ascii-text "123"; ## SECRET-DATA
}

gateway ike-gate-cfgr {
    ike-policy ike-policy-cfgr;
    address 83.243.107.110;
    dead-peer-detection {
        always-send;
        interval 20;
        threshold 5;
    }
    external-interface vlan.8;
    version v1-only;
}

ipsec

vpn-monitor-options {
    interval 10;
    threshold 10;
}

policy ipsec-policy-cfgr {
    perfect-forward-secrecy {
        keys group2;
    }
    proposal-set standard;
}

vpn ipsec-vpn-cfgr {
    bind-interface st0.1;
    vpn-monitor {
        optimized;
    }
    ike {
        gateway ike-gate-cfgr;
        ipsec-policy ipsec-policy-cfgr;
    }
    establish-tunnels immediately;
}

2nd old host:

ike

policy policy-pod-no {                  
    mode main;                          
    proposal-set standard;              
    pre-shared-key ascii-text "123"; ## SECRET-DATA
}

gateway gw-pod-no {                     
    ike-policy policy-pod-no;           
    address 83.234.107.110;             
    dead-peer-detection {               
        always-send;                    
        interval 20;                    
        threshold 5;                    
    }                                   
    external-interface fe-0/0/0.0;      
    version v1-only;                    
}    

ipsec

vpn-monitor-options {
    interval 10;
    threshold 10;
}


policy pol-pod-no {                     
    perfect-forward-secrecy {           
        keys group2;                    
    }                                   
    proposal-set standard;              
} 

vpn vpn-pod-no {                        
    bind-interface st0.6;               
    vpn-monitor {                       
        optimized;                      
    }                                   
    ike {                               
        gateway gw-pod-no;              
        ipsec-policy pol-pod-no;        
    }                                   
    establish-tunnels immediately;      
}

Both "old" SRX devices are connected to each other through an IPsec VPN.
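
An added example, not part of the original post: a consistency check that parses the two kmd failure lines above and compares the Local address in each with the `address` statement in the corresponding peer's posted gateway stanza. Which posted "old host" config sits behind each remote IP is an assumption inferred from the matching gateway and VPN names.

```python
import ipaddress
import re

# kmd lines copied from the post, with the terminal line wraps joined.
KMD_LINES = [
    "Jan 29 20:43:07  Moscow-NO kmd[2046]: IKE negotiation failed with error: SA unusable. "
    "IKE Version: 1, VPN: ipsec-vpn-cfgr Gateway: ike-gate-cfgr, Local: 83.234.107.110/500, "
    "Remote: 217.12.253.226/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0",
    "Jan 29 20:43:13  Moscow-NO kmd[2046]: IKE negotiation failed with error: No proposal chosen. "
    "IKE Version: 1, VPN: vpn-no-pod Gateway: gw-no-pod, Local: 83.234.107.110/500, "
    "Remote: 62.176.7.74/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0",
]

# Assumption: remote IP -> the `address` statement of the peer config posted
# for it (mapping inferred from gateway/VPN names; values exactly as posted).
PEER_EXPECTS = {
    "217.12.253.226": "83.243.107.110",  # 1st old host, gateway ike-gate-cfgr
    "62.176.7.74": "83.234.107.110",     # 2nd old host, gateway gw-pod-no
}

FAILURE_RE = re.compile(
    r"IKE negotiation failed with error: (?P<error>.+?)\. IKE Version: (?P<version>\d+), "
    r"VPN: (?P<vpn>\S+) Gateway: (?P<gateway>[^,\s]+), "
    r"Local: (?P<local>[\d.]+)/(?P<lport>\d+), Remote: (?P<remote>[\d.]+)/(?P<rport>\d+)"
)

def parse_failure(line):
    """Return the fields of one kmd IKE failure line, or None for any other line."""
    m = FAILURE_RE.search(line)
    return m.groupdict() if m else None

def address_mismatches(lines, peer_expects):
    """List failures where the peer's configured gateway address differs from our Local address."""
    found = []
    for line in lines:
        f = parse_failure(line)
        if f is None or f["remote"] not in peer_expects:
            continue  # not an IKE failure line, or no posted config for this peer
        expected = peer_expects[f["remote"]]
        if ipaddress.ip_address(expected) != ipaddress.ip_address(f["local"]):
            found.append((f["gateway"], f["remote"], f["local"], expected))
    return found

if __name__ == "__main__":
    for gw, remote, local, expected in address_mismatches(KMD_LINES, PEER_EXPECTS):
        print(f"{gw}: peer {remote} is configured for {expected}, but we negotiate from {local}")
```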

