[j-nsp] SRX IPSEC VPN dynamic-to-static
Mauritz Lewies
mauritz at three6five.com
Fri Feb 18 05:12:59 EST 2011
Thanks
I followed that as well and no luck....
Can you see anything glaringly wrong?
----------------------Head Office--------------------------
ike {
    traceoptions {
        file IKE-TEST-2;
        flag all;
    }
    proposal ONEPLAN {
        authentication-method pre-shared-keys;
        dh-group group5;
        authentication-algorithm md5;
        encryption-algorithm des-cbc;
    }
    policy ONEPLAN {
        mode aggressive;
        proposal ONEPLAN;
        pre-shared-key ascii-text "$9$y0/K87ZGifT3jHqfTQ9CuO1hlM8Lx"; ## SECRET-DATA
    }
    gateway ONEPLAN {
        ike-policy ONEPLAN;
        dynamic hostname openplan-srx-1.oneplan.co.za;
        dead-peer-detection;
        nat-keepalive 10;
        external-interface ge-0/0/0.0;
    }
}
ipsec {
    proposal ONEPLAN {
        protocol esp;
        authentication-algorithm hmac-md5-96;
    }
    policy ONEPLAN {
        perfect-forward-secrecy {
            keys group5;
        }
        proposals ONEPLAN;
    }
    vpn ONEPLAN {
        ike {
            gateway ONEPLAN;
            proxy-identity {
                local 192.168.16.0/24;
                remote 192.168.1.0/24;
            }
            ipsec-policy ONEPLAN;
        }
        establish-tunnels on-traffic;
    }
}
-----------------------------------------------------------------
------------------Remote Site-----------------------------
ike {
    traceoptions {
        file ike-test;
        flag all;
    }
    proposal ipsec-ctn-jhb {
        description oneplan-jhb;
        authentication-method pre-shared-keys;
        dh-group group5;
        authentication-algorithm md5;
        encryption-algorithm des-cbc;
        lifetime-seconds 1800;
    }
    policy ipsec-ctn-jhb {
        mode aggressive;
        description ipsec-ctn-jhb;
        proposal ipsec-ctn-jhb;
        pre-shared-key ascii-text "$9$l0yMX-UDkTz6HqmTzFAtO1RSK8XxN"; ## SECRET-DATA
    }
    gateway ipsec-ctn-jhb {
        ike-policy ipsec-ctn-jhb;
        address zzz.zzz.zzz.zzz;
        dead-peer-detection;
        nat-keepalive 10;
        local-identity hostname openplan-srx-1.oneplan.co.za;
        external-interface pp0.1;
    }
}
ipsec {
    proposal ipsec-ctn-jhb {
        description ipsec-ctn-jhb;
        protocol esp;
        authentication-algorithm hmac-md5-96;
        lifetime-kilobytes 1500;
    }
    policy ipsec-ctn-jhb {
        perfect-forward-secrecy {
            keys group5;
        }
        proposals ipsec-ctn-jhb;
    }
    vpn ipsec-ctn-jhb {
        bind-interface st0.0;
        ike {
            gateway ipsec-ctn-jhb;
            proxy-identity {
                local 192.168.1.0/24;
                remote 192.168.16.0/24;
            }
            ipsec-policy ipsec-ctn-jhb;
        }
        establish-tunnels immediately;
    }
}
-----------------------------------------------------------------
The error in the Head Office logs:
----------------------------------------------------------------
Feb 18 12:05:44 Not doing MM check since initiator=FALSE and exch_type=4
Feb 18 12:05:44 Unable to find ike gateway as remote peer:196.215.zzz.zzz is not recognized.
Feb 18 12:05:44 KMD_PM_P1_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-1 [responder] failed for p1_local=ipv4(any:0,[0..3]=10.0.0.10) p1_remote=fqdn(udp:500,[0..27]=openplan-srx-1.oneplan.co.za)
Feb 18 12:05:44 KMD_PM_P1_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-1 [responder] failed for p1_local=ipv4(any:0,[0..3]=10.0.0.10) p1_remote=fqdn(udp:500,[0..27]=openplan-srx-1.oneplan.co.za)
Feb 18 12:05:44 ike_isakmp_sa_reply: Start
Feb 18 12:05:44 ike_st_i_nonce: Start, nonce[0..64] = 0ecbc9f8 fc1d422a ...
Feb 18 12:05:44 ike_st_i_cert: Start
Feb 18 12:05:44 ike_st_i_hash_key: Start, no key_hash
Feb 18 12:05:44 ike_st_i_ke: Ke[0..128] = 51ad806d 497efe51 ...
Feb 18 12:05:44 ike_st_i_cr: Start
Feb 18 12:05:44 ike_st_i_private: Start
Feb 18 12:05:44 ike_st_o_sa_values: Start
Feb 18 12:05:44 10.0.0.10:500 (Responder) <-> 196.215.zzz.zzz:500 { 4b6d2059 bf8ccb39 - 0bf91a18 ab9c5e4c [-1] / 0x00000000 } Aggr; Error = No proposal chosen (14)
------------------------------------------------------------
On 17 Feb 2011, at 4:41 PM, Kevin Vuong wrote:
> This should get you going in the right direction:
>
> http://forums.juniper.net/t5/SRX-Services-Gateway/Site-to-Site-Tunnel-Dynamic-Peer/td-p/33613
>
> -Kevin
>
>
>
> On Feb 17, 2011, at 8:28 AM, Mauritz Lewies wrote:
>
>> Hi
>>
>> For whatever reason I can't find documentation on this anywhere. (I'm just hoping my google-foo is lacking and that it's not an unsupported feature)
>>
>> I have 2 x SRX-210s, one with a static public IP and another behind a dynamic ADSL account.
>> I'm trying to get an IPSEC session established from the dynamic site to the static site.
>>
>> But I can't get a combination of config options to work.
>>
>> Does anyone know how to get this done or point me in the right direction?
>>
>> Kind Regards,
>>
>> Mauritz
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
Mauritz Lewies
email: mo at three6five.com
mobile: +27 83 647 4901
Skype Phone: +27 11 08 365 02
three6five network solutions
www.three6five.com
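A dynamic-to-static pair in the form this thread is after, written out here as an added example; it is not the configuration from the post and not Juniper's own documentation. Both ends are route-based (bound to st0.0, which the posted head-office side does not show), the static side identifies the dynamic peer by the FQDN the dynamic side sends as its local-identity, and the DES/MD5 proposals from the post are replaced with AES-256, SHA and DH group 14. Aggressive mode is kept because IKEv1 with a pre-shared key and an FQDN identity requires it. Assumptions: the hostname, prefixes and interface names are those from the thread, zzz.zzz.zzz.zzz stands for the head-office public address exactly as in the post, the pre-shared key is a placeholder, and group14 and sha-256 need a Junos release that supports them (substitute group5 and sha1 on older code).

```junos
## Head Office (static public IP on ge-0/0/0.0): responder side.
## Added example, not the post's configuration. The PSK is a placeholder;
## group14/sha-256 assume a Junos release that supports them (else group5/sha1).
security {
    ike {
        proposal ONEPLAN {
            authentication-method pre-shared-keys;
            dh-group group14;
            authentication-algorithm sha-256;
            encryption-algorithm aes-256-cbc;
        }
        policy ONEPLAN {
            mode aggressive;   ## IKEv1 PSK with an FQDN identity needs aggressive mode
            proposals ONEPLAN;
            pre-shared-key ascii-text "REPLACE-WITH-A-LONG-RANDOM-KEY"; ## SECRET-DATA
        }
        gateway ONEPLAN {
            ike-policy ONEPLAN;
            dynamic {
                hostname openplan-srx-1.oneplan.co.za;   ## must equal the peer's local-identity
            }
            dead-peer-detection;
            external-interface ge-0/0/0.0;
        }
    }
    ipsec {
        proposal ONEPLAN {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-256-cbc;
        }
        policy ONEPLAN {
            perfect-forward-secrecy { keys group14; }
            proposals ONEPLAN;
        }
        vpn ONEPLAN {
            bind-interface st0.0;            ## route-based on both ends
            ike {
                gateway ONEPLAN;
                ipsec-policy ONEPLAN;
            }
            establish-tunnels on-traffic;    ## the static side has no address to dial
        }
    }
}
interfaces { st0 { unit 0 { family inet; } } }
routing-options { static { route 192.168.1.0/24 next-hop st0.0; } }

## Remote Site (dynamic ADSL address on pp0.1): initiator side.
security {
    ike {
        proposal ipsec-ctn-jhb {
            authentication-method pre-shared-keys;
            dh-group group14;
            authentication-algorithm sha-256;
            encryption-algorithm aes-256-cbc;
        }
        policy ipsec-ctn-jhb {
            mode aggressive;
            proposals ipsec-ctn-jhb;
            pre-shared-key ascii-text "REPLACE-WITH-A-LONG-RANDOM-KEY"; ## SECRET-DATA, same key
        }
        gateway ipsec-ctn-jhb {
            ike-policy ipsec-ctn-jhb;
            address zzz.zzz.zzz.zzz;          ## head-office public address, as in the post
            dead-peer-detection;
            nat-keepalive 10;                 ## keeps any NAT binding on the path open
            local-identity hostname openplan-srx-1.oneplan.co.za;
            external-interface pp0.1;
        }
    }
    ipsec {
        proposal ipsec-ctn-jhb {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-256-cbc;
        }
        policy ipsec-ctn-jhb {
            perfect-forward-secrecy { keys group14; }
            proposals ipsec-ctn-jhb;
        }
        vpn ipsec-ctn-jhb {
            bind-interface st0.0;
            ike {
                gateway ipsec-ctn-jhb;
                ipsec-policy ipsec-ctn-jhb;
            }
            establish-tunnels immediately;   ## only the dynamic side can initiate
        }
    }
}
interfaces { st0 { unit 0 { family inet; } } }
routing-options { static { route 192.168.16.0/24 next-hop st0.0; } }
```

On both boxes st0.0 still has to be placed in a security zone with policies permitting the traffic between 192.168.1.0/24 and 192.168.16.0/24; that part is omitted above. Proxy-identity is left at its route-based default (0.0.0.0/0 on both sides) so the two SRXs agree without hand-matching it. The post's `lifetime-kilobytes 1500` is dropped as well: it forces a Phase 2 rekey every 1.5 MB. After commit, `show security ike security-associations` should list the peer's current ADSL address in state UP, and `show security ipsec security-associations` the resulting SA pair on st0.0; a peer that still shows `KMD_PM_P1_POLICY_LOOKUP_FAILURE` in the IKE trace with a `p1_remote=fqdn(...)` value means the FQDN the initiator sends does not match the `dynamic hostname` configured on the responder.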