[j-nsp] SRX to vshield lan2lan

bizza bizzam at gmail.com
Tue Jun 25 12:54:11 EDT 2013


Hi all,
I tried to set up a VPN and now it works (almost) fine.
The tunnel goes up, traffic is allowed, but after 20-24 hours I was not able
to reach the remote LAN, show security ike security-association is empty, and
only rebooting the SRX makes the VPN start working again.
This is the config:

root# show security ike
proposal p1-1 {
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm sha1;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 28800;
}
policy ike_pol_A_to_B {
    mode main;
    proposals p1-1;
    pre-shared-key ascii-text "XXX"; ## SECRET-DATA
}
gateway gw_A_to_B {
    ike-policy ike_pol_A_to_B;
    address X.Y.W.Z;
    external-interface ge-0/0/0.0;
}


root# show security ipsec
proposal p2-1 {
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 3600;
}
policy ipsec_pol_A_to_B {
    perfect-forward-secrecy {
        keys group2;
    }
    proposals p2-1;
}
vpn A_to_B {
    bind-interface st0.0;
    ike {
        gateway gw_A_to_B;
        ipsec-policy ipsec_pol_A_to_B;
    }
    establish-tunnels immediately;
}

In /var/log/kmd I found:

[Jun 24 09:07:27]KMD_INTERNAL_ERROR: iked_ifstate_eoc_handler: EOC msg received
[Jun 25 09:54:45]KMD_INTERNAL_ERROR: iked_ifstate_eoc_handler: EOC msg received
[Jun 25 10:41:22]KMD_INTERNAL_ERROR: iked_ifstate_eoc_handler: EOC msg received


Any hint?

Regards


On Sat, Jun 22, 2013 at 5:16 AM, Farrukh Haroon <farrukhharoon at gmail.com> wrote:

> Hello Bizza
>
> Please try to match the configuration settings mentioned in the following
> KB article; it seems they are looking for 3DES/SHA1 by default, which is not
> mentioned in your list.  The lifetime (28800) seems to be the same as the SRX
> default value, so that should be fine.
>
>
> http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&externalId=2016891&sliceId=1&docTypeID=DT_KB_1_1&dialogID=951914608&stateId=1%200%20951934785
>
> Also, as other folks have mentioned, I would re-check the PSK on both
> sides, as that can usually be the cause of the error mentioned in your
> email.
>
> Regards
> Farrukh Haroon
> CCIE-SEC(#20184), JNCIE-SEC (#91)
>
>
> On Thu, Jun 20, 2013 at 7:33 PM, bizza <bizzam at gmail.com> wrote:
>
>> Hi all,
>> has anyone set up a LAN-to-LAN IPsec VPN between Juniper SRX and VMware
>> vShield?
>> I tried various configurations, but I still have some problems.
>>
>> [...]
>>
>> root at srx210h-fw1# show ike
>> proposal 1 {
>>     authentication-method pre-shared-keys;
>>     authentication-algorithm sha-256;
>>     encryption-algorithm aes-256-cbc;
>> }
>> proposal 2 {
>>     authentication-method pre-shared-keys;
>>     authentication-algorithm md5;
>>     encryption-algorithm 3des-cbc;
>> }
>> proposal  3 {
>>     authentication-method pre-shared-keys;
>>     authentication-algorithm md5;
>>     encryption-algorithm aes-256-cbc;
>> }
>> proposal 4 {
>>     authentication-method pre-shared-keys;
>>     authentication-algorithm sha-256;
>>     encryption-algorithm 3des-cbc;
>> }
>> proposal 5 {
>>     authentication-method pre-shared-keys;
>>     authentication-algorithm sha1;
>>     encryption-algorithm aes-256-cbc;
>> }
>> policy ike_pol_lan_to_remote {
>>     mode main;
>>     proposals [ 1 2 3 4 5 ];
>>     pre-shared-key ascii-text "xxx"; ## SECRET-DATA
>> }
>> gateway gw_lan_to_remote {
>>     ike-policy ike_pol_lan_to_remote;
>>     address x.y.w.z;
>>     local-identity inet my.ip.add.res;
>>     external-interface reth2.0;
>> }
>>
>> [...]
>>
>> root at srx210h-fw1# show ipsec
>> policy ipsec_pol_lan_to_remote {
>>     proposal-set compatible;
>> }
>> vpn lan_to_remote {
>>     bind-interface st0.0;
>>     ike {
>>         gateway gw_lan_to_remote;
>>         ipsec-policy ipsec_pol_lan_to_remote;
>>     }
>>     establish-tunnels immediately;
>> }
>>
>>
>> In /var/log/kmd I found
>>
>> Jun 20 18:25:50   IKEv1 Error : Payload malformed
>> Jun 20 18:26:50   IKEv1 Error : Payload malformed
>> Jun 20 18:27:50   IKEv1 Error : Payload malformed
>> Jun 20 18:28:50   IKEv1 Error : Payload malformed
>> Jun 20 18:29:50   IKEv1 Error : Payload malformed
>> Jun 20 18:30:50   IKEv1 Error : Payload malformed
>> Jun 20 18:31:50   IKEv1 Error : Payload malformed
>>
>>
>>
>> Any help?
>>
>> Regards
>> bizza
>>
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>
>
>


-- 
bizza
http://www.rm-rf.eu/
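Added example, not code from this thread or from Juniper or VMware: a small parser for the Junos "show security ike" brace format quoted above, used to check which IKE proposals match the 3DES/SHA1 set Farrukh says vShield expects. The two sample configs are constructed from the thread (the original list abbreviated to two proposals, plus the revised p1-1).

```python
# Peer (vShield) IKE defaults named in the thread: 3DES with SHA1.
PEER_IKE = {"encryption-algorithm": "3des-cbc", "authentication-algorithm": "sha1"}

# Constructed samples in the thread's 'show security ike' format: two of the
# original proposals (neither is 3DES+SHA1) and the revised proposal p1-1.
CFG_ORIGINAL = """
proposal 2 {
    authentication-method pre-shared-keys;
    authentication-algorithm md5;
    encryption-algorithm 3des-cbc;
}
proposal 5 {
    authentication-method pre-shared-keys;
    authentication-algorithm sha1;
    encryption-algorithm aes-256-cbc;
}
"""
CFG_REVISED = """
proposal p1-1 {
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm sha1;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 28800;
}
"""

def parse_junos(text):
    # Junos brace syntax -> nested dicts; '## SECRET-DATA' annotations dropped.
    stack = [{}]
    for raw in text.splitlines():
        line = raw.split("##")[0].strip()
        if line.endswith("{"):                 # open a block, e.g. 'proposal 2 {'
            node = {}
            stack[-1][line[:-1].strip()] = node
            stack.append(node)
        elif line == "}":
            stack.pop()
        elif line.endswith(";"):               # leaf: 'key value;'
            key, _, val = line[:-1].partition(" ")
            stack[-1][key] = val.strip()
    return stack[0]

def matching_proposals(text, peer=PEER_IKE):
    # Names of IKE proposals whose algorithms all match the peer's expected set.
    cfg = parse_junos(text)
    return sorted(name.split(None, 1)[1] for name, body in cfg.items()
                  if name.startswith("proposal ")
                  and all(body.get(k) == v for k, v in peer.items()))
```

Running matching_proposals over the original five-proposal list returns nothing, which is the mismatch Farrukh points out; over the revised config it returns p1-1.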

