FireBall asked:

Juniper SRX IPSec Tunnel is up but traffic not passing

We have completed the tunnel between Cisco and Juniper, but it does not send / receive any packets.

Some of our outputs are shown below:

root@srx3600.spd.net.tr> show route 192.168.90.90

inet.0: 28 destinations, 28 routes (28 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.90.0/24    *[Static/5] 00:32:09
                    > via st0.1

root@srx3600.spd.net.tr> show route 192.168.70.1

inet.0: 28 destinations, 28 routes (28 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.70.1/32    *[Local/0] 00:24:29
                      Local via xe-1/0/1.0

root@srx3600.spd.net.tr> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    down
gr-0/0/0                up    up
ip-0/0/0                up    up
lt-0/0/0                up    up
ge-0/0/1                up    up
ge-0/0/1.0              up    up   inet     192.168.1.95/24
                                   multiservice
ge-0/0/2                up    down
ge-0/0/3                up    down
ge-0/0/4                up    down
ge-0/0/5                up    down
ge-0/0/6                up    down
ge-0/0/7                up    down
ge-0/0/8                up    down
ge-0/0/9                up    down
ge-0/0/10               up    down
ge-0/0/11               up    down
xe-1/0/0                up    up
xe-1/0/0.0              up    up   inet     10.1.0.2/30
                                            37.123.100.122/29
                                   multiservice
xe-1/0/1                up    up
xe-1/0/1.0              up    up   inet     37.123.96.145/28
                                            37.123.98.225/27
                                            37.123.101.225/27
                                            178.20.229.33/27
                                            178.20.229.65/27
                                            178.20.229.225/27
                                            178.20.231.1/24
                                            185.9.157.1/27
                                            185.9.158.1/24
                                            192.168.70.1/24
                                   multiservice
xe-4/0/0                up    down
xe-4/0/1                up    down
mt-12/0/0               up    up
avs0                    up    up
avs1                    up    up
avs1.0                  up    up   inet     254.0.0.254         --> 0/0
                                   inet6    fe80::199
dsc                     up    up
em0                     up    up
em0.0                   up    up   inet     10.0.0.1/8
                                            10.0.0.4/8
                                            128.0.0.1/2
                                            128.0.0.4/2
                                   inet6    fe80::200:ff:fe00:4/64
                                            fec0::a:0:0:4/64
                                   tnp      0x4
em1                     up    down
em1.0                   up    down inet     10.0.0.1/8
                                            10.0.0.4/8
                                            128.0.0.1/2
                                            128.0.0.4/2
                                   inet6    fe80::200:1ff:fe00:4/64
                                            fec0::a:0:0:4/64
                                   tnp      0x4
fxp0                    up    down
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
st0.1                   up    up   inet
tap                     up    up

root@srx3600.spd.net.tr> show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
3229295851 UP  750201f2533b6d2b  362ccc922889e6d7  Main           95.0.214.195

root@srx3600.spd.net.tr> show security ipsec security-associations
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:3des/md5  60d9c766 1532/  4607949 -  root 500   95.0.214.195
  >131073 ESP:3des/md5  ff7cdff2 1532/  4607949 -  root 500   95.0.214.195

root@srx3600.spd.net.tr> monitor traffic interface st0.1 no-resolve
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is OFF.
Listening on st0.1, capture size 96 bytes
^C
0 packets received by filter
0 packets dropped by kernel

root@srx3600.spd.net.tr> ping 192.168.90.90 source 192.168.70.1
PING 192.168.90.90 (192.168.90.90): 56 data bytes
^C
--- 192.168.90.90 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss

root@srx3600.spd.net.tr> show security ipsec security-associations index 131073
  ID: 131073 Virtual-system: root, VPN Name: ipsec-vpn-cfgr
  Local Gateway: 37.123.96.145, Remote Gateway: 95.0.214.195
  Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Version: IKEv1
    DF-bit: copy
    Bind-interface: st0.1

  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 600a21
  Tunnel Down Reason: Config Change
    Location: FPC 12, PIC 0, KMD-Instance 1
    Direction: inbound, SPI: 60d9c766, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 1487 seconds
    Lifesize Remaining:  4607949 kilobytes
    Soft lifetime: Expires in 897 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-md5-96, Encryption: 3des-cbc
    Anti-replay service: disabled
    Location: FPC 12, PIC 0, KMD-Instance 1
    Direction: outbound, SPI: ff7cdff2, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 1487 seconds
    Lifesize Remaining:  4607949 kilobytes
    Soft lifetime: Expires in 897 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-md5-96, Encryption: 3des-cbc
    Anti-replay service: disabled


What could be the cause of this?

We generated the configuration from https://www.juniper.net/support/tools/vpnconfig/#advancedSettings

    ike {
        policy ike-policy-cfgr {
            mode main;
            proposal-set compatible;
            pre-shared-key ascii-text "$9$DlkfzFnC0OR6/vWLxsYGDik5F69p";
        }
        gateway ike-gate-cfgr {
            ike-policy ike-policy-cfgr;
            address 95.0.214.195;
            external-interface xe-1/0/1;
            version v1-only;
        }
    }
    ipsec {
        traceoptions {
            flag all;
        }
        proposal ipsec-proposal-cfgr {
            protocol esp;
        }
        policy ipsec-policy-cfgr {
            perfect-forward-secrecy {
                keys group2;
            }
            proposal-set compatible;
        }
        vpn ipsec-vpn-cfgr {
            bind-interface st0.1;
            df-bit copy;
            ike {
                gateway ike-gate-cfgr;
                no-anti-replay;
                ipsec-policy ipsec-policy-cfgr;
            }
            establish-tunnels immediately;
        }
    }




       security-zone UgurVPN {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            address-book {
                address net-cfgr_192-168-90-0--24 192.168.90.0/24;
            }
            interfaces {
                st0.1;
            }
        }
        security-zone spdotomasyon {
            address-book {
                address net-cfgr_192-168-70-0--24 192.168.70.0/24;
            }
        }


Tags: Internet Protocol Security, VPN, Cisco, Networking, Networking Hardware-Other
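The zone snippet in the question puts st0.1 in UgurVPN and defines address-book entries for both networks, but no security policy between spdotomasyon and UgurVPN appears in what was posted, st0.1 is unnumbered, the "Mon" column of the SA output shows VPN monitoring is off, and the negotiated proxy IDs are 0.0.0.0/0 on both sides. The following is an added example in Junos set format, not part of the original post and not output of Juniper's generator: it fills in the route-based pieces that the posted snippet does not show. The policy names to-ugur and from-ugur, the st0.1 address 10.255.255.1/30 and the monitored host 192.168.90.90 are my assumptions; zone, VPN and address-book names are the ones from the thread, and the zone holding xe-1/0/1.0 is assumed to already accept IKE (phase 1 is up).

```junos
## Added example (set format). Not from the thread; names marked "assumed" are mine.

## 1. Inter-zone policies. A route-based VPN still needs a policy for transit
##    traffic in each direction between the LAN zone and the zone holding st0.
##    source-address resolves in the from-zone address book, destination-address
##    in the to-zone address book, which matches where the thread defined them.
set security policies from-zone spdotomasyon to-zone UgurVPN policy to-ugur match source-address net-cfgr_192-168-70-0--24
set security policies from-zone spdotomasyon to-zone UgurVPN policy to-ugur match destination-address net-cfgr_192-168-90-0--24
set security policies from-zone spdotomasyon to-zone UgurVPN policy to-ugur match application any
set security policies from-zone spdotomasyon to-zone UgurVPN policy to-ugur then permit
set security policies from-zone spdotomasyon to-zone UgurVPN policy to-ugur then log session-close

set security policies from-zone UgurVPN to-zone spdotomasyon policy from-ugur match source-address net-cfgr_192-168-90-0--24
set security policies from-zone UgurVPN to-zone spdotomasyon policy from-ugur match destination-address net-cfgr_192-168-70-0--24
set security policies from-zone UgurVPN to-zone spdotomasyon policy from-ugur match application any
set security policies from-zone UgurVPN to-zone spdotomasyon policy from-ugur then permit
set security policies from-zone UgurVPN to-zone spdotomasyon policy from-ugur then log session-close

## 2. Proxy identity. The SA detail shows 0.0.0.0/0 <-> 0.0.0.0/0. A Cisco peer
##    built on a crypto-map ACL only accepts selectors equal to that ACL, so
##    pin them to the two LANs (skip this if the peer is a VTI that wants 0/0).
set security ipsec vpn ipsec-vpn-cfgr ike proxy-identity local 192.168.70.0/24
set security ipsec vpn ipsec-vpn-cfgr ike proxy-identity remote 192.168.90.0/24
set security ipsec vpn ipsec-vpn-cfgr ike proxy-identity service any

## 3. Give st0.1 an address (assumed) and turn on VPN monitoring, so a tunnel
##    whose far side never answers is reported down instead of silently "up".
set interfaces st0 unit 1 family inet address 10.255.255.1/30
set security ipsec vpn ipsec-vpn-cfgr vpn-monitor source-interface st0.1
set security ipsec vpn ipsec-vpn-cfgr vpn-monitor destination-ip 192.168.90.90

## 4. The posted zone opens every system service and protocol to the peer
##    network. Allow only what is needed on the tunnel zone (ping here).
delete security zones security-zone UgurVPN host-inbound-traffic
set security zones security-zone UgurVPN host-inbound-traffic system-services ping

## After commit, verify:
##   show security policies from-zone spdotomasyon to-zone UgurVPN
##   show security ipsec security-associations detail   (Local/Remote Identity are now the /24s)
##   show security flow session destination-prefix 192.168.90.0/24
```

One thing the posted outputs make visible: 192.168.70.1/24 is configured on xe-1/0/1.0, the same unit that carries the public IKE addresses. Transit traffic from that LAN enters the firewall in whatever zone xe-1/0/1.0 belongs to, so if that zone is not spdotomasyon the first policy above has to be written from the real ingress zone. Test with a host behind the SRX as well as with the box's own ping, since only transit traffic exercises the policies.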

Last comment: John, 8/22/2022 - Mon
John

I suggest checking a couple of things (I think they may be OK in the configuration):

Main mode: you have that set.
Phase 1:  3DES or what you use, DH Group 2, SHA-1 or what you use.
PFS: OFF
Phase 2: As above but do not set DH - just the other two and same as Phase 1.
Then in advanced settings: Try NAT Traversal ON.

Make sure the other end is set the same way.
FireBall

ASKER
Then in advanced settings: Try NAT Traversal ON. -> Nothing changed.

Phase 1: 3DES or what you use, DH Group 2, SHA-1 or what you use. -> 3DES / MD5, it is correct.

Main mode: you have that set. -> Correct.

PFS: OFF --> I don't know how to do it.
What is DH?
John

3DES, DH Group 2 and SHA-1 are all Phase 1 settings. Look in that part of your setup. (DH Group 2 is one setting: Diffie-Hellman Group 2.)
In Juniper, PFS (Perfect Forward Secrecy) is a check box. I leave it unchecked.
Phase 2 should be similar to Phase 1.

Check for one tunnel and look again at the logs when you make changes.
FireBall

ASKER
Everything seems correct, but as far as I can see I am not the only one:

http://www.blackhole-networks.com/SRXNAT/ipsec_natt.html

root@srx3600.spd.net.tr> show security ike security-associations detail
IKE peer 95.0.214.195, Index 3229295962, Gateway Name: ike-gate-cfgr
  Location: FPC 12, PIC 0, KMD-Instance 1
  Role: Responder, State: UP
  Initiator cookie: e20e6f153f888c65, Responder cookie: 68a9cb90fedb43f6
  Exchange type: Main, Authentication method: Pre-shared-keys
  Local: 37.123.96.145:500, Remote: 95.0.214.195:500
  Lifetime: Expires in 28684 seconds
  Peer ike-id: 95.0.214.195
  Xauth user-name: not available
  Xauth assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : hmac-sha1-96
   Encryption            : 3des-cbc
   Pseudo random function: hmac-sha1
   Diffie-Hellman group  : DH-group-2
  Traffic statistics:
   Input  bytes  :                 1156
   Output bytes  :                  752
   Input  packets:                    5
   Output packets:                    4
  IPSec security associations: 1 created, 0 deleted
  Phase 2 negotiations in progress: 0


root@srx3600.spd.net.tr> show security ipsec security-associations detail
  ID: 131073 Virtual-system: root, VPN Name: ipsec-vpn-cfgr
  Local Gateway: 37.123.96.145, Remote Gateway: 95.0.214.195
  Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Version: IKEv1
    DF-bit: copy
    Bind-interface: st0.1

  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 600a21
  Tunnel Down Reason: SA not initiated
    Location: FPC 12, PIC 0, KMD-Instance 1
    Direction: inbound, SPI: 60fda2ed, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 3479 seconds
    Lifesize Remaining:  4608000 kilobytes
    Soft lifetime: Expires in 2915 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-md5-96, Encryption: 3des-cbc
    Anti-replay service: disabled
    Location: FPC 12, PIC 0, KMD-Instance 1
    Direction: outbound, SPI: 50952f05, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 3479 seconds
    Lifesize Remaining:  4608000 kilobytes
    Soft lifetime: Expires in 2915 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-md5-96, Encryption: 3des-cbc
    Anti-replay service: disabled

root@srx3600.spd.net.tr> show security ipsec statistics
ESP Statistics:
  Encrypted bytes:           231168
  Decrypted bytes:                0
  Encrypted packets:           1703
  Decrypted packets:              0
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0


John

Thanks. Phase 1 succeeded and Phase 2 did not succeed.

The settings for Phase 2 are the same as Phase 1 (2 settings in Phase 2 with PFS OFF).

Then the settings must mirror at the other end.

You are using a Pre-Shared key - make sure it is correct. You are not using Xauth user name / password. I think this is correct.
FireBall

ASKER
Both are the same, but when I checked the logs there is a strange error:

"This is NOT anchoring instance": what should that be? :S

[Apr  8 15:05:10 KMD-RE][37.123.96.145 <-> 95.0.214.195]  iked_ipsec_is_ifl_installed: Bind interface st0.1, index<73>, IFL ext is up
[Apr  8 15:05:10 KMD-RE][37.123.96.145 <-> 95.0.214.195]    SA CFG Name: ipsec-vpn-cfgr
[Apr  8 15:05:10 KMD-RE][37.123.96.145 <-> 95.0.214.195]    Interface name: xe-1/0/1, Unit: 0, AF: 2, ksa_cfg_ifl_index: 72
[Apr  8 15:05:10 KMD-RE][37.123.96.145 <-> 95.0.214.195]    Local gateway: 37.123.96.145
[Apr  8 15:05:10 KMD-RE][37.123.96.145 <-> 95.0.214.195]    Remote gateway: 95.0.214.195
[Apr  8 15:05:10 KMD-RE][37.123.96.145 <-> 95.0.214.195]  Inside iked_get_primary_addr_by_intf_name... AF = 2
[Apr  8 15:05:10 KMD-RE][37.123.96.145 <-> 95.0.214.195]    iked_get_primary_addr_by_intf_name:2264 intf_name xe-1/0/1.0, af=inet, addr_len=4
[Apr  8 15:05:10 KMD-RE][37.123.96.145 <-> 95.0.214.195]    iked_get_primary_addr_by_intf_name:2268 ip address = 37.123.96.145 ifam_flags = 0xc0
[Apr  8 15:05:10 KMD-RE][37.123.96.145 <-> 95.0.214.195]  Got address 37.123.96.145 as prefered address for interface xe-1/0/1.0
[Apr  8 15:05:10 KMD-RE][37.123.96.145 <-> 95.0.214.195]  iked_ipsec_is_ifl_installed: Found ip address for external interface 37.123.96.145. Marking sa-cfg ipsec-vpn-cfgr as ifa up
[Apr  8 15:05:10 KMD-RE][37.123.96.145 <-> 95.0.214.195]  iked_check_if_sa_cfg_ready: SA-CFG is ready
[Apr  8 15:05:10 KMD-RE][37.123.96.145 <-> 95.0.214.195]  iked_sa_cfg_add_to_hash_table: Failed to add sa_cfg ipsec-vpn-cfgr to sadb hash tbl
[Apr  8 15:05:10 KMD-RE][37.123.96.145 <-> 95.0.214.195]  iked_is_anchoring_instance sa_dist_id=96, self_dist_id=199
[Apr  8 15:05:10 KMD-RE][37.123.96.145 <-> 95.0.214.195]  iked_is_anchoring_instance: This is NOT anchoring instance

[Apr  8 15:05:10 KMD-RE][37.123.96.145 <-> 95.0.214.195]  (iked_sa_cfg_deactivate_nhtb) SA-CFG ipsec-vpn-cfgr is not anchred here. Skipping deactivate NHTB request
[Apr  8 15:05:10 KMD-RE][37.123.96.145 <-> 95.0.214.195]  In iked_ipsec_sa_config_add: if:xe-1/0/1 flags = 0x600a21 UP

[Apr  8 15:05:10 KMD-RE][37.123.96.145 <-> 95.0.214.195]  iked_ipsec_sa_config_add: No need to install SA Config on RE
[Apr  8 15:05:10 KMD-RE][37.123.96.145 <-> 95.0.214.195]  Ignoring the ifa preferred address add/change message as previous local address is the same
[Apr  8 15:05:10 KMD-RE]KMD_INTERNAL_ERROR: iked_ifstate_eoc_handler: EOC msg received
[Apr  8 15:05:19 KMD-RE][37.123.96.145 <-> 95.0.214.195]  iked_re_ike_sa_db_entry_add: Recevied IKE-SA add request for index 3229295966
[Apr  8 15:05:19 KMD-RE][37.123.96.145 <-> 95.0.214.195]  iked_re_ipsec_sa_add sa_cfg->dist_id=96
[Apr  8 15:05:19 KMD-RE][37.123.96.145 <-> 95.0.214.195]  Creating a SA spi=0x601137d2, proto=ESP pair_index = 1
[Apr  8 15:05:19 KMD-RE][37.123.96.145 <-> 95.0.214.195]  Added (spi=0x601137d2, protocol=ESP dst=37.123.96.145) entry to the peer hash table
[Apr  8 15:05:19 KMD-RE][37.123.96.145 <-> 95.0.214.195]  iked_re_ipsec_sa_add sa_cfg->dist_id=96
[Apr  8 15:05:19 KMD-RE][37.123.96.145 <-> 95.0.214.195]  Creating a SA spi=0x9f810056, proto=ESP pair_index = 1
[Apr  8 15:05:19 KMD-RE][37.123.96.145 <-> 95.0.214.195]  Added (spi=0x9f810056, protocol=ESP dst=95.0.214.195) entry to the peer hash table
[Apr  8 15:05:19 KMD-RE][37.123.96.145 <-> 95.0.214.195]  iked_is_anchoring_instance sa_dist_id=96, self_dist_id=199
[Apr  8 15:05:19 KMD-RE][37.123.96.145 <-> 95.0.214.195]  iked_is_anchoring_instance: This is NOT anchoring instance

[Apr  8 15:05:19 KMD-RE][37.123.96.145 <-> 95.0.214.195]  SA-CFG ipsec-vpn-cfgr is not anchred here. Skipping activate NHTB request
[Apr  8 15:06:54 KMD-RE]KMD_INTERNAL_ERROR: kmd_show_sa_tunnel_info: 1299: sending show info for SA: ipsec-vpn-cfgr
[Apr  8 15:08:03 KMD-RE]KMD_INTERNAL_ERROR: kmd_show_sa_tunnel_info: 1299: sending show info for SA: ipsec-vpn-cfgr
[Apr  8 15:08:38 KMD-RE]KMD_INTERNAL_ERROR: kmd_show_sa_tunnel_info: 1299: sending show info for SA: ipsec-vpn-cfgr
[Apr  8 15:10:38 KMD-RE]KMD_INTERNAL_ERROR: kmd_show_sa_tunnel_info: 1299: sending show info for SA: ipsec-vpn-cfgr
[Apr  8 15:16:06 KMD-RE]KMD_INTERNAL_ERROR: kmd_show_sa_tunnel_info: 1299: sending show info for SA: ipsec-vpn-cfgr

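Two things in the last posts deserve a closer look than the phase 1 / phase 2 settings. First, the ESP counters shown earlier (Encrypted packets 1703, Decrypted packets 0) say that this SRX is sending ESP for the tunnel and has never received a single ESP packet back, so the negotiation is fine and the problem is on the return path: the peer's policy, its route back to 192.168.70.0/24, or something between. Second, the SRX3600 spreads tunnels across several SPUs and each tunnel is anchored on exactly one of them; the trace lines "This is NOT anchoring instance" (sa_dist_id=96 versus self_dist_id=199) are the other KMD instances saying the tunnel is not theirs, which is expected on this chassis and not the fault. The block below is an added example of the operational checks I would run next; it is not from the thread. Index 131073, the zones, prefixes and interface come from the posted outputs, the host 192.168.70.10 and the trace file name are assumed.

```junos
## Added example: localise a tunnel that is UP but carries traffic one way only.
## Operational mode unless noted; index/zone/prefix values are from the thread.

## 1. Per-tunnel counters (the global "show security ipsec statistics" sums all
##    tunnels). Clear, send pings from a LAN host, re-check: Encrypted rising
##    while Decrypted stays 0 means nothing is coming back from the peer.
clear security ipsec statistics index 131073
show security ipsec statistics index 131073

## 2. Does the SRX create a flow session toward the tunnel at all? A session
##    whose Out interface is st0.1 proves route + policy are fine on this box;
##    no session at all points at policy, route or the ingress zone.
show security flow session destination-prefix 192.168.90.0/24

## 3. Which zone holds the ingress interface, and which policy (if any) would a
##    LAN packet match? The from-zone must be the zone of the ingress interface,
##    which for 192.168.70.1/24 is the zone containing xe-1/0/1.0.
show security zones
show security match-policies from-zone spdotomasyon to-zone UgurVPN source-ip 192.168.70.10 destination-ip 192.168.90.90 source-port 1024 destination-port 7 protocol icmp

## 4. If 2 or 3 disagree with expectations, trace the exact flow (configuration
##    mode; keep the packet-filter narrow, flow tracing is expensive).
configure
set security flow traceoptions file flow-trace size 1m files 3
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter pf1 source-prefix 192.168.70.0/24 destination-prefix 192.168.90.90/32
commit and-quit
## ...generate traffic from the LAN host, then read the verdict for that flow:
show log flow-trace | match "denied|no route|policy|st0"
## ...and remove the trace when done:
configure
delete security flow traceoptions
commit and-quit
```

On the Cisco end the matching check is the "#pkts decaps" and "#pkts encaps" counters for this peer: decaps rising with encaps flat means the Cisco box is receiving and decrypting but never sends anything into the tunnel (policy, ACL or return route on that side); decaps flat means the ESP never arrives there or is discarded before decryption.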
FireBall

ASKER
Very strangely, when I changed the routing from st0.1 to an IP on it, everything changed, but it is still not resolved.



root@srx3600.spd.net.tr> show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
3229295975 UP  b6ea1fe1de2c475f  18a8bf9aeb23bd16  Main           95.0.214.195

root@srx3600.spd.net.tr> show security ike security-associations detail
IKE peer 95.0.214.195, Index 3229295975, Gateway Name: ike-gate-cfgr
  Location: FPC 12, PIC 0, KMD-Instance 1
  Role: Responder, State: UP
  Initiator cookie: b6ea1fe1de2c475f, Responder cookie: 18a8bf9aeb23bd16
  Exchange type: Main, Authentication method: Pre-shared-keys
  Local: 37.123.96.145:500, Remote: 95.0.214.195:500
  Lifetime: Expires in 28488 seconds
  Peer ike-id: 95.0.214.195
  Xauth user-name: not available
  Xauth assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : hmac-sha1-96
   Encryption            : 3des-cbc
   Pseudo random function: hmac-sha1
   Diffie-Hellman group  : DH-group-2
  Traffic statistics:
   Input  bytes  :                 1068
   Output bytes  :                  616
   Input  packets:                    5
   Output packets:                    4
  IPSec security associations: 1 created, 0 deleted
  Phase 2 negotiations in progress: 0


root@srx3600.spd.net.tr> show security ipsec security-associations
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:3des/sha1 6022e4a7 3273/  4608000 -  root 500   95.0.214.195
  >131073 ESP:3des/sha1 1f084d06 3273/  4608000 -  root 500   95.0.214.195

root@srx3600.spd.net.tr> show security ipsec security-associations detail
  ID: 131073 Virtual-system: root, VPN Name: ipsec-vpn-cfgr
  Local Gateway: 37.123.96.145, Remote Gateway: 95.0.214.195
  Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Version: IKEv1
    DF-bit: copy
    Bind-interface: st0.1

  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 600a21
  Tunnel Down Reason: SA config deactivated
    Location: FPC 12, PIC 0, KMD-Instance 1
    Direction: inbound, SPI: 6022e4a7, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 3271 seconds
    Lifesize Remaining:  4608000 kilobytes
    Soft lifetime: Expires in 2691 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Anti-replay service: disabled
    Location: FPC 12, PIC 0, KMD-Instance 1
    Direction: outbound, SPI: 1f084d06, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 3271 seconds
    Lifesize Remaining:  4608000 kilobytes
    Soft lifetime: Expires in 2691 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Anti-replay service: disabled


John

Let me look for a bit and come back in 3 or 4 hours.  Meantime perhaps another VPN expert will look in.
John

iked_ipsec_is_ifl_installed: Found ip address for external interface 37.123.96.145. Marking sa-cfg ipsec-vpn-cfgr as ifa up
iked_check_if_sa_cfg_ready: SA-CFG is ready
iked_sa_cfg_add_to_hash_table: Failed to add sa_cfg ipsec-vpn-cfgr to sadb hash tbl
iked_is_anchoring_instance sa_dist_id=96, self_dist_id=199
iked_is_anchoring_instance: This is NOT anchoring instance

Is your configuration trying to do Xauth?  

===================================

very strangely when i change routing from st0.1 to an ip on it everything has changed but not resolved yet

This looks more like the first set of logs with Phase 2 failing. Also, it says Xauth user name not available. Is Xauth set up?
FireBall

ASKER
Is your configuration trying to do Xauth?  
No.

   ike {
        proposal ugur {
            authentication-method pre-shared-keys;
            authentication-algorithm md5;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 86400;
        }
        policy ike-policy-cfgr {
            mode main;
            proposal-set compatible;
            pre-shared-key ascii-text "$9$DlkfzFnC0OR6/vWLxsYGDik5F69p";
        }
        gateway ike-gate-cfgr {
            ike-policy ike-policy-cfgr;
            address 95.0.214.195;
            #no-nat-traversal;
            external-interface xe-1/0/1;
            version v1-only;
        }
    }
    ipsec {
        traceoptions {
            flag all;
        }
        proposal ipsec-proposal-cfgr {
            protocol esp;
            authentication-algorithm hmac-md5-96;
            encryption-algorithm 3des-cbc;
        }
        policy ipsec-policy-cfgr {
            proposal-set compatible;
        }
        vpn ipsec-vpn-cfgr {
            bind-interface st0.1;
            df-bit copy;
            ike {
                gateway ike-gate-cfgr;
                no-anti-replay;
                ipsec-policy ipsec-policy-cfgr;
            }
            establish-tunnels immediately;
        }
    }

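The configuration above defines an IKE proposal named ugur (AES-256 with MD5) but the policy still says proposal-set compatible, so ugur is never referenced and has no effect; compatible is what produced the 3des-cbc / md5 / DH-group-2 combination visible in the SA outputs, and all three are deprecated. The VPN also sets no-anti-replay, which switches off ESP replay protection. As an added example, not from the thread and not what the generator emits, here is the same VPN with explicit, referenced proposals and replay protection left on. The algorithm choice is a recommendation, not what the Cisco peer currently runs; the peer's settings are not on this page and both ends must be changed together.

```junos
## Added example: explicit IKE/IPsec proposals instead of proposal-set compatible.
## Names ike-prop-aes256 / ipsec-prop-aes256 are mine; VPN, policy and gateway
## names are the thread's. The peer must be configured to match.

## Phase 1 (IKE): AES-256, SHA-256, DH group 14, pre-shared key.
set security ike proposal ike-prop-aes256 authentication-method pre-shared-keys
set security ike proposal ike-prop-aes256 dh-group group14
set security ike proposal ike-prop-aes256 authentication-algorithm sha-256
set security ike proposal ike-prop-aes256 encryption-algorithm aes-256-cbc
set security ike proposal ike-prop-aes256 lifetime-seconds 28800

## The policy must reference the proposal, otherwise it is dead configuration
## (the thread's "ugur" proposal was defined but never referenced).
delete security ike policy ike-policy-cfgr proposal-set
set security ike policy ike-policy-cfgr mode main
set security ike policy ike-policy-cfgr proposals ike-prop-aes256
set security ike policy ike-policy-cfgr pre-shared-key ascii-text "<same PSK as configured on the peer>"

## Phase 2 (IPsec): ESP with AES-256 / HMAC-SHA-256, PFS group 14.
set security ipsec proposal ipsec-prop-aes256 protocol esp
set security ipsec proposal ipsec-prop-aes256 authentication-algorithm hmac-sha-256-128
set security ipsec proposal ipsec-prop-aes256 encryption-algorithm aes-256-cbc
set security ipsec proposal ipsec-prop-aes256 lifetime-seconds 3600
delete security ipsec policy ipsec-policy-cfgr proposal-set
set security ipsec policy ipsec-policy-cfgr perfect-forward-secrecy keys group14
set security ipsec policy ipsec-policy-cfgr proposals ipsec-prop-aes256

## Keep ESP anti-replay on; disable it only for a peer that demonstrably
## cannot keep its sequence numbers in order.
delete security ipsec vpn ipsec-vpn-cfgr ike no-anti-replay

## After commit, "show security ike security-associations detail" should list
## aes256-cbc / hmac-sha256 / DH-group-14, and "show security ipsec
## security-associations" should show ESP:aes256/sha256 for the tunnel.
```

If the peer can only do the old set, keep the explicit form anyway and write 3des-cbc / sha1 into these proposals rather than going back to compatible; an explicit proposal tells you exactly what was offered when a phase 2 negotiation fails, and a later upgrade is one line per proposal.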

John

I am not sure. The basic setup for one tunnel is as follows:

Phase 1: 3 variables like 3DES, DH Group 2, SHA-1
PFS: OFF
Phase 2: 2 variables like 3DES,  SHA-1  (PFS OFF mandates 2 variables in Phase 2)
Pre-shared key.
Then under Advanced:
Main mode:  Aggressive mode unchecked.
Keep Alive
NAT Traversal: normally checked, but depends
Dead Peer Detect: 10 seconds.
All other advanced variables unchecked.

Make sure external IP is IP only, but internal IP is Subnet with a mask of 255.255.255.0

This is all for Cisco RV325 but the same variables are used in Juniper Netscreen. This is for working tunnels.
FireBall

ASKER
Make sure external IP is IP only, but internal IP is Subnet with a mask of 255.255.255.0
There are multiple subnets, but the selected IP is declared on the other side.

And all variables are the same.
John

Try a one to one tunnel to see if you can make this work. I use different tunnels for different arrangements.
FireBall

ASKER
Which one is better: policy-based IPsec or route-based?
John

I would have one end with one end point and the other end with a max of one subnet for multiple machines on the subnet. I would use (and do use) policy based IPsec.
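John's answer is policy-based, and the asker converts later in the thread. For comparison with the route-based form, the following is an added example (mine, not the thread's) of the policy-based version of this same VPN in Junos. In this form there is no st0 unit, no static route and no tunnel zone; the VPN is applied by the policy, and Junos derives the proxy IDs from the policy's addresses and application, which is exactly what a Cisco crypto-map peer expects. The zone name untrust for xe-1/0/1.0 is assumed because the thread never shows that zone; VPN, address-book and LAN zone names are the thread's.

```junos
## Added example: policy-based form of ipsec-vpn-cfgr. Zone "untrust" is assumed.

## Remove the route-based pieces: interface binding, tunnel zone membership,
## and the static route that pointed 192.168.90.0/24 at st0.1.
delete security ipsec vpn ipsec-vpn-cfgr bind-interface
delete security zones security-zone UgurVPN interfaces st0.1
delete routing-options static route 192.168.90.0/24

## The remote network is now reached through the untrust zone, so its
## address-book entry moves there.
set security zones security-zone untrust address-book address net-cfgr_192-168-90-0--24 192.168.90.0/24

## Outbound policy with the tunnel action, paired with the inbound policy.
## The pair is what lets the SRX derive one proxy-ID pair for both directions.
set security policies from-zone spdotomasyon to-zone untrust policy to-ugur-vpn match source-address net-cfgr_192-168-70-0--24
set security policies from-zone spdotomasyon to-zone untrust policy to-ugur-vpn match destination-address net-cfgr_192-168-90-0--24
set security policies from-zone spdotomasyon to-zone untrust policy to-ugur-vpn match application any
set security policies from-zone spdotomasyon to-zone untrust policy to-ugur-vpn then permit tunnel ipsec-vpn ipsec-vpn-cfgr
set security policies from-zone spdotomasyon to-zone untrust policy to-ugur-vpn then permit tunnel pair-policy from-ugur-vpn

set security policies from-zone untrust to-zone spdotomasyon policy from-ugur-vpn match source-address net-cfgr_192-168-90-0--24
set security policies from-zone untrust to-zone spdotomasyon policy from-ugur-vpn match destination-address net-cfgr_192-168-70-0--24
set security policies from-zone untrust to-zone spdotomasyon policy from-ugur-vpn match application any
set security policies from-zone untrust to-zone spdotomasyon policy from-ugur-vpn then permit tunnel ipsec-vpn ipsec-vpn-cfgr
set security policies from-zone untrust to-zone spdotomasyon policy from-ugur-vpn then permit tunnel pair-policy to-ugur-vpn

## Policies are evaluated top-down: if a broader permit to untrust already
## exists, the tunnel policy must sit above it, e.g.
##   insert security policies from-zone spdotomasyon to-zone untrust policy to-ugur-vpn before policy <existing-policy>
## Then "show security ipsec security-associations detail" should list
## Local Identity 192.168.70.0/24 and Remote Identity 192.168.90.0/24.
```

The trade-off: policy-based is the natural match for a crypto-map Cisco peer and needs no st0 plumbing, but every additional subnet pair is another policy pair and another phase 2 SA, and nothing can be routed, monitored or run dynamic routing over the tunnel. Route-based with explicit proxy-identity (as in the earlier example) gives the same selectors to the peer while keeping the tunnel an interface.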
FireBall

ASKER
Dear John, I have sent you the setup commands of our IPsec via message. I tried policy-based, but the result is the same. I hope you can help me :(
ASKER CERTIFIED SOLUTION
John

John

I read the messages and the detailed settings are beyond my level of expertise. What I cannot find is Phase 2 and Phase 2 is failing in your tests.
FireBall

ASKER
We have changed it to policy-based, but still the same result:

  Tunnel Down Reason: SA not initiated




That is the part for phase 2:
    ipsec {
        proposal ipsec-proposal-cfgr {
            protocol esp;
        }
        policy ipsec-policy-cfgr {
            proposal-set compatible;
        }
        vpn ipsec-vpn-cfgr {
            ike {
                gateway ike-gate-cfgr;
                no-anti-replay;
                ipsec-policy ipsec-policy-cfgr;
            }
            establish-tunnels immediately;
        }
    }

FireBall

ASKER
Thank you.
John

@Cahit Eyigunlu  - You are very welcome and I was happy to work with you.