Juniper SRX IPSec Tunnel is up but traffic not passing

We have completed the tunnel between Cisco and Juniper, but it does not send / receive any packets.

Some of our outputs, as seen below:

root@srx3600.spd.net.tr> show route 192.168.90.90

inet.0: 28 destinations, 28 routes (28 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.90.0/24    *[Static/5] 00:32:09
                    > via st0.1

root@srx3600.spd.net.tr> show route 192.168.70.1

inet.0: 28 destinations, 28 routes (28 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.70.1/32    *[Local/0] 00:24:29
                      Local via xe-1/0/1.0

root@srx3600.spd.net.tr> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    down
gr-0/0/0                up    up
ip-0/0/0                up    up
lt-0/0/0                up    up
ge-0/0/1                up    up
ge-0/0/1.0              up    up   inet     192.168.1.95/24
                                   multiservice
ge-0/0/2                up    down
ge-0/0/3                up    down
ge-0/0/4                up    down
ge-0/0/5                up    down
ge-0/0/6                up    down
ge-0/0/7                up    down
ge-0/0/8                up    down
ge-0/0/9                up    down
ge-0/0/10               up    down
ge-0/0/11               up    down
xe-1/0/0                up    up
xe-1/0/0.0              up    up   inet     10.1.0.2/30
                                            37.123.100.122/29
                                   multiservice
xe-1/0/1                up    up
xe-1/0/1.0              up    up   inet     37.123.96.145/28
                                            37.123.98.225/27
                                            37.123.101.225/27
                                            178.20.229.33/27
                                            178.20.229.65/27
                                            178.20.229.225/27
                                            178.20.231.1/24
                                            185.9.157.1/27
                                            185.9.158.1/24
                                            192.168.70.1/24
                                   multiservice
xe-4/0/0                up    down
xe-4/0/1                up    down
mt-12/0/0               up    up
avs0                    up    up
avs1                    up    up
avs1.0                  up    up   inet     254.0.0.254         --> 0/0
                                   inet6    fe80::199
dsc                     up    up
em0                     up    up
em0.0                   up    up   inet     10.0.0.1/8
                                            10.0.0.4/8
                                            128.0.0.1/2
                                            128.0.0.4/2
                                   inet6    fe80::200:ff:fe00:4/64
                                            fec0::a:0:0:4/64
                                   tnp      0x4
em1                     up    down
em1.0                   up    down inet     10.0.0.1/8
                                            10.0.0.4/8
                                            128.0.0.1/2
                                            128.0.0.4/2
                                   inet6    fe80::200:1ff:fe00:4/64
                                            fec0::a:0:0:4/64
                                   tnp      0x4
fxp0                    up    down
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
st0.1                   up    up   inet
tap                     up    up

root@srx3600.spd.net.tr> show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
3229295851 UP  750201f2533b6d2b  362ccc922889e6d7  Main           95.0.214.195

root@srx3600.spd.net.tr> show security ipsec security-associations
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:3des/md5  60d9c766 1532/  4607949 -  root 500   95.0.214.195
  >131073 ESP:3des/md5  ff7cdff2 1532/  4607949 -  root 500   95.0.214.195

root@srx3600.spd.net.tr> monitor traffic interface st0.1 no-resolve
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is OFF.
Listening on st0.1, capture size 96 bytes
^C
0 packets received by filter
0 packets dropped by kernel

root@srx3600.spd.net.tr> ping 192.168.90.90 source 192.168.70.1
PING 192.168.90.90 (192.168.90.90): 56 data bytes
^C
--- 192.168.90.90 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss

root@srx3600.spd.net.tr> show security ipsec security-associations index 131073
  ID: 131073 Virtual-system: root, VPN Name: ipsec-vpn-cfgr
  Local Gateway: 37.123.96.145, Remote Gateway: 95.0.214.195
  Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Version: IKEv1
    DF-bit: copy
    Bind-interface: st0.1

  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 600a21
  Tunnel Down Reason: Config Change
    Location: FPC 12, PIC 0, KMD-Instance 1
    Direction: inbound, SPI: 60d9c766, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 1487 seconds
    Lifesize Remaining:  4607949 kilobytes
    Soft lifetime: Expires in 897 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-md5-96, Encryption: 3des-cbc
    Anti-replay service: disabled
    Location: FPC 12, PIC 0, KMD-Instance 1
    Direction: outbound, SPI: ff7cdff2, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 1487 seconds
    Lifesize Remaining:  4607949 kilobytes
    Soft lifetime: Expires in 897 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-md5-96, Encryption: 3des-cbc
    Anti-replay service: disabled




What could be the cause of this?




We have generated the code from https://www.juniper.net/support/tools/vpnconfig/#advancedSettings



    ike {
        policy ike-policy-cfgr {
            mode main;
            proposal-set compatible;
            pre-shared-key ascii-text "$9$DlkfzFnC0OR6/vWLxsYGDik5F69p";
        }
        gateway ike-gate-cfgr {
            ike-policy ike-policy-cfgr;
            address 95.0.214.195;
            external-interface xe-1/0/1;
            version v1-only;
        }
    }
    ipsec {
        traceoptions {
            flag all;
        }
        proposal ipsec-proposal-cfgr {
            protocol esp;
        }
        policy ipsec-policy-cfgr {
            perfect-forward-secrecy {
                keys group2;
            }
            proposal-set compatible;
        }
        vpn ipsec-vpn-cfgr {
            bind-interface st0.1;
            df-bit copy;
            ike {
                gateway ike-gate-cfgr;
                no-anti-replay;
                ipsec-policy ipsec-policy-cfgr;
            }
            establish-tunnels immediately;
        }
    }




       security-zone UgurVPN {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            address-book {
                address net-cfgr_192-168-90-0--24 192.168.90.0/24;
            }
            interfaces {
                st0.1;
            }
        }
        security-zone spdotomasyon {
            address-book {
                address net-cfgr_192-168-70-0--24 192.168.70.0/24;
            }
        }


FireBallITAsked:

JohnBusiness Consultant (Owner)Commented:
I suggest checking a couple of things (I think they may be ok in the configuration):

Main mode: you have that set.
Phase 1:  3DES or what you use, DH Group 2, SHA-1 or what you use.
PFS: OFF
Phase 2: As above but do not set DH - just the other two and same as Phase 1.
Then in advanced settings: Try NAT Traversal ON.

Make sure the other end is set the same way.
0
FireBallITAuthor Commented:
Then in advanced settings: Try NAT Traversal ON.   -> Nothing changed

Phase 1:  3DES or what you use, DH Group 2, SHA-1 or what you use.  -> 3DES / MD5, it is correct

Main mode: you have that set.  -> correct

PFS: OFF  --> I don't know how to do it
What is DH?
0
JohnBusiness Consultant (Owner)Commented:
3DES, DH Group 2 and SHA-1 are all Phase 1 settings. Look in that part of your setup.  (DH Group 2 is one setting - Diffie-Hellman Group 2).
In Juniper, PFS (Perfect Forward Secrecy) is a check box. I leave it unchecked.
Phase 2 should be similar to Phase 1.

Check for one tunnel and look again at the logs when you make changes.
0

FireBallITAuthor Commented:
Everything seems correct, but as far as I see I am not the one:

http://www.blackhole-networks.com/SRXNAT/ipsec_natt.html

root@srx3600.spd.net.tr> show security ike security-associations detail
IKE peer 95.0.214.195, Index 3229295962, Gateway Name: ike-gate-cfgr
  Location: FPC 12, PIC 0, KMD-Instance 1
  Role: Responder, State: UP
  Initiator cookie: e20e6f153f888c65, Responder cookie: 68a9cb90fedb43f6
  Exchange type: Main, Authentication method: Pre-shared-keys
  Local: 37.123.96.145:500, Remote: 95.0.214.195:500
  Lifetime: Expires in 28684 seconds
  Peer ike-id: 95.0.214.195
  Xauth user-name: not available
  Xauth assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : hmac-sha1-96
   Encryption            : 3des-cbc
   Pseudo random function: hmac-sha1
   Diffie-Hellman group  : DH-group-2
  Traffic statistics:
   Input  bytes  :                 1156
   Output bytes  :                  752
   Input  packets:                    5
   Output packets:                    4
  IPSec security associations: 1 created, 0 deleted
  Phase 2 negotiations in progress: 0


root@srx3600.spd.net.tr> show security ipsec security-associations detail
  ID: 131073 Virtual-system: root, VPN Name: ipsec-vpn-cfgr
  Local Gateway: 37.123.96.145, Remote Gateway: 95.0.214.195
  Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Version: IKEv1
    DF-bit: copy
    Bind-interface: st0.1

  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 600a21
  Tunnel Down Reason: SA not initiated
    Location: FPC 12, PIC 0, KMD-Instance 1
    Direction: inbound, SPI: 60fda2ed, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 3479 seconds
    Lifesize Remaining:  4608000 kilobytes
    Soft lifetime: Expires in 2915 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-md5-96, Encryption: 3des-cbc
    Anti-replay service: disabled
    Location: FPC 12, PIC 0, KMD-Instance 1
    Direction: outbound, SPI: 50952f05, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 3479 seconds
    Lifesize Remaining:  4608000 kilobytes
    Soft lifetime: Expires in 2915 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-md5-96, Encryption: 3des-cbc
    Anti-replay service: disabled

root@srx3600.spd.net.tr> show security ipsec statistics
ESP Statistics:
  Encrypted bytes:           231168
  Decrypted bytes:                0
  Encrypted packets:           1703
  Decrypted packets:              0
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0


0
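As an added diagnostic aid (my own script, not from this thread, Juniper or the VPN configurator), the following Python parses the three outputs FireBallIT posted (IKE SA table, IPsec statistics and the identity lines of the SA detail, copied here as constructed sample input) and classifies the symptom they show: Phase 1 is UP, ESP is encrypted and sent, nothing is ever decrypted and no ESP errors are counted, so no ESP for this SA reaches the IPsec engine from the far side. Function names and the finding codes are my own.

```python
import re

# Constructed sample inputs, copied from the outputs posted in this thread.
IKE_SA = """Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
3229295851 UP  750201f2533b6d2b  362ccc922889e6d7  Main           95.0.214.195
"""
IPSEC_STATS = """ESP Statistics:
  Encrypted bytes:           231168
  Decrypted bytes:                0
  Encrypted packets:           1703
  Decrypted packets:              0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0
"""
SA_DETAIL = """  Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
"""

ESP_ERROR_COUNTERS = ("ESP authentication failures", "ESP decryption failures",
                      "Bad headers", "Bad trailers", "Replay errors")


def parse_ike_state(text):
    """Map remote gateway -> State from 'show security ike security-associations'."""
    sas = {}
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split()
        if len(parts) >= 6 and parts[0].isdigit():
            sas[parts[-1]] = parts[1]
    return sas


def parse_counters(text):
    """Map every 'Name: value' pair of 'show security ipsec statistics' to an int."""
    return {k.strip(): int(v) for k, v in re.findall(r"([A-Za-z ]+?):\s+(\d+)", text)}


def parse_identities(text):
    """Return (local, remote) proxy IDs from the SA detail output."""
    found = dict(re.findall(r"(Local|Remote) Identity: ipv4_subnet\([^=]*=([\d./]+)\)", text))
    return found.get("Local"), found.get("Remote")


def diagnose(ike_text, stats_text, detail_text):
    """Classify the symptom; returns a list of (code, explanation) findings."""
    findings = []
    ike = parse_ike_state(ike_text)
    if not ike:
        return [("NO_PHASE1", "no IKE SA: Phase 1 never completed")]
    for peer, state in ike.items():
        if state != "UP":
            findings.append(("PHASE1_NOT_UP", f"IKE SA to {peer} is {state}"))
    c = parse_counters(stats_text)
    enc, dec = c.get("Encrypted packets", 0), c.get("Decrypted packets", 0)
    errs = sum(c.get(k, 0) for k in ESP_ERROR_COUNTERS)
    if enc > 0 and dec == 0 and errs == 0:
        findings.append(("ONE_WAY_OUTBOUND",
                         "this side encrypts and sends ESP but has decrypted nothing and "
                         "counted no ESP errors: no ESP for this SA reaches the IPsec engine, "
                         "so the peer is not sending into the tunnel or it is dropped on the way"))
    elif enc == 0 and dec == 0:
        findings.append(("NO_TRAFFIC", "nothing enters the tunnel on this side: check the "
                         "route to the st0 interface and the zone policy first"))
    elif errs > 0:
        findings.append(("ESP_ERRORS", f"{errs} ESP errors: check the auth/decrypt/replay counters"))
    local, remote = parse_identities(detail_text)
    if local == remote == "0.0.0.0/0":
        findings.append(("ANY_ANY_PROXY_ID",
                         "proxy IDs are any/any (route-based tunnel): what the far side sends "
                         "into the tunnel is decided by the peer's own selectors and routing"))
    return findings


if __name__ == "__main__":
    for code, why in diagnose(IKE_SA, IPSEC_STATS, SA_DETAIL):
        print(f"{code}: {why}")
```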
JohnBusiness Consultant (Owner)Commented:
Thanks. Phase 1 succeeded and Phase 2 did not succeed.

The settings for Phase 1 are the same as Phase 1 (2 settings in Phase 2 with PFS OFF).

Then the settings must mirror at the other end.

You are using a Pre-Shared key - make sure it is correct. You are not using Xauth user name / password. I think this is correct.
0
FireBallITAuthor Commented:
Both are the same, but when I checked the logs there is a strange error:

"This is NOT anchoring instance" - what should that be? :S



[Apr  8 15:05:10 KMD-RE][37.123.96.145 <-> 95.0.214.195]  iked_ipsec_is_ifl_installed: Bind interface st0.1, index<73>, IFL ext is up
[Apr  8 15:05:10 KMD-RE][37.123.96.145 <-> 95.0.214.195]    SA CFG Name: ipsec-vpn-cfgr
[Apr  8 15:05:10 KMD-RE][37.123.96.145 <-> 95.0.214.195]    Interface name: xe-1/0/1, Unit: 0, AF: 2, ksa_cfg_ifl_index: 72
[Apr  8 15:05:10 KMD-RE][37.123.96.145 <-> 95.0.214.195]    Local gateway: 37.123.96.145
[Apr  8 15:05:10 KMD-RE][37.123.96.145 <-> 95.0.214.195]    Remote gateway: 95.0.214.195
[Apr  8 15:05:10 KMD-RE][37.123.96.145 <-> 95.0.214.195]  Inside iked_get_primary_addr_by_intf_name... AF = 2
[Apr  8 15:05:10 KMD-RE][37.123.96.145 <-> 95.0.214.195]    iked_get_primary_addr_by_intf_name:2264 intf_name xe-1/0/1.0, af=inet, addr_len=4
[Apr  8 15:05:10 KMD-RE][37.123.96.145 <-> 95.0.214.195]    iked_get_primary_addr_by_intf_name:2268 ip address = 37.123.96.145 ifam_flags = 0xc0
[Apr  8 15:05:10 KMD-RE][37.123.96.145 <-> 95.0.214.195]  Got address 37.123.96.145 as prefered address for interface xe-1/0/1.0
[Apr  8 15:05:10 KMD-RE][37.123.96.145 <-> 95.0.214.195]  iked_ipsec_is_ifl_installed: Found ip address for external interface 37.123.96.145. Marking sa-cfg ipsec-vpn-cfgr as ifa up
[Apr  8 15:05:10 KMD-RE][37.123.96.145 <-> 95.0.214.195]  iked_check_if_sa_cfg_ready: SA-CFG is ready
[Apr  8 15:05:10 KMD-RE][37.123.96.145 <-> 95.0.214.195]  iked_sa_cfg_add_to_hash_table: Failed to add sa_cfg ipsec-vpn-cfgr to sadb hash tbl
[Apr  8 15:05:10 KMD-RE][37.123.96.145 <-> 95.0.214.195]  iked_is_anchoring_instance sa_dist_id=96, self_dist_id=199
[Apr  8 15:05:10 KMD-RE][37.123.96.145 <-> 95.0.214.195]  iked_is_anchoring_instance: This is NOT anchoring instance

[Apr  8 15:05:10 KMD-RE][37.123.96.145 <-> 95.0.214.195]  (iked_sa_cfg_deactivate_nhtb) SA-CFG ipsec-vpn-cfgr is not anchred here. Skipping deactivate NHTB request
[Apr  8 15:05:10 KMD-RE][37.123.96.145 <-> 95.0.214.195]  In iked_ipsec_sa_config_add: if:xe-1/0/1 flags = 0x600a21 UP

[Apr  8 15:05:10 KMD-RE][37.123.96.145 <-> 95.0.214.195]  iked_ipsec_sa_config_add: No need to install SA Config on RE
[Apr  8 15:05:10 KMD-RE][37.123.96.145 <-> 95.0.214.195]  Ignoring the ifa preferred address add/change message as previous local address is the same
[Apr  8 15:05:10 KMD-RE]KMD_INTERNAL_ERROR: iked_ifstate_eoc_handler: EOC msg received
[Apr  8 15:05:19 KMD-RE][37.123.96.145 <-> 95.0.214.195]  iked_re_ike_sa_db_entry_add: Recevied IKE-SA add request for index 3229295966
[Apr  8 15:05:19 KMD-RE][37.123.96.145 <-> 95.0.214.195]  iked_re_ipsec_sa_add sa_cfg->dist_id=96
[Apr  8 15:05:19 KMD-RE][37.123.96.145 <-> 95.0.214.195]  Creating a SA spi=0x601137d2, proto=ESP pair_index = 1
[Apr  8 15:05:19 KMD-RE][37.123.96.145 <-> 95.0.214.195]  Added (spi=0x601137d2, protocol=ESP dst=37.123.96.145) entry to the peer hash table
[Apr  8 15:05:19 KMD-RE][37.123.96.145 <-> 95.0.214.195]  iked_re_ipsec_sa_add sa_cfg->dist_id=96
[Apr  8 15:05:19 KMD-RE][37.123.96.145 <-> 95.0.214.195]  Creating a SA spi=0x9f810056, proto=ESP pair_index = 1
[Apr  8 15:05:19 KMD-RE][37.123.96.145 <-> 95.0.214.195]  Added (spi=0x9f810056, protocol=ESP dst=95.0.214.195) entry to the peer hash table
[Apr  8 15:05:19 KMD-RE][37.123.96.145 <-> 95.0.214.195]  iked_is_anchoring_instance sa_dist_id=96, self_dist_id=199
[Apr  8 15:05:19 KMD-RE][37.123.96.145 <-> 95.0.214.195]  iked_is_anchoring_instance: This is NOT anchoring instance

[Apr  8 15:05:19 KMD-RE][37.123.96.145 <-> 95.0.214.195]  SA-CFG ipsec-vpn-cfgr is not anchred here. Skipping activate NHTB request
[Apr  8 15:06:54 KMD-RE]KMD_INTERNAL_ERROR: kmd_show_sa_tunnel_info: 1299: sending show info for SA: ipsec-vpn-cfgr
[Apr  8 15:08:03 KMD-RE]KMD_INTERNAL_ERROR: kmd_show_sa_tunnel_info: 1299: sending show info for SA: ipsec-vpn-cfgr
[Apr  8 15:08:38 KMD-RE]KMD_INTERNAL_ERROR: kmd_show_sa_tunnel_info: 1299: sending show info for SA: ipsec-vpn-cfgr
[Apr  8 15:10:38 KMD-RE]KMD_INTERNAL_ERROR: kmd_show_sa_tunnel_info: 1299: sending show info for SA: ipsec-vpn-cfgr
[Apr  8 15:16:06 KMD-RE]KMD_INTERNAL_ERROR: kmd_show_sa_tunnel_info: 1299: sending show info for SA: ipsec-vpn-cfgr


0
FireBallITAuthor Commented:
Very strangely, when I change the routing from st0.1 to an IP on it, everything has changed but it is not resolved yet.



root@srx3600.spd.net.tr> show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
3229295975 UP  b6ea1fe1de2c475f  18a8bf9aeb23bd16  Main           95.0.214.195

root@srx3600.spd.net.tr> show security ike security-associations detail
IKE peer 95.0.214.195, Index 3229295975, Gateway Name: ike-gate-cfgr
  Location: FPC 12, PIC 0, KMD-Instance 1
  Role: Responder, State: UP
  Initiator cookie: b6ea1fe1de2c475f, Responder cookie: 18a8bf9aeb23bd16
  Exchange type: Main, Authentication method: Pre-shared-keys
  Local: 37.123.96.145:500, Remote: 95.0.214.195:500
  Lifetime: Expires in 28488 seconds
  Peer ike-id: 95.0.214.195
  Xauth user-name: not available
  Xauth assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : hmac-sha1-96
   Encryption            : 3des-cbc
   Pseudo random function: hmac-sha1
   Diffie-Hellman group  : DH-group-2
  Traffic statistics:
   Input  bytes  :                 1068
   Output bytes  :                  616
   Input  packets:                    5
   Output packets:                    4
  IPSec security associations: 1 created, 0 deleted
  Phase 2 negotiations in progress: 0


root@srx3600.spd.net.tr> show security ipsec security-associations
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:3des/sha1 6022e4a7 3273/  4608000 -  root 500   95.0.214.195
  >131073 ESP:3des/sha1 1f084d06 3273/  4608000 -  root 500   95.0.214.195

root@srx3600.spd.net.tr> show security ipsec security-associations detail
  ID: 131073 Virtual-system: root, VPN Name: ipsec-vpn-cfgr
  Local Gateway: 37.123.96.145, Remote Gateway: 95.0.214.195
  Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Version: IKEv1
    DF-bit: copy
    Bind-interface: st0.1

  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 600a21
  Tunnel Down Reason: SA config deactivated
    Location: FPC 12, PIC 0, KMD-Instance 1
    Direction: inbound, SPI: 6022e4a7, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 3271 seconds
    Lifesize Remaining:  4608000 kilobytes
    Soft lifetime: Expires in 2691 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Anti-replay service: disabled
    Location: FPC 12, PIC 0, KMD-Instance 1
    Direction: outbound, SPI: 1f084d06, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 3271 seconds
    Lifesize Remaining:  4608000 kilobytes
    Soft lifetime: Expires in 2691 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Anti-replay service: disabled


0
JohnBusiness Consultant (Owner)Commented:
Let me look for a bit and come back in 3 or 4 hours.  Meantime perhaps another VPN expert will look in.
0
JohnBusiness Consultant (Owner)Commented:
iked_ipsec_is_ifl_installed: Found ip address for external interface 37.123.96.145. Marking sa-cfg ipsec-vpn-cfgr as ifa up
iked_check_if_sa_cfg_ready: SA-CFG is ready
iked_sa_cfg_add_to_hash_table: Failed to add sa_cfg ipsec-vpn-cfgr to sadb hash tbl
iked_is_anchoring_instance sa_dist_id=96, self_dist_id=199
iked_is_anchoring_instance: This is NOT anchoring instance

Is your configuration trying to do Xauth?  

===================================

very strangely when i change routing from st0.1 to an ip on it everything has changed but not resolved yet

This looks more like the first set of logs with Phase 2 failing. Also, it says Xauth user name not available. Is Xauth set up?
0
FireBallITAuthor Commented:
Is your configuration trying to do Xauth?  
  no

   ike {
        proposal ugur {
            authentication-method pre-shared-keys;
            authentication-algorithm md5;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 86400;
        }
        policy ike-policy-cfgr {
            mode main;
            proposal-set compatible;
            pre-shared-key ascii-text "$9$DlkfzFnC0OR6/vWLxsYGDik5F69p";
        }
        gateway ike-gate-cfgr {
            ike-policy ike-policy-cfgr;
            address 95.0.214.195;
            #no-nat-traversal;
            external-interface xe-1/0/1;
            version v1-only;
        }
    }
    ipsec {
        traceoptions {
            flag all;
        }
        proposal ipsec-proposal-cfgr {
            protocol esp;
            authentication-algorithm hmac-md5-96;
            encryption-algorithm 3des-cbc;
        }
        policy ipsec-policy-cfgr {
            proposal-set compatible;
        }
        vpn ipsec-vpn-cfgr {
            bind-interface st0.1;
            df-bit copy;
            ike {
                gateway ike-gate-cfgr;
                no-anti-replay;
                ipsec-policy ipsec-policy-cfgr;
            }
            establish-tunnels immediately;
        }
    }


0
JohnBusiness Consultant (Owner)Commented:
I am not sure. The basic setup for one tunnel is as follows:

Phase 1: 3 variables like 3DES, DH Group 2, SHA-1
PFS: OFF
Phase 2: 2 variables like 3DES,  SHA-1  (PFS OFF mandates 2 variables in Phase 2)
Pre-shared key.
Then under Advanced:
Main mode:  Aggressive mode unchecked.
Keep Alive
NAT Traversal: normally checked, but depends
Dead Peer Detect: 10 seconds.
All other advanced variables unchecked.

Make sure external IP is IP only, but internal IP is Subnet with a mask of 255.255.255.0

This is all for Cisco RV325 but the same variables are used in Juniper Netscreen. This is for working tunnels.
0
FireBallITAuthor Commented:
Make sure external IP is IP only, but internal IP is Subnet with a mask of 255.255.255.0
There are multiple subnets, but the selected IP is declared on the other side.

And all variables are the same.
0
JohnBusiness Consultant (Owner)Commented:
Try a one to one tunnel to see if you can make this work. I use different tunnels for different arrangements.
0
FireBallITAuthor Commented:
Which one is better: policy-based IPsec or route-based?
0
JohnBusiness Consultant (Owner)Commented:
I would have one end with one end point and the other end with a max of one subnet for multiple machines on the subnet. I would use (and do use) policy based IPsec.
0
FireBallITAuthor Commented:
Dear John, I have sent you the setup commands of our IPsec via message. I tried policy-based but the result is the same. I hope you can help me :(
0
JohnBusiness Consultant (Owner)Commented:
I am running out of ideas. The approach I laid out above for one tunnel with a subnet on each end works like a charm for me.

I will keep watch on the question to see if others can help.
0

JohnBusiness Consultant (Owner)Commented:
I read the messages and the detailed settings are beyond my level of expertise. What I cannot find is Phase 2 and Phase 2 is failing in your tests.
0
FireBallITAuthor Commented:
We have changed it to policy-based but still the same result:

  Tunnel Down Reason: SA not initiated




That is the part for phase 2:
    ipsec {
        proposal ipsec-proposal-cfgr {
            protocol esp;
        }
        policy ipsec-policy-cfgr {
            proposal-set compatible;
        }
        vpn ipsec-vpn-cfgr {
            ike {
                gateway ike-gate-cfgr;
                no-anti-replay;
                ipsec-policy ipsec-policy-cfgr;
            }
            establish-tunnels immediately;
        }
    }


0
FireBallITAuthor Commented:
Thank you
0
JohnBusiness Consultant (Owner)Commented:
@Cahit Eyigunlu  - You are very welcome and I was happy to work with you.
0