root@srx3600.spd.net.tr> show route 192.168.90.90
inet.0: 28 destinations, 28 routes (28 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
192.168.90.0/24 *[Static/5] 00:32:09
> via st0.1
root@srx3600.spd.net.tr> show route 192.168.70.1
inet.0: 28 destinations, 28 routes (28 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
192.168.70.1/32 *[Local/0] 00:24:29
Local via xe-1/0/1.0
root@srx3600.spd.net.tr> show interfaces terse
Interface Admin Link Proto Local Remote
ge-0/0/0 up down
gr-0/0/0 up up
ip-0/0/0 up up
lt-0/0/0 up up
ge-0/0/1 up up
ge-0/0/1.0 up up inet 192.168.1.95/24
multiservice
ge-0/0/2 up down
ge-0/0/3 up down
ge-0/0/4 up down
ge-0/0/5 up down
ge-0/0/6 up down
ge-0/0/7 up down
ge-0/0/8 up down
ge-0/0/9 up down
ge-0/0/10 up down
ge-0/0/11 up down
xe-1/0/0 up up
xe-1/0/0.0 up up inet 10.1.0.2/30
37.123.100.122/29
multiservice
xe-1/0/1 up up
xe-1/0/1.0 up up inet 37.123.96.145/28
37.123.98.225/27
37.123.101.225/27
178.20.229.33/27
178.20.229.65/27
178.20.229.225/27
178.20.231.1/24
185.9.157.1/27
185.9.158.1/24
192.168.70.1/24
multiservice
xe-4/0/0 up down
xe-4/0/1 up down
mt-12/0/0 up up
avs0 up up
avs1 up up
avs1.0 up up inet 254.0.0.254 --> 0/0
inet6 fe80::199
dsc up up
em0 up up
em0.0 up up inet 10.0.0.1/8
10.0.0.4/8
128.0.0.1/2
128.0.0.4/2
inet6 fe80::200:ff:fe00:4/64
fec0::a:0:0:4/64
tnp 0x4
em1 up down
em1.0 up down inet 10.0.0.1/8
10.0.0.4/8
128.0.0.1/2
128.0.0.4/2
inet6 fe80::200:1ff:fe00:4/64
fec0::a:0:0:4/64
tnp 0x4
fxp0 up down
gre up up
ipip up up
irb up up
lo0 up up
lo0.16384 up up inet 127.0.0.1 --> 0/0
lo0.16385 up up inet
lsi up up
mtun up up
pimd up up
pime up up
ppd0 up up
ppe0 up up
st0 up up
st0.1 up up inet
tap up up
root@srx3600.spd.net.tr> show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
3229295851 UP 750201f2533b6d2b 362ccc922889e6d7 Main 95.0.214.195
root@srx3600.spd.net.tr> show security ipsec security-associations
Total active tunnels: 1
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<131073 ESP:3des/md5 60d9c766 1532/ 4607949 - root 500 95.0.214.195
>131073 ESP:3des/md5 ff7cdff2 1532/ 4607949 - root 500 95.0.214.195
root@srx3600.spd.net.tr> monitor traffic interface st0.1 no-resolve
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is OFF.
Listening on st0.1, capture size 96 bytes
^C
0 packets received by filter
0 packets dropped by kernel
root@srx3600.spd.net.tr> ping 192.168.90.90 source 192.168.70.1
PING 192.168.90.90 (192.168.90.90): 56 data bytes
^C
--- 192.168.90.90 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss
root@srx3600.spd.net.tr> show security ipsec security-associations index 131073
ID: 131073 Virtual-system: root, VPN Name: ipsec-vpn-cfgr
Local Gateway: 37.123.96.145, Remote Gateway: 95.0.214.195
Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Version: IKEv1
DF-bit: copy
Bind-interface: st0.1
Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 600a21
Tunnel Down Reason: Config Change
Location: FPC 12, PIC 0, KMD-Instance 1
Direction: inbound, SPI: 60d9c766, AUX-SPI: 0
, VPN Monitoring: -
Hard lifetime: Expires in 1487 seconds
Lifesize Remaining: 4607949 kilobytes
Soft lifetime: Expires in 897 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-md5-96, Encryption: 3des-cbc
Anti-replay service: disabled
Location: FPC 12, PIC 0, KMD-Instance 1
Direction: outbound, SPI: ff7cdff2, AUX-SPI: 0
, VPN Monitoring: -
Hard lifetime: Expires in 1487 seconds
Lifesize Remaining: 4607949 kilobytes
Soft lifetime: Expires in 897 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-md5-96, Encryption: 3des-cbc
Anti-replay service: disabled
ike {
policy ike-policy-cfgr {
mode main;
proposal-set compatible;
pre-shared-key ascii-text "$9$DlkfzFnC0OR6/vWLxsYGDik5F69p";
}
gateway ike-gate-cfgr {
ike-policy ike-policy-cfgr;
address 95.0.214.195;
external-interface xe-1/0/1;
version v1-only;
}
}
ipsec {
traceoptions {
flag all;
}
proposal ipsec-proposal-cfgr {
protocol esp;
}
policy ipsec-policy-cfgr {
perfect-forward-secrecy {
keys group2;
}
proposal-set compatible;
}
vpn ipsec-vpn-cfgr {
bind-interface st0.1;
df-bit copy;
ike {
gateway ike-gate-cfgr;
no-anti-replay;
ipsec-policy ipsec-policy-cfgr;
}
establish-tunnels immediately;
}
}
security-zone UgurVPN {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
address-book {
address net-cfgr_192-168-90-0--24 192.168.90.0/24;
}
interfaces {
st0.1;
}
}
security-zone spdotomasyon {
address-book {
address net-cfgr_192-168-70-0--24 192.168.70.0/24;
}
}
root@srx3600.spd.net.tr> show security ike security-associations detail
IKE peer 95.0.214.195, Index 3229295962, Gateway Name: ike-gate-cfgr
Location: FPC 12, PIC 0, KMD-Instance 1
Role: Responder, State: UP
Initiator cookie: e20e6f153f888c65, Responder cookie: 68a9cb90fedb43f6
Exchange type: Main, Authentication method: Pre-shared-keys
Local: 37.123.96.145:500, Remote: 95.0.214.195:500
Lifetime: Expires in 28684 seconds
Peer ike-id: 95.0.214.195
Xauth user-name: not available
Xauth assigned IP: 0.0.0.0
Algorithms:
Authentication : hmac-sha1-96
Encryption : 3des-cbc
Pseudo random function: hmac-sha1
Diffie-Hellman group : DH-group-2
Traffic statistics:
Input bytes : 1156
Output bytes : 752
Input packets: 5
Output packets: 4
IPSec security associations: 1 created, 0 deleted
Phase 2 negotiations in progress: 0
root@srx3600.spd.net.tr> show security ipsec security-associations detail
ID: 131073 Virtual-system: root, VPN Name: ipsec-vpn-cfgr
Local Gateway: 37.123.96.145, Remote Gateway: 95.0.214.195
Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Version: IKEv1
DF-bit: copy
Bind-interface: st0.1
Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 600a21
Tunnel Down Reason: SA not initiated
Location: FPC 12, PIC 0, KMD-Instance 1
Direction: inbound, SPI: 60fda2ed, AUX-SPI: 0
, VPN Monitoring: -
Hard lifetime: Expires in 3479 seconds
Lifesize Remaining: 4608000 kilobytes
Soft lifetime: Expires in 2915 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-md5-96, Encryption: 3des-cbc
Anti-replay service: disabled
Location: FPC 12, PIC 0, KMD-Instance 1
Direction: outbound, SPI: 50952f05, AUX-SPI: 0
, VPN Monitoring: -
Hard lifetime: Expires in 3479 seconds
Lifesize Remaining: 4608000 kilobytes
Soft lifetime: Expires in 2915 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-md5-96, Encryption: 3des-cbc
Anti-replay service: disabled
root@srx3600.spd.net.tr> show security ipsec statistics
ESP Statistics:
Encrypted bytes: 231168
Decrypted bytes: 0
Encrypted packets: 1703
Decrypted packets: 0
AH Statistics:
Input bytes: 0
Output bytes: 0
Input packets: 0
Output packets: 0
Errors:
AH authentication failures: 0, Replay errors: 0
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0
[Apr 8 15:05:10 KMD-RE][37.123.96.145 <-> 95.0.214.195] iked_ipsec_is_ifl_installed: Bind interface st0.1, index<73>, IFL ext is up
[Apr 8 15:05:10 KMD-RE][37.123.96.145 <-> 95.0.214.195] SA CFG Name: ipsec-vpn-cfgr
[Apr 8 15:05:10 KMD-RE][37.123.96.145 <-> 95.0.214.195] Interface name: xe-1/0/1, Unit: 0, AF: 2, ksa_cfg_ifl_index: 72
[Apr 8 15:05:10 KMD-RE][37.123.96.145 <-> 95.0.214.195] Local gateway: 37.123.96.145
[Apr 8 15:05:10 KMD-RE][37.123.96.145 <-> 95.0.214.195] Remote gateway: 95.0.214.195
[Apr 8 15:05:10 KMD-RE][37.123.96.145 <-> 95.0.214.195] Inside iked_get_primary_addr_by_intf_name... AF = 2
[Apr 8 15:05:10 KMD-RE][37.123.96.145 <-> 95.0.214.195] iked_get_primary_addr_by_intf_name:2264 intf_name xe-1/0/1.0, af=inet, addr_len=4
[Apr 8 15:05:10 KMD-RE][37.123.96.145 <-> 95.0.214.195] iked_get_primary_addr_by_intf_name:2268 ip address = 37.123.96.145 ifam_flags = 0xc0
[Apr 8 15:05:10 KMD-RE][37.123.96.145 <-> 95.0.214.195] Got address 37.123.96.145 as prefered address for interface xe-1/0/1.0
[Apr 8 15:05:10 KMD-RE][37.123.96.145 <-> 95.0.214.195] iked_ipsec_is_ifl_installed: Found ip address for external interface 37.123.96.145. Marking sa-cfg ipsec-vpn-cfgr as ifa up
[Apr 8 15:05:10 KMD-RE][37.123.96.145 <-> 95.0.214.195] iked_check_if_sa_cfg_ready: SA-CFG is ready
[Apr 8 15:05:10 KMD-RE][37.123.96.145 <-> 95.0.214.195] iked_sa_cfg_add_to_hash_table: Failed to add sa_cfg ipsec-vpn-cfgr to sadb hash tbl
[Apr 8 15:05:10 KMD-RE][37.123.96.145 <-> 95.0.214.195] iked_is_anchoring_instance sa_dist_id=96, self_dist_id=199
[Apr 8 15:05:10 KMD-RE][37.123.96.145 <-> 95.0.214.195] iked_is_anchoring_instance: This is NOT anchoring instance
[Apr 8 15:05:10 KMD-RE][37.123.96.145 <-> 95.0.214.195] (iked_sa_cfg_deactivate_nhtb) SA-CFG ipsec-vpn-cfgr is not anchred here. Skipping deactivate NHTB request
[Apr 8 15:05:10 KMD-RE][37.123.96.145 <-> 95.0.214.195] In iked_ipsec_sa_config_add: if:xe-1/0/1 flags = 0x600a21 UP
[Apr 8 15:05:10 KMD-RE][37.123.96.145 <-> 95.0.214.195] iked_ipsec_sa_config_add: No need to install SA Config on RE
[Apr 8 15:05:10 KMD-RE][37.123.96.145 <-> 95.0.214.195] Ignoring the ifa preferred address add/change message as previous local address is the same
[Apr 8 15:05:10 KMD-RE]KMD_INTERNAL_ERROR: iked_ifstate_eoc_handler: EOC msg received
[Apr 8 15:05:19 KMD-RE][37.123.96.145 <-> 95.0.214.195] iked_re_ike_sa_db_entry_add: Recevied IKE-SA add request for index 3229295966
[Apr 8 15:05:19 KMD-RE][37.123.96.145 <-> 95.0.214.195] iked_re_ipsec_sa_add sa_cfg->dist_id=96
[Apr 8 15:05:19 KMD-RE][37.123.96.145 <-> 95.0.214.195] Creating a SA spi=0x601137d2, proto=ESP pair_index = 1
[Apr 8 15:05:19 KMD-RE][37.123.96.145 <-> 95.0.214.195] Added (spi=0x601137d2, protocol=ESP dst=37.123.96.145) entry to the peer hash table
[Apr 8 15:05:19 KMD-RE][37.123.96.145 <-> 95.0.214.195] iked_re_ipsec_sa_add sa_cfg->dist_id=96
[Apr 8 15:05:19 KMD-RE][37.123.96.145 <-> 95.0.214.195] Creating a SA spi=0x9f810056, proto=ESP pair_index = 1
[Apr 8 15:05:19 KMD-RE][37.123.96.145 <-> 95.0.214.195] Added (spi=0x9f810056, protocol=ESP dst=95.0.214.195) entry to the peer hash table
[Apr 8 15:05:19 KMD-RE][37.123.96.145 <-> 95.0.214.195] iked_is_anchoring_instance sa_dist_id=96, self_dist_id=199
[Apr 8 15:05:19 KMD-RE][37.123.96.145 <-> 95.0.214.195] iked_is_anchoring_instance: This is NOT anchoring instance
[Apr 8 15:05:19 KMD-RE][37.123.96.145 <-> 95.0.214.195] SA-CFG ipsec-vpn-cfgr is not anchred here. Skipping activate NHTB request
[Apr 8 15:06:54 KMD-RE]KMD_INTERNAL_ERROR: kmd_show_sa_tunnel_info: 1299: sending show info for SA: ipsec-vpn-cfgr
[Apr 8 15:08:03 KMD-RE]KMD_INTERNAL_ERROR: kmd_show_sa_tunnel_info: 1299: sending show info for SA: ipsec-vpn-cfgr
[Apr 8 15:08:38 KMD-RE]KMD_INTERNAL_ERROR: kmd_show_sa_tunnel_info: 1299: sending show info for SA: ipsec-vpn-cfgr
[Apr 8 15:10:38 KMD-RE]KMD_INTERNAL_ERROR: kmd_show_sa_tunnel_info: 1299: sending show info for SA: ipsec-vpn-cfgr
[Apr 8 15:16:06 KMD-RE]KMD_INTERNAL_ERROR: kmd_show_sa_tunnel_info: 1299: sending show info for SA: ipsec-vpn-cfgr
root@srx3600.spd.net.tr> show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
3229295975 UP b6ea1fe1de2c475f 18a8bf9aeb23bd16 Main 95.0.214.195
root@srx3600.spd.net.tr> show security ike security-associations detail
IKE peer 95.0.214.195, Index 3229295975, Gateway Name: ike-gate-cfgr
Location: FPC 12, PIC 0, KMD-Instance 1
Role: Responder, State: UP
Initiator cookie: b6ea1fe1de2c475f, Responder cookie: 18a8bf9aeb23bd16
Exchange type: Main, Authentication method: Pre-shared-keys
Local: 37.123.96.145:500, Remote: 95.0.214.195:500
Lifetime: Expires in 28488 seconds
Peer ike-id: 95.0.214.195
Xauth user-name: not available
Xauth assigned IP: 0.0.0.0
Algorithms:
Authentication : hmac-sha1-96
Encryption : 3des-cbc
Pseudo random function: hmac-sha1
Diffie-Hellman group : DH-group-2
Traffic statistics:
Input bytes : 1068
Output bytes : 616
Input packets: 5
Output packets: 4
IPSec security associations: 1 created, 0 deleted
Phase 2 negotiations in progress: 0
root@srx3600.spd.net.tr> show security ipsec security-associations
Total active tunnels: 1
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<131073 ESP:3des/sha1 6022e4a7 3273/ 4608000 - root 500 95.0.214.195
>131073 ESP:3des/sha1 1f084d06 3273/ 4608000 - root 500 95.0.214.195
root@srx3600.spd.net.tr> show security ipsec security-associations detail
ID: 131073 Virtual-system: root, VPN Name: ipsec-vpn-cfgr
Local Gateway: 37.123.96.145, Remote Gateway: 95.0.214.195
Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Version: IKEv1
DF-bit: copy
Bind-interface: st0.1
Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 600a21
Tunnel Down Reason: SA config deactivated
Location: FPC 12, PIC 0, KMD-Instance 1
Direction: inbound, SPI: 6022e4a7, AUX-SPI: 0
, VPN Monitoring: -
Hard lifetime: Expires in 3271 seconds
Lifesize Remaining: 4608000 kilobytes
Soft lifetime: Expires in 2691 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
Anti-replay service: disabled
Location: FPC 12, PIC 0, KMD-Instance 1
Direction: outbound, SPI: 1f084d06, AUX-SPI: 0
, VPN Monitoring: -
Hard lifetime: Expires in 3271 seconds
Lifesize Remaining: 4608000 kilobytes
Soft lifetime: Expires in 2691 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
Anti-replay service: disabled
ike {
proposal ugur {
authentication-method pre-shared-keys;
authentication-algorithm md5;
encryption-algorithm aes-256-cbc;
lifetime-seconds 86400;
}
policy ike-policy-cfgr {
mode main;
proposal-set compatible;
pre-shared-key ascii-text "$9$DlkfzFnC0OR6/vWLxsYGDik5F69p";
}
gateway ike-gate-cfgr {
ike-policy ike-policy-cfgr;
address 95.0.214.195;
#no-nat-traversal;
external-interface xe-1/0/1;
version v1-only;
}
}
ipsec {
traceoptions {
flag all;
}
proposal ipsec-proposal-cfgr {
protocol esp;
authentication-algorithm hmac-md5-96;
encryption-algorithm 3des-cbc;
}
policy ipsec-policy-cfgr {
proposal-set compatible;
}
vpn ipsec-vpn-cfgr {
bind-interface st0.1;
df-bit copy;
ike {
gateway ike-gate-cfgr;
no-anti-replay;
ipsec-policy ipsec-policy-cfgr;
}
establish-tunnels immediately;
}
}
Tunnel Down Reason: SA not initiated
ipsec {
proposal ipsec-proposal-cfgr {
protocol esp;
}
policy ipsec-policy-cfgr {
proposal-set compatible;
}
vpn ipsec-vpn-cfgr {
ike {
gateway ike-gate-cfgr;
no-anti-replay;
ipsec-policy ipsec-policy-cfgr;
}
establish-tunnels immediately;
}
}
Main mode: you have that set.
Phase 1: 3DES or what you use, DH Group 2, SHA-1 or what you use.
PFS: OFF (the later ipsec-policy-cfgr shown above no longer carries a perfect-forward-secrecy stanza, so the peer must not require PFS either).
Phase 2: as above, but do not set a DH group - just the other two, the same as in Phase 1.
Then, in the advanced settings, try turning NAT Traversal ON.
Make sure the other end is set the same way.