JohnAgora
New Member
January 19, 2016
Solved

VPN with Juniper

  • January 19, 2016
  • 1 reply
  • 26055 views

Hello,


We are trying to establish a VPN between a Fortigate 900D and a Juniper. It must be a dial-up VPN since the Juniper has PPPoE (not a static IP) and the version of JUNOS the device has doesn't support dynamic DNS.


The Juniper has the following configuration:

security {
    ike {
        proposal ike-phase1-proposal {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 28800;
        }
        policy ike-phase1-policy {
            mode aggressive;
            proposals ike-phase1-proposal;
            pre-shared-key ascii-text "12345678";
        }
        gateway gw-test {
            ike-policy ike-phase1-policy;
            address 189.1.1.1;
            local-identity hostname TEST;
            external-interface fe-0/0/0.0;
        }
    }
    ipsec {
        proposal ipsec-phase2-proposal {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 3600;
        }
        policy ipsec-phase2-policy {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals ipsec-phase2-proposal;
        }
        vpn ike-vpn-test {
            bind-interface st0.0;
            ike {
                gateway gw-test;
                proxy-identity {
                    local 10.10.10.0/0;
                    remote 0.0.0.0/0;
                    service any;
                }
                ipsec-policy ipsec-phase2-policy;
            }
            establish-tunnels immediately;
        }
    }
}


On the Fortigate I can run a good diagnose. The VPN gets established (phase 1 and phase 2 OK), but immediately it receives a packet to take down the connection.

Here are some logs:

ike 0:test_0:285: recv ISAKMP SA delete eab487019033cffc/3a86ccc15b3ea1a5
ike 0:test_0: deleting
ike 0:test_0: flushing
ike 0:test_0:test: sending SNMP tunnel DOWN trap
ike 0:test_0:241: del route 0.0.0.0/0.0.0.0 oif test_0(305) metric 15 priority 0
ike 0:test_0: flushed
ike 0:test_0: delete dynamic
ike 0:test_0: reset NAT-T
ike 0:test_0: deleted


Any ideas?

Any commands so I can do a debug on the Juniper?


Thanks

Best answer by JohnAgora

I found out the problem. It was completely on the Juniper.

Here are the logs:

Jan 19 13:37:24 ikev2_fb_idv2_to_idv1: Converting the IKEv2 payload ID ID(type = keyid (11), len = 4, value = 74657374) to IKEv1 ID
Jan 19 13:37:24 ikev2_fb_idv2_to_idv1: IKEv2 payload ID converted to IKEv1 payload ID key_id(any:0,[0..3]=74 65 73 74 )
Jan 19 13:37:24 iked_pm_id_validate called with id key_id(any:0,[0..3]=74 65 73 74 )
Jan 19 13:37:24 iked_pm_id_validate Use default id [ipv4(any:0,[0..3]=189.1.1.1)]
Jan 19 13:37:24 iked_pm_id_validate id NOT matched.
Jan 19 13:37:24 iked_pm_ike_sa_done ID validation fails


Basically the key was "test", but it didn't validate it (I don't know if it was Fortinet sending it wrong or the Juniper reading it wrong).

I put the following option on Juniper's VPN:

set gateway gw-test general-ikeid

and it was solved. :D


Thanks a lot for your help!


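The trace lines in the accepted answer record exactly why the SRX tore the tunnel down: the peer identified itself with a KEY_ID payload whose bytes 74 65 73 74 are ASCII "test", while the SRX, having a static gateway address configured, fell back to expecting an IPv4 ID of 189.1.1.1, so ID validation failed and the SA was deleted (which is the "recv ISAKMP SA delete" the Fortigate logged). The following Python script is an added example, not code from the thread or from either vendor; it takes both log excerpts from the thread (line breaks restored, embedded as constructed sample input), decodes the KEY_ID bytes, extracts the expected ID, and correlates the two sides into one verdict. The regular expressions are written against these specific trace line shapes and are an assumption about the format rather than a documented log schema.

```python
import re

# Constructed sample: the Juniper SRX IKE trace lines quoted in the thread.
JUNIPER_LOG = """\
Jan 19 13:37:24 ikev2_fb_idv2_to_idv1: Converting the IKEv2 payload ID ID(type = keyid (11), len = 4, value = 74657374) to IKEv1 ID
Jan 19 13:37:24 ikev2_fb_idv2_to_idv1: IKEv2 payload ID converted to IKEv1 payload ID key_id(any:0,[0..3]=74 65 73 74 )
Jan 19 13:37:24 iked_pm_id_validate called with id key_id(any:0,[0..3]=74 65 73 74 )
Jan 19 13:37:24 iked_pm_id_validate Use default id [ipv4(any:0,[0..3]=189.1.1.1)]
Jan 19 13:37:24 iked_pm_id_validate id NOT matched.
Jan 19 13:37:24 iked_pm_ike_sa_done ID validation fails
"""

# Constructed sample: the Fortigate "diag debug app ike" lines quoted in the thread.
FORTIGATE_LOG = """\
ike 0:test_0:285: recv ISAKMP SA delete eab487019033cffc/3a86ccc15b3ea1a5
ike 0:test_0: deleting
ike 0:test_0: flushing
ike 0:test_0:test: sending SNMP tunnel DOWN trap
ike 0:test_0:241: del route 0.0.0.0/0.0.0.0 oif test_0(305) metric 15 priority 0
ike 0:test_0: flushed
ike 0:test_0: delete dynamic
ike 0:test_0: reset NAT-T
ike 0:test_0: deleted
"""

# Assumed line shapes, derived from the samples above (not a documented schema).
KEY_ID_RE = re.compile(r"called with id key_id\(any:0,\[\d+\.\.\d+\]=([0-9a-fA-F ]+)\)")
DEFAULT_ID_RE = re.compile(r"Use default id \[(\w+)\(any:0,\[\d+\.\.\d+\]=([^)]+)\)\]")
FGT_DELETE_RE = re.compile(r"^ike \d+:(\S+?):\d+: recv ISAKMP SA delete ([0-9a-f]{16})/([0-9a-f]{16})")


def decode_key_id(hex_bytes: str) -> str:
    """Turn the space-separated hex the SRX logs ('74 65 73 74') into text ('test')."""
    raw = bytes.fromhex(hex_bytes.replace(" ", ""))
    # Non-printable bytes are kept visible as \xNN escapes instead of raising.
    return raw.decode("ascii", errors="backslashreplace")


def analyze_juniper(log: str) -> dict:
    """Extract the peer ID the SRX received, the ID it expected, and whether validation failed."""
    result = {"received_id": None, "expected_id": None, "id_validation_failed": False}
    for line in log.splitlines():
        m = KEY_ID_RE.search(line)
        if m:
            result["received_id"] = ("key_id", decode_key_id(m.group(1)))
        m = DEFAULT_ID_RE.search(line)
        if m:
            result["expected_id"] = (m.group(1), m.group(2).strip())
        if "id NOT matched" in line or "ID validation fails" in line:
            result["id_validation_failed"] = True
    return result


def analyze_fortigate(log: str) -> dict:
    """Find the ISAKMP SA delete the Fortigate received and which gateway it belonged to."""
    result = {"gateway": None, "cookies": None, "tunnel_down": False}
    for line in log.splitlines():
        m = FGT_DELETE_RE.match(line)
        if m:
            result["gateway"] = m.group(1)
            result["cookies"] = (m.group(2), m.group(3))  # initiator/responder SPI cookies
        if "sending SNMP tunnel DOWN trap" in line:
            result["tunnel_down"] = True
    return result


def diagnose(juniper: dict, fortigate: dict) -> str:
    """Correlate both sides into a one-line verdict."""
    if juniper["id_validation_failed"] and juniper["received_id"] and juniper["expected_id"]:
        rtype, rval = juniper["received_id"]
        etype, eval_ = juniper["expected_id"]
        gw = fortigate["gateway"] or "unknown"
        return (f"IKE ID mismatch: peer sent {rtype} '{rval}' but the SRX expected {etype} {eval_}; "
                f"the SRX deleted the SA and Fortigate gateway '{gw}' went down. "
                f"Make both sides agree on the peer ID, or relax ID checking on the SRX (general-ikeid).")
    if fortigate["tunnel_down"]:
        return (f"Fortigate gateway '{fortigate['gateway']}' received an ISAKMP SA delete "
                f"{fortigate['cookies']}; check the peer's IKE trace for the reason.")
    return "No ID validation failure or SA delete found."


if __name__ == "__main__":
    print(diagnose(analyze_juniper(JUNIPER_LOG), analyze_fortigate(FORTIGATE_LOG)))
```

The thread's fix, general-ikeid, tells the SRX to accept whatever IKE ID the peer presents, which is the quickest way to get a dial-up peer up but also the loosest: every peer with the pre-shared key is then accepted regardless of identity. A tighter alternative (not mentioned in the thread) is to pin the expected peer identity on the SRX gateway with the remote-identity statement, which Junos provides for exactly this case, so that the ID check still passes only for the intended peer.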
1 reply

emnoc
New Member
January 19, 2016

Are you 100% sure the Juniper has phase 1 and phase 2 established? If they are and the tunnels are being torn down, then I would review and post the Fortigate side configuration, including the lifetime settings (bytes or time).


I would also execute show security ike security-associations and show security ipsec security-associations on the Juniper side of things. These should match the Fortigate's diag vpn ike gateway and diag vpn tunnel list.


http://socpuppet.blogspot.com/2013/10/site-2-site-routed-vpn-trouble-shooting.html


JohnAgora (Author)
New Member
January 19, 2016

I'm not 100% sure about the Juniper since I don't know how to debug it there.

But on the Fortigate I see both phases established.


Let me run those commands and see what happens.

And yes, in both devices the configuration is the same.


Any more ideas?


Thanks

emnoc
New Member
January 19, 2016

Yes, provide the Fortigate config, and to debug on the JunOS SRX it's very simple using traceoptions for ike and ipsec.


set security ike traceoptions
set file ike
set flag all
set security ipsec traceoptions
set file ipsec
set flag all
commit
run show log ike
run show log ipsec