Set security ike proposal csd_ilm lifetime-seconds 3600 Set security ike proposal csd_ilm encryption-algorithm aes-256-cbc Set security ike proposal csd_ilm authentication-algorithm sha-256 Set security ike proposal csd_ilm dh-group group14 Set security ike proposal csd_ilm authentication-method pre-shared-keys Set security ike traceoptions file aram_kmd_csd Set routing-instances VR-MAIN routing-options static route 10.80.4.0/24 next-hop st0.2 Set routing-instances VR-MAIN interface st0.2 Set routing-instances VR-MAIN interface lo0.0 security policies are also in place to allow traffic from vpn zone to internal (trust), but these are clearly not the reason of VPN Phase I issuesĭC SRX1500: set interfaces lo0 unit 0 family inet address 100.100.100.100/32 Set security ipsec vpn ilm_csd establish-tunnels immediately Set security ipsec vpn ilm_csd ike ipsec-policy ipsec_vpn_phaseII Set security ipsec vpn ilm_csd ike gateway ilm_csd Set security ipsec vpn ilm_csd bind-interface st0.2 ![]() Set security ipsec policy ipsec_vpn_phaseII proposals ph2 Set security ipsec policy ipsec_vpn_phaseII perfect-forward-secrecy keys group14 Set security ipsec proposal ph2 lifetime-seconds 13000 Set security ipsec proposal ph2 encryption-algorithm aes-256-cbc Set security ipsec proposal ph2 authentication-algorithm hmac-sha-256-128 Set security ipsec proposal ph2 protocol esp ![]() ![]() Set security ike gateway ilm_csd external-interface ge-0/0/0.0 Set security ike gateway ilm_csd local-identity inet 192.168.113.2 Set security ike gateway ilm_csd dead-peer-detection probe-idle-tunnel Set security ike gateway ilm_csd address 100.100.100.100 Set security ike gateway ilm_csd ike-policy ilm_csd Set security ike policy ilm_csd pre-shared-key ascii-text "xxx" Set security ike policy ilm_csd proposals ph2 Set security ike policy ilm_csd mode main Set security ike proposal ph2 lifetime-seconds 3600 Set security ike proposal ph2 encryption-algorithm aes-256-cbc Set security ike proposal ph2 authentication-algorithm sha-256 Set security ike proposal ph2 dh-group group14 Set security ike proposal ph2 authentication-method pre-shared-keys Set security ike traceoptions file aram_kmd_nnn Set routing-options static route 10.99.10.0/24 next-hop st0.2 Set security zones security-zone vpn interfaces st0.2 show security ike show security ipsec inactive-tunnelsġ31075 500 99.99.99.99 1 IKE exchange is in progress currentlyīranch SRX300: set interfaces st0 unit 2 family inet ID Port Gateway Pending SAs Tunnel Down Reasonġ31075 500 100.100.100.100 1 IKE exchange is in progress currently Total inactive tunnels with establish immediately: 1 ![]() after 1 show security ike security-associationsĥ567341 UP 18066bed112b67b2 6862cab14ab2f4df Main show security ipsec inactive-tunnels SRX300: show security ike security-associations On DC SRX1500: either no IKE output, either cookie "0000…". On branch SRX300 phase I appears UP, but the Index is incrementing each minute, so is not fully established IPSec tunnel down reason – "IKE exchange is in progress currently" (on DSL modem, ports 5 are forwarded to SRX300)
0 Comments
Leave a Reply. |