
[SRX] Dynamic VPN fails between two sites already having a site to site main mode VPN after 11.4


Article ID: KB27276 | KB Last Updated: 07 Jan 2014 | Version: 1.0
Summary:
A site-to-site main mode VPN is configured between two devices. Clients trying to connect to one of the sites through dynamic VPN fail to establish the connection.
Symptoms:

Assume that the following firewalls are directly connected:

Dynamic VPN Clients--------100-2 (fe-0/0/7)-----[VPN]-------(fe-0/0/7) 100-5

The IP address on 100-2 fe-0/0/7 is 1.1.1.2/30 and the IP address on 100-5 fe-0/0/7 is 1.1.1.1/30.

There is already a site-to-site VPN configured between 100-2 and 100-5 (terminated on the fe-0/0/7 interface). In addition, dynamic VPN is also configured on 100-5, terminated on the same fe-0/0/7 interface.

In the above topology, dynamic VPN users trying to connect to 100-5 are not able to connect.

Cause:
If IKE traceoptions are enabled, the following error messages will appear:
Apr 13 23:59:09 iked_pm_id_validate id NOT matched.
Apr 13 23:59:09 iked_pm_ike_spd_select_ike_sa failed. rc 1, error_code: No proposal chosen
Apr 13 23:59:09 ikev2_fb_spd_select_sa_cb: IKEv2 SA select failed with error No proposal chosen (neg c21800)

On increasing the traceoptions level further, the following messages appear in the logs:

Apr 14 00:00:28 Search for a tunnel matching the IKE peers, local:1.1.1.1, remote:1.1.1.2 IKEv1
Apr 14 00:00:28 iked_pm_phase1_sa_cfg_lookup_by_addr: Found SA-CFG vpn1 by ip address for local:1.1.1.1, remote:1.1.1.2 IKEv1 remote_port:15072 ike_peer_src_port=500
Apr 14 00:00:28 ikev2_fb_idv2_to_idv1: Converting the IKEv2 payload ID ID(type = fqdn (2), len = 10, value = testdynvpn) to IKEv1 ID
Apr 14 00:00:28 ikev2_fb_idv2_to_idv1: IKEv2 payload ID converted to IKEv1 payload ID fqdn(any:0,[0..9]=testdynvpn)
Apr 14 00:00:28 iked_pm_id_validate called with id fqdn(any:0,[0..9]=testdynvpn)
Apr 14 00:00:28 iked_pm_id_validate Use default id [ipv4(any:0,[0..3]=1.1.1.2)]
Apr 14 00:00:28 iked_pm_id_validate id NOT matched.

The dynamic VPN IKE negotiation fails because the device matches the incoming dynamic VPN negotiation request to the already configured site-to-site main mode VPN gateway instead of the dynamic VPN gateway. The device first performs an address-based gateway lookup, and only if no match is found does it fall back to an ID-based lookup (that is, main mode lookup first, then aggressive mode). Because the dynamic VPN packets arrive from the same source IP (1.1.1.2) for which a site-to-site main mode VPN already exists, they match the main mode gateway. In main mode the device compares the identity sent (the FQDN "testdynvpn") against the expected IP address (1.1.1.2); the mismatch causes IKE negotiation to fail for dynamic VPN connections.

Solution:

The solution is to change the site-to-site main mode VPN to aggressive mode. With the site-to-site VPN in aggressive mode, the address-based lookup fails and the device moves on to the ID-based lookup, which finds the correct aggressive mode dynamic VPN gateway. The ID is then validated correctly and the VPN is established:

Oct 5 01:26:57 Address based phase 1 SA-CFG lookup failed for local:172.27.201.22, remote:172.27.201.23 IKEv1
>>>>>No main mode gateway found for dynamic VPN negotiation
Oct 5 01:26:57 iked_pm_phase1_sa_cfg_lookup_by_id called with id type 2 >>>>>It moves to aggressive based gateway lookup and finds the gateway
Oct 5 01:26:57 ikev2_fb_idv2_to_idv1: Converting the IKEv2 payload ID ID(type = fqdn (2), len = 10, value = testdynvpn) to IKEv1 ID
Oct 5 01:26:57 ikev2_fb_idv2_to_idv1: IKEv2 payload ID converted to IKEv1 payload ID fqdn(any:0,[0..9]=testdynvpn)
Oct 5 01:26:57 Gateway dyn-vpn-local-gw: number of connections=0, limit=2
Oct 5 01:26:57 id based lookup successful: Sa_cfg:INSTANCE-dyn-vpn_0002_0004_0000 Gateway:dyn-vpn-local-gw
Oct 5 01:26:57 ikev2_fb_idv2_to_idv1: Converting the IKEv2 payload ID ID(type = fqdn (2), len = 10, value = testdynvpn) to IKEv1 ID
Oct 5 01:26:57 ikev2_fb_idv2_to_idv1: IKEv2 payload ID converted to IKEv1 payload ID fqdn(any:0,[0..9]=testdynvpn)
Oct 5 01:26:57 iked_pm_id_validate called with id fqdn(any:0,[0..9]=testdynvpn) >>>>>>>>>>Now ID validation will not fail
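The lookup order described in the Cause section, and why switching the site-to-site gateway to aggressive mode fixes it, modeled as an added Python illustration (not Juniper code): the gateway names vpn1 and dyn-vpn-local-gw, the peer address 1.1.1.2 and the FQDN testdynvpn come from the traces above; the data structures and the site-to-site remote identity "site-100-2" are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Gateway:
    name: str
    mode: str                           # "main" or "aggressive"
    peer_address: Optional[str] = None  # static peer IP (site-to-site)
    remote_id: Optional[str] = None     # expected IKE ID, e.g. an FQDN

@dataclass
class IkeRequest:
    src_ip: str
    id_type: str                        # "fqdn" or "ipv4"
    id_value: str

def select_gateway(gws, req):
    """Address-based (main mode) lookup first, then ID-based (aggressive) lookup."""
    for gw in gws:
        if gw.mode == "main" and gw.peer_address == req.src_ip:
            return gw, "address"
    for gw in gws:
        if gw.mode == "aggressive" and req.id_type == "fqdn" and gw.remote_id == req.id_value:
            return gw, "id"
    return None, "none"

def validate_id(gw, req):
    """Main mode expects the peer IPv4 address as ID; aggressive mode expects the configured remote identity."""
    if gw.mode == "main":
        return (req.id_type, req.id_value) == ("ipv4", gw.peer_address)
    return (req.id_type, req.id_value) == ("fqdn", gw.remote_id)

def negotiate(gws, req):
    gw, how = select_gateway(gws, req)
    if gw is None:
        return "no gateway found"
    if not validate_id(gw, req):
        return f"{gw.name}: id NOT matched (lookup by {how})"
    return f"{gw.name}: id validated (lookup by {how})"

# Constructed dynamic VPN request from behind 100-2 (source 1.1.1.2) presenting FQDN "testdynvpn".
DYN_REQ = IkeRequest("1.1.1.2", "fqdn", "testdynvpn")
DYN_GW = Gateway("dyn-vpn-local-gw", "aggressive", remote_id="testdynvpn")

def failing_case():
    # Site-to-site gateway vpn1 in main mode: the address lookup wins and the ID check fails.
    return negotiate([Gateway("vpn1", "main", peer_address="1.1.1.2"), DYN_GW], DYN_REQ)

def fixed_case():
    # vpn1 in aggressive mode (hypothetical remote id): no main-mode address match, so the ID lookup reaches dyn-vpn-local-gw.
    return negotiate([Gateway("vpn1", "aggressive", remote_id="site-100-2"), DYN_GW], DYN_REQ)
```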
