
[ScreenOS] VPN configuration erased after reboot


Article ID: KB31524 | KB Last Updated: 28 Mar 2017 | Version: 1.0
Summary:
Sometimes a VPN configuration is deleted after a reboot or upgrade. This is caused by the crypto policy options set on the device. This article explains the issue and discusses possible solutions.
 
Symptoms:

Environment:

  • Performed firmware upgrade or reset of the device
  • Reconfiguring VPN

Symptom or Error:

  • After an upgrade or reset, the VPN configuration is erased
  • "Error in set ike gateway" is seen while reconfiguring the VPN
Cause:
This issue is caused by the crypto policy options set on the firewall. The default crypto policy permits everything:
 
get crypto-policy:
crypto policies: 
encryption alg supported: ALL
authentication alg supported: ALL
DH group supported: ALL
mode supported: ALL
authentication method supported: ALL
Solution:

The following scenarios illustrate the issue.

Scenario 1:

The VPN cannot be configured because the proposal used does not match the crypto policy options.
Example:
The crypto policy restricts the encryption algorithm to 3DES. Trying to configure a phase 1 VPN with any encryption algorithm other than 3DES fails with "Error in set ike gateway".
 
ISG2000-> get crypto-policy
Crypto policies: 
Encryption alg supported: 3des 
Authentication alg supported: ALL
DH group supported: ALL
Mode supported: ALL
Authentication method supported: ALL
No limitation for P1 lifetime
No limitation for P2 lifetime
No limitation for P2 lifesize
 
ISG2000-> set ike gateway test address 5.5.5.5 main outgoing-interface ethernet1/1 preshare test proposal pre-g2-aes128-md5
Error in set ike gateway.
Failed command - set ike gateway "vid" address 5.5.5.5 Main outgoing-interface "ethernet1/1" preshare "j4oKg/vBNn/G7rsaVdCSUsaLFgnvQASeXA==" proposal "pre-g2-aes128-md5"
 

Scenario 2:

An existing VPN configuration in the firewall uses a proposal with DH group 2. Later, the crypto policy is configured with the DH option set to group 14. After a reboot, the VPN configuration is erased.
Example:
nsisg2000-> get config | i vpn
set vpn "test" gateway "test" no-replay tunnel idletime 0 sec-level standard
nsisg2000-> get config | i ike
set ike gateway "test" address 2.2.2.2 Main outgoing-interface "ethernet4/2" preshare "KhWd+UTqNENBSpsaYeCnYqv7T3n5TwxX5A==" proposal "pre-g2-3des-sha"
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
 
nsisg2000-> get crypto-policy
crypto policies: 
encryption alg supported: ALL
authentication alg supported: ALL
DH group supported: group14 
mode supported: ALL
authentication method supported: ALL
no limitation for P1 lifetime
no limitation for P2 lifetime
no limitation for P2 lifesize
 
nsisg2000-> save
Save System Configuration...
Done
nsisg2000-> reset
System reset, are you sure? y/[n] y
In reset...


During the boot sequence, the device loads the system configuration. The proposal of the configured VPN (group 2) does not match the crypto policy options (group 14), so the VPN configuration is erased.

A crypto policy is a set of access lists that determines which proposals can be used when configuring VPN phase 1 and phase 2. The VPN configuration must therefore match the crypto policy on the device. By default, the crypto policy permits all proposal parameters; if it is modified, the VPN phase 1 and phase 2 configuration must match the modified policy, otherwise the VPN will be rejected at configuration time (Scenario 1) or silently dropped when the configuration is loaded at boot (Scenario 2).

If the VPN to be configured needs a parameter that the crypto policy does not permit, modify the crypto policy first. Only then configure the VPN.
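The mismatch in both scenarios can be caught before a `save` and `reset` by comparing each proposal against the `get crypto-policy` output. The following Python script is an added example written for this article, not Juniper's own tooling: it parses the crypto policy text shown above, splits a ScreenOS proposal name into its components, and lists the components the policy would reject. It assumes the policy lists the same tokens that appear in proposal names (e.g. `3des`, `group14`), and the sample policy text is constructed from Scenario 2.

```python
import re

# Constructed sample that mirrors the Scenario 2 `get crypto-policy` output.
SAMPLE_POLICY = """\
crypto policies:
encryption alg supported: ALL
authentication alg supported: ALL
DH group supported: group14
mode supported: ALL
authentication method supported: ALL
no limitation for P1 lifetime
"""

# Policy line -> proposal component. Assumption: the policy uses the same
# tokens that appear in ScreenOS proposal names (3des, group14, md5, ...).
FIELDS = {
    "encryption alg supported": "enc",
    "authentication alg supported": "hash",
    "dh group supported": "dh",
    "authentication method supported": "auth",
}

def parse_crypto_policy(text):
    """Return {component: set of permitted tokens, or None when ALL}."""
    policy = dict.fromkeys(FIELDS.values())
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        comp = FIELDS.get(key.strip().lower())
        if sep and comp:
            tokens = value.lower().split()
            policy[comp] = None if not tokens or tokens == ["all"] else set(tokens)
    return policy

def parse_proposal(name):
    """Split 'pre-g2-aes128-md5' (P1) or 'g2-esp-3des-sha' (P2) into components."""
    m = re.fullmatch(r"(?:(pre|rsa|dsa)-)?(?:g(\d+)|nopfs)(?:-esp)?-(\w+)-(md5|sha)", name.lower())
    if not m:
        raise ValueError(f"unrecognised proposal name: {name}")
    auth, group, enc, hsh = m.groups()
    return {"auth": auth, "dh": f"group{group}" if group else None, "enc": enc, "hash": hsh}

def proposal_conflicts(name, policy_text=SAMPLE_POLICY):
    """List the components of `name` that the crypto policy would reject."""
    policy = parse_crypto_policy(policy_text)
    wanted = parse_proposal(name)
    return sorted(comp for comp, token in wanted.items()
                  if token and policy[comp] is not None and token not in policy[comp])

if __name__ == "__main__":
    for prop in ("pre-g2-3des-sha", "pre-g14-aes128-sha"):
        bad = proposal_conflicts(prop)
        print(f"{prop}: {'OK' if not bad else 'rejected on ' + ', '.join(bad)}")
```

Run it against the real `get crypto-policy` output of the device before saving a VPN; any non-empty result means the proposal must be changed or the crypto policy widened first.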
 
Please refer to the link below for more details on configuring a crypto policy:

KB27101 - [ScreenOS] What is a Crypto-policy?
