I am having an issue getting a tunnel working from a production Juniper SRX to an RB450G, which is working perfectly in my lab setup.
Here are the configurations from both the production and lab devices.
I changed the IP addresses on the production box and the names, as expected.
Phase 1 comes up fine in production; phase 2 will not come up and I receive an error:
Total inactive tunnels with establish immediately: 1
ID Port Gateway Pending SAs Tunnel Down Reason
131075 500 10.20.229.173 1 Negotiation failed with error code TS_UNACCEPTABLE received from peer (31 times)
Any help is appreciated.
Production Peer:
set security ike proposal To-XXX1-PD authentication-method pre-shared-keys
set security ike proposal To-XXX1-PD dh-group group14
set security ike proposal To-XXX1-PD authentication-algorithm sha-256
set security ike proposal To-XXX1-PD encryption-algorithm aes-256-cbc
set security ike proposal To-XXX1-PD lifetime-seconds 28800
set security ike policy To-XXX1-PD-Policy reauth-frequency 0
set security ike policy To-XXX1-PD-Policy proposals To-XXX1-PD
set security ike policy To-XXX1-PD-Policy pre-shared-key ascii-text "$9$GhUkmpu1cyKn/tO1RlebwYg4ZQz69tuPfTz"
set security ike gateway To-XXX1-PD-GW ike-policy To-XXX1-PD-Policy
set security ike gateway To-XXX1-PD-GW address 10.20.229.173
set security ike gateway To-XXX1-PD-GW dead-peer-detection optimized
set security ike gateway To-XXX1-PD-GW dead-peer-detection interval 10
set security ike gateway To-XXX1-PD-GW dead-peer-detection threshold 5
set security ike gateway To-XXX1-PD-GW no-nat-traversal
set security ike gateway To-XXX1-PD-GW local-identity inet 17.26.252.173
set security ike gateway To-XXX1-PD-GW remote-identity inet 10.20.229.173
set security ike gateway To-XXX1-PD-GW external-interface ge-0/0/0
set security ike gateway To-XXX1-PD-GW local-address 17.26.252.173
set security ike gateway To-XXX1-PD-GW version v2-only
set security ike gateway To-XXX1-PD-GW fragmentation size 576
set security ipsec proposal To-XXX1-PD protocol esp
set security ipsec proposal To-XXX1-PD authentication-algorithm hmac-sha-256-128
set security ipsec proposal To-XXX1-PD encryption-algorithm aes-256-cbc
set security ipsec proposal To-XXX1-PD lifetime-seconds 3600
set security ipsec policy To-XXX1-PD-Policy perfect-forward-secrecy keys group14
set security ipsec policy To-XXX1-PD-Policy proposals To-XXX1-PD
set security ipsec vpn To-XXX1-PD-VPN bind-interface st0.12
set security ipsec vpn To-XXX1-PD-VPN df-bit clear
set security ipsec vpn To-XXX1-PD-VPN copy-outer-dscp
set security ipsec vpn To-XXX1-PD-VPN ike gateway To-XXX1-PD-GW
set security ipsec vpn To-XXX1-PD-VPN ike ipsec-policy To-XXX1-PD-Policy
set security ipsec vpn To-XXX1-PD-VPN establish-tunnels immediately
IKE Exchange:
1505081 UP 94117ddca5604e1e cc4c39667737897b IKEv2 10.20.229.173
IPSec Exchange:
Total inactive tunnels with establish immediately: 1
ID Port Gateway Pending SAs Tunnel Down Reason
131075 500 10.20.229.173 1 Negotiation failed with error code TS_UNACCEPTABLE received from peer (31 times)
ID: 131075 Virtual-system: root, VPN Name: To-XXX1-PD
Local Gateway: 17.26.252.173, Remote Gateway: 10.20.229.173
Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Version: IKEv2
DF-bit: clear, Copy-Outer-DSCP Enabled, Bind-interface: st0.12
Port: 500, Nego#: 11, Fail#: 0, Def-Del#: 0 Flag: 0x600a29
Multi-sa, Configured SAs# 1, Negotiated SAs#: 0
Tunnel events:
Wed Sep 25 2024 12:41:11 -0400: Negotiation failed with error code TS_UNACCEPTABLE received from peer (32 times)
Wed Sep 25 2024 12:16:11 -0400: IKE SA negotiation successfully completed (32 times)
Wed Sep 25 2024 12:09:14 -0400: Peer proposed phase2 proposal conflicts with local configuration. Negotiation failed (1 times)
Wed Sep 25 2024 12:09:11 -0400: Negotiation failed with error code TS_UNACCEPTABLE received from peer (1 times)
Wed Sep 25 2024 12:09:09 -0400: IPSec SAs cleared as corresponding IKE SA deleted (1 times)
Wed Sep 25 2024 12:09:09 -0400: IPSec SA negotiation successfully completed (1 times)
Wed Sep 25 2024 12:09:03 -0400: Peer proposed phase2 proposal conflicts with local configuration. Negotiation failed (3 times)
Wed Sep 25 2024 12:08:11 -0400: Negotiation failed with error code TS_UNACCEPTABLE received from peer (1 times)
Wed Sep 25 2024 12:08:04 -0400: IPSec SAs cleared as corresponding IKE SA deleted (1 times)
Wed Sep 25 2024 08:15:11 -0400: Negotiation failed with error code AUTHENTICATION_FAILED received from peer (2 times)
Wed Sep 25 2024 08:11:11 -0400: IKE SA negotiation successfully completed (1 times)
Wed Sep 25 2024 08:10:40 -0400: No response from peer. Negotiation failed (10 times)
Mikrotik:
/ip ipsec peer add address=17.26.252.173/32 exchange-mode=ike2 local-address=10.20.229.173 name=To-Monitoring
/ip ipsec profile set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=IPSec-Phase-2 nat-traversal=no
/ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=IKE_Proposal-Phase1 pfs-group=modp2048
/ip ipsec identity add peer=To-Monitoring remote-id=address:17.26.252.173
/ip ipsec policy add dst-address=100.0.181.200/32 peer=To-Monitoring proposal=IKE_Proposal-Phase1 src-address=100.10.88.0/23 tunnel=yes
/ip ipsec policy add dst-address=100.0.181.200/32 peer=To-Monitoring proposal=IKE_Proposal-Phase1 src-address=172.16.80.0/23 tunnel=yes
/ip ipsec policy add dst-address=100.0.181.200/32 peer=To-Monitoring proposal=IKE_Proposal-Phase1 src-address=172.16.100.0/23 tunnel=yes
Lab Configuration:
set security ike proposal To-XXX2-PD authentication-method pre-shared-keys
set security ike proposal To-XXX2-PD dh-group group14
set security ike proposal To-XXX2-PD authentication-algorithm sha-256
set security ike proposal To-XXX2-PD encryption-algorithm aes-256-cbc
set security ike proposal To-XXX2-PD lifetime-seconds 28800
set security ike policy To-XXX2-PD-Policy reauth-frequency 0
set security ike policy To-XXX2-PD-Policy proposals To-XXX2-PD
set security ike policy To-XXX2-PD-Policy pre-shared-key ascii-text "$9$.mzntpBESeO1"
set security ike gateway To-XXX2-PD-GW ike-policy To-XXX2-PD-Policy
set security ike gateway To-XXX2-PD-GW address 50.187.105.34
set security ike gateway To-XXX2-PD-GW dead-peer-detection optimized
set security ike gateway To-XXX2-PD-GW dead-peer-detection interval 10
set security ike gateway To-XXX2-PD-GW dead-peer-detection threshold 5
set security ike gateway To-XXX2-PD-GW no-nat-traversal
set security ike gateway To-XXX2-PD-GW local-identity inet 10.254.77.252
set security ike gateway To-XXX2-PD-GW remote-identity inet 50.187.105.34
set security ike gateway To-XXX2-PD-GW external-interface ge-0/0/0
set security ike gateway To-XXX2-PD-GW local-address 10.254.77.252
set security ike gateway To-XXX2-PD-GW version v2-only
set security ike gateway To-XXX2-PD-GW fragmentation size 576
set security ipsec proposal To-XXX2-PD protocol esp
set security ipsec proposal To-XXX2-PD authentication-algorithm hmac-sha-256-128
set security ipsec proposal To-XXX2-PD encryption-algorithm aes-256-cbc
set security ipsec proposal To-XXX2-PD lifetime-seconds 3600
set security ipsec policy To-XXX2-PD-Policy perfect-forward-secrecy keys group14
set security ipsec policy To-XXX2-PD-Policy proposals To-XXX2-PD
set security ipsec vpn To-XXX2-PD-VPN bind-interface st0.11
set security ipsec vpn To-XXX2-PD-VPN df-bit clear
set security ipsec vpn To-XXX2-PD-VPN copy-outer-dscp
set security ipsec vpn To-XXX2-PD-VPN ike gateway To-XXX2-PD-GW
set security ipsec vpn To-XXX2-PD-VPN ike ipsec-policy To-XXX2-PD-Policy
set security ipsec vpn To-XXX2-PD-VPN establish-tunnels immediately
IKE Exchange:
Index State Initiator cookie Responder cookie Mode Remote Address
807630 UP 2fac6602faf071de 54b484d8ed899074 IKEv2 50.187.105.34
IPSec Exchange:
Total active tunnels: 1 Total Ipsec sas: 1
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<131075 ESP:aes-cbc-256/sha256 d5be5f64 3017/ unlim - root 500 50.187.105.34
131075 ESP:aes-cbc-256/sha256 9ee0d61 3017/ unlim - root 500 50.187.105.34
Mikrotik RB450G Lab Config:
/ip ipsec peer add address=10.254.77.252/32 exchange-mode=ike2 local-address=50.187.105.34 name=To-Juniper-Remote
/ip ipsec profile set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=IPSec-Phase-2 nat-traversal=no
/ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=IKE-Proposal-Phase1 pfs-group=modp2048
/ip ipsec identity add peer=To-Juniper-Remote
/ip ipsec policy add dst-address=10.254.252.0/24 peer=To-Juniper-Remote proposal=IKE-Proposal-Phase1 src-address=192.168.88.0/24 tunnel=yes
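Added example, not part of the original post: a small Python check that parses the pasted Junos set-format and RouterOS lines and reports what a reviewer would compare first when an IKEv2 responder answers TS_UNACCEPTABLE: the phase-2 algorithm names on each side (Junos group14 is RouterOS modp2048, hmac-sha-256-128 is sha256) and the traffic selectors, where the SRX above has no traffic-selector configured and so offers 0.0.0.0/0 (as its "Local Identity" output shows) while the production MikroTik carries three policies. The sample inputs are constructed from the production configs; the Junos `traffic-selector ... local-ip/remote-ip` syntax is the standard route-based SRX form and is not on the page.

```python
import re

# Known-equivalent algorithm names, Junos on the left and RouterOS on the right.
EQUIV = {"group14": "modp2048", "group2": "modp1024", "hmac-sha-256-128": "sha256", "hmac-sha1-96": "sha1"}

def parse_junos(text):
    """Phase-2 settings from 'set security ipsec ...' lines; an empty ts dict means 0.0.0.0/0 is offered."""
    cfg = {"ts": {}}
    for line in text.splitlines():
        if m := re.match(r"set security ipsec proposal \S+ (\S+) (\S+)$", line):
            cfg[m[1]] = m[2]
        elif m := re.search(r"perfect-forward-secrecy keys (\S+)", line):
            cfg["pfs"] = m[1]
        elif m := re.search(r"traffic-selector (\S+) (local|remote)-ip (\S+)", line):
            cfg["ts"].setdefault(m[1], {})[m[2]] = m[3]  # set format: one line per local-ip / remote-ip
    return cfg

def parse_routeros(text):
    """Phase-2 settings from '/ip ipsec proposal' and '/ip ipsec policy' lines."""
    cfg = {"ts": []}
    for line in text.splitlines():
        kv = dict(re.findall(r"(\S+)=(\S+)", line))
        if line.startswith("/ip ipsec proposal"):
            cfg.update(enc=kv["enc-algorithms"], auth=kv["auth-algorithms"], pfs=kv["pfs-group"])
        elif line.startswith("/ip ipsec policy"):
            cfg["ts"].append((kv["src-address"], kv["dst-address"]))
    return cfg

def compare(junos, ros):
    """Findings worth checking before reading IKE debug output; an empty list means nothing stood out."""
    out = []
    for jkey, rkey in (("encryption-algorithm", "enc"), ("authentication-algorithm", "auth"), ("pfs", "pfs")):
        j, r = junos.get(jkey), ros.get(rkey)
        if EQUIV.get(j, j) != r:
            out.append(f"{jkey}: SRX {j} vs MikroTik {r}")
    if not junos["ts"]:
        out.append(f"SRX offers 0.0.0.0/0 (no traffic-selector); MikroTik has {len(ros['ts'])} policy selector(s): {ros['ts']}")
    elif sorted((t["local"], t["remote"]) for t in junos["ts"].values()) != sorted((d, s) for s, d in ros["ts"]):
        out.append("traffic selectors differ: SRX local/remote must mirror MikroTik dst/src")
    return out

# Constructed sample, abbreviated from the production configs in the post.
SRX_PROD = """set security ipsec proposal To-XXX1-PD authentication-algorithm hmac-sha-256-128
set security ipsec proposal To-XXX1-PD encryption-algorithm aes-256-cbc
set security ipsec policy To-XXX1-PD-Policy perfect-forward-secrecy keys group14"""
ROS_PROD = """/ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=IKE_Proposal-Phase1 pfs-group=modp2048
/ip ipsec policy add dst-address=100.0.181.200/32 peer=To-Monitoring proposal=IKE_Proposal-Phase1 src-address=100.10.88.0/23 tunnel=yes
/ip ipsec policy add dst-address=100.0.181.200/32 peer=To-Monitoring proposal=IKE_Proposal-Phase1 src-address=172.16.80.0/23 tunnel=yes"""
if __name__ == "__main__":
    print("\n".join(compare(parse_junos(SRX_PROD), parse_routeros(ROS_PROD))) or "no findings")
```

Run it against the full pasted configs on both sides; the algorithm comparison uses only the equivalences in EQUIV, so an unknown name is reported as a mismatch rather than silently accepted.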