Ipsec vpn between juniper srx240 and routeros

joeyqiao · August 31, 2017, 8:13am

[Codebox=html5 file=Untitled.html][Codebox=text file=Untitled.txt][/Codebox][/Codebox]
Dear,

I’m Joey from Shanghai.
I configured ipsec vpn between juniper srx240 and routeros (version 6.38.7). The ipsec is not working and the phase1 has a problem as below:
08:08:54 ipsec,info respond new phase 1 (Aggressive): 172.19.43.184[500]<=>101.81.28.200[500]
08:08:54 ipsec,info ISAKMP-SA established 172.19.43.184[4500]-101.81.28.200[4500] spi:a854054b5694cfd1:a3116bbc65f838e7
08:08:54 ipsec,info purging ISAKMP-SA 172.19.43.184[4500]<=>101.81.28.200[4500] spi=a854054b5694cfd1:a3116bbc65f838e7.
08:08:55 ipsec,info ISAKMP-SA deleted 172.19.43.184[4500]-101.81.28.200[4500] spi:a854054b5694cfd1:a3116bbc65f838e7 rekey:1
The log is in loop, ISAKMP-SA status:established → purging → deleted.
Anyone can help me?

emils · August 31, 2017, 8:28am

Please enable IPsec logging under System Logging menu. It will show more information about the issue.

/system logging add topics=ipsec,!debug

joeyqiao · August 31, 2017, 8:42am

I prepared a vsrx240 in my vmware workstation and a routerboard, then created ipsec vpn between them, that’s ok.
After that, I used routeros on Ali cloud and customer’s srx240 to create ipsec vpn, but it is fail. Debug information is too much, the below information is abnormal that I found.

08:32:44 ipsec 172.19.43.184 Hashing 172.19.43.184[4500] with algo #2
08:32:44 ipsec,debug hash(sha1)
08:32:44 ipsec NAT-D payload #0 doesn’t match
08:32:44 ipsec 101.81.28.200 Hashing 101.81.28.200[4500] with algo #2
08:32:44 ipsec,debug hash(sha1)
08:32:44 ipsec NAT-D payload #1 verified
08:32:44 ipsec NAT detected: ME

08:35:24 ipsec,debug 101.81.28.200 delete payload for protocol ISAKMP
08:35:24 ipsec,info purging ISAKMP-SA 172.19.43.184[4500]<=>101.81.28.200[4500] spi=6b3af9001e21c5ae:c349aff6d11f549c.
08:35:24 ipsec purged IPsec-SA spi=0x0
08:35:24 ipsec purged IPsec-SA spi=0xc548751e
08:35:24 ipsec,debug an undead schedule has been deleted.
08:35:24 ipsec removing generated policy
08:35:24 ipsec,debug seq a80a25cb of GETSPI message not interesting.
08:35:24 ipsec purged ISAKMP-SA 172.19.43.184[4500]<=>101.81.28.200[4500] spi=6b3af9001e21c5ae:c349aff6d11f549c.
08:35:24 ipsec,debug purged SAs.
08:35:25 ipsec,info ISAKMP-SA deleted 172.19.43.184[4500]-101.81.28.200[4500] spi:6b3af9001e21c5ae:c349aff6d11f549c rekey:1
08:35:25 ipsec,debug an undead schedule has been deleted.

emils · August 31, 2017, 8:50am

These messages are meaningless. Please generate supout.rif file and send it to support@mikrotik.com.