This article discusses the scenario in which a VPN comes up even when there is a proxy-id mismatch (one of the proxy-ids is a subset of the other). This is expected behavior.
Two SRX devices are directly connected. Configuration on the devices is as follows:
Device-1:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
root@240-POE-1# show security ipsec policy ipsecp { proposal-set standard; } vpn vpn1 { bind-interface st0.0; ike { gateway ikeg; proxy-identity { local 192.168.1.0/24; remote 192.168.2.0/24; } ipsec-policy ipsecp; } establish-tunnels immediately; } |
Device-2:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 |
root@240-POE-2# show security ipsec policy p1 { proposal-set standard; } policy ipsecp { proposal-set standard; } vpn vpn1 { bind-interface st0.0; ike { gateway ikeg; ipsec-policy ipsecp; } traffic-selector ts1 { ##Same behavior will be seen if similar proxy-identity is configured local-ip 192.168.2.0/24; remote-ip 192.168.1.1/32; } establish-tunnels immediately; } VPN is up as seen below: root@240-POE-1# run show security ike security-associations Index State Initiator cookie Responder cookie Mode Remote Address 927644 UP f974975e922c6138 9bf0b489e8caaf25 Main 172.27.201.22 [edit] root@240-POE-1# run show security ipsec security-associations Total active tunnels: 1 ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway <131073 ESP:3des/sha1 7f8c5491 3385/ unlim - root 500 172.27.201.22 >131073 ESP:3des/sha1 22a3b405 3385/ unlim - root 500 172.27.201.22 |
If ipsec-key-management is restarted on Device-1, the VPN will remain down. IKE traceoptions will display the error “No proposal chosen”:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 |
root@240-POE-1# run restart ipsec-key-management run show log iIPSec Key Management daemon started, pid 10818 [edit] root@240-POE-1# run show security ike security-associations Index State Initiator cookie Responder cookie Mode Remote Address 3276433 UP 06e43cadd3c7c88d ac343460748d364b Main 172.27.201.22 [edit] root@240-POE-1# run show security ipsec security-associations Total active tunnels: 0 [edit] root@240-POE-1# run show log iktrace <...Output snipped...> [Feb 3 21:19:17]IPSec negotiation failed for SA-CFG vpn1 for local:172.27.201.21, remote:172.27.201.22 IKEv1. status: No proposal chosen [Feb 3 21:19:17] P2 ed info: flags 0xc2, P2 error: Error ok [Feb 3 21:19:17] IKEv1 Error : No proposal chosen A similar restart of ipsec-key-management on Device-2 will show the VPN coming up: root@240-POE-1# run show security ipsec security-associations Total active tunnels: 1 ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway <131073 ESP:3des/sha1 c8265980 3563/ unlim - root 500 172.27.201.22 >131073 ESP:3des/sha1 e0ee2340 3563/ unlim - root 500 172.27.201.22 |
This behavior is as per design. The behavior depends on which side is the initiator/responder in Phase-2. Since Device-2’s proxy-identity is subset of Device-1’s proxy-identity when Device-2 sends the proxy-identity first the VPN comes up.
In the above case please see the proxy-identities in Phase-2 security association detailed output:
Initiator:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 |
root@240-POE-2# run show security ipsec security-associations detail ID: 131073 Virtual-system: root, VPN Name: vpn1 Local Gateway: 172.27.201.23, Remote Gateway: 172.27.201.21 Local Identity: ipv4_subnet(any:0,[0..7]=192.168.2.0/24)>>>>>>>>>>>>>>>>>>>> Remote Identity: ipv4(any:0,[0..3]=192.168.1.1)>>>>>>>>>>>>>>> Version: IKEv1 DF-bit: clear Bind-interface: st0.0 Direction: inbound, SPI: 2c037c77, AUX-SPI: 0 , VPN Monitoring: - Hard lifetime: Expires in 3556 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 2934 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc Anti-replay service: counter-based enabled, Replay window size: 64 Direction: outbound, SPI: 305bcbeb, AUX-SPI: 0 , VPN Monitoring: - Hard lifetime: Expires in 3556 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 2934 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc Anti-replay service: counter-based enabled, Replay window size: 64 |
Responder:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 |
root@240-POE-1# run show security ipsec security-associations detail ID: 131073 Virtual-system: root, VPN Name: vpn1 Local Gateway: 172.27.201.21, Remote Gateway: 172.27.201.23 Local Identity: ipv4_subnet(any:0,[0..7]=192.168.1.0/24)>>>>>>>>>>>>>>>>>> Remote Identity: ipv4_subnet(any:0,[0..7]=192.168.2.0/24)>>>>>>>>>>>>>>>>>> Version: IKEv1 DF-bit: clear Bind-interface: st0.0 Direction: inbound, SPI: 305bcbeb, AUX-SPI: 0 , VPN Monitoring: - Hard lifetime: Expires in 3552 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 2955 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc Anti-replay service: counter-based enabled, Replay window size: 64 Direction: outbound, SPI: 2c037c77, AUX-SPI: 0 , VPN Monitoring: - Hard lifetime: Expires in 3552 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 2955 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc Anti-replay service: counter-based enabled, Replay window size: 64 |
