This article describes a scenario in which an IPsec VPN between two SRX devices comes up even though the proxy-IDs on the two ends do not match exactly (one side's proxy-ID is a subset of the other's), and explains why the tunnel then comes up or fails depending on which side initiates Phase 2. This is expected behavior.
Two SRX devices are directly connected. Configuration on the devices is as follows:
Device-1:
root@240-POE-1# show security ipsec
policy ipsecp {
    proposal-set standard;
}
vpn vpn1 {
    bind-interface st0.0;
    ike {
        gateway ikeg;
        proxy-identity {
            local 192.168.1.0/24;
            remote 192.168.2.0/24;
        }
        ipsec-policy ipsecp;
    }
    establish-tunnels immediately;
}
Device-2:
root@240-POE-2# show security ipsec
policy p1 {
    proposal-set standard;
}
policy ipsecp {
    proposal-set standard;
}
vpn vpn1 {
    bind-interface st0.0;
    ike {
        gateway ikeg;
        ipsec-policy ipsecp;
    }
    ## The same behavior is seen if an equivalent proxy-identity is configured instead of a traffic-selector
    traffic-selector ts1 {
        local-ip 192.168.2.0/24;
        remote-ip 192.168.1.1/32;
    }
    establish-tunnels immediately;
}

The VPN is up, as seen below:

root@240-POE-1# run show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode  Remote Address
927644  UP     f974975e922c6138  9bf0b489e8caaf25  Main  172.27.201.22

[edit]
root@240-POE-1# run show security ipsec security-associations
  Total active tunnels: 1
  ID       Algorithm       SPI       Life:sec/kb  Mon  lsys  Port  Gateway
  <131073  ESP:3des/sha1   7f8c5491  3385/ unlim  -    root  500   172.27.201.22
  >131073  ESP:3des/sha1   22a3b405  3385/ unlim  -    root  500   172.27.201.22
If ipsec-key-management is restarted on Device-1 (so that Device-1 becomes the Phase-2 initiator), the Phase-1 IKE SA comes back up but the Phase-2 IPsec SA does not, so the VPN stays down. IKE traceoptions show the error "No proposal chosen":
root@240-POE-1# run restart ipsec-key-management
IPSec Key Management daemon started, pid 10818

[edit]
root@240-POE-1# run show security ike security-associations
Index    State  Initiator cookie  Responder cookie  Mode  Remote Address
3276433  UP     06e43cadd3c7c88d  ac343460748d364b  Main  172.27.201.22

[edit]
root@240-POE-1# run show security ipsec security-associations
  Total active tunnels: 0

[edit]
root@240-POE-1# run show log iktrace
<...Output snipped...>
[Feb 3 21:19:17]IPSec negotiation failed for SA-CFG vpn1 for local:172.27.201.21, remote:172.27.201.22 IKEv1. status: No proposal chosen
[Feb 3 21:19:17] P2 ed info: flags 0xc2, P2 error: Error ok
[Feb 3 21:19:17] IKEv1 Error : No proposal chosen

A similar restart of ipsec-key-management on Device-2 (so that Device-2 initiates Phase 2) brings the VPN back up:

root@240-POE-1# run show security ipsec security-associations
  Total active tunnels: 1
  ID       Algorithm       SPI       Life:sec/kb  Mon  lsys  Port  Gateway
  <131073  ESP:3des/sha1   c8265980  3563/ unlim  -    root  500   172.27.201.22
  >131073  ESP:3des/sha1   e0ee2340  3563/ unlim  -    root  500   172.27.201.22
This behavior is by design and depends on which side is the initiator in Phase 2. In IKEv1 Quick Mode the initiator proposes its local and remote proxy-IDs, and the responder accepts the proposal only if each proposed selector is equal to, or contained within, the corresponding selector in its own configured proxy-identity or traffic-selector. Device-2's selector (local 192.168.2.0/24, remote 192.168.1.1/32) is a subset of Device-1's proxy-identity (local 192.168.1.0/24, remote 192.168.2.0/24). When Device-2 initiates, the proposed 192.168.1.1/32 lies inside Device-1's configured 192.168.1.0/24, so Device-1 accepts and the VPN comes up. When Device-1 initiates, the proposed 192.168.1.0/24 is wider than Device-2's configured 192.168.1.1/32, so Device-2 rejects the proposal with "No proposal chosen".

Because the initiator of Phase 2 changes with rekeys, daemon restarts and which side is configured to establish the tunnel first, a VPN that relies on this subset behavior will fail intermittently. Configure identical proxy-identities (or matching traffic-selectors) on both ends so that the negotiation succeeds regardless of which side initiates.
The proxy-identities that each side installed in this case can be seen in the detailed Phase-2 security association output. Note the asymmetry: the initiator (Device-2) installed the narrower selector it proposed, while the responder (Device-1) shows its own configured /24 identities:
Initiator:
root@240-POE-2# run show security ipsec security-associations detail
  ID: 131073 Virtual-system: root, VPN Name: vpn1
  Local Gateway: 172.27.201.23, Remote Gateway: 172.27.201.21
  Local Identity: ipv4_subnet(any:0,[0..7]=192.168.2.0/24)      >>>>>>>>>>
  Remote Identity: ipv4(any:0,[0..3]=192.168.1.1)               >>>>>>>>>>
  Version: IKEv1
  DF-bit: clear
  Bind-interface: st0.0

  Direction: inbound, SPI: 2c037c77, AUX-SPI: 0, VPN Monitoring: -
  Hard lifetime: Expires in 3556 seconds
  Lifesize Remaining: Unlimited
  Soft lifetime: Expires in 2934 seconds
  Mode: Tunnel(0 0), Type: dynamic, State: installed
  Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
  Anti-replay service: counter-based enabled, Replay window size: 64

  Direction: outbound, SPI: 305bcbeb, AUX-SPI: 0, VPN Monitoring: -
  Hard lifetime: Expires in 3556 seconds
  Lifesize Remaining: Unlimited
  Soft lifetime: Expires in 2934 seconds
  Mode: Tunnel(0 0), Type: dynamic, State: installed
  Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
  Anti-replay service: counter-based enabled, Replay window size: 64
Responder:
root@240-POE-1# run show security ipsec security-associations detail
  ID: 131073 Virtual-system: root, VPN Name: vpn1
  Local Gateway: 172.27.201.21, Remote Gateway: 172.27.201.23
  Local Identity: ipv4_subnet(any:0,[0..7]=192.168.1.0/24)      >>>>>>>>>>
  Remote Identity: ipv4_subnet(any:0,[0..7]=192.168.2.0/24)     >>>>>>>>>>
  Version: IKEv1
  DF-bit: clear
  Bind-interface: st0.0

  Direction: inbound, SPI: 305bcbeb, AUX-SPI: 0, VPN Monitoring: -
  Hard lifetime: Expires in 3552 seconds
  Lifesize Remaining: Unlimited
  Soft lifetime: Expires in 2955 seconds
  Mode: Tunnel(0 0), Type: dynamic, State: installed
  Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
  Anti-replay service: counter-based enabled, Replay window size: 64

  Direction: outbound, SPI: 2c037c77, AUX-SPI: 0, VPN Monitoring: -
  Hard lifetime: Expires in 3552 seconds
  Lifesize Remaining: Unlimited
  Soft lifetime: Expires in 2955 seconds
  Mode: Tunnel(0 0), Type: dynamic, State: installed
  Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
  Anti-replay service: counter-based enabled, Replay window size: 64