Azure and Juniper SRX 220H with JunOS 11.4r5

    Question

  • Hi all

    I need advice to identify the problem I am having when trying to make the VPN connection with a Juniper SRX 220H device running JunOS 11.4r5, because when I try to make the connection it throws the following error.

    {primary:node0}
    root> show log Monitor_VPN
    Oct 12 13:54:08  clear-log[66722]: logfile cleared
    Oct 12 13:54:08 ikev2_packet_allocate: Allocated packet bb4800 from freelist
    Oct 12 13:54:08 ike_sa_find: Not found SA = { 5337226a 072424a9 - 30b47b18 b9de98b7 }
    Oct 12 13:54:08 ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
    Oct 12 13:54:08 ike_get_sa: Start, SA = { 5337226a 072424a9 - 30b47b18 b9de98b7 } / 00000001, remote = 168.62.213.89:1032
    Oct 12 13:54:08 ike_sa_find: Not found SA = { 5337226a 072424a9 - 30b47b18 b9de98b7 }
    Oct 12 13:54:08 ike_sa_find_half: Not found half SA = { 5337226a 072424a9 - 00000000 00000000 }
    Oct 12 13:54:08 ike_get_sa: Invalid cookie, no sa found, SA = { 5337226a 072424a9 - 30b47b18 b9de98b7 } / 00000001, remote = 168.62.213.89:1032
    Oct 12 13:54:08 unknown (unknown) <-> unknown { unknown [unknown] / unknown } unknown; Packet to unknown Isakmp SA, ip = 168.62.213.89:1032
    Oct 12 13:54:16 iked_pm_ike_spd_notify_request: Sending Initial contact
    Oct 12 13:54:16 ssh_ike_connect: Start, remote_name = 168.62.213.89:500, xchg = 2, flags = 00090000
    Oct 12 13:54:16 ike_sa_allocate: Start, SA = { b403a2da 42436f6c - 00000000 00000000 }
    Oct 12 13:54:16 ike_init_isakmp_sa: Start, remote = 168.62.213.89:500, initiator = 1
    Oct 12 13:54:16 ssh_ike_connect: SA = { b403a2da 42436f6c - 00000000 00000000}, nego = -1
    Oct 12 13:54:16 ike_st_o_sa_proposal: Start
    Oct 12 13:54:16 ike_policy_reply_isakmp_vendor_ids: Start
    Oct 12 13:54:16 ike_st_o_private: Start
    Oct 12 13:54:16 ike_policy_reply_private_payload_out: Start
    Oct 12 13:54:16 ike_encode_packet: Start, SA = { 0xb403a2da 42436f6c - 00000000 00000000 } / 00000000, nego = -1
    Oct 12 13:54:16 ike_send_packet: Start, send SA = { b403a2da 42436f6c - 00000000 00000000}, nego = -1, dst = 168.62.213.89:500,  routing table id = 0
    Oct 12 13:54:24 ikev2_packet_allocate: Allocated packet bb4c00 from freelist
    Oct 12 13:54:24 ike_sa_find: Not found SA = { 5337226a 072424a9 - 30b47b18 b9de98b7 }
    Oct 12 13:54:24 ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
    Oct 12 13:54:24 ike_get_sa: Start, SA = { 5337226a 072424a9 - 30b47b18 b9de98b7 } / 00000001, remote = 168.62.213.89:1032
    Oct 12 13:54:24 ike_sa_find: Not found SA = { 5337226a 072424a9 - 30b47b18 b9de98b7 }
    Oct 12 13:54:24 ike_sa_find_half: Not found half SA = { 5337226a 072424a9 - 00000000 00000000 }
    Oct 12 13:54:24 ike_get_sa: Invalid cookie, no sa found, SA = { 5337226a 072424a9 - 30b47b18 b9de98b7 } / 00000001, remote = 168.62.213.89:1032
    Oct 12 13:54:24 unknown (unknown) <-> unknown { unknown [unknown] / unknown } unknown; Packet to unknown Isakmp SA, ip = 168.62.213.89:1032
    Oct 12 13:54:26 ike_retransmit_callback: Start, retransmit SA = { b403a2da 42436f6c - 00000000 00000000}, nego = -1
    Oct 12 13:54:26 ike_send_packet: Start, retransmit previous packet SA = { b403a2da 42436f6c - 00000000 00000000}, nego = -1, dst = 168.62.213.89:500 routing table id = 0
    Oct 12 13:54:36 ike_retransmit_callback: Start, retransmit SA = { b403a2da 42436f6c - 00000000 00000000}, nego = -1
    Oct 12 13:54:36 ike_send_packet: Start, retransmit previous packet SA = { b403a2da 42436f6c - 00000000 00000000}, nego = -1, dst = 168.62.213.89:500 routing table id = 0
    I know that this model is not in the list of supported devices, but I would at least like to identify what may be happening.

    Details:

    Network:

    Address Space Azure: 10.254.0.0/16
    Subnets Azure: FrontEnd --10.254.2.0/24
    AZURENetworkCIDR Gateway: 10.254.1.0/24
    Azure Gateway IP Address: 168.62.213.89
    PreSharedKey: 9fzbUu8u9frrzJ0Un9aNbx0xtLCWR7hqt140itNJg7X7UB2aaE
    DNS Servers: 
    SRV1 - 10.1.5.1
    SRV2 - 10.1.7.1
    OnPremiseNetworkCIDR 1: 10.1.4.0/22
    AZURENetworkCIDR 1: 10.254.2.0/24

    Requirements for VPN

    IKE Phase I Parameters:
        Mode: Main mode
        Encryption: AES128
        Integrity: SHA1
        Diffie-Hellman group: Group 2 (1024 bit)
        Authentication Method: Pre-shared secret

    IKE Phase II Parameters:
        Mode: ESP tunnel mode
        Encryption: AES128
        Integrity: SHA1
        Perfect Forward Secrecy: OFF
        Diffie-Hellman group: Group 2 (1024 bit)
        Security Association Lifetime: 3600 seconds


    The staff supporting me in configuring the device say that the error may be the Pre-Shared-Key, but we have already regenerated it several times and it is still not working.

    Finally, I have the following questions, if anyone can help me.

    • The Gateway of Azure has enabled ping and UDP port 500, that for Troubleshooting and whether the team come from the juniper.
    • The Pre-Shared-Key is correct that as long
    • The Pre-Shared-Key and brings a hash.

    Thanks in advance

    Friday, October 12, 2012 8:46 PM
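A small triage script for traces like the one above (an added example, not from the thread, from Microsoft or from Juniper): it groups the posted log lines by IKEv1 cookie pair and separates the two things happening at once, packets arriving from 168.62.213.89 for an SA this SRX does not hold, and the SRX's own Phase 1 initiation being retransmitted with the responder cookie never filled in. The sample lines are abridged from the posted log; the regexes and the wording of the findings are assumptions of mine, not Junos output.

```python
import re
from collections import defaultdict

# Constructed sample, abridged from the Monitor_VPN trace posted in the question.
SAMPLE_LOG = """\
Oct 12 13:54:08 ike_sa_find: Not found SA = { 5337226a 072424a9 - 30b47b18 b9de98b7 }
Oct 12 13:54:08 ike_get_sa: Invalid cookie, no sa found, SA = { 5337226a 072424a9 - 30b47b18 b9de98b7 } / 00000001, remote = 168.62.213.89:1032
Oct 12 13:54:16 ike_send_packet: Start, send SA = { b403a2da 42436f6c - 00000000 00000000}, nego = -1, dst = 168.62.213.89:500,  routing table id = 0
Oct 12 13:54:24 ike_get_sa: Invalid cookie, no sa found, SA = { 5337226a 072424a9 - 30b47b18 b9de98b7 } / 00000001, remote = 168.62.213.89:1032
Oct 12 13:54:26 ike_send_packet: Start, retransmit previous packet SA = { b403a2da 42436f6c - 00000000 00000000}, nego = -1, dst = 168.62.213.89:500 routing table id = 0
Oct 12 13:54:36 ike_send_packet: Start, retransmit previous packet SA = { b403a2da 42436f6c - 00000000 00000000}, nego = -1, dst = 168.62.213.89:500 routing table id = 0
"""

# Initiator cookie (two words), responder cookie (two words); the trace sometimes prefixes 0x.
SA_RE = re.compile(r"SA = \{ (?:0x)?([0-9a-f]{8}) ([0-9a-f]{8}) - ([0-9a-f]{8}) ([0-9a-f]{8})\s*\}")
PEER_RE = re.compile(r"(?:remote|dst) = ([0-9.]+:\d+)")
NO_RESP = "0" * 16  # responder cookie still zero: first message sent, nothing came back

def triage_ike_log(text):
    """Count, per IKEv1 cookie pair, packets the SRX could not match and packets it re-sent."""
    sas = defaultdict(lambda: {"unknown_cookie": 0, "sent": 0, "retransmits": 0, "peer": None})
    for line in text.splitlines():
        m = SA_RE.search(line)
        if not m:
            continue
        entry = sas[(m.group(1) + m.group(2), m.group(3) + m.group(4))]
        p = PEER_RE.search(line)
        if p:
            entry["peer"] = p.group(1)
        if "Invalid cookie" in line:          # inbound packet for an SA this SRX does not hold
            entry["unknown_cookie"] += 1
        elif "retransmit previous packet" in line:
            entry["retransmits"] += 1
        elif "ike_send_packet: Start, send" in line:
            entry["sent"] += 1
    return dict(sas)

def explain(sas):
    """Turn the counters into the two Phase 1 symptoms visible in the posted log."""
    findings = []
    for (icookie, rcookie), e in sas.items():
        if e["unknown_cookie"]:
            findings.append(f"inbound: {e['unknown_cookie']} packet(s) from {e['peer']} carry cookies "
                            f"{icookie}/{rcookie} that match no IKE SA on this SRX (peer state out of sync)")
        if e["sent"] and rcookie == NO_RESP and e["retransmits"]:
            findings.append(f"outbound: our Phase 1 initiation {icookie} to {e['peer']} got no reply "
                            f"after {e['retransmits']} retransmit(s); check UDP/500 path and proposal match")
    return findings
```

Run `explain(triage_ike_log(SAMPLE_LOG))` to get one finding per symptom; feed it the full `show log Monitor_VPN` output to see whether a responder cookie ever appears for the SRX-initiated SA.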

Answers

  • Hi Roberto,

    Thank you for posting your question here.

    It is true that the Juniper SRX 220H is not on the supported device list.

    However, the Juniper SRX 210 is on the list and you can find a sample configuration script for that device here.

    Are you using Policy-based or Route-based VPN?

    The Windows Azure Gateway will not respond to ICMP (ping or tracert) directly but it will forward ICMP.

    The Pre-Shared-Key is 50 characters long by default and yours is 50 characters.

    I'm not sure I understand your last question, "The Pre-Shared-Key and brings a hash". Can you ask it a different way?

    -Steve

    Friday, October 12, 2012 11:11 PM
    Moderator
  • Good Morning

    Updating the case: the final solution was to downgrade to the highest version supported by Microsoft for Juniper devices, in this case JunOS 11.2r6. After downgrading, the VPN worked.

    Thanks.
    Monday, October 22, 2012 4:31 PM

All replies

  • Thanks Steve

    I missed that comment. We used the sample script for the Juniper SRX 210 (JUNOS 11.2r6 / 10.4r9), but the VPN does not come up, and in the Juniper log I get the message "Not found SA"; the staff that helps me with the settings said that it may be the Pre-Shared-Key.

    This is the configuration we have, so you could check and see if you find something that we are missing.

    set security ike proposal ike-proposal-Microsoft authentication-method pre-shared-keys
    set security ike proposal ike-proposal-Microsoft dh-group group2
    set security ike proposal ike-proposal-Microsoft authentication-algorithm sha1
    set security ike proposal ike-proposal-Microsoft encryption-algorithm aes-128-cbc
    set security ike proposal ike-proposal-Microsoft lifetime-seconds 28800
    set security ike policy ike-policy-Microsoft mode main
    set security ike policy ike-policy-Microsoft proposals ike-proposal-Microsoft
    set security ike policy ike-policy-Microsoft pre-shared-key ascii-text "$9$JfGqmF39tORDiuBIEKvDiHqT30BIrlMBINbY4jizFn6tuRhyWLNMWLNVYaJUjHkT3n/CA0I69hyKvXxq.PTn9BIEhSep0xdbwg4Fn6/p0yrvXNbik3/tuEh24oaiqz36pOIhSwYg4DjHqmfTF"
    set security ike gateway ike-gate-Microsoft ike-policy ike-policy-Microsoft
    set security ike gateway ike-gate-Microsoft address 168.62.213.89
    set security ike gateway ike-gate-Microsoft external-interface reth1.0
    set security ipsec proposal ipsec-proposal-Microsoft protocol esp
    set security ipsec proposal ipsec-proposal-Microsoft authentication-algorithm hmac-sha1-96
    set security ipsec proposal ipsec-proposal-Microsoft encryption-algorithm aes-128-cbc
    set security ipsec proposal ipsec-proposal-Microsoft lifetime-seconds 3600
    set security ipsec policy ipsec-policy-Microsoft proposal-set standard
    set security ipsec vpn ipsec-vpn-Microsoft ike gateway ike-gate-Microsoft
    set security ipsec vpn ipsec-vpn-Microsoft ike ipsec-policy ipsec-policy-Microsoft
    set security policies from-zone trust to-zone untrust policy vpnpolicy-trust-untrust-Microsoft match source-address RED_LAN_TRUST
    set security policies from-zone trust to-zone untrust policy vpnpolicy-trust-untrust-Microsoft match destination-address Net_10-254-3-0--24
    set security policies from-zone trust to-zone untrust policy vpnpolicy-trust-untrust-Microsoft match destination-address Net_10-254-2-0--24
    set security policies from-zone trust to-zone untrust policy vpnpolicy-trust-untrust-Microsoft match application any
    set security policies from-zone trust to-zone untrust policy vpnpolicy-trust-untrust-Microsoft then permit tunnel ipsec-vpn ipsec-vpn-Microsoft
    set security policies from-zone trust to-zone untrust policy vpnpolicy-trust-untrust-Microsoft then permit tunnel pair-policy vpnpolicy-untrust-trust-Microsoft
    set security policies from-zone untrust to-zone trust policy vpnpolicy-untrust-trust-Microsoft match source-address Net_10-254-2-0--24
    set security policies from-zone untrust to-zone trust policy vpnpolicy-untrust-trust-Microsoft match source-address Net_10-254-3-0--24
    set security policies from-zone untrust to-zone trust policy vpnpolicy-untrust-trust-Microsoft match destination-address RED_LAN_TRUST
    set security policies from-zone untrust to-zone trust policy vpnpolicy-untrust-trust-Microsoft match application any
    set security policies from-zone untrust to-zone trust policy vpnpolicy-untrust-trust-Microsoft then permit tunnel ipsec-vpn ipsec-vpn-Microsoft
    set security policies from-zone untrust to-zone trust policy vpnpolicy-untrust-trust-Microsoft then permit tunnel pair-policy vpnpolicy-trust-untrust-Microsoft
    

    Regarding your question whether we are using Policy-based or Route-based: the script we used was the Policy-based one. Would you recommend that we use the Route-based script?

    Thanks.

    Saturday, October 13, 2012 4:06 PM
  • Roberto,

    Thank you very much for sharing your experience with us.

    -Steve

    Tuesday, October 23, 2012 4:16 PM
    Moderator