<< Prev Question Next Question >>
Question 35/36
-- Exhibit --
user@SRX-1> show configuration security ike
traceoptions {
file ike-trace;
flag all;
}
policy juniper {
proposal-set standard;
pre-shared-key ascii-text "$ $ znCO hKMXtuMX - gTz "; ## SECRET-DATA
}
gateway juniper {
ike-policy juniper;
address 192.168.1.11;
external-interface fe-0/0/7;
}
user@SRX-1> show configuration security ipsec
traceoptions {
flag all;
}
policy juniper {
proposal-set standard;
}
vpn juniper {
bind-interface st0.0;
ike {
gateway juniper;
ipsec-policy juniper;
}
}
user@SRX-1> show security ike security-associations
user@SRX-1> show security ipsec security-associations
Total active tunnels: 0
user@SRX-1> show log ike-trace
...
Jun 13 16:21:33 ike_st_o_all_done: MESSAGE: Phase 1 { 0x3f669946 90eba0c7 - 0x76bdffab f8770040 } / 00000000, version = 1.0, xchg = Identity protect, auth_method = Pre shared keys, Responder, cipher = 3des-cbc, hash = sha1, prf = hmac-sha1, life = 0 kB / 28800 sec, key l Jun 13 16:21:33 192.168.1.10:500 (Responder) -> 192.168.1.11:500 { 3f669946 90eba0c7 - 76bdffab f8770040 [-1] / 0x00000000 } IP; MESSAGE: Phase 1 version = 1.0, auth_method = Pre shared keys, cipher = 3des-cbc, hash = sha1, prf = hmac-sha1, life = 0 kB / 28800 sec, key Jun 13 16:21:33 ike_encode_packet: Start, SA = { 0x3f669946 90eba0c7 - 76bdffab f8770040 } /
00000000, nego = -1
Jun 13 16:21:33 ike_send_packet: Start, send SA = { 3f669946 90eba0c7 - 76bdffab f8770040}, nego = -1, dst = 192.168.1.11:500, routing table id = 0 Jun 13 16:21:33 ike_send_notify: Connected, SA = { 3f669946 90eba0c7 - 76bdffab f8770040}, nego = -1 Jun 13 16:21:33 iked_pm_ike_sa_done: local:192.168.1.10, remote:192.168.1.11 IKEv1 Jun 13 16:21:33 iked_pm_id_validate id NOT matched.
Jun 13 16:21:33 P1 SA 3075313 timer expiry. ref cnt 1, timer reason Defer delete timer expired (3), flags
0x331.
Jun 13 16:21:33 iked_pm_ike_sa_delete_notify_done_cB. For p1 sa index 3075313, ref cnt 1, status: Error ok Jun 13 16:21:33 ike_expire_callback: Start, expire SA = { 3f669946 90eba0c7 - 76bdffab f8770040}, nego
= -1
Jun 13 16:21:33 ike_alloc_negotiation: Start, SA = { 3f669946 90eba0c7 - 76bdffab f8770040}
...
-- Exhibit --
Click the Exhibit button.
You are troubleshooting a new IPsec VPN that is not establishing between SRX-1 and a remote end device.
Referring to the exhibit, what is causing the problem?
user@SRX-1> show configuration security ike
traceoptions {
file ike-trace;
flag all;
}
policy juniper {
proposal-set standard;
pre-shared-key ascii-text "$ $ znCO hKMXtuMX - gTz "; ## SECRET-DATA
}
gateway juniper {
ike-policy juniper;
address 192.168.1.11;
external-interface fe-0/0/7;
}
user@SRX-1> show configuration security ipsec
traceoptions {
flag all;
}
policy juniper {
proposal-set standard;
}
vpn juniper {
bind-interface st0.0;
ike {
gateway juniper;
ipsec-policy juniper;
}
}
user@SRX-1> show security ike security-associations
user@SRX-1> show security ipsec security-associations
Total active tunnels: 0
user@SRX-1> show log ike-trace
...
Jun 13 16:21:33 ike_st_o_all_done: MESSAGE: Phase 1 { 0x3f669946 90eba0c7 - 0x76bdffab f8770040 } / 00000000, version = 1.0, xchg = Identity protect, auth_method = Pre shared keys, Responder, cipher = 3des-cbc, hash = sha1, prf = hmac-sha1, life = 0 kB / 28800 sec, key l Jun 13 16:21:33 192.168.1.10:500 (Responder) -> 192.168.1.11:500 { 3f669946 90eba0c7 - 76bdffab f8770040 [-1] / 0x00000000 } IP; MESSAGE: Phase 1 version = 1.0, auth_method = Pre shared keys, cipher = 3des-cbc, hash = sha1, prf = hmac-sha1, life = 0 kB / 28800 sec, key Jun 13 16:21:33 ike_encode_packet: Start, SA = { 0x3f669946 90eba0c7 - 76bdffab f8770040 } /
00000000, nego = -1
Jun 13 16:21:33 ike_send_packet: Start, send SA = { 3f669946 90eba0c7 - 76bdffab f8770040}, nego = -1, dst = 192.168.1.11:500, routing table id = 0 Jun 13 16:21:33 ike_send_notify: Connected, SA = { 3f669946 90eba0c7 - 76bdffab f8770040}, nego = -1 Jun 13 16:21:33 iked_pm_ike_sa_done: local:192.168.1.10, remote:192.168.1.11 IKEv1 Jun 13 16:21:33 iked_pm_id_validate id NOT matched.
Jun 13 16:21:33 P1 SA 3075313 timer expiry. ref cnt 1, timer reason Defer delete timer expired (3), flags
0x331.
Jun 13 16:21:33 iked_pm_ike_sa_delete_notify_done_cB. For p1 sa index 3075313, ref cnt 1, status: Error ok Jun 13 16:21:33 ike_expire_callback: Start, expire SA = { 3f669946 90eba0c7 - 76bdffab f8770040}, nego
= -1
Jun 13 16:21:33 ike_alloc_negotiation: Start, SA = { 3f669946 90eba0c7 - 76bdffab f8770040}
...
-- Exhibit --
Click the Exhibit button.
You are troubleshooting a new IPsec VPN that is not establishing between SRX-1 and a remote end device.
Referring to the exhibit, what is causing the problem?
