garysh
just joined
Topic Author
Posts: 2
Joined: Thu Sep 18, 2014 12:23 pm

IPSec site to site VPN between Juniper SRX and Mikrotik

Thu Sep 18, 2014 1:42 pm

Hi everybody,
I need your help.
I am trying to configure an IPsec site-to-site VPN between a Juniper SRX-240 and a MikroTik RB-951. The Juniper SRX has a static IP and the MikroTik has a dynamic IP.
When I use IP addresses as peer IDs there is no problem. But if I try to use an FQDN as the peer ID for the MikroTik (it has a dynamic IP), the tunnel is not established.
Juniper SRX with Juniper SRX and Juniper SRX with D-Link DSR-150N work fine.

Config SRX:

set security ike policy ike-policy-dhcp mode aggressive
set security ike policy ike-policy-dhcp proposal-set standard
set security ike policy ike-policy-dhcp pre-shared-key ascii-text "Secret_key"
set security ike gateway cpe-gate-cfgr ike-policy ike-policy-dhcp
set security ike gateway cpe-gate-cfgr dynamic hostname cpe.oscon.ua
set security ike gateway cpe-gate-cfgr external-interface vlan.300
set security ipsec policy ipsec-policy-dhcp perfect-forward-secrecy keys group2
set security ipsec policy ipsec-policy-dhcp proposal-set standard
set security ipsec vpn ipsec-vpn-srx bind-interface st0.0
set security ipsec vpn ipsec-vpn-srx ike gateway cpe-gate-cfgr
set security ipsec vpn ipsec-vpn-srx ike ipsec-policy ipsec-policy-dhcp
set security ipsec vpn ipsec-vpn-srx establish-tunnels immediately

Mikrotik config:

/ip firewall nat
add chain=srcnat dst-address=192.168.110.0/24 src-address=192.168.88.0/24
add action=masquerade chain=srcnat comment="default configuration" \
out-interface=ether1-gateway
/ip ipsec peer
# Unsafe configuration, suggestion to use certificates
add address=194.187.108.110/32 dpd-interval=disable-dpd exchange-mode=\
aggressive my-id-user-fqdn=cpe.oscon.ua nat-traversal=no secret=Secret_key
/ip ipsec policy
add dst-address=192.168.110.0/24 level=unique sa-dst-address=194.187.108.110 \
sa-src-address=194.187.108.107 src-address=192.168.88.0/24 tunnel=yes
 
garysh
just joined
Topic Author
Posts: 2
Joined: Thu Sep 18, 2014 12:23 pm

Re: IPSec site to site VPN between Juniper SRX and Mikrotik

Fri Sep 26, 2014 10:22 am

The problem was in the MikroTik. The MikroTik uses only the U-FQDN peer ID, in the format "xxx@yyy.com", while Juniper can use both FQDN and U-FQDN. You must change the command on the Juniper:

Old command:
set security ike gateway cpe-gate-cfgr dynamic hostname cpe.oscon.ua

New command:
set security ike gateway srx-gate-cfgr dynamic user-at-hostname "cpe@oscon.ua"
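What the fix above turns on is the ID type byte in the IKEv1 Identification payload, not only the string: Junos "dynamic hostname" expects ID_FQDN (type 2), RouterOS "my-id-user-fqdn" sends ID_USER_FQDN (type 3), and a responder configured with a typed remote identity rejects a peer whose type differs even when the text is identical. The Python below is an added example, not code from the thread or from either vendor. It builds and parses that payload (RFC 2408 payload layout, RFC 2407 type values) and runs the three combinations from the thread against a model of the SRX's typed match. That RouterOS sends the literal "my-id-user-fqdn" value with the USER_FQDN type is taken from the poster's finding; the last scenario assumes the RB-951 is also changed to "my-id-user-fqdn=cpe@oscon.ua", which the post does not state. Aggressive mode is what lets a dynamic-IP peer be identified by name before the DH secret exists, but it also sends that ID in the clear and lets anyone who can start an exchange collect material for offline guessing of the PSK, which is a reason to take the "Unsafe configuration" line in the RouterOS export seriously.

```python
"""IKEv1 Identification payload: build, parse, and match it the way a responder
with a typed remote identity does.  Layout per RFC 2408 (generic payload header)
and RFC 2407 section 4.6.2 (IPsec DOI ID type, protocol, port, data).
Added example; not code from the thread or from Juniper/MikroTik."""
import socket
import struct

# RFC 2407 section 4.6.2.1 identification types, as they appear on the wire
ID_IPV4_ADDR = 1
ID_FQDN = 2        # Junos "dynamic hostname ..."
ID_USER_FQDN = 3   # Junos "dynamic user-at-hostname ...", RouterOS my-id-user-fqdn=...
ID_TYPE_NAMES = {ID_IPV4_ADDR: "ID_IPV4_ADDR", ID_FQDN: "ID_FQDN", ID_USER_FQDN: "ID_USER_FQDN"}

# next payload, reserved, payload length, ID type, protocol ID, port
HEADER = struct.Struct("!BBHBBH")


def encode_id_data(id_type, value):
    """Identification Data: 4 raw bytes for an IPv4 address, ASCII text otherwise."""
    if id_type == ID_IPV4_ADDR:
        return socket.inet_aton(value)
    return value.encode("ascii")


def build_id_payload(id_type, value, next_payload=0, protocol=0, port=0):
    """Serialise one ID payload; protocol/port 0 means 'any' (RFC 2407 4.6.2)."""
    data = encode_id_data(id_type, value)
    return HEADER.pack(next_payload, 0, HEADER.size + len(data), id_type, protocol, port) + data


def parse_id_payload(buf):
    """Parse one ID payload from the start of buf; ValueError on malformed input."""
    if len(buf) < HEADER.size:
        raise ValueError("truncated ID payload header")
    next_payload, _reserved, length, id_type, protocol, port = HEADER.unpack_from(buf)
    if length < HEADER.size or length > len(buf):
        raise ValueError("ID payload length %d inconsistent with %d bytes" % (length, len(buf)))
    data = buf[HEADER.size:length]
    if id_type == ID_IPV4_ADDR and len(data) != 4:
        raise ValueError("ID_IPV4_ADDR data must be exactly 4 bytes")
    return {"next": next_payload, "type": id_type, "protocol": protocol, "port": port, "data": data}


def id_matches(expected_type, expected_value, payload):
    """Responder with a typed remote identity: the ID type and the identification
    data must both equal the configured value.  Returns (ok, reason)."""
    got = parse_id_payload(payload)
    want = encode_id_data(expected_type, expected_value)
    if got["type"] != expected_type:
        return False, "ID type %s, responder expects %s" % (
            ID_TYPE_NAMES.get(got["type"], got["type"]),
            ID_TYPE_NAMES.get(expected_type, expected_type))
    if got["data"] != want:
        return False, "ID data %r, responder expects %r" % (got["data"], want)
    return True, "identity accepted"


def thread_scenarios():
    """The SRX settings from the thread against what the RB-951 sends."""
    # Constructed: RouterOS sends the my-id-user-fqdn value as USER_FQDN (poster's finding)
    mt_as_posted = build_id_payload(ID_USER_FQDN, "cpe.oscon.ua")
    # Assumed: RB-951 changed to my-id-user-fqdn=cpe@oscon.ua (not stated in the thread)
    mt_fixed = build_id_payload(ID_USER_FQDN, "cpe@oscon.ua")
    return {
        "SRX 'dynamic hostname cpe.oscon.ua' vs RB-951 as posted":
            id_matches(ID_FQDN, "cpe.oscon.ua", mt_as_posted),
        "SRX 'dynamic user-at-hostname cpe@oscon.ua' vs RB-951 as posted":
            id_matches(ID_USER_FQDN, "cpe@oscon.ua", mt_as_posted),
        "SRX 'dynamic user-at-hostname cpe@oscon.ua' vs RB-951 with cpe@oscon.ua":
            id_matches(ID_USER_FQDN, "cpe@oscon.ua", mt_fixed),
    }


if __name__ == "__main__":
    for label, (ok, reason) in thread_scenarios().items():
        print("%-72s %s: %s" % (label, "OK  " if ok else "FAIL", reason))
```

Run it and the first scenario fails on the type byte alone, the second on the data, and only the third is accepted, which is the behaviour the poster saw once both sides agreed on U-FQDN. The same type/value rule applies to the MikroTik side's check of the SRX identity, so when debugging an ID mismatch look at the type field in the IKE debug output, not just the name.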
 
Rattlehead
just joined
Posts: 20
Joined: Mon Mar 01, 2010 2:09 pm

Re: IPSec site to site VPN between Juniper SRX and Mikrotik

Mon Oct 06, 2014 7:52 pm

garysh,
Did you get it all sorted?
I'm having major problems trying to establish it.
Same setup as you: MikroTik with dynamic IP, Juniper SRX240 with static.

Are you configuring it as route-based or policy-based on the SRX?

I keep getting a "no proposal chosen" alarm on both boxes.
 
logiqit
just joined
Posts: 18
Joined: Thu Jun 09, 2011 5:38 pm

Re: IPSec site to site VPN between Juniper SRX and Mikrotik

Thu Jun 16, 2016 4:15 pm

Did any of you get this sorted out?

I am trying to get a Juniper SRX <-> MikroTik site-to-site IPsec running. Phase 1 is up, and Phase 2 is giving us a headache... no proposal chosen...
Thank you

/Ulrich
 
mrz
MikroTik Support
Posts: 7186
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: IPSec site to site VPN between Juniper SRX and Mikrotik

Thu Jun 16, 2016 4:19 pm

Enable ipsec debug logs and post the output here after the failure.
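Both of the later replies report the same "no proposal chosen" alarm at Phase 2, and asking for the debug log is the right next step because that one notify (ISAKMP NO-PROPOSAL-CHOSEN, type 14) covers two different failures a responder can hit in Quick Mode: no ESP transform in common, or proxy IDs (the initiator's IDci/IDcr selectors) that do not equal the responder's policy. The Python below is an added example, not code from the thread or from either vendor; it models a responder's Quick Mode decision and runs it over three constructed cases built from the posted configs. The transform lists are assumptions: Junos "proposal-set standard" for IPsec with PFS group 2 is taken as ESP 3DES/SHA-1 and AES-128/SHA-1, and the RouterOS default proposal of the period as the same pair with PFS modp1024 (DH group 2); check yours with "show configuration security ipsec" and "/ip ipsec proposal print". The route-based case assumes the Junos default proxy ID for an st0 VPN with no proxy-identity configured, 0.0.0.0/0 on both sides, and the corrected case assumes a "set security ipsec vpn ipsec-vpn-srx ike proxy-identity local 192.168.110.0/24 remote 192.168.88.0/24" that appears nowhere in the thread.

```python
"""IKEv1 Quick Mode responder check: ESP transform intersection and proxy-ID
(IDci/IDcr) comparison.  Both failures are answered with the same
NO-PROPOSAL-CHOSEN notify, which is why the alarm alone is ambiguous.
Added example; the vendor defaults below are assumptions (see lead-in)."""
import ipaddress
from dataclasses import dataclass

NO_PROPOSAL_CHOSEN = 14  # ISAKMP notify message type, RFC 2408 section 3.14.1


@dataclass(frozen=True)
class Transform:
    enc: str        # ESP encryption algorithm
    auth: str       # ESP integrity algorithm
    pfs_group: int  # DH group for PFS, 0 = none


@dataclass(frozen=True)
class Policy:
    local: str         # this side's protected network (CIDR)
    remote: str        # the peer's protected network (CIDR)
    transforms: tuple  # Transform objects in preference order


def choose_transform(offered, acceptable):
    """Responder takes the first transform the initiator offered that it also accepts."""
    for t in offered:
        if t in acceptable:
            return t
    return None


def selectors_match(responder, initiator):
    """Quick Mode carries the initiator's local/remote networks as IDci/IDcr.
    IKEv1 has no selector narrowing (that arrived with IKEv2, RFC 7296 section 2.9),
    so the initiator's local must equal the responder's remote and vice versa."""
    return (ipaddress.ip_network(initiator.local) == ipaddress.ip_network(responder.remote)
            and ipaddress.ip_network(initiator.remote) == ipaddress.ip_network(responder.local))


def quick_mode(responder, initiator):
    """Return ("ok", Transform) on success, else (NO_PROPOSAL_CHOSEN, reason).
    The order of the two checks is this model's, not any vendor's."""
    chosen = choose_transform(initiator.transforms, responder.transforms)
    if chosen is None:
        return NO_PROPOSAL_CHOSEN, "no common ESP transform: offered %s, acceptable %s" % (
            [t.enc for t in initiator.transforms], [t.enc for t in responder.transforms])
    if not selectors_match(responder, initiator):
        return NO_PROPOSAL_CHOSEN, "proxy-ID mismatch: initiator %s<->%s, responder %s<->%s" % (
            initiator.local, initiator.remote, responder.local, responder.remote)
    return "ok", chosen


# Assumed Junos IPsec "proposal-set standard" with PFS group 2 (verify on the box).
SRX_TRANSFORMS = (Transform("3des-cbc", "hmac-sha1-96", 2),
                  Transform("aes-128-cbc", "hmac-sha1-96", 2))
# Assumed RouterOS default proposal of the period: sha1 with 3des/aes-128-cbc, pfs modp1024.
MT_TRANSFORMS = (Transform("3des-cbc", "hmac-sha1-96", 2),
                 Transform("aes-128-cbc", "hmac-sha1-96", 2))
# Constructed variant: RB-951 proposal changed to AES-256 only with modp2048 (group 14).
MT_TRANSFORMS_STRICT = (Transform("aes-256-cbc", "hmac-sha1-96", 14),)

# Initiator side, from the posted /ip ipsec policy (src 192.168.88.0/24 -> dst 192.168.110.0/24).
MT_POLICY = Policy("192.168.88.0/24", "192.168.110.0/24", MT_TRANSFORMS)
MT_POLICY_STRICT = Policy("192.168.88.0/24", "192.168.110.0/24", MT_TRANSFORMS_STRICT)
# Responder side: st0 VPN with no proxy-identity (assumed Junos default, 0.0.0.0/0 both ways) ...
SRX_ROUTE_BASED_DEFAULT = Policy("0.0.0.0/0", "0.0.0.0/0", SRX_TRANSFORMS)
# ... and the same VPN with a proxy-identity mirroring the RB-951 policy (assumed, not in the thread).
SRX_WITH_PROXY_ID = Policy("192.168.110.0/24", "192.168.88.0/24", SRX_TRANSFORMS)


def scenarios():
    return {
        "st0 VPN, no proxy-identity": quick_mode(SRX_ROUTE_BASED_DEFAULT, MT_POLICY),
        "st0 VPN, proxy-identity set": quick_mode(SRX_WITH_PROXY_ID, MT_POLICY),
        "proxy-identity set, strict RB-951 proposal": quick_mode(SRX_WITH_PROXY_ID, MT_POLICY_STRICT),
    }


if __name__ == "__main__":
    for label, (status, detail) in scenarios().items():
        print("%-45s %s  %s" % (label, status, detail))
```

With the assumed defaults the transform sets already overlap, so the first case fails purely on the selectors: a 0.0.0.0/0 proxy ID does not "cover" a /24 in IKEv1, it simply is not equal to it. The third case shows the other way to get the identical alarm. Which of the two the thread's setups hit is exactly what the requested debug output distinguishes, and it is worth reading the log on both boxes, since the side that sends the notify is the one that knows why.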
