What is causing the problem?

user@SRX-1> show configuration security ike
traceoptions {
    file ike-trace;
    flag all;
}
policy juniper {
    proposal-set standard;
    pre-shared-key ascii-text "$ $ znCO hKMXtuMX – gTz "; ## SECRET-DATA
}
gateway juniper {
    ike-policy juniper;
    address 192.168.1.11;
    external-interface fe-0/0/7;
}

user@SRX-1> show configuration security ipsec
traceoptions {
    flag all;
}
policy juniper {
    proposal-set standard;
}
vpn juniper {
    bind-interface st0.0;
    ike {
        gateway juniper;
        ipsec-policy juniper;
    }
}

user@SRX-1> show security ike security-associations

user@SRX-1> show security ipsec security-associations
Total active tunnels: 0

user@SRX-1> show log ike-trace
…
Jun 13 16:21:33 ike_st_o_all_done: MESSAGE: Phase 1 { 0x3f669946 90eba0c7 - 0x76bdffab f8770040 } / 00000000, version = 1.0, xchg = Identity protect, auth_method = Pre shared keys, Responder, cipher = 3des-cbc, hash = sha1, prf = hmac-sha1, life = 0 kB / 28800 sec, key l
Jun 13 16:21:33 192.168.1.10:500 (Responder) -> 192.168.1.11:500 { 3f669946 90eba0c7 -76bdffab f8770040 [-1] / 0x00000000 } IP; MESSAGE: Phase 1 version = 1.0, auth_method = Pre shared keys, cipher = 3des-cbc, hash = sha1, prf = hmac-sha1, life = 0 kB / 28800 sec, key
Jun 13 16:21:33 ike_encode_packet: Start, SA = { 0x3f669946 90eba0c7 - 76bdffab f8770040 } / 00000000, nego = -1
Jun 13 16:21:33 ike_send_packet: Start, send SA = { 3f669946 90eba0c7 - 76bdffab f8770040}, nego = -1, dst = 192.168.1.11:500, routing table id = 0
Jun 13 16:21:33 ike_send_notify: Connected, SA = { 3f669946 90eba0c7 - 76bdffab f8770040}, nego = -1
Jun 13 16:21:33 iked_pm_ike_sa_done: local:192.168.1.10, remote:192.168.1.11 IKEv1
Jun 13 16:21:33 iked_pm_id_validate id NOT matched.
Jun 13 16:21:33 P1 SA 3075313 timer expiry. ref cnt 1, timer reason Defer delete timer expired (3), flags 0x331.
Jun 13 16:21:33 iked_pm_ike_sa_delete_notify_done_cB. For p1 sa index 3075313, ref cnt 1, status: Error ok
Jun 13 16:21:33 ike_expire_callback: Start, expire SA = { 3f669946 90eba0c7 - 76bdffab f8770040}, nego = -1
Jun 13 16:21:33 ike_alloc_negotiation: Start, SA = { 3f669946 90eba0c7 - 76bdffab f8770040}

You are troubleshooting a new IPsec VPN that is not establishing between SRX-1 and a remote end device. What is causing the problem?

A. IKE Phase 2 proxy ID mismatch

B. Pre-shared key mismatch

C. IKE Phase 1 proposals mismatch

D. IKE Phase 1 IKE ID mismatch


