— Exhibit –user@SRX-1> show configuration security ike
traceoptions {
file ike-trace;
flag all;
}
policy juniper {
proposal-set standard;
pre-shared-key ascii-text “$ $ znCO hKMXtuMX – gTz “; ## SECRET-DATA
}
gateway juniper {
ike-policy juniper;
address 192.168.1.11;
external-interface fe-0/0/7;
}
user@SRX-1> show configuration security ipsec
traceoptions {
flag all;
}
policy juniper {
proposal-set standard;
}
vpn juniper {
bind-interface st0.0;
ike {
gateway juniper;
ipsec-policy juniper;
}
}
user@SRX-1> show security ike security-associations
user@SRX-1> show security ipsec security-associations
Total active tunnels: 0
user@SRX-1> show log ike-trace
…
Jun 13 16:21:33 ike_st_o_all_done: MESSAGE: Phase 1 { 0x3f669946 90eba0c7 – 0x76bdffab
f8770040 } / 00000000, version = 1.0, xchg = Identity protect, auth_method = Pre shared keys,
Responder, cipher = 3des-cbc, hash = sha1, prf = hmac-sha1, life = 0 kB / 28800 sec, key l
Jun 13 16:21:33 192.168.1.10:500 (Responder) -> 192.168.1.11:500 { 3f669946 90eba0c7 -76bdffab f8770040 [-1] / 0x00000000 } IP; MESSAGE: Phase 1 version = 1.0, auth_method = Pre
shared keys, cipher = 3des-cbc, hash = sha1, prf = hmac-sha1, life = 0 kB / 28800 sec, key
Jun 13 16:21:33 ike_encode_packet: Start, SA = { 0x3f669946 90eba0c7 – 76bdffab f8770040 } /
00000000, nego = -1
Jun 13 16:21:33 ike_send_packet: Start, send SA = { 3f669946 90eba0c7 – 76bdffab f8770040},
nego = -1, dst = 192.168.1.11:500, routing table id = 0
Jun 13 16:21:33 ike_send_notify: Connected, SA = { 3f669946 90eba0c7 – 76bdffab f8770040},
nego = -1
Jun 13 16:21:33 iked_pm_ike_sa_done: local:192.168.1.10, remote:192.168.1.11 IKEv1
Jun 13 16:21:33 iked_pm_id_validate id NOT matched.
Jun 13 16:21:33 P1 SA 3075313 timer expiry. ref cnt 1, timer reason Defer delete timer expired
(3), flags 0x331.
Jun 13 16:21:33 iked_pm_ike_sa_delete_notify_done_cB. For p1 sa index 3075313, ref cnt 1,
status: Error ok
Jun 13 16:21:33 ike_expire_callback: Start, expire SA = { 3f669946 90eba0c7 – 76bdffab
f8770040}, nego = -1
Jun 13 16:21:33 ike_alloc_negotiation: Start, SA = { 3f669946 90eba0c7 – 76bdffab f8770040}
…
— Exhibit –Click the Exhibit button.
You are troubleshooting a new IPsec VPN that is not establishing between SRX-1 and a remote
end device.
Referring to the exhibit, what is causing the problem?
A.
Pre-shared key mismatch
B.
IKE Phase 1 proposals mismatch
C.
IKE Phase 1 IKE ID mismatch
D.
IKE Phase 2 proxy ID mismatch
Explanation:
Answer C
iked_pm_id_validate id NOT matched.
ID mismatch, answer C.