Less than a month ago we had to replace our old SRX 210 HE device with a new SRX 300 because the old device started to become unreliable. We had two IPsec tunnels to two different places, both working without a hitch. However, after we rebuilt the configuration for the SRX 300 device based on the configuration extracted from the SRX 210 HE, only one of the IPsec tunnels connected.
It seems that it's IKE phase 1 that won't work. Typing:
show security ike security-associations
gives the following output:
Index State Initiator cookie Responder cookie Mode Remote Address
1897066 UP 4cbbffa7700d641b d57600a59dc24c3a Main xxx.xxx.xxx.xxx
1897435 DOWN c3cf8b4f3a140154 0000000000000000 Main xxx.xxx.xxx.xxx
Since the Responder cookie is 0000000000000000 it means no reply is received from the other party. I consulted with them and their log shows the following error:
IP = xxx.xxx.xxx.xxx, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
Our log on the other hand gives the following error:
xxx.xxx.xxx.xxx:500 (Initiator) <-> xxx.xxx.xxx.xxx:500 { 0ecdfc62 8ee2e521 - 00000000 00000000 [-1] / 0x00000000 } IP; Connection timed out or error, calling callback
Is it normal behavior that no response is sent when this error occurs? Apparently this should be caused by a mismatch in the IKE proposal, but we have painstakingly checked the proposal settings and they should be compatible, especially since the tunnel worked before we switched the device. It also seems that their log doesn't contain anything more specific than this that would help solve the issue.
The proposal settings are as follows.
Ours:
authentication-method pre-shared-keys
dh-group group14
authentication-algorithm sha1
encryption-algorithm aes-256-cbc
lifetime-seconds 28800
Theirs:
Authentication pre-share
D-H Group 14
Hash sha
Encryption aes-256
Lifetime(seconds) 28800
The only thing that could be wrong would be the pre-shared key, but I tried setting it multiple times just in case I mistyped it. And shouldn't a mismatching pre-shared key give a more specific error?
Can anyone help me identify what might cause this IKE phase 1 problem?
EDIT:
One time, while checking the IKE security associations, I glimpsed a difference. It looked like the device had received a responder cookie, but the mode was unknown and the state was down. I found this error in the log.
Initiate IKE P1 SA 1898475 delete. curr ref count 2, del flags 0x3. Reason: Internal Error: Unknown event (0)
The security associations looked like this:
Index State Initiator cookie Responder cookie Mode Remote Address
1897579 UP e828d4c3cf65dea4 0a7d6e8c8a5f7fa1 Main xxx.xxx.xxx.xxx
1897673 DOWN ed7d4957fd811775 49d7f52a48f53679 Unknown xxx.xxx.xxx.xxx
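The post compares a Juniper-style IKE phase 1 proposal against a Cisco-style one by eye, and reads the `show security ike security-associations` table for a zero responder cookie. The script below is an added example, not code from the post or from Juniper; it normalises both vendors' spellings of the five phase 1 parameters to one canonical form so a mismatch shows up as a named field, and it parses the SA table to list the SAs that never received a reply. The vendor-name mappings are an assumption covering the values on the page plus a few common neighbours; the sample proposals and SA table are the ones quoted in the post.

```python
import re

# Assumed vendor-name mappings: Juniper SRX CLI names and Cisco-style names
# for the same IKEv1 phase 1 field, reduced to one canonical key.
_KEYS = {
    "authentication-method": "auth", "authentication": "auth",
    "dh-group": "dh", "d-h group": "dh",
    "authentication-algorithm": "hash", "hash": "hash",
    "encryption-algorithm": "enc", "encryption": "enc",
    "lifetime-seconds": "lifetime", "lifetime(seconds)": "lifetime",
}
_AUTH = {"pre-shared-keys": "psk", "pre-share": "psk",
         "rsa-signatures": "rsa", "rsa-sig": "rsa"}
_HASH = {"sha1": "sha1", "sha": "sha1", "sha-1": "sha1",
         "sha256": "sha256", "sha-256": "sha256", "md5": "md5"}


def _norm_enc(v):
    """aes-256-cbc, aes-256 and Cisco's bare 'aes' (AES-128) -> aes-<bits>."""
    if v == "aes":
        return "aes-128"
    m = re.match(r"aes-?(\d+)(-cbc)?$", v)
    if m:
        return f"aes-{m.group(1)}"
    if v in ("3des", "3des-cbc"):
        return "3des"
    return v


def _normalise(field, value):
    v = value.lower()
    if field == "auth":
        return _AUTH.get(v, v)
    if field == "dh":
        return int(v.replace("group", ""))   # group14 and 14 -> 14
    if field == "hash":
        return _HASH.get(v, v)
    if field == "enc":
        return _norm_enc(v)
    if field == "lifetime":
        return int(v)
    return v


def parse_proposal(text):
    """Parse 'parameter value' lines in either vendor's spelling."""
    prop = {}
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        key, value = line.rsplit(None, 1)       # value is the last token
        field = _KEYS.get(key.lower())
        if field is None:
            raise ValueError(f"unrecognised parameter: {line}")
        prop[field] = _normalise(field, value)
    return prop


def compare_proposals(ours, theirs):
    """Names of the fields whose canonical values differ; empty means match."""
    return sorted(f for f in set(ours) | set(theirs)
                  if ours.get(f) != theirs.get(f))


def parse_ike_sas(text):
    """Parse the SRX 'show security ike security-associations' table."""
    sas = []
    for line in text.strip().splitlines()[1:]:   # first line is the header
        idx, state, icookie, rcookie, mode, remote = line.split()
        sas.append({"index": int(idx), "state": state, "icookie": icookie,
                    "rcookie": rcookie, "mode": mode, "remote": remote})
    return sas


def unanswered(sas):
    """Indexes of DOWN SAs whose responder cookie is all zeros, i.e. our
    first main-mode message went out but no reply was ever processed."""
    return [sa["index"] for sa in sas
            if sa["state"] == "DOWN" and set(sa["rcookie"]) == {"0"}]


# Sample input copied from the post (Juniper side, then the peer's side).
OURS = """
authentication-method pre-shared-keys
dh-group group14
authentication-algorithm sha1
encryption-algorithm aes-256-cbc
lifetime-seconds 28800
"""
THEIRS = """
Authentication pre-share
D-H Group 14
Hash sha
Encryption aes-256
Lifetime(seconds) 28800
"""
SA_TABLE = """
Index State Initiator cookie Responder cookie Mode Remote Address
1897066 UP 4cbbffa7700d641b d57600a59dc24c3a Main xxx.xxx.xxx.xxx
1897435 DOWN c3cf8b4f3a140154 0000000000000000 Main xxx.xxx.xxx.xxx
"""

if __name__ == "__main__":
    print("mismatched fields:", compare_proposals(parse_proposal(OURS),
                                                  parse_proposal(THEIRS)))
    print("SAs with no reply:", unanswered(parse_ike_sas(SA_TABLE)))
```

Two things the check makes explicit that eyeballing does not. First, it only covers the negotiated proposal: a wrong pre-shared key in IKEv1 main mode is not detected until the authentication exchange (messages 5 and 6), by which point the responder has already answered with its cookie, so an all-zero responder cookie is not what a key mismatch looks like. Second, NO_PROPOSAL_CHOSEN is sent by the responder of a negotiation, so a peer that logs receiving it was the initiator in that attempt; comparing proposals in both directions, with each side's full list of proposals rather than one chosen entry, is the check to run.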