I'm a bit stumped and was hoping to find some guidance here.
I've configured an IPSec tunnel to Microsoft Azure from my Juniper SRX240 (12.1X44-D45.2). The tunnel works fine but phase 2 drops when there is no traffic running across the tunnel (doesn't matter from which side traffic originates).
I've tried playing around with DPD, but Azure doesn't seem to support it. I've also configured VPN monitor to a destination routed through the tunnel, but this also didn't work. In my "show log kmd" I am seeing P2 "No proposal chosen" messages after the drop occurs. I should add that phase 1 never drops.
This would be ok, but unfortunately I have to statically route the remote ranges over the tunnel, and since the tunnel doesn't (and can't) have an IP address, my next hop is st0.2. When phase 2 drops, so does the static route, and routing follows the next more specific route. So there seems to be no way to bring the tunnel back up automatically when it drops (or is there?).
I would greatly appreciate any advice or assistance on the matter. I need the tunnel to stay up even when there's no traffic running over it. Please see my config below. (Some details omitted or changed for security purposes).
set groups GENERIC_GROUP security ike proposal IKE_PROPOSAL authentication-method pre-shared-keys
set groups GENERIC_GROUP security ike proposal IKE_PROPOSAL dh-group group2
set groups GENERIC_GROUP security ike proposal IKE_PROPOSAL authentication-algorithm sha1
set groups GENERIC_GROUP security ike proposal IKE_PROPOSAL encryption-algorithm aes-256-cbc
set groups GENERIC_GROUP security ike proposal IKE_PROPOSAL lifetime-seconds 28800
set groups GENERIC_GROUP security ipsec proposal IPSEC_PROPOSAL protocol esp
set groups GENERIC_GROUP security ipsec proposal IPSEC_PROPOSAL authentication-algorithm hmac-sha1-96
set groups GENERIC_GROUP security ipsec proposal IPSEC_PROPOSAL encryption-algorithm aes-256-cbc
set groups GENERIC_GROUP security ipsec proposal IPSEC_PROPOSAL lifetime-seconds 3600
set groups GENERIC_GROUP security ipsec policy IPSEC_POLICY proposals IPSEC_PROPOSAL
set groups CUSTOMER_GROUP interfaces st0 unit 2 family inet
set groups CUSTOMER_GROUP security ike policy IKE_POLICY mode main
set groups CUSTOMER_GROUP security ike policy IKE_POLICY proposals IKE_PROPOSAL
set groups CUSTOMER_GROUP security ike policy IKE_POLICY pre-shared-key ascii-text omitted
set groups CUSTOMER_GROUP security ike gateway IKE_GATEWAY ike-policy IKE_POLICY
set groups CUSTOMER_GROUP security ike gateway IKE_GATEWAY address omitted
set groups CUSTOMER_GROUP security ike gateway IKE_GATEWAY external-interface vlan.457
set groups CUSTOMER_GROUP security ike gateway IKE_GATEWAY version v2-only
set groups CUSTOMER_GROUP security ipsec vpn IPSEC_VPN bind-interface st0.2
set groups CUSTOMER_GROUP security ipsec vpn IPSEC_VPN vpn-monitor optimized
set groups CUSTOMER_GROUP security ipsec vpn IPSEC_VPN vpn-monitor destination-ip 192.168.183.2
set groups CUSTOMER_GROUP security ipsec vpn IPSEC_VPN ike gateway IKE_GATEWAY
set groups CUSTOMER_GROUP security ipsec vpn IPSEC_VPN ike ipsec-policy IPSEC_POLICY
set groups CUSTOMER_GROUP security ipsec vpn IPSEC_VPN establish-tunnels immediately
set groups CUSTOMER_GROUP security policies from-zone AZURE_ZONE to-zone CUSTOMER_TRUST policy default-allow match source-address AZURE_ZONE-RANGE
set groups CUSTOMER_GROUP security policies from-zone AZURE_ZONE to-zone CUSTOMER_TRUST policy default-allow match destination-address CUSTOMER-PRIVATES
set groups CUSTOMER_GROUP security policies from-zone AZURE_ZONE to-zone CUSTOMER_TRUST policy default-allow match application any
set groups CUSTOMER_GROUP security policies from-zone AZURE_ZONE to-zone CUSTOMER_TRUST policy default-allow then permit
set groups CUSTOMER_GROUP security zones security-zone INTERNET interfaces vlan.457 host-inbound-traffic system-services ike
set groups CUSTOMER_GROUP security zones security-zone INTERNET interfaces vlan.457 host-inbound-traffic system-services ssh
set groups CUSTOMER_GROUP security zones security-zone INTERNET interfaces vlan.457 host-inbound-traffic system-services snmp
set groups CUSTOMER_GROUP security zones security-zone INTERNET interfaces vlan.457 host-inbound-traffic system-services telnet
set groups CUSTOMER_GROUP security zones security-zone INTERNET interfaces vlan.457 host-inbound-traffic system-services ping
set groups CUSTOMER_GROUP security zones security-zone AZURE_ZONE address-book address AZURE_ZONE-RANGE 192.168.183.0/24
set groups CUSTOMER_GROUP security zones security-zone AZURE_ZONE interfaces st0.2 host-inbound-traffic system-services all
set groups CUSTOMER_GROUP security zones security-zone CUSTOMER_TRUST address-book address CUSTOMER-PRIVATE-RANGE1 10.0.0.0/8
set groups CUSTOMER_GROUP security zones security-zone CUSTOMER_TRUST address-book address CUSTOMER-PRIVATE-RANGE2 172.16.0.0/12
set groups CUSTOMER_GROUP security zones security-zone CUSTOMER_TRUST address-book address CUSTOMER-PRIVATE-RANGE3 192.168.0.0/16
set groups CUSTOMER_GROUP security zones security-zone CUSTOMER_TRUST address-book address-set CUSTOMER-PRIVATES address CUSTOMER-PRIVATE-RANGE1
set groups CUSTOMER_GROUP security zones security-zone CUSTOMER_TRUST address-book address-set CUSTOMER-PRIVATES address CUSTOMER-PRIVATE-RANGE2
set groups CUSTOMER_GROUP security zones security-zone CUSTOMER_TRUST address-book address-set CUSTOMER-PRIVATES address CUSTOMER-PRIVATE-RANGE3
set groups CUSTOMER_GROUP security zones security-zone CUSTOMER_TRUST interfaces vlan.456 host-inbound-traffic system-services all
set groups CUSTOMER_GROUP routing-instances CUSTOMER_GROUP routing-options static route 0.0.0.0/0 next-hop 1.1.1.1
set groups CUSTOMER_GROUP routing-instances CUSTOMER_GROUP routing-options static route 192.168.183.0/24 next-hop st0.2
set groups CUSTOMER_GROUP routing-instances CUSTOMER_GROUP routing-options static route 192.168.0.0/16 next-hop 172.31.0.2
set groups CUSTOMER_GROUP routing-instances CUSTOMER_GROUP routing-options static route 10.0.0.0/8 next-hop 172.31.0.2
set groups CUSTOMER_GROUP routing-instances CUSTOMER_GROUP routing-options static route 172.16.0.0/12 next-hop 172.31.0.2
Here is a snippet of my KMD log.
[Jul 9 13:56:40]Added (spi=0xffa48b1d, protocol=0) entry to the spi table
[Jul 9 13:56:40]Construction NHTB payload for local:1.1.1.1, remote:2.2.2.2 IKEv2 P1 SA index 1241218 sa-cfg IPSEC_VPN
[Jul 9 13:56:40]Peer router vendor is not Juniper. Not sending NHTB payload for sa-cfg IPSEC_VPN
[Jul 9 13:56:40]ikev2_packet_allocate: Allocated packet db4000 from freelist
[Jul 9 13:56:40]Received authenticated notification payload No proposal chosen from local:1.1.1.1 remote:2.2.2.2 IKEv2 for P1 SA 1241218
[Jul 9 13:56:40]ikev2_decode_packet: [db4000/dfe400] Received packet: HDR, N(NO_PROPOSAL_CHOSEN)
[Jul 9 13:56:40]ikev2_state_child_initiator_in: [db4000/dfe400] Error: Mandatory payloads (SAr,Ni,TSi,TSr) missing
[Jul 9 13:56:40]ikev2_process_notify: [db4000/dfe400] Received error notify No proposal chosen (14)
[Jul 9 13:56:40]ikev2_state_error: [db4000/dfe400] Negotiation failed because of error No proposal chosen (14)
[Jul 9 13:56:40]IPSec negotiation failed for SA-CFG IPSEC_VPN for local:1.1.1.1, remote:2.2.2.2 IKEv2. status: No proposal chosen
[Jul 9 13:56:40] P2 ed info: flags 0x82, P2 error: Error ok
[Jul 9 13:56:40]IPSec SA done callback with sa-cfg NULL in p2_ed. status: No proposal chosen
[Jul 9 13:56:42]ikev2_packet_allocate: Allocated packet db4400 from freelist
[Jul 9 13:56:42]ikev2_decode_packet: [db4400/dfe400] Setting ed pkt ctx from VR id 4 to VR id 4)
[Jul 9 13:56:42]ikev2_decode_packet: [db4400/dfe400] Received packet: HDR
[Jul 9 13:56:42]ikev2_packet_allocate: Allocated packet db4800 from freelist
[Jul 9 13:56:43]ikev2_packet_allocate: Allocated packet db4c00 from freelist

It has to be said that the tunnel works fine when there's traffic running across it, even if it's just a ping from either end, but unfortunately this is not a feasible way to keep the tunnel up, as I'm sure you'd understand.
Any guidance would be greatly appreciated.
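As an added example, not part of the original post and not a Juniper tool: the kmd excerpt above contains a recognisable sequence (an authenticated notify on an existing P1 SA, an error in `ikev2_state_child_initiator_in`, a numeric notify code, then an "IPSec negotiation failed for SA-CFG" record), and the script below reads kmd lines and summarises per sa-cfg how often a child-SA (phase 2) negotiation failed, with which notify code and peer, while the IKE SA stayed up. That summary is what you would want feeding an alert or a dashboard while a tunnel like this one is being debugged. The message patterns are assumed from the excerpt in the post and may differ on other Junos releases; the sample log is constructed from that excerpt.

```python
"""Summarise IKEv2 child-SA (phase 2) negotiation failures from Junos kmd log lines.

Message formats are matched as they appear in the forum excerpt (assumption:
other Junos releases may word them differently).
"""
import re
from dataclasses import dataclass, field

# One kmd record: "[Mon D HH:MM:SS]message" (usually no space after the bracket)
TS_RE = re.compile(r"^\[(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})\]\s*(?P<msg>.*)$")
# Terminal failure record for one VPN (sa-cfg) carrying the IKEv2 status text
FAIL_RE = re.compile(
    r"IPSec negotiation failed for SA-CFG (?P<sacfg>\S+) for local:(?P<local>\S+), "
    r"remote:(?P<remote>\S+) IKEv2\. status: (?P<status>.+)$"
)
# Numeric IKEv2 notify code, e.g. "No proposal chosen (14)"
NOTIFY_RE = re.compile(r"Received error notify (?P<name>.+?) \((?P<code>\d+)\)")
# Authenticated notify bound to an existing IKE SA: phase 1 is up, the error concerns a child SA
P1_NOTIFY_RE = re.compile(r"Received authenticated notification payload .+? for P1 SA (?P<p1sa>\d+)")
# State handler for the initiator side of CREATE_CHILD_SA (phase 2)
CHILD_STATE_RE = re.compile(r"ikev2_state_child_initiator_in:")


@dataclass
class SaCfgFailures:
    """Failures recorded for one sa-cfg (the 'security ipsec vpn' name)."""
    count: int = 0
    last_ts: str = ""
    statuses: list = field(default_factory=list)
    error_codes: list = field(default_factory=list)
    peers: set = field(default_factory=set)
    p1_sa_ids: set = field(default_factory=set)
    child_sa_failure: bool = False  # True when the failure came out of CREATE_CHILD_SA handling


def parse_kmd_lines(lines):
    """Return {sa-cfg name: SaCfgFailures} built from an iterable of kmd log lines."""
    results = {}
    # Context gathered from the lines preceding a failure record; reset after each record
    ctx = {"code": None, "p1sa": None, "child": False}
    for raw in lines:
        m = TS_RE.match(raw.strip())
        if not m:
            continue  # not a kmd record
        ts, msg = m.group("ts"), m.group("msg")
        if (n := NOTIFY_RE.search(msg)):
            ctx["code"] = int(n.group("code"))
        elif (p := P1_NOTIFY_RE.search(msg)):
            ctx["p1sa"] = int(p.group("p1sa"))
        elif CHILD_STATE_RE.search(msg):
            ctx["child"] = True
        elif (f := FAIL_RE.search(msg)):
            rec = results.setdefault(f.group("sacfg"), SaCfgFailures())
            rec.count += 1
            rec.last_ts = ts
            rec.statuses.append(f.group("status").strip())
            rec.peers.add(f.group("remote"))
            if ctx["code"] is not None:
                rec.error_codes.append(ctx["code"])
            if ctx["p1sa"] is not None:
                rec.p1_sa_ids.add(ctx["p1sa"])
            rec.child_sa_failure = rec.child_sa_failure or ctx["child"]
            ctx = {"code": None, "p1sa": None, "child": False}
    return results


def summarize(results):
    """Render one human-readable line per sa-cfg, suitable for an alert body."""
    out = []
    for name, r in sorted(results.items()):
        kind = "child SA (phase 2) while IKE SA stayed up" if r.child_sa_failure else "unclassified"
        out.append(
            f"{name}: {r.count} failure(s), last at {r.last_ts}, peers {sorted(r.peers)}, "
            f"status {sorted(set(r.statuses))}, notify codes {sorted(set(r.error_codes))}, "
            f"IKE SA ids {sorted(r.p1_sa_ids)}, type: {kind}"
        )
    return out


# Constructed sample: the records from the post, one per line
SAMPLE_KMD_LOG = """\
[Jul 9 13:56:40]Added (spi=0xffa48b1d, protocol=0) entry to the spi table
[Jul 9 13:56:40]Construction NHTB payload for local:1.1.1.1, remote:2.2.2.2 IKEv2 P1 SA index 1241218 sa-cfg IPSEC_VPN
[Jul 9 13:56:40]Peer router vendor is not Juniper. Not sending NHTB payload for sa-cfg IPSEC_VPN
[Jul 9 13:56:40]Received authenticated notification payload No proposal chosen from local:1.1.1.1 remote:2.2.2.2 IKEv2 for P1 SA 1241218
[Jul 9 13:56:40]ikev2_decode_packet: [db4000/dfe400] Received packet: HDR, N(NO_PROPOSAL_CHOSEN)
[Jul 9 13:56:40]ikev2_state_child_initiator_in: [db4000/dfe400] Error: Mandatory payloads (SAr,Ni,TSi,TSr) missing
[Jul 9 13:56:40]ikev2_process_notify: [db4000/dfe400] Received error notify No proposal chosen (14)
[Jul 9 13:56:40]ikev2_state_error: [db4000/dfe400] Negotiation failed because of error No proposal chosen (14)
[Jul 9 13:56:40]IPSec negotiation failed for SA-CFG IPSEC_VPN for local:1.1.1.1, remote:2.2.2.2 IKEv2. status: No proposal chosen
[Jul 9 13:56:40] P2 ed info: flags 0x82, P2 error: Error ok
[Jul 9 13:56:42]ikev2_packet_allocate: Allocated packet db4400 from freelist
"""

if __name__ == "__main__":
    for line in summarize(parse_kmd_lines(SAMPLE_KMD_LOG.splitlines())):
        print(line)
```

Run it against `show log kmd` output saved to a file (`parse_kmd_lines(open("kmd.log"))`), and alert when a sa-cfg's `count` rises while `child_sa_failure` is set: that combination is exactly the "phase 1 up, phase 2 gone" condition described in the post, and it separates a rekey or proposal mismatch from an outright peer outage, where no authenticated notify on a live P1 SA would be seen.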