IPsec troubleshooting with traceoptions





traceoptions
root@vSRX2> show configuration security ike
traceoptions {
    file ikeflag size 1m;
    flag all;
}


root@vSRX2> show log ikeflag

file
[Mar 31 16:38:15][0] IKEv1 packet S(192.168.225.20:500 -> 192.168.225.30:500): len=  344, mID=00000000, HDR, SA, Vid, Vid, Vid, Vid, Vid, Vid, Vid, Vid, Vid, Vid, Vid, Vid
[Mar 31 16:38:15][0] ike_send_packet: Start, send SA = { 881b0e31 f5b57be0 - 00000000 00000000}, nego = -1, dst = 192.168.225.30:500
[Mar 31 16:38:15][0] ---------> Received from 192.168.225.30:500 to 192.168.225.20:0, VR 0, length 102 on IF
[Mar 31 16:38:15][0] ikev2_packet_st_input_start: FSM_SET_NEXT:ikev2_packet_st_input_v1_get_sa
[Mar 31 16:38:15][0] ike_sa_find: Not found SA = { 881b0e31 f5b57be0 - d7b98ecb d15b84f6 }
[Mar 31 16:38:15][0] ikev2_packet_st_input_v1_get_sa: Checking if unauthenticated IKEv1 notify is for an IKEv2 SA


[Mar 31 16:38:15][0] ike_send_notify: Connected, SA = { 881b0e31 f5b57be0 - d7b98ecb d15b84f6}, nego = 0
[Mar 31 16:38:15][0] 192.168.225.20:500 (Initiator) <-> 192.168.225.30:500 { 881b0e31 f5b57be0 - d7b98ecb d15b84f6 [-1] / 0x00000000 } IP; Connection got error = 14, calling callback
[Mar 31 16:38:15][0] ikev2_fb_v1_encr_id_to_v2_id: Unknown IKE encryption identifier -1
[Mar 31 16:38:15][0] ikev2_fb_v1_hash_id_to_v2_prf_id: Unknown IKE hash alg identifier -1
[Mar 31 16:38:15][0] ikev2_fb_v1_hash_id_to_v2_integ_id: Unknown IKE hash alg identifier -1
[Mar 31 16:38:15][0] IKE negotiation fail for local:192.168.225.20, remote:192.168.225.30 IKEv1 with status: No proposal chosen
[Mar 31 16:38:15][0]   IKEv1 Error : No proposal chosen
[Mar 31 16:38:15][0] IPSec Rekey for SPI 0x0 failed
[Mar 31 16:38:15][0] IPSec SA done callback called for sa-cfg IPSEC-VPN2 local:192.168.225.20, remote:192.168.225.30 IKEv1 with status No proposal chosen
[Mar 31 16:38:15][0] IKE SA delete called for p1 sa 3764543 (ref cnt 2) local:192.168.225.20, remote:192.168.225.30, IKEv1
[Mar 31 16:38:15][0] P1 SA 3764543 reference count is not zero (1). Delaying deletion of SA
[Mar 31 16:38:15][0] iked_pm_p1_sa_destroy:  p1 sa 3764543 (ref cnt 0), waiting_for_del 0x8f15d80
[Mar 31 16:38:15][0] The Remote Access user's license error in release


Solution

Wrong configuration on the remote site: wrong gateway IP address.
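
To pull the failed negotiations out of a long ikeflag trace, the following added example (not part of the original page) parses the line format shown in the log above and reports peer pair, status and VPN name. The function names are hypothetical and the sample lines are copied from that trace.

```python
import re
from collections import Counter

# Constructed sample: lines copied from the ikeflag trace shown on this page.
SAMPLE = """\
[Mar 31 16:38:15][0] ike_sa_find: Not found SA = { 881b0e31 f5b57be0 - d7b98ecb d15b84f6 }
[Mar 31 16:38:15][0] IKE negotiation fail for local:192.168.225.20, remote:192.168.225.30 IKEv1 with status: No proposal chosen
[Mar 31 16:38:15][0]   IKEv1 Error : No proposal chosen
[Mar 31 16:38:15][0] IPSec SA done callback called for sa-cfg IPSEC-VPN2 local:192.168.225.20, remote:192.168.225.30 IKEv1 with status No proposal chosen
"""

# "[timestamp][n] message" prefix used by every trace line
LINE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[\d+\]\s+(?P<msg>.*)$")
# Phase 1 failure summary line
FAIL = re.compile(r"IKE negotiation fail for local:(?P<local>[\d.]+), "
                  r"remote:(?P<remote>[\d.]+) (?P<ver>IKEv[12]) "
                  r"with status: (?P<status>.+)$")
# Line that ties a peer pair to the configured VPN (sa-cfg) name
SACFG = re.compile(r"for sa-cfg (?P<vpn>\S+) local:(?P<local>[\d.]+), "
                   r"remote:(?P<remote>[\d.]+)")

def summarize(text):
    """Return one dict per failed IKE negotiation found in the trace text."""
    failures, vpn_by_peer = [], {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # blank or non-trace line
        msg = m.group("msg")
        f = FAIL.search(msg)
        if f:
            rec = {"ts": m.group("ts"), **f.groupdict()}
            rec["status"] = rec["status"].strip()
            failures.append(rec)
        s = SACFG.search(msg)
        if s:
            vpn_by_peer[(s["local"], s["remote"])] = s["vpn"]
    # The sa-cfg line follows the failure line, so attach names after the pass.
    for rec in failures:
        rec["vpn"] = vpn_by_peer.get((rec["local"], rec["remote"]))
    return failures

def count_by_status(failures):
    """Count failures per (remote peer, status) to spot a repeating problem."""
    return Counter((f["remote"], f["status"]) for f in failures)

if __name__ == "__main__":
    for f in summarize(SAMPLE):
        print(f["ts"], f["vpn"], f["local"], "->", f["remote"], f["ver"], f["status"])
```

In the trace above the reported status is "No proposal chosen" while the cause given under Solution was the gateway address on the remote site, so treat the status as a starting point and compare the gateway configuration on both peers.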