Jump to content
Welcome to our new Citrix community!

ipsec vpn between netscaler and juniper srx is not stable


Marwa Saidani

Recommended Posts

Hi All,

Does anyone has a guide of ipsec configuration between juniper srx and Citrix Netscaler?(i googled  but i couldn`t find anything) 

The issue i`m having is that i configured ipsec vpn ,in our side we use Juniper srx ,the customer side are using Citrix netscaler .

From the beginning i was receiving this alert in the log message:

=============

Oct 26 16:30:57 sn-dx-node0 kmd[2232]: KMD_DPD_PEER_DOWN: DPD detected peer 161 .156.130.175 is dead, so dropping the tunnel
Oct 26 16:30:57 sn-dx-node0 kmd[2232]: KMD_VPN_DOWN_ALARM_USER: VPN ike-vpn-efi s from 161.156.130.175 is down. Local-ip: 172.17.30.2, gateway name: gw-efis, vp n name: ike-vpn-efis, tunnel-id: 131075, local tunnel-if: st0.12, remote tunnel- ip: Not-Available, Local IKE-ID: , Remote IKE-ID: 161.156.130.175, AAA user name: Not-Applicable, VR id: 7, Traffic-selector: , Traffic-selector local ID: i pv4_subnet(any:0,[0..7]=10.15.29.0/29), Traffic-selector remote ID: ipv4_subnet( any:0,[0..7]=10.75.53.0/26), SA Type: Static, Reason: DPD detected peer as down. Existing IKE/IPSec SAs cleared

===============================

Also when we transfer files to the customer side,the connection times out and hangs randomly 

also when i do "show security ike security-association" and "show security ipsec security-association" i dont see that particular vpn listed in the output however once i do ping to the customer side ,the vpn comes up and i can see it on the output of those show commands .

Im suspecting mismatch configuration on the DPD,so i deleted DPD configuration from our side ,the vpn now is always listed on the "show security ipsec security association" but we still have the same behavior: if i do ping ,there are some packet loss randomly and file transfer still hanging 

Here is the customer phase1 (ike) configuration:

===============


IKE Protocol Version: V1
Perfect Forward Secrecy: DISABLE
Encryption Algorithm: AES 3DES AES192 AES256
Hashing Algorithm: HMAC_SHA1 HMAC_SHA256 HMAC_SHA384 HMAC_SHA512 HMAC_MD5
Lifetime: 28800
Pre shared key: *****
LivenessCheckInterval: 10
ikeRetryInterval: 60
replayWindowSize: 9216
RetransmitInterval: 1

==============================

and this is our phase1 configuration:

=======================

ike-policy efis-ike-phase1-policy;
address 161.156.130.175;
dead-peer-detection {
interval 10;
threshold 3;
}
local-identity inet 195.30.121.105;
remote-identity inet 161.156.130.175;
external-interface reth1.33;
version v1-only;

===================== 

im having trouble understanding those parameters in the customer configuration : LivenessCheckInterval, ikeRetryInterval, replayWindowSize and  RetransmitInterval 

and im not sure if those have the same function as DPD in juniper and if they should match ,and even with some googling im still not sure

So if anyone has an idea or a guide i will be super grateful 

Thank you in advance 

 

Link to comment
Share on other sites

  • 2 weeks later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...