Juniper SRX IPSec tunnel to Microsoft Azure Dropping

I'm a bit stumped and was hoping to find some guidance here.



I've configured an IPSec tunnel to Microsoft Azure from my Juniper SRX240 (12.1X44-D45.2). The tunnel works fine but phase 2 drops when there is no traffic running across the tunnel (doesn't matter from which side traffic originates).



I've tried playing around with DPD but Azure doesn't support it. I've also configured VPN monitor to a destination on the other end of the tunnel but this also didn't work. In my "show log kmd" I am seeing P2 no proposal chosen messages after the drop occurs. I should add that phase 1 never drops.



This would be ok but unfortunately I have to statically route the remote ranges over the tunnel and since the tunnel doesn't (and can't) have an IP address, my next hop is st0.2. When phase 2 drops, so does the static route and routing follows the next more specific route. So there's no way to bring the tunnel back up automatically at this time.



I would greatly appreciate any advice or assistance on the matter. I need the tunnel to stay up even when there's no traffic running over it. Please see my config below.



set groups GENERIC_GROUP security ike proposal IKE_PROPOSAL authentication-method pre-shared-keys
set groups GENERIC_GROUP security ike proposal IKE_PROPOSAL dh-group group2
set groups GENERIC_GROUP security ike proposal IKE_PROPOSAL authentication-algorithm sha1
set groups GENERIC_GROUP security ike proposal IKE_PROPOSAL encryption-algorithm aes-256-cbc
set groups GENERIC_GROUP security ike proposal IKE_PROPOSAL lifetime-seconds 28800
set groups GENERIC_GROUP security ipsec proposal IPSEC_PROPOSAL protocol esp
set groups GENERIC_GROUP security ipsec proposal IPSEC_PROPOSAL authentication-algorithm hmac-sha1-96
set groups GENERIC_GROUP security ipsec proposal IPSEC_PROPOSAL encryption-algorithm aes-256-cbc
set groups GENERIC_GROUP security ipsec proposal IPSEC_PROPOSAL lifetime-seconds 3600
set groups GENERIC_GROUP security ipsec policy IPSEC_POLICY proposals IPSEC_PROPOSAL
set groups CUSTOMER_GROUP interfaces st0 unit 2 family inet
set groups CUSTOMER_GROUP security ike policy IKE_POLICY mode main
set groups CUSTOMER_GROUP security ike policy IKE_POLICY proposals IKE_PROPOSAL
set groups CUSTOMER_GROUP security ike policy IKE_POLICY pre-shared-key ascii-text omitted
set groups CUSTOMER_GROUP security ike gateway IKE_GATEWAY ike-policy IKE_POLICY
set groups CUSTOMER_GROUP security ike gateway IKE_GATEWAY address omitted
set groups CUSTOMER_GROUP security ike gateway IKE_GATEWAY external-interface vlan.457
set groups CUSTOMER_GROUP security ike gateway IKE_GATEWAY version v2-only
set groups CUSTOMER_GROUP security ipsec vpn IPSEC_VPN bind-interface st0.2
set groups CUSTOMER_GROUP security ipsec vpn IPSEC_VPN vpn-monitor optimized
set groups CUSTOMER_GROUP security ipsec vpn IPSEC_VPN vpn-monitor destination-ip 192.168.183.2
set groups CUSTOMER_GROUP security ipsec vpn IPSEC_VPN ike gateway IKE_GATEWAY
set groups CUSTOMER_GROUP security ipsec vpn IPSEC_VPN ike ipsec-policy IPSEC_POLICY
set groups CUSTOMER_GROUP security ipsec vpn IPSEC_VPN establish-tunnels immediately
set groups CUSTOMER_GROUP security policies from-zone AZURE_ZONE to-zone CUSTOMER_TRUST policy default-allow match source-address AZURE_ZONE-RANGE
set groups CUSTOMER_GROUP security policies from-zone AZURE_ZONE to-zone CUSTOMER_TRUST policy default-allow match destination-address CUSTOMER-PRIVATES
set groups CUSTOMER_GROUP security policies from-zone AZURE_ZONE to-zone CUSTOMER_TRUST policy default-allow match application any
set groups CUSTOMER_GROUP security policies from-zone AZURE_ZONE to-zone CUSTOMER_TRUST policy default-allow then permit
set groups CUSTOMER_GROUP security zones security-zone INTERNET interfaces vlan.457 host-inbound-traffic system-services ike
set groups CUSTOMER_GROUP security zones security-zone INTERNET interfaces vlan.457 host-inbound-traffic system-services ssh
set groups CUSTOMER_GROUP security zones security-zone INTERNET interfaces vlan.457 host-inbound-traffic system-services snmp
set groups CUSTOMER_GROUP security zones security-zone INTERNET interfaces vlan.457 host-inbound-traffic system-services telnet
set groups CUSTOMER_GROUP security zones security-zone INTERNET interfaces vlan.457 host-inbound-traffic system-services ping
set groups CUSTOMER_GROUP security zones security-zone AZURE_ZONE address-book address AZURE_ZONE-RANGE 192.168.183.0/24
set groups CUSTOMER_GROUP security zones security-zone AZURE_ZONE interfaces st0.2 host-inbound-traffic system-services all
set groups CUSTOMER_GROUP security zones security-zone CUSTOMER_TRUST address-book address CUSTOMER-PRIVATE-RANGE1 10.0.0.0/8
set groups CUSTOMER_GROUP security zones security-zone CUSTOMER_TRUST address-book address CUSTOMER-PRIVATE-RANGE2 172.16.0.0/12
set groups CUSTOMER_GROUP security zones security-zone CUSTOMER_TRUST address-book address CUSTOMER-PRIVATE-RANGE3 192.168.0.0/16
set groups CUSTOMER_GROUP security zones security-zone CUSTOMER_TRUST address-book address-set CUSTOMER-PRIVATES address CUSTOMER-PRIVATE-RANGE1
set groups CUSTOMER_GROUP security zones security-zone CUSTOMER_TRUST address-book address-set CUSTOMER-PRIVATES address CUSTOMER-PRIVATE-RANGE2
set groups CUSTOMER_GROUP security zones security-zone CUSTOMER_TRUST address-book address-set CUSTOMER-PRIVATES address CUSTOMER-PRIVATE-RANGE3
set groups CUSTOMER_GROUP security zones security-zone CUSTOMER_TRUST interfaces vlan.456 host-inbound-traffic system-services all
set groups CUSTOMER_GROUP routing-instances CUSTOMER_GROUP routing-options static route 0.0.0.0/0 next-hop 1.1.1.1
set groups CUSTOMER_GROUP routing-instances CUSTOMER_GROUP routing-options static route 192.168.183.0/24 next-hop st0.2
set groups CUSTOMER_GROUP routing-instances CUSTOMER_GROUP routing-options static route 192.168.0.0/16 next-hop 172.31.0.2
set groups CUSTOMER_GROUP routing-instances CUSTOMER_GROUP routing-options static route 10.0.0.0/8 next-hop 172.31.0.2
set groups CUSTOMER_GROUP routing-instances CUSTOMER_GROUP routing-options static route 172.16.0.0/12 next-hop 172.31.0.2


This is what the kmd logs look like.



[Jul  9 13:56:40]Added (spi=0xffa48b1d, protocol=0) entry to the spi table
[Jul 9 13:56:40]Construction NHTB payload for local:1.1.1.1, remote:2.2.2.2 IKEv2 P1 SA index 1241218 sa-cfg IPSEC_VPN
[Jul 9 13:56:40]Peer router vendor is not Juniper. Not sending NHTB payload for sa-cfg IPSEC_VPN
[Jul 9 13:56:40]ikev2_packet_allocate: Allocated packet db4000 from freelist
[Jul 9 13:56:40]Received authenticated notification payload No proposal chosen from local:1.1.1.1 remote:2.2.2.2 IKEv2 for P1 SA 1241218
[Jul 9 13:56:40]ikev2_decode_packet: [db4000/dfe400] Received packet: HDR, N(NO_PROPOSAL_CHOSEN)
[Jul 9 13:56:40]ikev2_state_child_initiator_in: [db4000/dfe400] Error: Mandatory payloads (SAr,Ni,TSi,TSr) missing
[Jul 9 13:56:40]ikev2_process_notify: [db4000/dfe400] Received error notify No proposal chosen (14)
[Jul 9 13:56:40]ikev2_state_error: [db4000/dfe400] Negotiation failed because of error No proposal chosen (14)
[Jul 9 13:56:40]IPSec negotiation failed for SA-CFG IPSEC_VPN for local:1.1.1.1, remote:2.2.2.2 IKEv2. status: No proposal chosen
[Jul 9 13:56:40] P2 ed info: flags 0x82, P2 error: Error ok
[Jul 9 13:56:40]IPSec SA done callback with sa-cfg NULL in p2_ed. status: No proposal chosen
[Jul 9 13:56:42]ikev2_packet_allocate: Allocated packet db4400 from freelist
[Jul 9 13:56:42]ikev2_decode_packet: [db4400/dfe400] Setting ed pkt ctx from VR id 4 to VR id 4)
[Jul 9 13:56:42]ikev2_decode_packet: [db4400/dfe400] Received packet: HDR
[Jul 9 13:56:42]ikev2_packet_allocate: Allocated packet db4800 from freelist
[Jul 9 13:56:43]ikev2_packet_allocate: Allocated packet db4c00 from freelist


Like I said, it works perfectly well until there's no traffic and I have no idea what else to try.



Thanks in advance!
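As an added example (not code from the question, from Juniper, or from Azure), the following Python script reads a set-style Junos configuration like the one posted and a kmd log excerpt, extracts the IKE/IPsec proposal and VPN parameters, finds the static routes whose next hop is the VPN's st0 bind interface, and correlates each "IPSec negotiation failed" kmd line with the routes that go away with it. This is the dependency described in the question: when Phase 2 drops, the st0.2 route drops too. The sample config and log lines are trimmed copies of those in the question (1.1.1.1 and 2.2.2.2 are as posted); the regular expressions and the report field names are my own assumptions about the log format, not a Juniper specification.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the set-style configuration from the question.
SAMPLE_CONFIG = """\
set groups GENERIC_GROUP security ike proposal IKE_PROPOSAL authentication-method pre-shared-keys
set groups GENERIC_GROUP security ike proposal IKE_PROPOSAL dh-group group2
set groups GENERIC_GROUP security ike proposal IKE_PROPOSAL authentication-algorithm sha1
set groups GENERIC_GROUP security ike proposal IKE_PROPOSAL encryption-algorithm aes-256-cbc
set groups GENERIC_GROUP security ike proposal IKE_PROPOSAL lifetime-seconds 28800
set groups GENERIC_GROUP security ipsec proposal IPSEC_PROPOSAL protocol esp
set groups GENERIC_GROUP security ipsec proposal IPSEC_PROPOSAL authentication-algorithm hmac-sha1-96
set groups GENERIC_GROUP security ipsec proposal IPSEC_PROPOSAL encryption-algorithm aes-256-cbc
set groups GENERIC_GROUP security ipsec proposal IPSEC_PROPOSAL lifetime-seconds 3600
set groups CUSTOMER_GROUP security ipsec vpn IPSEC_VPN bind-interface st0.2
set groups CUSTOMER_GROUP security ipsec vpn IPSEC_VPN vpn-monitor optimized
set groups CUSTOMER_GROUP security ipsec vpn IPSEC_VPN vpn-monitor destination-ip 192.168.183.2
set groups CUSTOMER_GROUP security ipsec vpn IPSEC_VPN ike gateway IKE_GATEWAY
set groups CUSTOMER_GROUP security ipsec vpn IPSEC_VPN establish-tunnels immediately
set groups CUSTOMER_GROUP routing-instances CUSTOMER_GROUP routing-options static route 0.0.0.0/0 next-hop 1.1.1.1
set groups CUSTOMER_GROUP routing-instances CUSTOMER_GROUP routing-options static route 192.168.183.0/24 next-hop st0.2
set groups CUSTOMER_GROUP routing-instances CUSTOMER_GROUP routing-options static route 192.168.0.0/16 next-hop 172.31.0.2
"""

# Constructed sample: a subset of the kmd excerpt from the question.
SAMPLE_KMD_LOG = """\
[Jul  9 13:56:40]Added (spi=0xffa48b1d, protocol=0) entry to the spi table
[Jul 9 13:56:40]Received authenticated notification payload No proposal chosen from local:1.1.1.1 remote:2.2.2.2 IKEv2 for P1 SA 1241218
[Jul 9 13:56:40]ikev2_process_notify: [db4000/dfe400] Received error notify No proposal chosen (14)
[Jul 9 13:56:40]IPSec negotiation failed for SA-CFG IPSEC_VPN for local:1.1.1.1, remote:2.2.2.2 IKEv2. status: No proposal chosen
[Jul 9 13:56:42]ikev2_decode_packet: [db4400/dfe400] Received packet: HDR
"""

SET_RE = re.compile(r"^set groups (\S+) (.+)$")

# Assumed shape of the kmd failure line (my regex, matched against the posted excerpt).
FAIL_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]IPSec negotiation failed for SA-CFG (?P<sa>\S+) for "
    r"local:(?P<local>[^,\s]+), remote:(?P<remote>\S+) (?P<ver>IKEv\d)\. status: (?P<status>.+)$"
)


def parse_set_config(text):
    """Flatten 'set groups <group> ...' lines into {group: [token lists]}."""
    groups = defaultdict(list)
    for line in text.splitlines():
        m = SET_RE.match(line.strip())
        if m:
            groups[m.group(1)].append(m.group(2).split())
    return dict(groups)


def _kv_table(stmts, prefix):
    """Collect statements starting with `prefix` into {name: {key: value}}.
    The token after the prefix is the object name; remaining tokens are a
    space-joined key plus a final value (a lone token becomes a True flag)."""
    table = defaultdict(dict)
    n = len(prefix)
    for toks in stmts:
        if toks[:n] != prefix or len(toks) < n + 2:
            continue
        name, rest = toks[n], toks[n + 1:]
        key, value = (" ".join(rest[:-1]), rest[-1]) if len(rest) > 1 else (rest[0], True)
        table[name][key] = value
    return dict(table)


def extract_proposals(cfg):
    """IKE proposals, IPsec proposals and VPN objects across all groups."""
    stmts = [t for g in cfg.values() for t in g]
    return {
        "ike": _kv_table(stmts, ["security", "ike", "proposal"]),
        "ipsec": _kv_table(stmts, ["security", "ipsec", "proposal"]),
        "vpn": _kv_table(stmts, ["security", "ipsec", "vpn"]),
    }


def static_routes(cfg):
    """All (prefix, next-hop) pairs from 'static route ... next-hop ...' statements."""
    routes = []
    for toks in (t for g in cfg.values() for t in g):
        if "static" in toks and "route" in toks and "next-hop" in toks:
            routes.append((toks[toks.index("route") + 1], toks[toks.index("next-hop") + 1]))
    return routes


def routes_tied_to_vpn(cfg):
    """Map each VPN name to the static routes whose next hop is its bind
    interface; as the question describes, those routes vanish with the SA."""
    vpns = extract_proposals(cfg)["vpn"]
    return {name: [p for p, nh in static_routes(cfg) if nh == attrs.get("bind-interface")]
            for name, attrs in vpns.items()}


def phase2_failures(log_text):
    """Pull timestamp, sa-cfg, peers and status out of kmd failure lines."""
    return [m.groupdict() for line in log_text.splitlines()
            if (m := FAIL_RE.match(line.strip()))]


def impact_report(config_text, log_text):
    """Join each Phase 2 failure with the routes that depend on that VPN."""
    tied = routes_tied_to_vpn(parse_set_config(config_text))
    return [{"time": f["ts"], "sa_cfg": f["sa"], "status": f["status"],
             "routes_at_risk": tied.get(f["sa"], [])}
            for f in phase2_failures(log_text)]


if __name__ == "__main__":
    for entry in impact_report(SAMPLE_CONFIG, SAMPLE_KMD_LOG):
        print(entry)
```

In practice the two inputs would be the output of `show configuration | display set` and `show log kmd`; the parser only understands the `set groups` form shown here and ignores everything else, which is deliberate so that it can be extended one statement family at a time.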










      [Jul 9 13:56:40]Received authenticated notification payload No proposal chosen from local:1.1.1.1 remote:2.2.2.2 IKEv2 for P1 SA 1241218
      [Jul 9 13:56:40]ikev2_decode_packet: [db4000/dfe400] Received packet: HDR, N(NO_PROPOSAL_CHOSEN)
      [Jul 9 13:56:40]ikev2_state_child_initiator_in: [db4000/dfe400] Error: Mandatory payloads (SAr,Ni,TSi,TSr) missing
      [Jul 9 13:56:40]ikev2_process_notify: [db4000/dfe400] Received error notify No proposal chosen (14)
      [Jul 9 13:56:40]ikev2_state_error: [db4000/dfe400] Negotiation failed because of error No proposal chosen (14)
      [Jul 9 13:56:40]IPSec negotiation failed for SA-CFG IPSEC_VPN for local:1.1.1.1, remote:2.2.2.2 IKEv2. status: No proposal chosen
      [Jul 9 13:56:40] P2 ed info: flags 0x82, P2 error: Error ok
      [Jul 9 13:56:40]IPSec SA done callback with sa-cfg NULL in p2_ed. status: No proposal chosen
      [Jul 9 13:56:42]ikev2_packet_allocate: Allocated packet db4400 from freelist
      [Jul 9 13:56:42]ikev2_decode_packet: [db4400/dfe400] Setting ed pkt ctx from VR id 4 to VR id 4)
      [Jul 9 13:56:42]ikev2_decode_packet: [db4400/dfe400] Received packet: HDR
      [Jul 9 13:56:42]ikev2_packet_allocate: Allocated packet db4800 from freelist
      [Jul 9 13:56:43]ikev2_packet_allocate: Allocated packet db4c00 from freelist


      Like I said, it works perfectly well until there's no traffic and I have no idea what else to try.



      Thanks in advance!







      azure ipsec juniper srx
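As an added example, not code from the question or the answer, here is a small Python parser for kmd output like the lines quoted above. It pulls out the "IPSec negotiation failed" summary lines and the IKEv2 error notifies, counts failures per peer and sa-cfg, and returns an alert decision, so a repeatedly failing rekey is caught before the tunnel is noticed to be down. The sample log is a subset of the lines from the question; the regexes, function names and the alert threshold are assumptions.

```python
import re
from collections import Counter

# Sample kmd output: a subset of the lines quoted in the question above (not a full capture).
SAMPLE_KMD_LOG = """\
[Jul  9 13:56:40]Added (spi=0xffa48b1d, protocol=0) entry to the spi table
[Jul 9 13:56:40]Construction NHTB payload for local:1.1.1.1, remote:2.2.2.2 IKEv2 P1 SA index 1241218 sa-cfg IPSEC_VPN
[Jul 9 13:56:40]Received authenticated notification payload No proposal chosen from local:1.1.1.1 remote:2.2.2.2 IKEv2 for P1 SA 1241218
[Jul 9 13:56:40]ikev2_process_notify: [db4000/dfe400] Received error notify No proposal chosen (14)
[Jul 9 13:56:40]IPSec negotiation failed for SA-CFG IPSEC_VPN for local:1.1.1.1, remote:2.2.2.2 IKEv2. status: No proposal chosen
[Jul 9 13:56:42]ikev2_decode_packet: [db4400/dfe400] Received packet: HDR
"""

# The kmd summary line written when an IPsec (child SA) negotiation fails (pattern is an assumption).
FAILED_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]IPSec negotiation failed for SA-CFG (?P<sa_cfg>\S+) "
    r"for local:(?P<local>[\d.]+), remote:(?P<remote>[\d.]+) (?P<ike>IKEv\d)\. "
    r"status: (?P<status>.+)$"
)
# The IKEv2 error notify the peer sent, with its numeric notify type (14 = NO_PROPOSAL_CHOSEN).
NOTIFY_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]ikev2_process_notify: \[[^\]]+\] Received error notify "
    r"(?P<status>.+?) \((?P<code>\d+)\)$"
)

def parse_failures(log_text):
    """One dict per 'IPSec negotiation failed' line: ts, sa_cfg, local, remote, ike, status."""
    return [m.groupdict() for line in log_text.splitlines()
            if (m := FAILED_RE.match(line.strip()))]

def error_notifies(log_text):
    """The IKEv2 error notifies received, each with its notify type code as a string."""
    return [m.groupdict() for line in log_text.splitlines()
            if (m := NOTIFY_RE.match(line.strip()))]

def failures_by_peer(log_text):
    """Count failures per (remote, sa-cfg, status) so a repeatedly failing tunnel stands out."""
    counts = Counter()
    for f in parse_failures(log_text):
        counts[(f["remote"], f["sa_cfg"], f["status"])] += 1
    return counts

def should_alert(log_text, threshold=1):
    """True when any peer/sa-cfg pair failed at least `threshold` times (threshold is an assumption)."""
    return any(n >= threshold for n in failures_by_peer(log_text).values())

if __name__ == "__main__":
    for f in parse_failures(SAMPLE_KMD_LOG):
        print(f"{f['ts']}: {f['sa_cfg']} to {f['remote']} ({f['ike']}) failed: {f['status']}")
```

In the quoted lines the rejection arrives in the child-SA exchange (ikev2_state_child_initiator_in) after the P1 SA already exists, so the proposal or traffic-selector mismatch to look for is on the IPsec phase, not the IKE phase.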






      edited Jul 9 '15 at 14:06 by Rudidl

      asked Jul 9 '15 at 13:56 by Rudidl
          1 Answer
          That issue sounds like an issue I had in an IPSec VPN tunnel between Vyatta and Juniper SRX.

          Have you tried to configure in your Juniper and in Azure the dead peer detection under the IKE configuration in the first phase of the VPN negotiation?

          In Juniper I know that it is enabled by default, but for example in Vyatta I had to configure it manually and it looks something like this:



              ike-group <IKE-GROUP> {
                  dead-peer-detection {
                      action restart
                      interval 15
                      timeout 30
                  }
                  lifetime 3600
                  proposal 1 {
                      encryption aes256
                      hash sha1
                  }
                  proposal 2 {
                      encryption aes256
                      hash sha1
                  }
              }


          Please let me know if it does work for you.



          Saul






                answered Jun 27 '16 at 8:25 by Saul Ramos