Hi,
I have an SRX240 (version 11.4R7.5) and want to build an L2L VPN with an ASA firewall. When the ASA is directly on the public internet, the IPsec tunnel can be built up successfully, but when I put the ASA behind a router and NAT it to the internet with a static NAT, the IPsec tunnel cannot be built up.
From what I tried, when I initiate the tunnel from the ASA side, the error shown on the SRX is: "Jan 21 22:46:35 BTMU-FW-01 kmd[1365]: IKE Phase-1 Failure: Invalid cookie recvd [spi=^D@嘘M-^@沪^P, src_ip=<none>, dst_ip=114.141.171.66]"
When I initiate the tunnel from the SRX side, the error shown on the ASA is: "Jan 22 2014 10:52:22 GEJV-DC-SH-ASA5520-01 : %ASA-3-713231: Group = 106.37.206.50, IP = 106.37.206.50, Internal Error, ike_lock trying to unlock bit that is not locked for type SA_LOCK_P1_SA_CREATE
Jan 22 2014 10:52:22 GEJV-DC-SH-ASA5520-01 : %ASA-3-713232: Group = 106.37.206.50, IP = 106.37.206.50, SA lock refCnt = 0, bitmask = 00000000, p1_decrypt_cb = 0, qm_decrypt_cb = 0, qm_hash_cb = 0, qm_spi_ok_cb = 0, qm_dh_cb = 0, qm_secret_key_cb = 0, qm_encrypt_cb = 1
Jan 22 2014 10:52:22 GEJV-DC-SH-ASA5520-01 : %ASA-3-713902: Group = 106.37.206.50, IP = 106.37.206.50, Removing peer from correlator table failed, no match!"
I know that if an SRX firewall is behind NAT, the command "set security ike gateway L2L-P1-Gateway local-identity inet xxxx" should be configured; does the ASA also need the equivalent command configured?
Does anyone know what the issue is?
This is the config for the ASA:
access-list To-BTMU extended permit ip host 10.10.2.2 host 10.10.11.253 log
tunnel-group 106.37.206.50 type ipsec-l2l
tunnel-group 106.37.206.50 ipsec-attributes
ikev1 pre-shared-key XXXX
isakmp keepalive threshold 300 retry 3
crypto ikev1 policy 8
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto ipsec ikev1 transform-set L2L-P2-BTMU esp-des esp-md5-hmac
crypto map remotevpn 20 match address To-BTMU
crypto map remotevpn 20 set peer 106.37.206.50
crypto map remotevpn 20 set ikev1 transform-set L2L-P2-BTMU
This is the config for the SRX:
set security zones security-zone INTERNET address-book address L2L-Remote-Address 10.10.2.2/32
set security zones security-zone Management address-book address L2L-Local-Address 10.10.11.253/32
set security ike proposal L2L-P1-Proposal authentication-method pre-shared-keys
set security ike proposal L2L-P1-Proposal dh-group group2
set security ike proposal L2L-P1-Proposal authentication-algorithm sha1
set security ike proposal L2L-P1-Proposal encryption-algorithm des-cbc
set security ike proposal L2L-P1-Proposal lifetime-seconds 86400
set security ike policy L2L-P1-Policy mode main
set security ike policy L2L-P1-Policy proposals L2L-P1-Proposal
set security ike policy L2L-P1-Policy pre-shared-key ascii-text "$9$aFUkPFnCpBEmf0IEcMWbs24Zjq.5"
set security ike gateway L2L-P1-Gateway ike-policy L2L-P1-Policy
set security ike gateway L2L-P1-Gateway address 114.141.171.66
set security ike gateway L2L-P1-Gateway external-interface ge-0/0/0.0
set security ipsec proposal L2L-P2-Proposal protocol esp
set security ipsec proposal L2L-P2-Proposal authentication-algorithm hmac-md5-96
set security ipsec proposal L2L-P2-Proposal encryption-algorithm des-cbc
set security ipsec proposal L2L-P2-Proposal lifetime-seconds 3600
set security ipsec policy L2L-P2-Policy proposals L2L-P2-Proposal
set security ipsec vpn IMC-Vpn ike gateway L2L-P1-Gateway
set security ipsec vpn IMC-Vpn ike ipsec-policy L2L-P2-Policy
set security ipsec vpn IMC-Vpn establish-tunnels on-traffic
set security policies from-zone Management to-zone INTERNET policy VPN-Outbound match source-address L2L-Local-Address
set security policies from-zone Management to-zone INTERNET policy VPN-Outbound match destination-address L2L-Remote-Address
set security policies from-zone Management to-zone INTERNET policy VPN-Outbound match application any
set security policies from-zone Management to-zone INTERNET policy VPN-Outbound then permit tunnel ipsec-vpn IMC-Vpn
set security policies from-zone Management to-zone INTERNET policy VPN-Outbound then permit tunnel pair-policy VPN-Inbound
set security policies from-zone Management to-zone INTERNET policy VPN-Outbound then log session-init
set security policies from-zone Management to-zone INTERNET policy VPN-Outbound then log session-close
set security policies from-zone INTERNET to-zone Management policy VPN-Inbound match source-address L2L-Remote-Address
set security policies from-zone INTERNET to-zone Management policy VPN-Inbound match destination-address L2L-Local-Address
set security policies from-zone INTERNET to-zone Management policy VPN-Inbound match application any
set security policies from-zone INTERNET to-zone Management policy VPN-Inbound then permit tunnel ipsec-vpn IMC-Vpn
set security policies from-zone INTERNET to-zone Management policy VPN-Inbound then permit tunnel pair-policy VPN-Outbound
set security policies from-zone INTERNET to-zone Management policy VPN-Inbound then log session-init
set security policies from-zone INTERNET to-zone Management policy VPN-Inbound then log session-close
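The SRX log above reports an IKE phase-1 "Invalid cookie" with the SPI printed as raw bytes, which is hard to compare against `show security ike security-associations` by eye. The script below is an added example for this thread, not code from the original poster, Juniper or Cisco: it decodes the fixed ISAKMP header (RFC 2408) from a UDP payload captured on port 500 or, with the RFC 3948 non-ESP marker and keepalive framing, on port 4500 as used when a peer sits behind NAT, and then checks the initiator/responder cookie pair against a set of SA cookies the responder is assumed to hold. The packets, cookie values and the known-SA set are all constructed for the example; the cookie check is a simplified model of what a responder does, not Junos kmd's actual code.

```python
"""Decode IKEv1/ISAKMP headers from UDP 500 or NAT-T UDP 4500 payloads.

Added example for this thread (not part of the original post or of the
Junos/ASA software). All sample packets below are constructed, not captured.
"""
import struct
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# RFC 2408 section 3.1 fixed header: initiator cookie (8), responder cookie (8),
# next payload (1), version (1), exchange type (1), flags (1), message ID (4), length (4).
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
ISAKMP_HDR_LEN = ISAKMP_HDR.size  # 28 bytes

EXCHANGE_TYPES = {2: "Identity Protection (main mode)", 4: "Aggressive",
                  5: "Informational", 32: "Quick Mode"}
FLAG_ENCRYPTION = 0x01  # payload after the header is encrypted

NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948 2.2: IKE on UDP 4500 is prefixed with 4 zero bytes
NAT_KEEPALIVE = b"\xff"                # RFC 3948 2.3: one 0xFF byte keeps the NAT mapping alive


@dataclass
class IsakmpHeader:
    initiator_cookie: str   # hex
    responder_cookie: str   # hex, all zeros in the first main-mode message
    version: str
    exchange_type: str
    encrypted: bool
    message_id: int
    length: int
    nat_t_framing: bool     # True if the packet arrived with the UDP 4500 non-ESP marker


def parse_ike_udp_payload(payload: bytes, dst_port: int) -> Optional[IsakmpHeader]:
    """Return the decoded header, or None for a NAT-T keepalive packet."""
    nat_t = dst_port == 4500
    if nat_t:
        if payload == NAT_KEEPALIVE:
            return None
        if not payload.startswith(NON_ESP_MARKER):
            # Without the marker the UDP 4500 payload is UDP-encapsulated ESP, not IKE.
            raise ValueError("UDP 4500 payload without non-ESP marker is ESP, not IKE")
        payload = payload[len(NON_ESP_MARKER):]
    if len(payload) < ISAKMP_HDR_LEN:
        raise ValueError(f"payload too short for ISAKMP header: {len(payload)} bytes")
    icookie, rcookie, _next, ver, xchg, flags, msg_id, length = ISAKMP_HDR.unpack_from(payload)
    if length != len(payload):
        raise ValueError(f"ISAKMP length field {length} != payload length {len(payload)}")
    return IsakmpHeader(
        initiator_cookie=icookie.hex(),
        responder_cookie=rcookie.hex(),
        version=f"{ver >> 4}.{ver & 0x0F}",
        exchange_type=EXCHANGE_TYPES.get(xchg, f"unknown ({xchg})"),
        encrypted=bool(flags & FLAG_ENCRYPTION),
        message_id=msg_id,
        length=length,
        nat_t_framing=nat_t,
    )


def cookies_match_known_sa(hdr: IsakmpHeader, known_sas: Set[Tuple[str, str]]) -> bool:
    """Simplified responder-side check: is this cookie pair one we already hold?

    A first main-mode message legitimately carries an all-zero responder cookie.
    Any later message whose (initiator, responder) pair is unknown to the
    responder cannot be tied to an SA; that is the condition a responder
    rejects as an invalid cookie.
    """
    if hdr.responder_cookie == "00" * 8:
        return True
    return (hdr.initiator_cookie, hdr.responder_cookie) in known_sas


def build_ike_packet(icookie: bytes, rcookie: bytes, xchg: int, flags: int,
                     msg_id: int, body: bytes) -> bytes:
    """Assemble a constructed ISAKMP message (next payload 1 = SA, version 1.0)."""
    return ISAKMP_HDR.pack(icookie, rcookie, 1, 0x10, xchg, flags, msg_id,
                           ISAKMP_HDR_LEN + len(body)) + body


# Constructed samples (hypothetical cookies, zero-filled bodies), not captured traffic.
ICOOKIE = bytes.fromhex("0440a1b64d8000c2")
SAMPLE_MM1_PORT500 = build_ike_packet(ICOOKIE, bytes(8), 2, 0, 0, b"\x00" * 40)
SAMPLE_QM_PORT4500 = NON_ESP_MARKER + build_ike_packet(
    ICOOKIE, bytes.fromhex("a5a5a5a5a5a5a5a5"), 32, FLAG_ENCRYPTION, 0x12345678, b"\x00" * 64)

if __name__ == "__main__":
    for pkt, port in ((SAMPLE_MM1_PORT500, 500), (SAMPLE_QM_PORT4500, 4500), (NAT_KEEPALIVE, 4500)):
        hdr = parse_ike_udp_payload(pkt, port)
        print(f"udp/{port}:", hdr if hdr else "NAT-T keepalive")
        if hdr:
            print("  known to responder (empty SA table):", cookies_match_known_sa(hdr, set()))
```

To use it on real traffic, feed `parse_ike_udp_payload` the UDP payload bytes and destination port from a capture taken on the SRX external interface, then compare the hex cookies with the SPIs listed by `show security ike security-associations`. A message whose cookie pair the SRX does not hold, or an IKE packet arriving on 4500 without the non-ESP marker, is the kind of mismatch worth looking for when the peer is behind a NAT device.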