03-08-2011 08:00 AM
Hi
I'm a bit stuck with a site-to-site VPN between my SRX240 and a Cisco ASA box.
I am seeing the IKE phase 1 complete but then get a message:
Mar 8 16:44:10 Phase-1 [responder] done for local=ipv4(udp:0,[0..3]=A.A.A.A) remote=ipv4(udp:500,[0..3]=B.B.B.B)
Mar 8 16:44:10 ike_send_notify: Connected, SA = { a153805e bd94876e - f6236898 a1818b98}, nego = -1
Mar 8 16:44:10 ike_get_sa: Start, SA = { a153805e bd94876e - f6236898 a1818b98 } / 2f51b65f, remote = B.B.B.B:500
Mar 8 16:44:10 ike_sa_find: Found SA = { a153805e bd94876e - f6236898 a1818b98 }
Mar 8 16:44:10 ike_st_o_done: ISAKMP SA negotiation done
Mar 8 16:44:10 ike_send_notify: Connected, SA = { a153805e bd94876e - f6236898 a1818b98}, nego = -1
Mar 8 16:44:10 ike_free_negotiation_isakmp: Start, nego = -1
Mar 8 16:44:10 ike_free_negotiation: Start, nego = -1
Mar 8 16:44:10 ike_alloc_negotiation: Start, SA = { a153805e bd94876e - f6236898 a1818b98}
Mar 8 16:44:10 ike_init_qm_negotiation: Start, initiator = 0, message_id = 2f51b65f
Mar 8 16:44:10 ike_decode_packet: Start
Mar 8 16:44:10 ike_decode_packet: Start, SA = { a153805e bd94876e - f6236898 a1818b98} / 2f51b65f, nego = 0
Mar 8 16:44:10 ike_decode_payload_sa: Start
Mar 8 16:44:10 ike_decode_payload_t: Start, # trans = 1
Mar 8 16:44:10 ike_st_i_encrypt: Check that packet was encrypted succeeded
Mar 8 16:44:10 ike_st_i_qm_hash_1: Start, hash[0..16] = 152da0a7 3b252b64 ...
Mar 8 16:44:10 ike_st_i_qm_nonce: Nonce[0..20] = 0742fe29 25b147ad ...
Mar 8 16:44:10 ike_st_i_qm_sa_proposals: Start
Mar 8 16:44:10 Phase-2 sa_cfg lookup with local_id=ipv4_subnet(any:0,[0..7]=10.1.1.0/24), remote_id=ipv4_subnet(any:0,[0..7]=192.168.48.0/24 )
Mar 8 16:44:10 IKE Phase-2; Could not select any protocols from IPSEC SA 0
Mar 8 16:44:10 ike_qm_sa_reply: Start
Mar 8 16:44:10 ike_qm_sa_reply: No proposal selected for sa 0
Mar 8 16:44:10 ike_st_i_status_n: Start, doi = 1, protocol = 1, code = Initial contact notification (24578), spi[0..16] = a153805e bd94876e ..., data[0..0] = 00000000 00000000 ...
Mar 8 16:44:10 KMD_PM_UNKNOWN_QM_NOTIFICATION: Unknown Quick mode notification 24578 (Initial contact notification) (size 0bytes) from B.B.B.B:500 for protocol=1d spi(16)=a1 53 80 5e bd 94 87 6e f6 23 68 98 a1 81 8b 98
Mar 8 16:44:10 KMD_PM_UNKNOWN_QM_NOTIFICATION: Unknown Quick mode notification 24578 (Initial contact notification) (size 0bytes) from B.B.B.B:500 for protocol=1d spi(16)=a1 53 80 5e bd 94 87 6e f6 23 68 98 a1 81 8b 98
Mar 8 16:44:10 ike_st_i_private: Start
Mar 8 16:44:10 ike_st_o_qm_hash_2: Start
Mar 8 16:44:10 ike_st_o_qm_sa_values: Start
Mar 8 16:44:10 A.A.A.A:500 (Responder) <-> B.B.B.B:500 { a153805e bd94876e - f6236898 a1818b98 [0] / 0x2f51b65f } QM; Error = No proposal chosen (14)
Yet when I look at the config on the SRX and the Cisco, I have forced them to use the same settings?
SRX:
> show configuration security ike
proposal proposal1 {
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm md5;
    encryption-algorithm aes-128-cbc;
}
policy Test {
    mode main;
    proposals proposal1;
    pre-shared-key ascii-text "###########"; ## SECRET-DATA
}
gateway Test-VPN {
    ike-policy Test;
    address B.B.B.B;
    external-interface ge-0/0/2.0;
}
> show configuration security ipsec
proposal test-prop {
    protocol esp;
    authentication-algorithm hmac-md5-96;
    encryption-algorithm aes-128-cbc;
}
policy test-ipsec {
    perfect-forward-secrecy {
        keys group2;
    }
    proposals test-prop;
}
vpn Test-VPN {
    ike {
        gateway Test-VPN;
        ipsec-policy test-ipsec;
    }
}
Cisco Side:
name 192.168.48.0 LOCAL_NET
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.48.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address B.B.B.B 255.255.255.252
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
object-group network REMOTE_NET
 network-object 10.1.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip LOCAL_NET 255.255.255.0 object-group REMOTE_NET
access-list outside_cryptomap extended permit ip LOCAL_NET 255.255.255.0 10.1.1.0 255.255.255.0
mtu inside 1500
mtu outside 1500
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 X.X.X.X 1
crypto ipsec transform-set testone esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map0 1 match address outside_cryptomap
crypto map outside_map0 1 set peer A.A.A.A
crypto map outside_map0 1 set transform-set testone
crypto map outside_map0 interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash md5
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec svc
tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive disable
tunnel-group A.A.A.A type ipsec-l2l
tunnel-group A.A.A.A ipsec-attributes
 pre-shared-key *****
!
Cisco VPN isn't my strong point, and I get the impression that there is a mismatch in IKE phase 2, but from the config I guess it looks OK?
Any ideas?
03-08-2011 12:08 PM
VPN issues, especially with Cisco boxes, are more often than not related to mismatched Proxy IDs.
Cisco is much more strict about proxy ID matching. Juniper <-> Juniper VPNs "just work" more often because they are more tolerant of mismatched proxy IDs.
Cisco ASAs base the proxy ID for the VPN on ACL entries. Since you are using a policy-based VPN, you must build separate and specific policies on the SRX that exactly match the ACL entries on the ASA.
You didn't include the piece of your config with your actual security policies to tunnel the traffic, so that's where you should start.
I would also *highly* recommend you set your phase 1 and phase 2 lifetimes (seconds and kb (for phase 2)) to match on both sides -- Juniper defaults do not match Cisco defaults.
03-09-2011 12:56 AM
Here are the parts that are missing.
As far as I can tell it looks good?
zones {
    security-zone untrust {
        address-book {
            address net_test 192.168.48.0/24;
        }
        host-inbound-traffic {
            system-services {
                ping;
                ike;
            }
        }
        interfaces {
            ge-0/0/2.0;
        }
    }
    security-zone trust {
        address-book {
            address LOCAL-NET 10.1.1.0/24;
        }
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
    }
}
policies {
    from-zone trust to-zone untrust {
        policy test_vpnpolicy_trust-untrust {
            match {
                source-address LOCAL-NET;
                destination-address net_test;
                application any;
            }
            then {
                permit {
                    tunnel {
                        ipsec-vpn test-VPN;
                        pair-policy test_vpnpolicy_untrust-trust;
                    }
                }
            }
        }
    }
    from-zone untrust to-zone trust {
        policy test_vpnpolicy_untrust-trust {
            match {
                source-address net_test;
                destination-address LOCAL-NET;
                application any;
            }
            then {
                permit {
                    tunnel {
                        ipsec-vpn test-VPN;
                        pair-policy test_vpnpolicy_trust-untrust;
                    }
                }
            }
        }
    }
}
The policy code came from the VPN generator tool on the Juniper support site.
03-09-2011 08:03 AM
I see PFS (perfect forward secrecy, phase 2) configured on the JunOS side, but not the ASA side. It's possible I'm missing something, but check. If ASA does not have PFS configured, remove it from JunOS as well.
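As an added illustration of the proposal comparison discussed in this thread (not code from any poster here): a small Python checker that parses the phase-2 parameters out of the SRX "security ipsec" stanza and the ASA transform-set / crypto map lines quoted above, and lists the fields on which the two peers disagree. The algorithm-name tables and the rule that a bare ASA "set pfs" means group2 are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Phase2:
    protocol: str             # esp / ah
    encryption: str           # normalised: aes128, aes256, 3des
    auth: str                 # normalised: md5, sha1
    pfs_group: Optional[int]  # None when PFS is not configured

# Vendor spellings of the same algorithm mapped to one neutral name (assumed tables).
JUNOS_ENC = {"aes-128-cbc": "aes128", "aes-256-cbc": "aes256", "3des-cbc": "3des"}
JUNOS_AUTH = {"hmac-md5-96": "md5", "hmac-sha1-96": "sha1"}
ASA_ENC = {"esp-aes": "aes128", "esp-aes-256": "aes256", "esp-3des": "3des"}
ASA_AUTH = {"esp-md5-hmac": "md5", "esp-sha-hmac": "sha1"}

def parse_junos_ipsec(text: str) -> Phase2:
    """Phase-2 parameters from a 'show configuration security ipsec' stanza."""
    proto = re.search(r"protocol (\w+);", text).group(1)
    enc = re.search(r"encryption-algorithm (\S+);", text).group(1)
    auth = re.search(r"authentication-algorithm (\S+);", text).group(1)
    pfs = re.search(r"keys group(\d+);", text)  # inside perfect-forward-secrecy { }
    return Phase2(proto, JUNOS_ENC[enc], JUNOS_AUTH[auth], int(pfs.group(1)) if pfs else None)

def parse_asa_ipsec(text: str) -> Phase2:
    """Phase-2 parameters from ASA transform-set and crypto map lines."""
    ts = re.search(r"crypto ipsec transform-set \S+ (esp-\S+) (esp-\S+)", text)
    pfs = re.search(r"crypto map \S+ \d+ set pfs(?: group(\d+))?", text)
    group = (int(pfs.group(1)) if pfs.group(1) else 2) if pfs else None  # bare 'set pfs' = group2 (assumed)
    return Phase2("esp", ASA_ENC[ts.group(1)], ASA_AUTH[ts.group(2)], group)

def phase2_mismatches(srx: Phase2, asa: Phase2) -> list:
    """One line per parameter the peers disagree on; empty means the proposals can match."""
    return [f"{f}: srx={getattr(srx, f)} asa={getattr(asa, f)}"
            for f in ("protocol", "encryption", "auth", "pfs_group")
            if getattr(srx, f) != getattr(asa, f)]

# Constructed sample input: the relevant lines as posted in this thread.
SRX_IPSEC = """proposal test-prop { protocol esp; authentication-algorithm hmac-md5-96;
encryption-algorithm aes-128-cbc; }
policy test-ipsec { perfect-forward-secrecy { keys group2; } proposals test-prop; }"""
ASA_CRYPTO = """crypto ipsec transform-set testone esp-aes esp-md5-hmac
crypto map outside_map0 1 match address outside_cryptomap
crypto map outside_map0 1 set transform-set testone"""

if __name__ == "__main__":
    for line in phase2_mismatches(parse_junos_ipsec(SRX_IPSEC), parse_asa_ipsec(ASA_CRYPTO)):
        print("phase-2 mismatch ->", line)  # prints "phase-2 mismatch -> pfs_group: srx=2 asa=None"
```

Adding "crypto map outside_map0 1 set pfs group2" to the ASA input, or dropping the perfect-forward-secrecy block on the SRX, empties the mismatch list, which is the change the thread converged on.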
03-09-2011 08:34 AM
Many thanks guys.
I have the IKE and IPSEC up now and am seeing packets flowing over the tunnel.
My remaining question is this:
The subnet that sits behind the Cisco ASA is 192.168.48.0.
When I do a >show route 192.168.48.0 on my SRX it just shows me the default. How can I get this route into the routing table? I don't know what to set as the next-hop if I were to do it statically.
03-09-2011 08:45 AM
You have a policy-based VPN configured, routing does not come into it.
A route-based VPN would use st0.x and a static route to that interface.
Out of curiosity, which change made your VPN work?
03-10-2011 02:21 AM
OK, sorted it out.
I just pointed the route to the external interface and redistributed it.
Thanks all.
03-10-2011 02:22 AM
I removed the PFS and after that it came up.