SRX Services Gateway
Contributor
Posts: 15
Registered: 02-17-2011

SRX 240 to Cisco VPN Help

Any help that you might be able to provide would be greatly appreciated.

We are trying to do a LAN-to-LAN VPN between our SRX and a Cisco appliance. Here's the relevant information.

X.X.X.100 is our external IP on the Juniper and is ge-0/0/0
X.X.X.126 is what I gave st0.1
10.10.2.0/24 is our internal subnet
Y.Y.Y.Y is their external IP on their Cisco
192.168.0.0/24 is their internal subnet

show security ike security-associations
Index   Remote Address  State  Initiator cookie  Responder cookie  Mode
5105    Y.Y.Y.Y         UP     XXXXXXXXX         XXXXXXXXX       Main


show security ipsec security-associations
Lists our other active VPN but does not show this one.  

 

I don't have the Cisco config, but he said he pretty much matched everything I list below on his end, including the lifetimes. I'm thinking that the lifetimes don't need to match, but I don't know what they should be.

And the relevant Juniper end config. Please let me know if you need any more information and I'll do what I can.

interfaces {
    st0 {
        unit 1 {
            family inet {
                address X.X.X.126/27;
            }
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 10.10.2.1/24;
            }
        }
    }
}
routing-options {
    static {
        route 192.168.0.0/24 next-hop st0.1;
    }
}
security {
    ike {
        proposal ike-prop-cisco {
            description cisco;
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm md5;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 28800;
        }
        policy ike-policy-cisco {
            mode main;
            description cisco;
            proposals ike-prop-cisco;
            pre-shared-key ascii-text "KEY";
        }
        gateway ike-gate-cisco {
            ike-policy ike-policy-cisco;
            address Y.Y.Y.Y;
            dead-peer-detection {
                interval 10;
                threshold 5;
            }
            external-interface ge-0/0/0;
        }
    }
    ipsec {
        vpn-monitor-options {
            interval 15;
            threshold 15;
        }
        proposal ipsec-prop-cisco {
            description cisco;
            protocol esp;
            authentication-algorithm hmac-md5-96;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 3600;
            lifetime-kilobytes 1048576;
        }
        policy ipsec-policy-cisco {
            description cisco;
            perfect-forward-secrecy {
                keys group2;
            }
            proposals ipsec-prop-cisco;
        }
        vpn ipsec-vpn-cisco {
            bind-interface st0.1;
            ike {
                gateway ike-gate-cisco;
                proxy-identity {
                    /* Cisco guy thinks this needs to be X.X.X.100/32 */
                    local X.X.X.126/32;
                    remote Y.Y.Y.Y/32;
                }
                ipsec-policy ipsec-policy-cisco;
            }
            establish-tunnels immediately;
        }
    }
    zones {
        security-zone trust {
            address-book {
                address net-cisco_10-10-2-0--24 10.10.2.0/24;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.0;
            }
        }
        security-zone vpn {
            interfaces {
                st0.1 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone vpn {
            policy vpn-policy {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy trust-vpn-cisco {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone vpn to-zone vpn {
            policy vpn {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone vpn to-zone trust {
            policy vpn-trust-cisco {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}

Trusted Contributor
Posts: 57
Registered: 08-25-2010

Re: SRX 240 to Cisco VPN Help

I would say that your proxy IDs should be the internal addresses and not the external.

If you can get the kmd logs, then this should highlight where the issue may lie.

Contributor
Posts: 15
Registered: 02-17-2011

Re: SRX 240 to Cisco VPN Help


So if the proxy IDs are the internal subnets, then does that mean the static route should be his external? Like so:

routing-options {
    static {
        route Y.Y.Y.Y/32 next-hop st0.1;
    }
}

And I'm pretty new to Junipers, so forgive my ignorance. How do I get the kmd logs to filter? We have another VPN that is cluttering the log, so it's hard to read.

Trusted Contributor
Posts: 57
Registered: 08-25-2010

Re: SRX 240 to Cisco VPN Help

The route is fine. To view the logs:

show log kmd | match y.y.y.y

Contributor
Posts: 15
Registered: 02-17-2011

Re: SRX 240 to Cisco VPN Help

When I run show log kmd | match y.y.y.y it comes up blank. 

Trusted Contributor
Posts: 57
Registered: 08-25-2010

Re: SRX 240 to Cisco VPN Help

OK, try your external interfaces, i.e. X.X.X.100 AND X.X.X.126:

show log kmd | match X.X.X.100

show log kmd | match X.X.X.126

Contributor
Posts: 15
Registered: 02-17-2011

Re: SRX 240 to Cisco VPN Help

Both of those are blank as well... ?

Trusted Contributor
Posts: 57
Registered: 08-25-2010

Re: SRX 240 to Cisco VPN Help

OK, silly question of the day:

You are putting in the actual external IP address and not X.X.X.100 in the match statement?

Contributor
Posts: 15
Registered: 02-17-2011

Re: SRX 240 to Cisco VPN Help

Haha, give me a LITTLE credit. Yes, I put in the external IP. I've got another log that I created from a different forum post. I'm cleaning it up now; it's all jumbled. Will post when it's clean.

Trusted Contributor
Posts: 57
Registered: 08-25-2010

Re: SRX 240 to Cisco VPN Help

lol, I only asked as you should have got some results from the search, as I get this from mine:

Dec  9 08:42:32 [IKED 4] Phase-1 [initiator] done for local=ipv4(udp:500,[0..3]=A.A.A.A) remote=ipv4(udp:0,[0..3]=B.B.B.B)
Dec  9 08:42:32 [IKED 4] Phase-1 negotiation succeeded for p1_local=ipv4(udp:500,[0..3]=A.A.A.A) p1_remote=ipv4(udp:500,[0..3]=B.B.B.B)
Dec  9 08:42:32 [IKED 4] Phase-2 sa_cfg lookup with local_id=ipv4_subnet(any:0,[0..7]=10.192.0.0/13), remote_id=ipv4_subnet(any:0,[0..7]=172.31.14.0/24)
Dec  9 08:42:32 [IKED 4] Negotiating IPsec SA with Phase-2 IDS: local_id=ipv4_subnet(any:0,[0..7]=10.192.0.0/13) remote_id=ipv4_subnet(any:0,[0..7]=172.31.14.0/24)

Contributor
Posts: 15
Registered: 02-17-2011

Re: SRX 240 to Cisco VPN Help

Yeah, that's what I'm looking at. I think that in one of the troubleshooting steps I filtered that stuff for this VPN to another log file, which I am sifting through now. I will post when I've cleaned out all the specific information. Just another minute or two.

Contributor
Posts: 15
Registered: 02-17-2011

Re: SRX 240 to Cisco VPN Help

Mar 14 12:09:15 Phase-1 negotiation succeeded for p1_local=ipv4(udp:500,[0..3]=X.X.X.100) p1_remote=ipv4(udp:500,[0..3]=Y.Y.Y.Y)
Mar 14 12:09:15 Phase-2 sa_cfg lookup with local_id=ipv4(any:0,[0..3]=X.X.X.126), remote_id=ipv4(any:0,[0..3]=Y.Y.Y.Y)
Mar 14 12:09:15 Updating DPD server entry for remote: Y.Y.Y.Y:500
Mar 14 12:09:15 Successfully updated DPD server entry for remote: Y.Y.Y.Y:500 [dpd SA_CFG=ipsec-vpn-cisco]
Mar 14 12:09:15 Negotiating IPsec SA with Phase-2 IDS: local_id=ipv4(any:0,[0..3]=X.X.X.126) remote_id=ipv4(any:0,[0..3]=Y.Y.Y.Y)
Mar 14 12:09:15 jnp_ike_connect_ipsec: Start, remote_name = Y.Y.Y.Y:500, flags = 00010000
Mar 14 12:09:15 ike_sa_find_ip_port: Remote = Y.Y.Y.Y:500, Found SA = { 51eb68eb e430f837 - 84b449c3 7d715ed4}
Mar 14 12:09:15 ike_alloc_negotiation: Start, SA = { 51eb68eb e430f837 - 84b449c3 7d715ed4}
Mar 14 12:09:15 jnp_ike_connect_ipsec: SA = { 51eb68eb e430f837 - 84b449c3 7d715ed4}, nego = 0
Mar 14 12:09:15 ike_init_qm_negotiation: Start, initiator = 1, message_id = 1234c330
Mar 14 12:09:15 ike_st_o_qm_hash_1: Start
Mar 14 12:09:15 ike_st_o_qm_sa_proposals: Start
Mar 14 12:09:15 ike_st_o_qm_nonce: Start
Mar 14 12:09:15 ike_policy_reply_qm_nonce_data_len: Start
Mar 14 12:09:15 ike_st_o_qm_optional_ke: Start
Mar 14 12:09:15 ike_st_o_qm_optional_ids: Start
Mar 14 12:09:15 ike_st_qm_optional_id: Start
Mar 14 12:09:15 ike_st_qm_optional_id: Start
Mar 14 12:09:15 ike_st_o_private: Start
Mar 14 12:09:15 ike_policy_reply_private_payload_out: Start
Mar 14 12:09:15 ike_st_o_encrypt: Marking encryption for packet
Mar 14 12:09:15 ike_encode_packet: Start, SA = { 0x51eb68eb e430f837 - 84b449c3 7d715ed4 } / 1234c330, nego = 0
Mar 14 12:09:15 ike_finalize_qm_hash_1: Hash[0..16] = 1ea5c797 9fec64f6 ...
Mar 14 12:09:15 ike_send_packet: Start, send SA = { 51eb68eb e430f837 - 84b449c3 7d715ed4}, nego = 0, src=X.X.X.100:500, dst = Y.Y.Y.Y:500, routing table id = 0
Mar 14 12:09:15 ike_get_sa: Start, SA = { 51eb68eb e430f837 - 84b449c3 7d715ed4 } / 571f0bcd, remote = Y.Y.Y.Y:500
Mar 14 12:09:15 ike_sa_find: Found SA = { 51eb68eb e430f837 - 84b449c3 7d715ed4 }
Mar 14 12:09:15 ike_alloc_negotiation: Start, SA = { 51eb68eb e430f837 - 84b449c3 7d715ed4}
Mar 14 12:09:15 ike_decode_packet: Start
Mar 14 12:09:15 ike_decode_packet: Start, SA = { 51eb68eb e430f837 - 84b449c3 7d715ed4} / 571f0bcd, nego = 1
Mar 14 12:09:15 X.X.X.100:500 (Responder) <-> Y.Y.Y.Y:500 { 51eb68eb e430f837 - 84b449c3 7d715ed4 [1] / 0x571f0bcd } Info; Warning, junk after packet len = 56, decoded = 48
Mar 14 12:09:15 ike_st_i_encrypt: Check that packet was encrypted succeeded
Mar 14 12:09:15 ike_st_i_gen_hash: Start, hash[0..16] = 90fb7a64 67ce15a1 ...
Mar 14 12:09:15 ike_st_i_n: Start, doi = 1, protocol = 3, code = No proposal chosen (14), spi[0..4] = 4bcb8b83 00000000 ..., data[0..12] = 0a000040 00000001 ...
Mar 14 12:09:15 DPD; updating EoL (P2 Notify)
Mar 14 12:09:15 Notification message received "No proposal chosen" from Y.Y.Y.Y:500 for protocol ESP spi[0..4]=4b cb 8b 83
Mar 14 12:09:15 ike_remove_callback: Start, delete SA = { 51eb68eb e430f837 - 84b449c3 7d715ed4}, nego = 0
Mar 14 12:09:15 X.X.X.100:500 (Initiator) <-> Y.Y.Y.Y:500 { 51eb68eb e430f837 - 84b449c3 7d715ed4 [0] / 0x1234c330 } QM; Connection got error = 14, calling callback
Mar 14 12:09:15 kmd_pm_ike_p2qm_notify_callback
Mar 14 12:09:15 Quick mode negotiation failed for p1_local=ipv4(udp:500,[0..3]=X.X.X.100) p1_remote=ipv4(udp:500,[0..3]=Y.Y.Y.Y) p2_local=ipv4(any:0,[0..3]=X.X.X.126) p2_remote=ipv4(any:0,[0..3]=Y.Y.Y.Y)
Mar 14 12:09:15 Phase-2 [initiator] failed with error(No proposal chosen) for p1_local=ipv4(udp:500,[0..3]=X.X.X.100) p1_remote=ipv4(udp:500,[0..3]=Y.Y.Y.Y) p2_local=ipv4(any:0,[0..3]=X.X.X.126) p2_remote=ipv4(any:0,[0..3]=Y.Y.Y.Y)
Mar 14 12:09:15 ike_delete_negotiation: Start, SA = { 51eb68eb e430f837 - 84b449c3 7d715ed4}, nego = 0
Mar 14 12:09:15 ike_free_negotiation_qm: Start, nego = 0
Mar 14 12:09:15 ike_free_negotiation: Start, nego = 0
Mar 14 12:09:15 ike_free_id_payload: Start, id type = 1
Mar 14 12:09:15 ike_free_id_payload: Start, id type = 1
Mar 14 12:09:15 ike_st_i_private: Start
Mar 14 12:09:15 ike_send_notify: Connected, SA = { 51eb68eb e430f837 - 84b449c3 7d715ed4}, nego = 1
Mar 14 12:09:15 ike_delete_negotiation: Start, SA = { 51eb68eb e430f837 - 84b449c3 7d715ed4}, nego = 1
Mar 14 12:09:15 ike_free_negotiation_info: Start, nego = 1
Mar 14 12:09:15 ike_free_negotiation: Start, nego = 1
Mar 14 12:10:15 kmd_pm_ike_start_p1

 

 

And then it pretty much repeats. 

Trusted Contributor
Posts: 57
Registered: 08-25-2010

Re: SRX 240 to Cisco VPN Help

This shows that the proxy IDs are incorrect. I would change what you have to the internal addresses.
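Reading that verdict out of a kmd capture mechanically, as an added example that is not part of this thread: the script below parses the Phase-1 and Phase-2 lines the SRX writes, normalises the negotiated IDs to CIDR, compares them with the proxy-identity you intended (which must be the mirror image of the Cisco crypto ACL), and flags a "No proposal chosen" notify or a peer that never answers quick mode. The log text is constructed from the two captures in this thread, with documentation addresses (203.0.113.100, 203.0.113.126, 198.51.100.1) standing in for the X.X.X.100 / X.X.X.126 / Y.Y.Y.Y placeholders; the function and variable names are mine, not Juniper's.

```python
import re
from ipaddress import ip_network

# Constructed sample kmd output modelled on the two captures in this thread.
# Documentation addresses stand in for the X.X.X.100 / X.X.X.126 / Y.Y.Y.Y
# placeholders so that the lines parse; these are not the poster's real logs.
KMD_BEFORE_FIX = """\
Mar 14 12:09:15 Phase-1 negotiation succeeded for p1_local=ipv4(udp:500,[0..3]=203.0.113.100) p1_remote=ipv4(udp:500,[0..3]=198.51.100.1)
Mar 14 12:09:15 Phase-2 sa_cfg lookup with local_id=ipv4(any:0,[0..3]=203.0.113.126), remote_id=ipv4(any:0,[0..3]=198.51.100.1)
Mar 14 12:09:15 Negotiating IPsec SA with Phase-2 IDS: local_id=ipv4(any:0,[0..3]=203.0.113.126) remote_id=ipv4(any:0,[0..3]=198.51.100.1)
Mar 14 12:09:15 ike_st_i_n: Start, doi = 1, protocol = 3, code = No proposal chosen (14), spi[0..4] = 4bcb8b83 00000000 ..., data[0..12] = 0a000040 00000001 ...
Mar 14 12:09:15 Notification message received "No proposal chosen" from 198.51.100.1:500 for protocol ESP spi[0..4]=4b cb 8b 83
Mar 14 12:09:15 Phase-2 [initiator] failed with error(No proposal chosen) for p1_local=ipv4(udp:500,[0..3]=203.0.113.100) p1_remote=ipv4(udp:500,[0..3]=198.51.100.1) p2_local=ipv4(any:0,[0..3]=203.0.113.126) p2_remote=ipv4(any:0,[0..3]=198.51.100.1)
"""

KMD_AFTER_FIX = """\
Mar 14 13:51:22 Phase-1 negotiation succeeded for p1_local=ipv4(udp:500,[0..3]=203.0.113.100) p1_remote=ipv4(udp:500,[0..3]=198.51.100.1)
Mar 14 13:51:22 Negotiating IPsec SA with Phase-2 IDS: local_id=ipv4_subnet(any:0,[0..7]=10.10.2.0/24) remote_id=ipv4_subnet(any:0,[0..7]=192.168.0.0/24)
Mar 14 13:51:22 ike_send_packet: Start, send SA = { 51eb68eb e430f837 - 84b449c3 7d715ed4}, nego = 0, src=203.0.113.100:500, dst = 198.51.100.1:500, routing table id = 0
Mar 14 13:51:27 ike_retransmit_callback: Start, retransmit SA = { 51eb68eb e430f837 - 84b449c3 7d715ed4}, nego = 0
Mar 14 13:51:37 ike_retransmit_callback: Start, retransmit SA = { 51eb68eb e430f837 - 84b449c3 7d715ed4}, nego = 0
Mar 14 13:51:57 ike_retransmit_callback: Start, retransmit SA = { 51eb68eb e430f837 - 84b449c3 7d715ed4}, nego = 0
Mar 14 13:52:22 kmd_pm_ike_start_p1
"""

_P1_OK = re.compile(r"Phase-1 negotiation succeeded for "
                    r"p1_local=ipv4\(udp:\d+,\[0\.\.3\]=([\d.]+)\) "
                    r"p1_remote=ipv4\(udp:\d+,\[0\.\.3\]=([\d.]+)\)")
# kmd prints a host ID as ipv4(...) and a subnet ID as ipv4_subnet(...)
_P2_IDS = re.compile(r"Negotiating IPsec SA with Phase-2 IDS: "
                     r"local_id=(ipv4_subnet|ipv4)\(any:0,\[0\.\.\d+\]=([\d./]+)\) "
                     r"remote_id=(ipv4_subnet|ipv4)\(any:0,\[0\.\.\d+\]=([\d./]+)\)")
_NOTIFY = re.compile(r'Notification message received "([^"]+)" from ([\d.]+):\d+')
_RETRANSMIT = re.compile(r"ike_retransmit_callback")


def _as_prefix(kind, value):
    """Normalise a kmd ID to CIDR so it compares cleanly with a configured proxy-identity."""
    return str(ip_network(value if kind == "ipv4_subnet" else f"{value}/32", strict=False))


def triage_kmd(log_text, expected_local, expected_remote):
    """Summarise one negotiation attempt from kmd text filtered to a single peer.

    expected_local / expected_remote are the proxy IDs the SRX should be offering,
    i.e. its proxy-identity, which must mirror the Cisco crypto ACL.
    """
    result = {"phase1_ok": False, "peer": None, "p2_local": None, "p2_remote": None,
              "notify": None, "retransmits": 0, "findings": []}
    want_local = str(ip_network(expected_local, strict=False))
    want_remote = str(ip_network(expected_remote, strict=False))

    for line in log_text.splitlines():
        if m := _P1_OK.search(line):
            result["phase1_ok"] = True
            result["peer"] = m.group(2)
        elif m := _P2_IDS.search(line):
            result["p2_local"] = _as_prefix(m.group(1), m.group(2))
            result["p2_remote"] = _as_prefix(m.group(3), m.group(4))
        elif m := _NOTIFY.search(line):
            result["notify"] = m.group(1)
        elif _RETRANSMIT.search(line):
            result["retransmits"] += 1

    findings = result["findings"]
    if not result["phase1_ok"]:
        findings.append("Phase 1 never completed: check pre-shared key, IKE proposal and peer address")
        return result
    if result["p2_local"] != want_local or result["p2_remote"] != want_remote:
        findings.append(f"proxy-ID mismatch: SRX offered local={result['p2_local']} "
                        f"remote={result['p2_remote']}, expected local={want_local} remote={want_remote}")
    if result["notify"] == "No proposal chosen":
        findings.append("peer rejected Phase 2 (NO_PROPOSAL_CHOSEN): its crypto ACL or transform set "
                        "does not match the proxy IDs / IPsec proposal the SRX offered")
    elif result["notify"]:
        findings.append(f"peer sent notification {result['notify']!r}")
    if result["notify"] is None and result["retransmits"] >= 3:
        findings.append("peer silent in Phase 2: quick mode retransmitted with no reply; check the Cisco "
                        "crypto map binding, reachability and DPD state before re-checking IDs")
    return result


if __name__ == "__main__":
    for label, text in (("before fix", KMD_BEFORE_FIX), ("after fix", KMD_AFTER_FIX)):
        r = triage_kmd(text, "10.10.2.0/24", "192.168.0.0/24")
        print(label, r["p2_local"], r["p2_remote"], r["notify"], r["findings"])
```

Feed it the output of show log kmd | match <peer address> saved to a file; on an SRX with several VPNs the peer address is the only thing that separates one negotiation from another, so pass one peer's lines at a time.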

Trusted Contributor
Posts: 57
Registered: 08-25-2010

Re: SRX 240 to Cisco VPN Help

So your config should look like this:

vpn ipsec-vpn-cisco {
    bind-interface st0.1;
    ike {
        gateway ike-gate-cisco;
        proxy-identity {
            local 10.10.2.0/24;
            remote 192.168.0.0/24;
        }
    }
}

Contributor
Posts: 15
Registered: 02-17-2011

Re: SRX 240 to Cisco VPN Help

Thanks so much for the help. One last question before I give that a try: the routing option. Would I need to change that at all, or should I just leave it as is?

routing-options {
    static {
        route 192.168.0.0/24 next-hop st0.1;
    }
}

Trusted Contributor
Posts: 57
Registered: 08-25-2010

Re: SRX 240 to Cisco VPN Help

The route that you have is correct.

Contributor
Posts: 15
Registered: 02-17-2011

Re: SRX 240 to Cisco VPN Help

I've made those changes. I'm now getting:

Mar 14 13:51:22 Phase-1 negotiation succeeded for p1_local=ipv4(udp:500,[0..3]=X.X.X.100) p1_remote=ipv4(udp:500,[0..3]=Y.Y.Y.Y)
Mar 14 13:51:22 Phase-2 sa_cfg lookup with local_id=ipv4_subnet(any:0,[0..7]=10.10.2.0/24), remote_id=ipv4_subnet(any:0,[0..7]=192.168.0.0/24)
Mar 14 13:51:22 Updating DPD server entry for remote: Y.Y.Y.Y:500
Mar 14 13:51:22 Successfully updated DPD server entry for remote: Y.Y.Y.Y:500 [dpd SA_CFG=ipsec-vpn-cisco]
Mar 14 13:51:22 Negotiating IPsec SA with Phase-2 IDS: local_id=ipv4_subnet(any:0,[0..7]=10.10.2.0/24) remote_id=ipv4_subnet(any:0,[0..7]=192.168.0.0/24)
Mar 14 13:51:22 jnp_ike_connect_ipsec: Start, remote_name = Y.Y.Y.Y:500, flags = 00010000
Mar 14 13:51:22 ike_sa_find_ip_port: Remote = Y.Y.Y.Y:500, Found SA = { 51eb68eb e430f837 - 84b449c3 7d715ed4}
Mar 14 13:51:22 ike_alloc_negotiation: Start, SA = { 51eb68eb e430f837 - 84b449c3 7d715ed4}
Mar 14 13:51:22 jnp_ike_connect_ipsec: SA = { 51eb68eb e430f837 - 84b449c3 7d715ed4}, nego = 0
Mar 14 13:51:22 ike_init_qm_negotiation: Start, initiator = 1, message_id = 9ff403d7
Mar 14 13:51:22 ike_st_o_qm_hash_1: Start
Mar 14 13:51:22 ike_st_o_qm_sa_proposals: Start
Mar 14 13:51:22 ike_st_o_qm_nonce: Start
Mar 14 13:51:22 ike_policy_reply_qm_nonce_data_len: Start
Mar 14 13:51:22 ike_st_o_qm_optional_ke: Start
Mar 14 13:51:22 ike_st_o_qm_optional_ids: Start
Mar 14 13:51:22 ike_st_qm_optional_id: Start
Mar 14 13:51:22 ike_st_qm_optional_id: Start
Mar 14 13:51:22 ike_st_o_private: Start
Mar 14 13:51:22 ike_policy_reply_private_payload_out: Start
Mar 14 13:51:22 ike_st_o_encrypt: Marking encryption for packet
Mar 14 13:51:22 ike_encode_packet: Start, SA = { 0x51eb68eb e430f837 - 84b449c3 7d715ed4 } / 9ff403d7, nego = 0
Mar 14 13:51:22 ike_finalize_qm_hash_1: Hash[0..16] = 30418702 58e26d48 ...
Mar 14 13:51:22 ike_send_packet: Start, send SA = { 51eb68eb e430f837 - 84b449c3 7d715ed4}, nego = 0, src=X.X.X.100:500, dst = Y.Y.Y.Y:500, routing table id = 0
Mar 14 13:51:27 ike_retransmit_callback: Start, retransmit SA = { 51eb68eb e430f837 - 84b449c3 7d715ed4}, nego = 0
Mar 14 13:51:27 ike_send_packet: Start, retransmit previous packet SA = { 51eb68eb e430f837 - 84b449c3 7d715ed4}, nego = 0, src=X.X.X.100:500, dst = Y.Y.Y.Y:500, routing table id = 0
Mar 14 13:51:37 ike_retransmit_callback: Start, retransmit SA = { 51eb68eb e430f837 - 84b449c3 7d715ed4}, nego = 0
Mar 14 13:51:37 ike_send_packet: Start, retransmit previous packet SA = { 51eb68eb e430f837 - 84b449c3 7d715ed4}, nego = 0, src=X.X.X.100:500, dst = Y.Y.Y.Y:500, routing table id = 0
Mar 14 13:51:57 ike_retransmit_callback: Start, retransmit SA = { 51eb68eb e430f837 - 84b449c3 7d715ed4}, nego = 0
Mar 14 13:51:57 ike_send_packet: Start, retransmit previous packet SA = { 51eb68eb e430f837 - 84b449c3 7d715ed4}, nego = 0, src=X.X.X.100:500, dst = Y.Y.Y.Y:500, routing table id = 0
Mar 14 13:52:22 kmd_pm_ike_start_p1

Contributor
Posts: 15
Registered: 02-17-2011

Re: SRX 240 to Cisco VPN Help

Hey, alright, so here's what I have now:

show security ike security-associations
Index   Remote Address  State  Initiator cookie  Responder cookie  Mode
5138    Y.Y.Y.Y         UP     abcdefg           abcdefg           Main

 

show security ipsec security-associations
  Total active tunnels: 2
  ID    Gateway          Port  Algorithm       SPI      Life:sec/kb  Mon vsys
  <131074 Y.Y.Y.Y  500   ESP:3des/md5    b4f43294 1395/  1048576 -  root
  >131074 Y.Y.Y.Y  500   ESP:3des/md5    710e6c8f 1395/  1048576 -  root

 

But then if I try to ping their end I get nothing.

 

traceroute 192.168.0.10
traceroute to 192.168.0.10 (192.168.0.10), 30 hops max, 40 byte packets
 1  * * *
 2  * * *

and so on...

 

Their guy is telling me that I should have everything pointing to ge-0/0/0, our X.X.X.100, and because we have st0.1 as X.X.X.126 that's why it's failing. Now, he told me he's never worked with Junipers before, all he does is Ciscos, so he's not sure on this point. I'm not sure either.

 

Any suggestions?

Distinguished Expert
Posts: 979
Registered: 09-10-2009

Re: SRX 240 to Cisco VPN Help

Since you're obscuring all your addresses with x.x.x, the question comes up:  is your st0.1 interface addressed in the same subnet as your ge-0/0/0.0 address?

 

If so, you will want to change st0.1 to be in a subnet other than that of ge-0/0/0.0, or else set st0.1 to be unnumbered. I don't do much route-based VPN interaction with Cisco boxes; I usually use policy-based VPN because of compatibility issues. I think if you're numbering your st0.1 interface, that address will need to be allowed in the Cisco's ACLs.

 

Also, in your security zone trust address book, you have the remote Cisco LAN defined.  That's not going to be in your Trust zone, I would remove that or put the address book entry in the proper zone (vpn).

-kr


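A route-based configuration that follows the advice in this thread, given as an added example rather than the poster's final config: the proxy IDs are the two LANs (the mirror image of the Cisco crypto ACL), st0.1 is genuinely unnumbered so no extra host address has to be allowed on the Cisco side, each LAN's address-book entry sits in the zone whose interface reaches it, and the policies permit only that pair of subnets instead of any/any in both directions. Names such as addr-local-lan and addr-cisco-lan and the policy names are assumptions; ike-gate-cisco, ipsec-policy-cisco and ipsec-vpn-cisco are the thread's. The thread's 3des-cbc/md5/group2 proposals are left out of scope here; where both ends support them, aes-256-cbc, SHA-2 hashes and dh-group group14 should be configured instead. The untrust zone holding ge-0/0/0 (not shown in the thread) still needs system-services ike inbound for Phase 1, which is evidently already the case since the IKE SA shows UP.

```junos
/* Added example, not the original poster's configuration. The proxy-identity
   must equal the mirror image of the Cisco crypto ACL, e.g.
   access-list 100 permit ip 192.168.0.0 0.0.0.255 10.10.2.0 0.0.0.255 */
interfaces {
    st0 {
        unit 1 {
            /* Assumption: unnumbered tunnel interface; the thread's st0.1 was
               numbered in the same /27 as ge-0/0/0 */
            family inet;
        }
    }
}
routing-options {
    static {
        route 192.168.0.0/24 next-hop st0.1;
    }
}
security {
    ipsec {
        vpn ipsec-vpn-cisco {
            bind-interface st0.1;
            ike {
                gateway ike-gate-cisco;
                proxy-identity {
                    local 10.10.2.0/24;
                    remote 192.168.0.0/24;
                    service any;
                }
                ipsec-policy ipsec-policy-cisco;
            }
            establish-tunnels immediately;
        }
    }
    zones {
        security-zone trust {
            address-book {
                /* Assumed name; the thread called this net-cisco_10-10-2-0--24
                   although it is the local LAN */
                address addr-local-lan 10.10.2.0/24;
            }
            interfaces {
                vlan.0;
            }
        }
        security-zone vpn {
            address-book {
                address addr-cisco-lan 192.168.0.0/24;
            }
            interfaces {
                st0.1 {
                    /* Only what the tunnel interface itself needs; the thread's
                       config opened all system-services and protocols here */
                    host-inbound-traffic {
                        system-services {
                            ping;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone vpn {
            policy trust-to-cisco-lan {
                match {
                    source-address addr-local-lan;
                    destination-address addr-cisco-lan;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
        }
        from-zone vpn to-zone trust {
            policy cisco-lan-to-trust {
                match {
                    source-address addr-cisco-lan;
                    destination-address addr-local-lan;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
        }
    }
}
```

The vpn-to-vpn policy from the thread is not needed when only one tunnel interface sits in that zone; if more tunnels are added later, write a policy per LAN pair rather than reintroducing any/any. Once the tunnel is up, show security ipsec security-associations detail and show security flow session destination-prefix 192.168.0.0/24 confirm that traffic is actually being encapsulated, which a successful Phase 2 alone does not prove.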
Contributor
Posts: 15
Registered: 02-17-2011

Re: SRX 240 to Cisco VPN Help

Hey thanks for the reply.

ge-0/0/0 and st0.1 are in the same /27 subnet. st0.1 is unnumbered. But to be honest I'm not entirely sure what you're asking here. As I've said before, forgive my ignorance, I'm new to Juniper VPNs (and VPNs in general). I've read horror stories of trying to get policy-based VPNs working with Cisco (then again, all I've read are horror stories about Ciscos to Junipers...).


As for the security zones.  I'm a little confused about what you've said here.  "Also, in your security zone trust address book, you have the remote Cisco LAN defined."  From what I'm looking at:

zones {
    security-zone trust {
        address-book {
            address net-cisco_10-10-2-0--24 10.10.2.0/24;
        }
    }
}

The 10.10.2.0/24 is our internal subnet.  Not the cisco subnet.


Under security-zone vpn, should I add the address entry like so:

security-zone vpn {
    address-book {
        address cisco 192.168.0.0/24;
    }
    interfaces {
        st0.1 {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
        }
    }
}

Thanks again for the responses.