SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  VPN IPSEC TUNNEL CONFIGURATION VERIFICATION between SRX3600 and Cisco Router

    Posted 04-10-2014 17:56

    Dear all,

     

    Actually, I'm implementing a VPN IPsec tunnel on our SRX3600.

    The thing is, I already set up the configuration; however, before that I had already tested the connectivity of both peers (it was working fine). When I set up the configuration, the tunnel does not come up... The weirdest thing is that when I configure traceoptions for both IKE and IPsec, I see nothing between the local peer and the remote peer.

    You will find hereafter the configuration on the SRX:

     

    set interfaces st0 unit 12 description Tunnel_VIVI
    set security ike proposal g1-aes256-sha-VIVI authentication-method pre-shared-keys
    set security ike proposal g1-aes256-sha-VIVI dh-group group2
    set security ike proposal g1-aes256-sha-VIVI authentication-algorithm sha1
    set security ike proposal g1-aes256-sha-VIVI encryption-algorithm aes-256-cbc
    set security ike proposal g1-aes256-sha-VIVI lifetime-seconds 86400
    set security ike policy pol_VIVI mode main
    set security ike policy pol_VIVI proposals g1-aes256-sha-VIVI
    set security ike policy pol_VIVI pre-shared-key ascii-text "$9$RxucK8ws4DHmYg4JGDmPp0BIEyevLbwgdb"
    set security ike gateway toVIVI ike-policy pol_VIVI
    set security ike gateway toVIVI address W1.X1.Y1.Z1
    set security ike gateway toVIVI external-interface reth9.1061
    set security ike gateway toVIVI local-address W2.X2.Y2.Z2
    set security ipsec proposal g2-aes256-sha-VIVI protocol esp
    set security ipsec proposal g2-aes256-sha-VIVI authentication-algorithm hmac-sha1-96
    set security ipsec proposal g2-aes256-sha-VIVI encryption-algorithm aes-256-cbc
    set security ipsec proposal g2-aes256-sha-VIVI lifetime-seconds 3600
    set security ipsec policy policy-VIVI-VPN perfect-forward-secrecy keys group2
    set security ipsec policy policy-VIVI-VPN proposals g2-aes256-sha-VIVI
    set security ipsec vpn VIVI-VPN bind-interface st0.12
    set security ipsec vpn VIVI-VPN ike gateway toVIVI
    set security ipsec vpn VIVI-VPN ike no-anti-replay
    set security ipsec vpn VIVI-VPN ike proxy-identity local 0.0.0.0/0
    set security ipsec vpn VIVI-VPN ike proxy-identity remote 192.168.10.0/24
    set security ipsec vpn VIVI-VPN ike proxy-identity service any
    set security ipsec vpn VIVI-VPN ike ipsec-policy policy-VIVI-VPN
    set security ipsec vpn VIVI-VPN establish-tunnels immediately

     The Cisco configuration:

    crypto isakmp policy 40
    encr aes 256
    authentication pre-share
    group 2
    
    crypto isakmp key 6 tobe@hidden address W2.X2.Y2.Z2
    !
    !
    crypto ipsec transform-set VIVI-Building esp-aes 256 esp-sha-hmac 
    !
    
    crypto map shellmap 40 ipsec-isakmp 
     description Building Juniper Firewall SRX 3600
    set peer W2.X2.Y2.Z2
    set security-association lifetime seconds 3600
    set transform-set ESP-AES_256-SHA 
     match address SNL_VPN2_TRAFFIC
    
    
    interface Serial0/0/0
    ip address W1.X1.Y1.Z1 255.255.255.248
    ip nat outside
    ip virtual-reassembly
    load-interval 30
    crypto map shellmap

     Thanks for your help

     

     


  • 2.  RE: VPN IPSEC TUNNEL CONFIGURATION VERIFICATION between SRX3600 and Cisco Router

     
    Posted 04-10-2014 18:20

    Have you configured IKE under the host-inbound-traffic section of the zone configuration?

    Could you paste the complete configuration with a network diagram?

     

    Regards,

    Raveen

     



  • 3.  RE: VPN IPSEC TUNNEL CONFIGURATION VERIFICATION between SRX3600 and Cisco Router

    Posted 04-10-2014 18:56

    Dear Raveen,

     

    Hereafter is the host-inbound-traffic configuration, which is allowing IKE perfectly.

    set security zones security-zone Untrust interfaces reth9.1061 host-inbound-traffic system-services ike

     You will find the network design attached:

    Network_Design.jpg

     

     

     



  • 4.  RE: VPN IPSEC TUNNEL CONFIGURATION VERIFICATION between SRX3600 and Cisco Router

     
    Posted 04-10-2014 19:14

    I am not sure which zone your st0 interface is bound to!

    Please refer to the link below and verify you have all the necessary configuration for a route-based VPN:

     

    http://www.juniper.net/techpubs/en_US/junos12.1x44/topics/example/ipsec-route-based-vpn-configuring.html

     

    Note: Make sure you have the same timers and proposals configured at both peers.

     

    Regards,

    Raveen



  • 5.  RE: VPN IPSEC TUNNEL CONFIGURATION VERIFICATION between SRX3600 and Cisco Router
    Best Answer

     
    Posted 04-10-2014 19:24

    Another issue that I see in your configuration is proxy-identity:

     

     

    set security ipsec vpn VIVI-VPN ike proxy-identity local 0.0.0.0/0

     

    You need to configure the subnet of the interesting traffic rather than using 0/0, as there can be interoperability problems with other vendors' devices.

    A 0/0 proxy identity works well only if the peer device is also JunOS/ScreenOS.

     

    Regards,

    Raveen
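Raveen's two points above (post 4: the same timers and proposals at both peers; post 5: no 0/0 proxy-identity against a non-Junos peer) can be checked mechanically against the two configs posted in the question. The following is an added example, not code from the thread, Juniper or Cisco: a Python script that parses the SRX `set` lines and the IOS crypto lines as posted and reports where the two sides disagree. The Junos-to-IOS algorithm-name mapping and the IOS defaults it fills in (sha hash, 86400 s ISAKMP lifetime, 3600 s SA lifetime, no PFS) are assumptions written into the script; the crypto ACL SNL_VPN2_TRAFFIC is not on the page, so the script can only flag it for manual review.

```python
"""Cross-check the IKE/IPsec parameters of the SRX and Cisco configs posted in this thread.
Added example, not from the thread or either vendor; the embedded configs are the posted crypto lines."""

SRX_CONFIG = """\
set security ike proposal g1-aes256-sha-VIVI dh-group group2
set security ike proposal g1-aes256-sha-VIVI authentication-algorithm sha1
set security ike proposal g1-aes256-sha-VIVI encryption-algorithm aes-256-cbc
set security ike proposal g1-aes256-sha-VIVI lifetime-seconds 86400
set security ipsec proposal g2-aes256-sha-VIVI authentication-algorithm hmac-sha1-96
set security ipsec proposal g2-aes256-sha-VIVI encryption-algorithm aes-256-cbc
set security ipsec proposal g2-aes256-sha-VIVI lifetime-seconds 3600
set security ipsec policy policy-VIVI-VPN perfect-forward-secrecy keys group2
set security ipsec vpn VIVI-VPN ike proxy-identity local 0.0.0.0/0
set security ipsec vpn VIVI-VPN ike proxy-identity remote 192.168.10.0/24
"""

CISCO_CONFIG = """\
crypto isakmp policy 40
encr aes 256
authentication pre-share
group 2
!
crypto ipsec transform-set VIVI-Building esp-aes 256 esp-sha-hmac
!
crypto map shellmap 40 ipsec-isakmp
set peer W2.X2.Y2.Z2
set security-association lifetime seconds 3600
set transform-set ESP-AES_256-SHA
 match address SNL_VPN2_TRAFFIC
"""

# Junos algorithm names in IOS vocabulary (assumed, partial mapping).
JUNOS_TO_IOS = {"aes-256-cbc": "aes 256", "aes-128-cbc": "aes 128", "3des-cbc": "3des", "sha1": "sha",
                "sha-256": "sha256", "hmac-sha1-96": "esp-sha-hmac", "hmac-md5-96": "esp-md5-hmac"}

def parse_srx(text):
    """Return (ike proposal, ipsec proposal, pfs group, proxy-id) from Junos 'set' lines."""
    ike, ipsec, pfs, proxy = {}, {}, None, {}
    for w in (line.split() for line in text.splitlines()):
        if w[:2] == ["set", "security"] and w[3:4] == ["proposal"]:
            (ike if w[2] == "ike" else ipsec)[w[5]] = JUNOS_TO_IOS.get(w[6], w[6])
        elif "perfect-forward-secrecy" in w:
            pfs = int(w[-1].removeprefix("group"))
        elif "proxy-identity" in w:
            proxy[w[-2]] = w[-1]
    return ike, ipsec, pfs, proxy

def parse_cisco(text):
    """Return (isakmp policy, transform sets, crypto map entry) with IOS defaults pre-filled (assumed)."""
    isakmp = {"encr": "des", "hash": "sha", "group": "1", "lifetime": "86400"}
    transforms, cmap, block = {}, {"lifetime": "3600", "pfs": None}, None
    for line in (raw.strip() for raw in text.splitlines()):
        w = line.split()
        if not w or w[0] == "!":
            block = None
        elif line.startswith("crypto isakmp policy"):
            block = "isakmp"
        elif line.startswith("crypto ipsec transform-set"):
            transforms[w[3]] = " ".join(w[4:])
        elif line.startswith("crypto map") and "ipsec-isakmp" in w:
            block = "map"
        elif line.startswith(("crypto", "interface")):
            block = None                       # any other top-level crypto/interface line
        elif block == "isakmp":
            isakmp[w[0]] = " ".join(w[1:])
        elif block == "map" and w[:2] == ["set", "transform-set"]:
            cmap["transform-set"] = w[2]
        elif block == "map" and w[:2] == ["set", "pfs"]:
            cmap["pfs"] = int(w[2].removeprefix("group"))
        elif block == "map" and w[:4] == ["set", "security-association", "lifetime", "seconds"]:
            cmap["lifetime"] = w[4]
        elif block == "map" and w[:2] == ["match", "address"]:
            cmap["acl"] = w[2]
    return isakmp, transforms, cmap

def compare(srx_text, cisco_text):
    """Return a list of findings; an empty list means the posted parameters agree."""
    ike, ipsec, pfs, proxy = parse_srx(srx_text)
    isakmp, transforms, cmap = parse_cisco(cisco_text)
    checks = [("IKE encryption", ike.get("encryption-algorithm"), isakmp["encr"]),
              ("IKE hash", ike.get("authentication-algorithm"), isakmp["hash"]),
              ("IKE DH group", ike.get("dh-group", "").removeprefix("group"), isakmp["group"]),
              ("IKE lifetime", ike.get("lifetime-seconds"), isakmp["lifetime"]),
              ("IPsec lifetime", ipsec.get("lifetime-seconds"), cmap["lifetime"]),
              ("PFS group", pfs, cmap["pfs"])]
    findings = []
    ts = cmap.get("transform-set")
    if ts in transforms:
        checks.append(("IPsec transform", f"esp-{ipsec['encryption-algorithm']} {ipsec['authentication-algorithm']}", transforms[ts]))
    else:
        findings.append(f"crypto map references transform-set {ts!r}, which is not defined")
    findings += [f"{name}: SRX={s} IOS={c}" for name, s, c in checks if s != c]
    # Phase 2 IDs: the SRX local proxy-id must mirror the destination side of the IOS crypto ACL.
    if proxy.get("local") == "0.0.0.0/0":
        findings.append("proxy-identity local 0.0.0.0/0 is wider than any specific crypto ACL entry; use the real local subnet")
    if "acl" in cmap:
        findings.append(f"check that ACL {cmap['acl']} permits {proxy['remote']} -> {proxy['local']} (not in the posted config)")
    return findings

print(*compare(SRX_CONFIG, CISCO_CONFIG), sep="\n")
```

Run against the configs as posted, it reports four findings: the crypto map refers to a transform-set name that is not defined, the SRX requires PFS group 2 while the crypto map has no `set pfs`, the 0/0 local proxy-ID, and the crypto ACL to verify by hand. With `set transform-set VIVI-Building` and `set pfs group2` in the crypto map, only the two proxy-ID items remain, which is the fix the thread converges on.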

     



  • 6.  RE: VPN IPSEC TUNNEL CONFIGURATION VERIFICATION between SRX3600 and Cisco Router

    Posted 04-12-2014 15:50

    Hi Raveen,

     

    Some parameters on the Cisco were not matching, and after correction of the proxy identity, the tunnel came up.

     

    Thanks,

    Baba