SRX Services Gateway
Trusted Contributor
bufo333
Posts: 50
Registered: ‎12-22-2009
0

Re: VPN is still not working --- SRX to ASA


I would have to give my thumbs up on the GRE-based VPN policies. Not only does GRE make life simple going Cisco to Juniper, but I have managed a 200-plus-location VPN network, ALL Cisco BTW, and as a standard we connected all the Cisco boxes with GRE tunnels.

Not only does it work well, but it allows multicast traffic, which is a must in some enterprise environments. Also it lets you connect all your remote sites to multiple VPN hub concentrators and have failover: you just run OSPF on each GRE tunnel interface and advertise the local site subnet back into OSPF.

This gives you a really robust VPN topology with automatic failover and/or traffic sharing between the different VPN hubs.

Don't count out GRE. It is an awesome protocol.

John Burns
Contributor
tony zhang
Posts: 11
Registered: ‎12-29-2010
0

Re: VPN is still not working --- SRX to ASA

Hi, kullnd

I got the same error messages in the log as you mentioned, but I'm not sure whether the way you tried can solve it.

I use an srx3600 to create an IPsec VPN with an asa5505, but the difference is that the asa5505 gets a dynamic IP address from the ISP by DSL, and I don't need to set up a VLAN.

From the asa5505 debug information, I found that negotiation phase 1 was completed, then it failed at phase 2. I could get only a few error messages to find the reason when I pinged the target address to initiate the VPN.

The attachments are the configurations of the srx3600 and asa5505, and below is the debug info from the ASA:


hw(config)# Mar 09 23:54:22 [IKEv1]: Group = y.232.124.40, IP = y.232.124.40, QM FSM error (P2 struct &0x175ddb8, mess id 0x1827933f)!
Mar 09 23:54:22 [IKEv1]: Group = y.232.124.40, IP = y.232.124.40, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Mar 09 23:54:22 [IKEv1]: Group = y.232.124.40, IP = y.232.124.40, Removing peer from correlator table failed, no match!
Mar 09 23:54:49 [IKEv1]: Group = y.232.124.40, IP = y.232.124.40, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Mar 09 23:54:49 [IKEv1]: Group = y.232.124.40, IP = y.232.124.40, Removing peer from correlator table failed, no match!

hw(config)# show crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: y.232.124.40
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : AM_ACTIVE


srx3600 log message:

Mar 10 06:34:53 KMD_INTERNAL_ERROR: iked_sa_cfg_delete_from_hash_table_for_one_gw: Failed to delete sa_cfg ike-vpn from sadb hash tbl with rip=0, lip=0
Mar 10 06:34:53 kmd_sa_cfg_free: Tunnel node for tunnel 0 (SA: ike-vpn) not found
Mar 10 06:34:53 KMD_INTERNAL_ERROR: iked_sa_cfg_delete_from_hash_table_for_one_gw: Failed to delete sa_cfg ike-vpn-test from sadb hash tbl with rip=0, lip=0
Mar 10 06:34:53 kmd_sa_cfg_free: Tunnel node for tunnel 0 (SA: ike-vpn-test) not found
Mar 10 06:34:53 Group/Shared IKE ID VPN configured: 0
Mar 10 06:34:53 kmd_diff_config_now, configuration diff complete
Mar 10 06:34:53 iked_process_ifl_ext_add: ifl tunnel-id lookup failed for ifl ge-0/0/1.0
Mar 10 06:34:53 kmd_sa_cfg_free: Tunnel node for tunnel 2 (SA: INSTANCE-ike-vpn_0002_0010_0000) not found
Mar 10 06:42:07 kmd_sa_cfg_free: Tunnel node for tunnel 4 (SA: INSTANCE-ike-vpn-test_0004_0005_0000) not found
Mar 10 07:33:32 iked_process_ifl_ext_add: ifl tunnel-id lookup failed for ifl ge-0/0/1.0

Thanks in advance, any information will be appreciated!

Distinguished Expert
keithr
Posts: 979
Registered: ‎09-10-2009

Re: VPN is still not working --- SRX to ASA

Try removing the aggressive mode from the ASA crypto map mymap.

Also, I would suggest using cipher suites more modern/robust/secure than DES and MD5. My standard IPSec configuration these days (which works fine between numerous Juniper and Cisco devices) is:

proposal ike-prop-p1 {
    description "Custom - pre-g2-aes128-sha";
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm sha1;
    encryption-algorithm aes-128-cbc;
    lifetime-seconds 86400;
}

And here is what I use for Phase 2:

proposal ipsec-prop-p2 {
    description "Custom - esp-aes128-sha";
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm aes-128-cbc;
    lifetime-seconds 28800;
    lifetime-kilobytes 1048576;
}
policy ipsec-pol-1 {
    description "Custom - DH Group 2 PFS";
    perfect-forward-secrecy {
        keys group2;
    }
    proposals ipsec-prop-p2;
}

On the Cisco side:

crypto isakmp policy 5
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

crypto ipsec transform-set ipsec-p2 esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 1048576

crypto map foo 5 match address MYACL
crypto map foo 5 set pfs 
crypto map foo 5 set peer 134.197.18.145 
crypto map foo 5 set transform-set ipsec-p2
crypto map foo interface outside

-kr


---
If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated.
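The Phase 2 failure quoted earlier in the thread ("QM FSM error", "No SPI to identify Phase 2 SA") is the typical symptom of the two peers proposing different ciphers, hash, PFS group or lifetimes. The following script is an added example, not code from the poster or from Juniper or Cisco: it parses the Junos proposals and the Cisco ISAKMP policy/transform-set/crypto map quoted above, maps each vendor's keywords onto a neutral name, and reports which attributes disagree. The keyword tables, the `compare_phase1`/`compare_phase2` helpers and the assumption that a bare Cisco `set pfs` means group2 are this example's own.

```python
import re

# Constructed copies of the proposals quoted in the post above (Junos phase 1/2,
# Cisco ISAKMP policy, transform-set and crypto map). Nothing else is real config.
JUNOS_P1 = """\
proposal ike-prop-p1 {
    description "Custom - pre-g2-aes128-sha";
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm sha1;
    encryption-algorithm aes-128-cbc;
    lifetime-seconds 86400;
}
"""
JUNOS_P2 = """\
proposal ipsec-prop-p2 {
    description "Custom - esp-aes128-sha";
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm aes-128-cbc;
    lifetime-seconds 28800;
    lifetime-kilobytes 1048576;
}
policy ipsec-pol-1 {
    description "Custom - DH Group 2 PFS";
    perfect-forward-secrecy {
        keys group2;
    }
    proposals ipsec-prop-p2;
}
"""
CISCO_P1 = """\
crypto isakmp policy 5
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
"""
CISCO_P2 = """\
crypto ipsec transform-set ipsec-p2 esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 1048576
crypto map foo 5 match address MYACL
crypto map foo 5 set pfs
crypto map foo 5 set peer 134.197.18.145
crypto map foo 5 set transform-set ipsec-p2
crypto map foo interface outside
"""

# Vendor keywords mapped onto one neutral name so both sides can be compared.
ENC = {"aes-128-cbc": "aes128", "aes": "aes128", "esp-aes": "aes128",
       "aes-256-cbc": "aes256", "aes 256": "aes256", "esp-aes-256": "aes256",
       "3des-cbc": "3des", "3des": "3des", "esp-3des": "3des",
       "des-cbc": "des", "des": "des", "esp-des": "des"}
HASH = {"sha1": "sha1", "sha": "sha1", "hmac-sha1-96": "sha1", "esp-sha-hmac": "sha1",
        "md5": "md5", "hmac-md5-96": "md5", "esp-md5-hmac": "md5"}
GROUP = {"group1": "1", "1": "1", "group2": "2", "2": "2", "group5": "5", "5": "5"}
AUTHM = {"pre-shared-keys": "psk", "pre-share": "psk"}


def parse_junos_block(text):
    """Collect every 'keyword value;' statement of a Junos block into a dict."""
    return {m.group(1): m.group(2).strip('"')
            for m in re.finditer(r'^\s*([a-z-]+)\s+(.+?);\s*$', text, re.M)}


def parse_cisco_isakmp(text):
    """Collect the indented 'keyword value' lines of a 'crypto isakmp policy' block."""
    out = {}
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] != "crypto":
            out[parts[0]] = " ".join(parts[1:])   # 'encryption aes 256' -> 'aes 256'
    return out


def parse_cisco_ipsec(text):
    """Pull transforms, SA lifetimes and PFS out of transform-set / crypto map lines."""
    out = {"pfs": None}
    for line in text.splitlines():
        p = line.split()
        if p[:3] == ["crypto", "ipsec", "transform-set"]:
            out["transforms"] = p[4:]
        elif p[:4] == ["crypto", "ipsec", "security-association", "lifetime"]:
            out["lifetime-" + p[4]] = p[5]
        elif "set pfs" in line:
            # Assumption: a bare 'set pfs' selects Cisco's default PFS group, group2.
            out["pfs"] = p[-1] if p[-1] != "pfs" else "group2"
    return out


def compare_phase1(junos, cisco):
    """Names of IKE attributes on which the two phase 1 proposals disagree."""
    j, c = parse_junos_block(junos), parse_cisco_isakmp(cisco)
    checks = [("authentication", AUTHM.get(j.get("authentication-method")), AUTHM.get(c.get("authentication"))),
              ("encryption", ENC.get(j.get("encryption-algorithm")), ENC.get(c.get("encryption"))),
              ("hash", HASH.get(j.get("authentication-algorithm")), HASH.get(c.get("hash"))),
              ("dh-group", GROUP.get(j.get("dh-group")), GROUP.get(c.get("group"))),
              ("lifetime", j.get("lifetime-seconds"), c.get("lifetime"))]
    return [name for name, a, b in checks if a != b]


def compare_phase2(junos, cisco):
    """Names of IPsec attributes on which the two phase 2 proposals disagree."""
    j, c = parse_junos_block(junos), parse_cisco_ipsec(cisco)
    transforms = c.get("transforms", [])
    checks = [("encryption", ENC.get(j.get("encryption-algorithm")), next((ENC[t] for t in transforms if t in ENC), None)),
              ("authentication", HASH.get(j.get("authentication-algorithm")), next((HASH[t] for t in transforms if t in HASH), None)),
              ("pfs", GROUP.get(j.get("keys")), GROUP.get(c.get("pfs"))),
              ("lifetime-seconds", j.get("lifetime-seconds"), c.get("lifetime-seconds")),
              ("lifetime-kilobytes", j.get("lifetime-kilobytes"), c.get("lifetime-kilobytes"))]
    return [name for name, a, b in checks if a != b]


if __name__ == "__main__":
    print("phase 1 mismatches:", compare_phase1(JUNOS_P1, CISCO_P1) or "none")
    print("phase 2 mismatches:", compare_phase2(JUNOS_P2, CISCO_P2) or "none")
```

Run against the configs quoted above both lists come back empty; swap the Cisco hash to md5 or the PFS group to group5 and the corresponding attribute name is reported, which is the comparison worth doing before reading any more IKE debug output.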
Contributor
tony zhang
Posts: 11
Registered: ‎12-29-2010
0

Re: VPN is still not working --- SRX to ASA

Hi, keithr

Thanks for your information, I will try it later.

I think there is a little difference from our configuration. In my scenario, the ASA will acquire a dynamic IP from the ISP, and it is supposed to use Aggressive mode when the peer has no static IP. Am I right?

Contributor
tony zhang
Posts: 11
Registered: ‎12-29-2010
0

Re: VPN is still not working --- SRX to ASA

My VPN went to work after the modification kullnd mentioned.

The policy in the SRX does not support a mixture of different subnets in some cases.

My solution is:

In SRX:

separate the different subnet source addresses into different policies.

In Cisco:

separate the different subnets into different access-list entries.

Visitor
amiones
Posts: 2
Registered: ‎05-19-2011
0

Re: VPN is still not working --- SRX to ASA

I think the keyword is: this solution is IPSec over GRE or GRE over IPSec.

If it is IPSec over GRE, the interesting traffic is protocol 47.

Visitor
msch00ley
Posts: 8
Registered: ‎08-23-2011
0

Re: VPN is still not working --- SRX to ASA

I have a couple more issues on this point. Since some of my customers require me to NAT on the outbound, I have to use route-based VPNs, as you can't source NAT with policy-based VPNs, even to ASAs.

Then next, a lot of times I go to the same address at the customer site from multiple addresses on my side. So the customer has to set up just an access-list on his Cisco; I have to set up multiple VPNs as mentioned earlier and set the st0 interface as multipoint. At this point I can't add a static route to the single host I am reaching, as it won't be entered into the routing table, and I have to use tunnel-based forwarding. But since I'm going to the same destination, I now have to base my routing on source, so I have to do FBF based on source, all pointing at different routing instances, i.e. if from source A, then use tunnel A; if from source B, use tunnel B. I then ran into one more instance: my traffic was coming in on a VPN interface, and you can't apply FBF to an st0 interface. I eventually solved it by combining my encryption domain into a larger subnet, since my addresses were contiguous in this case, and had my customer change their access list. Fortunately the customer was willing to do this. If my addresses had been non-contiguous, I'm not sure what I would have done.

One other note: now that Cisco has VTIs you can do a route-based VPN to a Cisco router; of course ASAs don't support this yet.
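Both of the fixes reported in this thread are really about making the Phase 2 traffic selectors (proxy IDs) agree: tony zhang split a multi-subnet SRX policy into one policy per subnet with one ACL entry per subnet on the Cisco side, and msch00ley summarized contiguous subnets into a single larger one and had the peer's ACL changed to match. The script below is an added example, not code from either poster or from Juniper or Cisco. It parses constructed ASA `access-list ... extended permit ip` lines into (local, remote) pairs, models an SRX policy as nothing more than its source and destination address lists, splits mixed policies into single-pair ones, diffs the two sides, and uses `ipaddress.collapse_addresses` to decide whether a set of subnets has an exact summary. The policy dict shape, the helper names and every address are this example's assumptions.

```python
import ipaddress

# Constructed ASA ACL, one entry per local/remote subnet pair (the "separate
# access-list entries" fix). All addresses here are made up for the example.
ASA_ACL_SPLIT = """\
access-list MYACL extended permit ip 10.1.0.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list MYACL extended permit ip 10.1.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list MYACL extended permit ip 10.1.2.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list MYACL extended permit ip 10.1.3.0 255.255.255.0 192.168.5.0 255.255.255.0
"""
# The same peer after summarising the four /24s into one /22 (the "larger subnet" fix).
ASA_ACL_SUMMARY = "access-list MYACL extended permit ip 10.1.0.0 255.255.252.0 192.168.5.0 255.255.255.0\n"

# Minimal model of an SRX security policy: only its address lists matter here.
# This one lists several source subnets in a single policy, the shape that failed.
SRX_COMBINED = [{"name": "vpn-out",
                 "source": ["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24"],
                 "destination": ["192.168.5.0/24"]}]


def parse_asa_acl(text):
    """(local, remote) network pairs from 'access-list NAME extended permit ip A MASK B MASK' lines."""
    pairs = set()
    for line in text.splitlines():
        p = line.split()
        if len(p) >= 9 and p[0] == "access-list" and p[3:5] == ["permit", "ip"]:
            pairs.add((ipaddress.ip_network(f"{p[5]}/{p[6]}"),
                       ipaddress.ip_network(f"{p[7]}/{p[8]}")))
    return pairs


def mixed_policies(policies):
    """Names of policies that carry more than one source or destination subnet."""
    return [p["name"] for p in policies
            if len(p["source"]) > 1 or len(p["destination"]) > 1]


def split_policies(policies):
    """One policy per (source, destination) pair, so each yields exactly one selector pair."""
    out = []
    for pol in policies:
        for i, src in enumerate(pol["source"]):
            for j, dst in enumerate(pol["destination"]):
                out.append({"name": f"{pol['name']}-{i}-{j}",
                            "source": [src], "destination": [dst]})
    return out


def policy_pairs(policies):
    """Selector pairs from single-subnet policies; mixed policies are skipped rather than guessed at."""
    return {(ipaddress.ip_network(p["source"][0]), ipaddress.ip_network(p["destination"][0]))
            for p in policies if not mixed_policies([p])}


def selector_diff(srx_pairs, asa_pairs):
    """Pairs present on only one side; two empty lists means the selectors line up."""
    fmt = lambda pr: f"{pr[0]} -> {pr[1]}"
    return {"srx_only": sorted(fmt(pr) for pr in srx_pairs - asa_pairs),
            "asa_only": sorted(fmt(pr) for pr in asa_pairs - srx_pairs)}


def summarize(nets):
    """Collapse subnets into the fewest exact supernets (no extra addresses added).
    A single result means they were contiguous and can be one selector on both
    sides; more than one means no exact summary exists and splitting is the option."""
    merged = [str(n) for n in ipaddress.collapse_addresses([ipaddress.ip_network(n) for n in nets])]
    return merged, len(merged) == 1


if __name__ == "__main__":
    asa_split = parse_asa_acl(ASA_ACL_SPLIT)
    print("mixed policies before split:", mixed_policies(SRX_COMBINED))
    print("combined vs split ACL:", selector_diff(policy_pairs(SRX_COMBINED), asa_split))
    print("split policies vs split ACL:", selector_diff(policy_pairs(split_policies(SRX_COMBINED)), asa_split))
    merged, single = summarize(SRX_COMBINED[0]["source"])
    print("summary:", merged, "contiguous" if single else "not contiguous")
    summary_policy = [{"name": "vpn-out", "source": merged, "destination": ["192.168.5.0/24"]}]
    print("summary policy vs split ACL:", selector_diff(policy_pairs(summary_policy), asa_split))
    print("summary policy vs summary ACL:", selector_diff(policy_pairs(summary_policy), parse_asa_acl(ASA_ACL_SUMMARY)))
```

The two diagnostics the thread needed come out directly: the combined policy yields no usable selector pair at all until it is split, and a summarized SRX side only matches once the peer's ACL is summarized the same way; for a non-contiguous set such as 10.1.0.0/24, 10.1.1.0/24 and 10.1.3.0/24, `summarize` returns two networks, which is the case the last poster was unsure about and where per-subnet splitting on both sides remains the workable answer.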

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.