09-20-2010 10:04 AM - edited 09-20-2010 10:05 AM
I would have to give my thumbs up on the GRE-based VPN policies. Not only does GRE make life simple going Cisco to Juniper, but I have managed a 200-plus-location VPN network (all Cisco, BTW), and as a standard we connected all the Cisco boxes with GRE tunnels.
Not only does it work well, but it allows multicast traffic, which is a must in some enterprise environments. Also, it lets you connect all your remote sites to multiple VPN hub concentrators and have failover: you just run OSPF on each GRE tunnel interface and advertise the local site subnet back into OSPF.
This gives you a really robust VPN topology with automatic failover and/or traffic sharing between the different VPN hubs.
Don't count out GRE. It is an awesome protocol.
03-10-2011 12:56 AM
Hi, kullnd
I got the same error messages in the log as you mentioned, but I'm not sure whether the way you tried can solve it.
I use an SRX3600 to create an IPsec VPN with an ASA 5505, but the difference is that the ASA 5505 gets a dynamic IP address from the ISP by DSL, and I don't need to set up a VLAN.
From the ASA 5505 debug information, I found that negotiation phase 1 completed, then failed at phase 2. There are only a few error messages I can get to find the reason when I ping the target address to initiate the VPN.
hw(config)# Mar 09 23:54:22 [IKEv1]: Group = y.232.124.40, IP = y.232.124.40, QM FSM error (P2 struct &0x175ddb8, mess id 0x1827933f)!
Mar 09 23:54:22 [IKEv1]: Group = y.232.124.40, IP = y.232.124.40, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Mar 09 23:54:22 [IKEv1]: Group = y.232.124.40, IP = y.232.124.40, Removing peer from correlator table failed, no match!
Mar 09 23:54:49 [IKEv1]: Group = y.232.124.40, IP = y.232.124.40, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Mar 09 23:54:49 [IKEv1]: Group = y.232.124.40, IP = y.232.124.40, Removing peer from correlator table failed, no match!
hw(config)# show crypto isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: y.232.124.40
Type : L2L Role : initiator
Rekey : no State : AM_ACTIVE
SRX3600 log messages:
Mar 10 06:34:53 KMD_INTERNAL_ERROR: iked_sa_cfg_delete_from_hash_table_for_one_gw: Failed to delete sa_cfg ike-vpn from sadb hash tbl with rip=0, lip=0
Mar 10 06:34:53 kmd_sa_cfg_free: Tunnel node for tunnel 0 (SA: ike-vpn) not found
Mar 10 06:34:53 KMD_INTERNAL_ERROR: iked_sa_cfg_delete_from_hash_table_for_one_gw: Failed to delete sa_cfg ike-vpn-test from sadb hash tbl with rip=0, lip=0
Mar 10 06:34:53 kmd_sa_cfg_free: Tunnel node for tunnel 0 (SA: ike-vpn-test) not found
Mar 10 06:34:53 Group/Shared IKE ID VPN configured: 0
Mar 10 06:34:53 kmd_diff_config_now, configuration diff complete
Mar 10 06:34:53 iked_process_ifl_ext_add: ifl tunnel-id lookup failed for ifl ge-0/0/1.0
Mar 10 06:34:53 kmd_sa_cfg_free: Tunnel node for tunnel 2 (SA: INSTANCE-ike-vpn_0002_0010_0000) not found
Mar 10 06:42:07 kmd_sa_cfg_free: Tunnel node for tunnel 4 (SA: INSTANCE-ike-vpn-test_0004_0005_0000) not found
Mar 10 07:33:32 iked_process_ifl_ext_add: ifl tunnel-id lookup failed for ifl ge-0/0/1.0
Thanks in advance, any information will be appreciated!
03-10-2011 02:19 PM
Try removing the aggressive mode from the ASA crypto map mymap.
Also, I would suggest using cipher suites more modern/robust/secure than DES and MD5. My standard IPSec configuration these days (which works fine between numerous Juniper and Cisco devices) is:
proposal ike-prop-p1 {
    description "Custom - pre-g2-aes128-sha";
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm sha1;
    encryption-algorithm aes-128-cbc;
    lifetime-seconds 86400;
}
And here is what I use for Phase 2:
proposal ipsec-prop-p2 {
    description "Custom - esp-aes128-sha";
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm aes-128-cbc;
    lifetime-seconds 28800;
    lifetime-kilobytes 1048576;
}
policy ipsec-pol-1 {
    description "Custom - DH Group 2 PFS";
    perfect-forward-secrecy {
        keys group2;
    }
    proposals ipsec-prop-p2;
}
On the Cisco side:
crypto isakmp policy 5
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ipsec-p2 esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 1048576
crypto map foo 5 match address MYACL
crypto map foo 5 set pfs
crypto map foo 5 set peer 134.197.18.145
crypto map foo 5 set transform-set ipsec-p2
crypto map foo interface outside
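A small checker for the proposal pairing above, as an added example that is not part of keithr's post and not a Juniper or Cisco tool: it parses the Junos proposals and the IOS policy and transform-set lines into one vocabulary, reports any field where the two peers would disagree (a mismatch here is one of the usual reasons Phase 1 or Phase 2 never completes), and sorts the algorithms into "broken" (the DES/MD5 pair the post tells the OP to drop) and "legacy" (the AES-128/SHA-1/group 2 set the post recommends, which is below current guidance). The keyword tables, the parsers and the constructed DES/MD5 variant are my own assumptions and cover only the statement shapes shown in the post.

```python
"""Normalise a Junos IKE/IPsec proposal and Cisco IOS policy/transform-set
lines into one vocabulary and report where the two peers disagree.
Added example (not keithr's config, not vendor tooling); the tables below
cover only the algorithms used in the thread plus a few neighbours.
"""
import re

# Junos statement -> neutral field; Junos keyword -> neutral algorithm name
JUNOS_KEYS = {"dh-group": "dh", "authentication-algorithm": "hash",
              "encryption-algorithm": "enc", "authentication-method": "auth",
              "lifetime-seconds": "lifetime"}
JUNOS_WORDS = {"group1": "dh1", "group2": "dh2", "group14": "dh14",
               "md5": "md5", "sha1": "sha1", "hmac-md5-96": "md5", "hmac-sha1-96": "sha1",
               "des-cbc": "des", "3des-cbc": "3des", "aes-128-cbc": "aes128",
               "aes-256-cbc": "aes256", "pre-shared-keys": "psk"}
# IOS sub-command -> neutral field; IOS keyword(s) -> neutral algorithm name
IOS_KEYS = {"group": "dh", "hash": "hash", "encryption": "enc",
            "authentication": "auth", "lifetime": "lifetime"}
IOS_WORDS = {"1": "dh1", "2": "dh2", "14": "dh14", "md5": "md5", "sha": "sha1",
             "esp-md5-hmac": "md5", "esp-sha-hmac": "sha1", "des": "des", "3des": "3des",
             "aes": "aes128", "aes 256": "aes256", "esp-des": "des", "esp-3des": "3des",
             "esp-aes": "aes128", "esp-aes 256": "aes256", "pre-share": "psk"}
BROKEN = {"des", "md5", "dh1"}    # the pair the post tells the OP to drop (plus group 1)
LEGACY = {"3des", "sha1", "dh2"}  # the post's 2011 choice; below current guidance

def parse_junos(text):
    """Map the 'keyword value;' statements of a Junos proposal to neutral fields."""
    out = {}
    for key, value in re.findall(r"^\s*([\w-]+)\s+([\w.-]+);", text, re.M):
        field = JUNOS_KEYS.get(key)       # description/protocol/kilobytes are skipped
        if field == "lifetime":
            out[field] = int(value)
        elif field:
            out[field] = JUNOS_WORDS.get(value, "unknown:" + value)
    return out

def _ios_tokens(words):
    """Join 'esp-aes 256' style pairs so a key size travels with its algorithm."""
    i = 0
    while i < len(words):
        tok = words[i]
        if i + 1 < len(words) and words[i + 1].isdigit():
            tok, i = tok + " " + words[i + 1], i + 1
        yield tok
        i += 1

def parse_ios(text):
    """Map isakmp policy sub-commands, a transform-set line and the IPsec SA
    lifetime line to the same neutral fields."""
    out = {}
    for line in text.splitlines():
        words = line.split()
        if words[:3] == ["crypto", "ipsec", "transform-set"]:
            for tok in _ios_tokens(words[4:]):
                out["hash" if "hmac" in tok else "enc"] = IOS_WORDS.get(tok, "unknown:" + tok)
        elif words[:5] == ["crypto", "ipsec", "security-association", "lifetime", "seconds"]:
            out["lifetime"] = int(words[5])
        elif words and IOS_KEYS.get(words[0]) == "lifetime":
            out["lifetime"] = int(words[1])
        elif words and words[0] in IOS_KEYS:
            rest = " ".join(words[1:])
            out[IOS_KEYS[words[0]]] = IOS_WORDS.get(rest, "unknown:" + rest)
    return out

def compare(a, b):
    """Fields on which the two sides disagree: {field: (side_a, side_b)}."""
    return {f: (a.get(f), b.get(f)) for f in sorted(set(a) | set(b)) if a.get(f) != b.get(f)}

def audit(params):
    """Sort the offered algorithms into broken / legacy buckets."""
    algs = {v for k, v in params.items() if k in ("dh", "hash", "enc")}
    return {"broken": sorted(algs & BROKEN), "legacy": sorted(algs & LEGACY)}

def report(junos_text, ios_text):
    """Mismatches between the peers plus an audit of what the Junos side offers."""
    j, c = parse_junos(junos_text), parse_ios(ios_text)
    return {"mismatch": compare(j, c), **audit(j)}

# The post's Phase 1 and Phase 2 pairs (retyped), plus a constructed DES/MD5 variant.
JUNOS_P1 = """proposal ike-prop-p1 {
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm sha1;
    encryption-algorithm aes-128-cbc;
    lifetime-seconds 86400;
}"""
IOS_P1 = """crypto isakmp policy 5
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400"""
JUNOS_P1_WEAK = JUNOS_P1.replace("sha1", "md5").replace("aes-128-cbc", "des-cbc")
JUNOS_P2 = """proposal ipsec-prop-p2 {
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm aes-128-cbc;
    lifetime-seconds 28800;
    lifetime-kilobytes 1048576;
}"""
IOS_P2 = """crypto ipsec transform-set ipsec-p2 esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800"""

if __name__ == "__main__":
    for name, pair in (("p1", (JUNOS_P1, IOS_P1)), ("p1-weak", (JUNOS_P1_WEAK, IOS_P1)),
                       ("p2", (JUNOS_P2, IOS_P2))):
        print(name, report(*pair))
```

The ASA's own syntax differs slightly from the IOS form keithr posted (for example `crypto ikev1 policy` on newer images), so feed it the IOS-shaped lines or extend `IOS_KEYS` for your platform; the neutral names are what matter for the comparison.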
03-10-2011 05:04 PM
Hi, keithr
Thanks for your information, I will try it later.
I think there is a little difference between our configurations. In my scenario, the ASA will acquire a dynamic IP from the ISP, and it is supposed to use Aggressive mode when the peer has no static IP.
Am I right?
03-12-2011 06:26 PM
My VPN started working after the modification kullnd mentioned.
The policy in the SRX does not support a mixture of different subnets in some cases.
My solution is:
In SRX:
separate the different subnet source-addresses into different policies.
In Cisco:
separate the different subnets into different access-lists.
09-26-2011 08:39 AM
I think the key point is whether this solution is IPSec over GRE or GRE over IPSec.
If it is IPSec over GRE, the interesting traffic is protocol 47.
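The 03-12-2011 fix (one subnet per SRX policy, one access-list entry per subnet on the Cisco) and the remark above about protocol 47 both come down to the Phase 2 proxy IDs having to match. The following is an added example, not code from the thread or from either vendor: it derives the proxy IDs each side will put on the wire from an SRX policy list and an ASA crypto ACL, flips the ASA's view to the SRX's, and reports pairs that only one side has. The model is an assumption: one proxy ID per SRX policy, with a side that lists more than one address collapsing to 0.0.0.0/0 (the behaviour the "one subnet per policy" fix works around; confirm against your Junos release), and an ASA responder that only accepts an offered proxy ID matching one ACE exactly. Addresses are RFC 5737 documentation ranges, constructed for the demo.

```python
"""Compare the Phase 2 proxy IDs an SRX policy-based VPN offers with the ones
an ASA crypto ACL expects.  Added example, not the thread's or vendor code.
Assumed model: one proxy ID per SRX policy, a multi-address side collapses to
0.0.0.0/0; one proxy ID per ASA permit ACE, exact match required.
"""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")
PROTO = {"ip": 0, "gre": 47, "esp": 50}    # ACE keyword -> IP protocol number
APP = {"any": 0, "junos-gre": 47}           # SRX application -> IP protocol number

def _side(addresses):
    """One address -> that network; several -> 0.0.0.0/0 (assumed collapse)."""
    return ipaddress.ip_network(addresses[0]) if len(addresses) == 1 else ANY

def srx_proxy_ids(policies):
    """policies: dicts with 'source' and 'destination' lists, optional 'application'.
    Returns {(local, remote, proto)} as the SRX sees them."""
    return {(_side(p["source"]), _side(p["destination"]), APP[p.get("application", "any")])
            for p in policies}

def _acl_net(words, i):
    """Parse 'any' | 'host A' | 'A MASK' starting at words[i]; return (net, next_i)."""
    if words[i] == "any":
        return ANY, i + 1
    if words[i] == "host":
        return ipaddress.ip_network(words[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{words[i]}/{words[i + 1]}"), i + 2

def asa_proxy_ids(acl_text):
    """Parse 'access-list NAME extended permit PROTO SRC DST' lines.
    Returns {(local, remote, proto)} as the ASA sees them."""
    ids = set()
    for line in acl_text.splitlines():
        words = line.split()
        if "permit" not in words:       # deny/remark/blank lines carry no proxy ID
            continue
        i = words.index("permit")
        proto = PROTO[words[i + 1]]
        local, i = _acl_net(words, i + 2)
        remote, i = _acl_net(words, i)
        ids.add((local, remote, proto))
    return ids

def mismatches(srx_ids, asa_ids):
    """Flip the ASA's view to the SRX's and report pairs only one side has."""
    asa_from_srx = {(remote, local, proto) for local, remote, proto in asa_ids}
    return {"srx_only": srx_ids - asa_from_srx, "asa_only": asa_from_srx - srx_ids}

def fmt(ids):
    """Stable, readable rendering of a proxy-ID set."""
    return sorted(f"{l} -> {r} proto {p}" for l, r, p in ids)

# Constructed scenario: two subnets behind the SRX, one behind the ASA, plus a
# GRE tunnel between two hosts (interesting traffic = protocol 47).
ASA_ACL = """\
access-list MYACL extended permit ip 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.128
access-list MYACL extended permit ip 192.0.2.0 255.255.255.0 198.51.100.128 255.255.255.128
access-list MYACL extended permit gre host 203.0.113.10 host 203.0.113.20
"""
BEFORE = [  # one policy carrying both subnets: its source side collapses to 0.0.0.0/0
    {"source": ["198.51.100.0/25", "198.51.100.128/25"], "destination": ["192.0.2.0/24"]},
    {"source": ["203.0.113.20/32"], "destination": ["203.0.113.10/32"], "application": "junos-gre"},
]
AFTER = [   # the thread's fix: one subnet per policy
    {"source": ["198.51.100.0/25"], "destination": ["192.0.2.0/24"]},
    {"source": ["198.51.100.128/25"], "destination": ["192.0.2.0/24"]},
    {"source": ["203.0.113.20/32"], "destination": ["203.0.113.10/32"], "application": "junos-gre"},
]

def check(policies, acl_text=ASA_ACL):
    return mismatches(srx_proxy_ids(policies), asa_proxy_ids(acl_text))

if __name__ == "__main__":
    for label, pols in (("before", BEFORE), ("after", AFTER)):
        r = check(pols)
        print(label, "srx_only:", fmt(r["srx_only"]), "asa_only:", fmt(r["asa_only"]))
```

With the `BEFORE` policy the SRX offers 0.0.0.0/0 for its side while the ASA only has the two /25 entries, which is the shape of failure that shows up on the ASA as Phase 1 completing and Phase 2 failing; with `AFTER` every pair, including the GRE host pair, lines up and the report is empty.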
10-01-2011 11:20 PM
I have a couple more issues on this point. Since some of my customers require me to NAT on the outbound, I have to use route-based VPNs, as you can't source NAT with policy-based VPNs, even to ASAs.
Next, a lot of the time I go to the same address at the customer site from multiple addresses on my side. So the customer only has to set up an access-list on his Cisco, while I have to set up multiple VPNs as mentioned earlier and set the st0 interface as multipoint. At this point I can't add a static route to the single host I am reaching, as it won't be entered into the routing table, and I have to use tunnel-based forwarding; but since I'm going to the same destination, I now have to base my routing on source, so I have to do FBF based on source, all pointing at different routing instances, i.e. if from source A, then use tunnel A; if from source B, use tunnel B. I then ran into one more instance: my traffic was coming in on a VPN interface, and you can't apply FBF to an st0 interface. I eventually solved it by combining my encryption domain into a larger subnet, since my addresses were contiguous in this case, and had my customer change their access-list. Fortunately the customer was willing to do this. If my addresses had been non-contiguous, I'm not sure what I would have done.
One other note: now that Cisco has VTIs, you can do a route-based VPN to a Cisco router; of course ASAs don't support this yet.