SRX

Hello,

I’m trying to configure a site to site VPN between a Juniper SRX 550 (my side) and a Cisco ASA 5555 (partner side). They imposed the configuration and I try to match it. I have no detail of the configuration on their side.

The phase 1 is ok. The phase 2 isn’t not: Phase 2 Mismatch
That’s clear but I don’t know which parameter isn’t.

== Parameters ==

IKE/IPSEC Parameters

Support Key Exchanged for Subnets     : ON

IKE Encryption Method                          : AES256 SHA

IKE Diffie-Hellman Groups for Phase 1   : Group 2 (1024 bit)

IKE (Phase-1) Timeout                           : 1440 Min        

IPSEC Encryption Method                     : AES256 SHA

IPSEC (Phase-2) Timeout                       : 3600 sec

PFS (Perfect Forward Secrecy)              : Disabled

Keepalive                                              : Disabled
VPN Gateway                            : X.X.X.X                 

Here is what I don’t know how to configure.

1. encryption domain

We agreed that the domain encryption (on my side?) is my public IP (y.y.y.y/32). They will accept in the tunnel only packet with the source IP my public IP. So, I need to NAT inside the tunnel.

Questions 1: How do I configure that?

2. They are using on the ASA 8 encryption domain

And on their side, they give me that:

VPN Encryption Domain 1         : 1.x.x.x/x

VPN Encryption Domain 2         : 2.x.x.x/x

VPN Encryption Domain 3         : 3.x.x.x/x

VPN Encryption Domain 4         : 4.x.x.x/x

VPN Encryption Domain 5         : 5.x.x.x/x

VPN Encryption Domain 6         : 6.x.x.x/x

VPN Encryption Domain 7         : 7.x.x.x/x

VPN Encryption Domain 8         : 8.x.x.x/x

Questions 2: how do I match that ?

proxy-identity local and a proxy-identity remote in the same IP sec vpn configuration?

or with a

ipsec vpn vpn-partnaire traffic-selector domaine1 local-ip

ipsec vpn vpn-partnaire traffic-selector domaine1 remote-ip

And I need to declare multiple IP sec vpn configuration and many st0.X ?

Here is my configuration:

 #Conf interface + Zone

set interfaces st0 unit 6 family inet

set security zones security-zone Internet1 interfaces st0.6

set routing-instances PRODUCTION protocols ospf area 0.0.0.0 interface st0.6

#Conf Routing-instance + route

set routing-instances PRODUCTION interface st0.6

#Conf Phase 1

set security ike proposal Proposal-Ph1-partenaire1 authentication-method pre-shared-keys

set security ike proposal Proposal-Ph1-partenaire1 dh-group group2

set security ike proposal Proposal-Ph1-partenaire1 authentication-algorithm sha1

set security ike proposal Proposal-Ph1-partenaire1 encryption-algorithm aes-256-cbc

set security ike proposal Proposal-Ph1-partenaire1 lifetime-seconds 86400

set security ike policy IKE-Pha1-Policy-partenaire1 mode main

set security ike policy IKE-Pha1-Policy-partenaire1 proposals Proposal-Ph1-partenaire1

set security ike policy IKE-Pha1-Policy-partenaire1 pre-shared-key ascii-text "XXXXXXXXXXXXXXXXXXXXX"

set security ike gateway gw-partenaire1 ike-policy IKE-Pha1-Policy-partenaire1

set security ike gateway gw-partenaire1 address X.X.X.X

set security ike gateway gw-partenaire1 external-interface reth0.200

#Conf Phase 2

set security ipsec proposal Proposal-Ph2-partenaire1 protocol esp

set security ipsec proposal Proposal-Ph2-partenaire1 authentication-algorithm hmac-sha-256-128

set security ipsec proposal Proposal-Ph2-partenaire1 encryption-algorithm aes-256-cbc

set security ipsec proposal Proposal-Ph2-partenaire1 lifetime-seconds 3600

set security ipsec policy IPSEC-Pha2-policy-partenaire1 proposals Proposal-Ph2-partenaire1

set security ipsec vpn vpn-partenaire1-primaire bind-interface st0.6

set security ipsec vpn vpn-partenaire1-primaire ike gateway gw-partenaire1

set security ipsec vpn vpn-partenaire1-primaire ike ipsec-policy IPSEC-Pha2-policy-partenaire1

set security ipsec vpn vpn-partenaire1-primaire establish-tunnels on-traffic

#Rules

set security policies from-zone Trust to-zone Internet1 policy rule-3to1-666-partenaire1-test match source-address my-net

set security policies from-zone Trust to-zone Internet1 policy rule-3to1-666-partenaire1-test match destination-address partenaire1-net

set security policies from-zone Trust to-zone Internet1 policy rule-3to1-666-partenaire1-test match application any

set security policies from-zone Trust to-zone Internet1 policy rule-3to1-666-partenaire1-test then permit

When it will work I will filter.

##### NAT Options #####

set security nat source pool src-nat-partenaire1 address mypublicIP

set security nat source rule-set trust-to-Internet1 from zone Trust

set security nat source rule-set trust-to-Internet1 to zone Internet1

set security nat source rule-set trust-to-Internet1 rule source-nat-rule-partenaire1 match source-address 0.0.0.0/0

set security nat source rule-set trust-to-Internet1 rule source-nat-rule-partenaire1 match destination-address 1.x.x.x/x

set security nat source rule-set trust-to-Internet1 rule source-nat-rule-partenaire1 match destination-address 2.x.x.x/x

set security nat source rule-set trust-to-Internet1 rule source-nat-rule-partenaire1 match destination-address 3.x.x.x/x

set security nat source rule-set trust-to-Internet1 rule source-nat-rule-partenaire1 match destination-address 4.x.x.x/x

set security nat source rule-set trust-to-Internet1 rule source-nat-rule-partenaire1 match destination-address 5.x.x.x/x

set security nat source rule-set trust-to-Internet1 rule source-nat-rule-partenaire1 match destination-address 6.x.x.x/x

set security nat source rule-set trust-to-Internet1 rule source-nat-rule-partenaire1 match destination-address 7.x.x.x/x

set security nat source rule-set trust-to-Internet1 rule source-nat-rule-partenaire1 match destination-address 8.x.x.x/x

set security nat source rule-set trust-to-Internet1 rule source-nat-rule-partenaire1 then source-nat pool src-nat-partenaire1

Thanks a lot.

Mickael.

---

set security ipsec proposal Proposal-Ph2-partenaire1 authentication-algorithm hmac-sha-256-128

---

This is probably the incorrect line. They appear to be using SHA-1 (although it's not very clear from the way they have phrased it).

By the way, using Diffie-Hellman Group 2 makes absolutely no sense in combination with AES-256. This is an extremely strong encryption algorithm being combined with a weak key exchange method. They should be using Group 14 (or one of the newer ECDH groups if available). The chain of security is only as strong as its weakest link.

Well I feel s*****.  The tunnel is up.
Thanks a lot. 
I still have no communication but I will look again on the TS or proxy-identity. I'm not comfortable with this notion.

I agree the combo encryption / authentication isn't good but they are working like this..

Hello,

My vpn is up, I can see the route in the routing table. But I have no paquets going throught.

How can I see where my packet is blocked or refused?

Thanks,
Mickael.

This gives you the steps to walk through a VPN up but not passing traffic.  If you have confirmed the route the next step is verifying the security policy in place.  Then check to see if sessions are created and if not enable the trace options to find out why.  If you have trouble interpreting the trace options output post them here.

https://kb.juniper.net/InfoCenter/index?page=content&id=KB10093

Hello,

It's exactly what I needed! Step by step check everything. And I look at the junos flow module..
I'm using nat inside my VPN tunnel so from the srx I tried ping X.X.X.X source {myPublic IP} routing-instance PRODUCTION and it's works, so the vpn tunnel is up and packet going through.

So it's my rules or my NAT.

A show security flow session (step 7) show nothing at all.
A show security nat source rule all shown my dedicated rule for this VPN is never matched.
And because I'm using NAT inside my VPN with the same public IP as my default NAT I was never matching the dedicated NAT rule for the vpn. Ok it's maybe not the best to do that..

I switched the VPN dedicated rule before my default NAT and it's working normally.
insert security nat source rule-set {rule number2} before rule-set {rule default}

Thanks for the step.

Subjet closed.

Mickael.

Hello,

I am facing the same issue to established a tunnel with a client in China.

I will appreciate if you share your change settting IKE and Ipsec.

Thank you.

Your settings for ike and ipsec will depend on what your remote site has on their side as they must match.

To help narrow down mismatches there are some guides but it depends on how far in the process of creating the tunnel you site is.  For this thread the site-to-site was showing established both ike and ipsec but no traffic was flowing.  If your tunnel is not coming up start with this document to narrow down where the issue is.

https://kb.juniper.net/InfoCenter/index?page=content&id=KB10100

Also since your partner is in China, there is a possibility that the vpn is being blocked by the "great firewall" of China.  When I worked at one company we had to get government permission to have a vpn to the site which was then permitted.  But start with the technical kb first.

Hi,

I know this is marked as resolved but might be worth to mention... The Cisco ASA uses Policy Based IPSEC, and it looks like the Juniper side is Route Based. This will work, if there is only 1 encryption domain. Not several traffic selectors as usually used when doing route-based between to devices.

There is KBs within Juniper side that explains this in detail.

Ref: https://kb.juniper.net/InfoCenter/index?page=content&id=KB20543&cat=SRX_SERIES&actp=LIST

So one thing is to setup policy based on the Juniper as well, or simplify the encryption domain a bit to get it to one.

I've been told that some ASAs (maybe older) cant handle the setup by using the peer-ip(gateway ip) as both peer ip and encryption domain to NAT the network behind it. But I havent been able to try it myself 🙂

I hope this information might help someone out there!

//Rob