Hello,
I’m trying to configure a site-to-site VPN between a Juniper SRX 550 (my side) and a Cisco ASA 5555 (partner side). They imposed the configuration and I am trying to match it. I have no details of the configuration on their side.
Phase 1 is OK. Phase 2 is not: Phase 2 Mismatch
That’s clear, but I don’t know which parameter it is.
== Parameters ==
IKE/IPSEC Parameters
Support Key Exchanged for Subnets : ON
IKE Encryption Method : AES256 SHA
IKE Diffie-Hellman Groups for Phase 1 : Group 2 (1024 bit)
IKE (Phase-1) Timeout : 1440 Min
IPSEC Encryption Method : AES256 SHA
IPSEC (Phase-2) Timeout : 3600 sec
PFS (Perfect Forward Secrecy) : Disabled
Keepalive : Disabled
VPN Gateway : X.X.X.X
Here is what I don’t know how to configure.
- encryption domain
We agreed that the encryption domain (on my side?) is my public IP (y.y.y.y/32). They will accept in the tunnel only packets whose source IP is my public IP. So, I need to NAT inside the tunnel.
Question 1: How do I configure that?
- They are using 8 encryption domains on the ASA
And on their side, they give me that:
VPN Encryption Domain 1 : 1.x.x.x/x
VPN Encryption Domain 2 : 2.x.x.x/x
VPN Encryption Domain 3 : 3.x.x.x/x
VPN Encryption Domain 4 : 4.x.x.x/x
VPN Encryption Domain 5 : 5.x.x.x/x
VPN Encryption Domain 6 : 6.x.x.x/x
VPN Encryption Domain 7 : 7.x.x.x/x
VPN Encryption Domain 8 : 8.x.x.x/x
Question 2: how do I match that?
With a proxy-identity local and a proxy-identity remote in the same IPsec VPN configuration?
Or with a
ipsec vpn vpn-partnaire traffic-selector domaine1 local-ip
ipsec vpn vpn-partnaire traffic-selector domaine1 remote-ip
And do I need to declare multiple IPsec VPN configurations and many st0.X?
Here is my configuration:
#Conf interface + Zone
set interfaces st0 unit 6 family inet
set security zones security-zone Internet1 interfaces st0.6
#Conf Routing-instance + route
set routing-instances PRODUCTION interface st0.6
set routing-instances PRODUCTION protocols ospf area 0.0.0.0 interface st0.6
#Conf Phase 1
set security ike proposal Proposal-Ph1-partenaire1 authentication-method pre-shared-keys
set security ike proposal Proposal-Ph1-partenaire1 dh-group group2
set security ike proposal Proposal-Ph1-partenaire1 authentication-algorithm sha1
set security ike proposal Proposal-Ph1-partenaire1 encryption-algorithm aes-256-cbc
set security ike proposal Proposal-Ph1-partenaire1 lifetime-seconds 86400
set security ike policy IKE-Pha1-Policy-partenaire1 mode main
set security ike policy IKE-Pha1-Policy-partenaire1 proposals Proposal-Ph1-partenaire1
set security ike policy IKE-Pha1-Policy-partenaire1 pre-shared-key ascii-text "XXXXXXXXXXXXXXXXXXXXX"
set security ike gateway gw-partenaire1 ike-policy IKE-Pha1-Policy-partenaire1
set security ike gateway gw-partenaire1 address X.X.X.X
set security ike gateway gw-partenaire1 external-interface reth0.200
#Conf Phase 2
set security ipsec proposal Proposal-Ph2-partenaire1 protocol esp
# hmac-sha-256-128 = HMAC-SHA-256 truncated to 128 bits
set security ipsec proposal Proposal-Ph2-partenaire1 authentication-algorithm hmac-sha-256-128
set security ipsec proposal Proposal-Ph2-partenaire1 encryption-algorithm aes-256-cbc
# 3600 s = the partner's Phase-2 timeout; no perfect-forward-secrecy statement = PFS disabled
set security ipsec proposal Proposal-Ph2-partenaire1 lifetime-seconds 3600
set security ipsec policy IPSEC-Pha2-policy-partenaire1 proposals Proposal-Ph2-partenaire1
set security ipsec vpn vpn-partenaire1-primaire bind-interface st0.6
set security ipsec vpn vpn-partenaire1-primaire ike gateway gw-partenaire1
set security ipsec vpn vpn-partenaire1-primaire ike ipsec-policy IPSEC-Pha2-policy-partenaire1
set security ipsec vpn vpn-partenaire1-primaire establish-tunnels on-traffic
#Rules
set security policies from-zone Trust to-zone Internet1 policy rule-3to1-666-partenaire1-test match source-address my-net
set security policies from-zone Trust to-zone Internet1 policy rule-3to1-666-partenaire1-test match destination-address partenaire1-net
set security policies from-zone Trust to-zone Internet1 policy rule-3to1-666-partenaire1-test match application any
set security policies from-zone Trust to-zone Internet1 policy rule-3to1-666-partenaire1-test then permit
When it works I will filter.
##### NAT Options #####
set security nat source pool src-nat-partenaire1 address mypublicIP
set security nat source rule-set trust-to-Internet1 from zone Trust
set security nat source rule-set trust-to-Internet1 to zone Internet1
set security nat source rule-set trust-to-Internet1 rule source-nat-rule-partenaire1 match source-address 0.0.0.0/0
set security nat source rule-set trust-to-Internet1 rule source-nat-rule-partenaire1 match destination-address 1.x.x.x/x
set security nat source rule-set trust-to-Internet1 rule source-nat-rule-partenaire1 match destination-address 2.x.x.x/x
set security nat source rule-set trust-to-Internet1 rule source-nat-rule-partenaire1 match destination-address 3.x.x.x/x
set security nat source rule-set trust-to-Internet1 rule source-nat-rule-partenaire1 match destination-address 4.x.x.x/x
set security nat source rule-set trust-to-Internet1 rule source-nat-rule-partenaire1 match destination-address 5.x.x.x/x
set security nat source rule-set trust-to-Internet1 rule source-nat-rule-partenaire1 match destination-address 6.x.x.x/x
set security nat source rule-set trust-to-Internet1 rule source-nat-rule-partenaire1 match destination-address 7.x.x.x/x
set security nat source rule-set trust-to-Internet1 rule source-nat-rule-partenaire1 match destination-address 8.x.x.x/x
set security nat source rule-set trust-to-Internet1 rule source-nat-rule-partenaire1 then source-nat pool src-nat-partenaire1
Thanks a lot.
Mickael.
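Added example, not part of the original post and not a configuration the partner supplied: one route-based VPN on a single st0 unit, with one traffic selector per partner encryption domain and source NAT so that every packet entering the tunnel carries y.y.y.y as its source. Assumptions: y.y.y.y/32 is the agreed local encryption domain (and therefore the address in the source NAT pool), 1.x.x.x/x to 8.x.x.x/x are the eight partner prefixes, the selector names ts-domain1 to ts-domain8 are invented, and the partner's "AES256 SHA" for IPsec is read the way an ASA states it (esp-sha-hmac, i.e. HMAC-SHA1), which has to be confirmed with the partner. Traffic selectors and proxy-identity are mutually exclusive on the same VPN, so no proxy-identity is configured here.

```junos
# Phase 2 proposal matching "AES256 SHA", 3600 s, PFS disabled.
# Assumption: "SHA" on the ASA side is esp-sha-hmac (HMAC-SHA1). Confirm before use.
set security ipsec proposal Proposal-Ph2-partenaire1 protocol esp
set security ipsec proposal Proposal-Ph2-partenaire1 authentication-algorithm hmac-sha1-96
set security ipsec proposal Proposal-Ph2-partenaire1 encryption-algorithm aes-256-cbc
set security ipsec proposal Proposal-Ph2-partenaire1 lifetime-seconds 3600
set security ipsec policy IPSEC-Pha2-policy-partenaire1 proposals Proposal-Ph2-partenaire1
# No "perfect-forward-secrecy keys" statement on the policy: PFS stays disabled.

# One VPN, one st0 unit, eight traffic selectors. Each selector negotiates its own
# Phase 2 SA with proxy-ID local=y.y.y.y/32, remote=<partner prefix>, which is what
# each of the eight ACL entries on the ASA expects. With IKEv1 the prefixes must
# match the ASA's entries exactly; the ASA does not narrow them.
set security ipsec vpn vpn-partenaire1-primaire bind-interface st0.6
set security ipsec vpn vpn-partenaire1-primaire ike gateway gw-partenaire1
set security ipsec vpn vpn-partenaire1-primaire ike ipsec-policy IPSEC-Pha2-policy-partenaire1
set security ipsec vpn vpn-partenaire1-primaire traffic-selector ts-domain1 local-ip y.y.y.y/32
set security ipsec vpn vpn-partenaire1-primaire traffic-selector ts-domain1 remote-ip 1.x.x.x/x
set security ipsec vpn vpn-partenaire1-primaire traffic-selector ts-domain2 local-ip y.y.y.y/32
set security ipsec vpn vpn-partenaire1-primaire traffic-selector ts-domain2 remote-ip 2.x.x.x/x
set security ipsec vpn vpn-partenaire1-primaire traffic-selector ts-domain3 local-ip y.y.y.y/32
set security ipsec vpn vpn-partenaire1-primaire traffic-selector ts-domain3 remote-ip 3.x.x.x/x
set security ipsec vpn vpn-partenaire1-primaire traffic-selector ts-domain4 local-ip y.y.y.y/32
set security ipsec vpn vpn-partenaire1-primaire traffic-selector ts-domain4 remote-ip 4.x.x.x/x
set security ipsec vpn vpn-partenaire1-primaire traffic-selector ts-domain5 local-ip y.y.y.y/32
set security ipsec vpn vpn-partenaire1-primaire traffic-selector ts-domain5 remote-ip 5.x.x.x/x
set security ipsec vpn vpn-partenaire1-primaire traffic-selector ts-domain6 local-ip y.y.y.y/32
set security ipsec vpn vpn-partenaire1-primaire traffic-selector ts-domain6 remote-ip 6.x.x.x/x
set security ipsec vpn vpn-partenaire1-primaire traffic-selector ts-domain7 local-ip y.y.y.y/32
set security ipsec vpn vpn-partenaire1-primaire traffic-selector ts-domain7 remote-ip 7.x.x.x/x
set security ipsec vpn vpn-partenaire1-primaire traffic-selector ts-domain8 local-ip y.y.y.y/32
set security ipsec vpn vpn-partenaire1-primaire traffic-selector ts-domain8 remote-ip 8.x.x.x/x
set security ipsec vpn vpn-partenaire1-primaire establish-tunnels on-traffic

# Source NAT into the tunnel. On the SRX, source NAT is applied before the packet
# is handed to st0.6 for encapsulation, so the proxy-ID check and the partner both
# see y.y.y.y as the source, not the internal host. The pool address must be the
# same y.y.y.y used as local-ip above.
set security nat source pool src-nat-partenaire1 address y.y.y.y/32
set security nat source rule-set trust-to-Internet1 from zone Trust
set security nat source rule-set trust-to-Internet1 to zone Internet1
set security nat source rule-set trust-to-Internet1 rule source-nat-rule-partenaire1 match source-address 0.0.0.0/0
set security nat source rule-set trust-to-Internet1 rule source-nat-rule-partenaire1 match destination-address 1.x.x.x/x
set security nat source rule-set trust-to-Internet1 rule source-nat-rule-partenaire1 match destination-address 2.x.x.x/x
set security nat source rule-set trust-to-Internet1 rule source-nat-rule-partenaire1 match destination-address 3.x.x.x/x
set security nat source rule-set trust-to-Internet1 rule source-nat-rule-partenaire1 match destination-address 4.x.x.x/x
set security nat source rule-set trust-to-Internet1 rule source-nat-rule-partenaire1 match destination-address 5.x.x.x/x
set security nat source rule-set trust-to-Internet1 rule source-nat-rule-partenaire1 match destination-address 6.x.x.x/x
set security nat source rule-set trust-to-Internet1 rule source-nat-rule-partenaire1 match destination-address 7.x.x.x/x
set security nat source rule-set trust-to-Internet1 rule source-nat-rule-partenaire1 match destination-address 8.x.x.x/x
set security nat source rule-set trust-to-Internet1 rule source-nat-rule-partenaire1 then source-nat pool src-nat-partenaire1

# Operational checks after commit (run in operational mode):
#   show security ike security-associations            Phase 1 up to X.X.X.X
#   show security ipsec security-associations          one SA pair per selector that has seen traffic
#   show security ipsec security-associations detail   negotiated proxy-IDs, compare with the ASA ACLs
#   show route table PRODUCTION.inet.0 1.x.x.x         auto-inserted route for the partner prefix via st0.6
#   show security flow session destination-prefix 1.x.x.x   session should show source y.y.y.y after NAT
# To see which proxy-ID or proposal the peer rejects during Phase 2:
#   set security ike traceoptions file ike-trace
#   set security ike traceoptions flag all
#   (commit, retry the tunnel, then: show log ike-trace)
```

Two things to keep in mind with this layout. When a VPN carries traffic selectors, the SRX installs a route for each remote-ip prefix toward the bound st0 unit in the routing instance that owns it (auto route insertion), so the partner prefixes do not have to be learned over the tunnel; whether a dynamic routing protocol such as the OSPF configured on st0.6 is still allowed on an st0 unit that has traffic selectors depends on the Junos release, so check the release documentation before leaving that OSPF statement in place. And because the partner only accepts y.y.y.y as a source, anything that reaches st0.6 without being translated (a host excluded from the NAT rule, or traffic originating on the SRX itself) will be dropped on their side or fail the proxy-ID match, which shows up as the same "Phase 2 mismatch" symptom rather than as a NAT error.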