cisco asa to juniper srx vpn site to site not working !!!!


  • 1.  cisco asa to juniper srx vpn site to site not working !!!!

    Posted 01-22-2017 11:11

    Good evening,

     

    I need some help setting up a VPN tunnel between an SRX and an ASA. IKE on the Juniper won't come up at all and gives me this log message:



    [Jan 22 20:56:15]10.10.10.38:500 (Initiator) <-> 40.40.219.2:500 { 96603848 9e448113 - 01d26445 ef56e0b7 [-1] / 0x00000000 } IP; MESSAGE: Phase 1 version = 1.0, auth_method = Pre shared keys, cipher = 3des-cbc, hash = sha1, prf = hmac-sh
    [Jan 22 20:56:15]ike_send_notify: Connected, SA = { 96603848 9e448113 - 01d26445 ef56e0b7}, nego = -1
    [Jan 22 20:56:15]iked_pm_ike_sa_done: local:10.10.10.38, remote:40.40.219.2 IKEv1
    [Jan 22 20:56:15]IKE negotiation done for local:10.10.10.38, remote:40.40.219.2 IKEv1 with status: Error ok
    [Jan 22 20:56:15]ssh_ike_connect_ipsec: Start, remote_name = :500, flags = 00000000
    [Jan 22 20:56:15]ssh_ike_connect_ipsec: SA = { 96603848 9e448113 - 01d26445 ef56e0b7}, nego = 0
    [Jan 22 20:56:15]ike_st_o_qm_hash_1: Start
    [Jan 22 20:56:15]ike_st_o_qm_sa_proposals: Start
    [Jan 22 20:56:15]ike_st_o_qm_nonce: Start
    [Jan 22 20:56:15]ike_policy_reply_qm_nonce_data_len: Start
    [Jan 22 20:56:15]ike_st_o_qm_optional_ke: Start
    [Jan 22 20:56:15]ike_st_o_qm_optional_ids: Start
    [Jan 22 20:56:15]ike_st_qm_optional_id: Start
    [Jan 22 20:56:15]ike_st_qm_optional_id: Start
    [Jan 22 20:56:15]ike_st_o_private: Start
    [Jan 22 20:56:15]Construction NHTB payload for local:10.10.10.38, remote:40.40.219.2 IKEv1 P1 SA index 7584821 sa-cfg GT-ncb-ipsec-vpn_t10
    [Jan 22 20:56:15]Peer router vendor is not Juniper. Not sending NHTB payload for sa-cfg GT-ncb-ipsec-vpn_t10, p1_sa=7584821
    [Jan 22 20:56:15]ike_policy_reply_private_payload_out: Start
    [Jan 22 20:56:15]ike_st_o_encrypt: Marking encryption for packet
    [Jan 22 20:56:15]ike_finalize_qm_hash_1: Hash[0..20] = aa0aa4fd b125ac6f ...
    [Jan 22 20:56:15]ike_send_packet: <-------- sending SA = { 96603848 9e448113 - 01d26445 ef56e0b7}, len = 156, nego = 0, local ip= 10.10.10.38, dst = 40.40.219.2:500, routing table id = 0
    [Jan 22 20:56:16]---------> Received from 40.40.219.2:500 to 10.10.10.38:0, VR 0, length 196 on IF
    [Jan 22 20:56:16]---------> Received from 40.40.219.2:500 to 10.10.10.38:0, VR 0, length 84 on IF
    [Jan 22 20:56:16]ike_sa_find: Found SA = { 96603848 9e448113 - 01d26445 ef56e0b7 }
    [Jan 22 20:56:16]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
    [Jan 22 20:56:16]ike_get_sa: Start, SA = { 96603848 9e448113 - 01d26445 ef56e0b7 } / c3f5e9b9, remote = 40.40.219.2:500
    [Jan 22 20:56:16]ike_sa_find: Found SA = { 96603848 9e448113 - 01d26445 ef56e0b7 }
    [Jan 22 20:56:16]ike_st_o_done: ISAKMP SA negotiation done
    [Jan 22 20:56:16]ike_send_notify: Connected, SA = { 96603848 9e448113 - 01d26445 ef56e0b7}, nego = -1
    [Jan 22 20:56:16]ike_st_i_encrypt: Check that packet was encrypted succeeded
    [Jan 22 20:56:16]ike_st_i_gen_hash: Start, hash[0..20] = 7f2926e2 5db829c8 ...
    [Jan 22 20:56:16]ike_st_i_n: Start, doi = 1, protocol = 3, code = Invalid ID information (18), spi[0..4] = 00000000 00000000 ..., data[0..128] = 01000018 aa0aa4fd ...
    [Jan 22 20:56:16]Authenticated Phase-2 notification `Invalid ID information' (18) (size 128 bytes) from 40.40.219.2 for protocol ESP spi[0...4]=00 00 00 00 causes IKE SA deletion and QM abort
    [Jan 22 20:56:16]ike_st_i_private: Start
    [Jan 22 20:56:16]ike_send_notify: Connected, SA = { 96603848 9e448113 - 01d26445 ef56e0b7}, nego = 1
    [Jan 22 20:56:16]ikev2_packet_st_input_v1_get_sa: Checking if unauthenticated IKEv1 notify is for an IKEv2 SA
    [Jan 22 20:56:16]ikev2_packet_st_input_v1_create_sa: [113e800/0] No IKE SA for packet; requesting permission to create one.
    [Jan 22 20:56:16]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
    [Jan 22 20:56:16]ike_get_sa: Start, SA = { 96603848 9e448113 - 01d26445 ef56e0b7 } / 7bc1b92a, remote = 40.40.219.2:500
    [Jan 22 20:56:16]ike_sa_find_half: Not found half SA = { 96603848 9e448113 - 00000000 00000000 }
    [Jan 22 20:56:16]ike_get_sa: Invalid cookie, no sa found, SA = { 96603848 9e448113 - 01d26445 ef56e0b7 } / 7bc1b92a, remote = 40.40.219.2:500
    [Jan 22 20:56:16]unknown (unknown) <-> unknown { unknown [unknown] / unknown } unknown; Packet to unknown Isakmp SA, ip = 40.40.219.2:500
    [Jan 22 20:56:16]ssh_ike_tunnel_table_entry_delete: Deleting tunnel_id: 0 from IKE tunnel table
    [Jan 22 20:56:16]ssh_ike_tunnel_table_entry_delete: The tunnel id: 0 doesn't exist in IKE tunnel table
    [Jan 22 20:56:16]ike_sa_delete: Start, SA = { 96603848 9e448113 - 01d26445 ef56e0b7 }
    [Jan 22 20:56:16]IKE SA delete called for p1 sa 7584821 (ref cnt 2) local:10.10.10.38, remote:40.40.219.2, IKEv1
    [Jan 22 20:56:16]P1 SA 7584821 reference count is not zero (1). Delaying deletion of SA
    [Jan 22 20:56:16]iked_pm_p1_sa_destroy: p1 sa 7584821 (ref cnt 0), waiting_for_del 0x10b1420
    [Jan 22 20:56:16]iked_deferred_free_inactive_peer_entry: Free 1 peer_entry(s)

     

     



  • 2.  RE: cisco asa to juniper srx vpn site to site not working !!!!

     
    Posted 01-22-2017 12:54

    Hi Elbeshti,

     

    We are getting the below error, "Invalid ID information (18)", which is causing VPN Phase 2 to fail.

     

    Most probably it is failing due to a proxy-ID mismatch between the Juniper and Cisco ends.

     

    Proxy-IDs are nothing but the subnets used across the VPN devices, as you have mentioned in the traffic selector.

     

    The local subnets of the SRX need to match the remote subnets of the ASA in the security policy, and vice versa.

     

    Please also check that you are not using the 0.0.0.0/0 or "any" on the cisco end.

     

    -Regards,

    Rishi

     

    [KUDOS PLEASE! If you think I earned it!
    If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]
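    As an added illustration (not part of the thread), a small Python triage script that walks an SRX IKE trace like the one in the opening post and separates the informational lines (the NHTB message) from the notification that actually tears the tunnel down. The sample lines are constructed from the thread's output; the regexes, field names and the notify-code hint table are my own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a few lines in the format of the SRX IKE trace posted in the thread.
SAMPLE_LOG = """\
[Jan 22 20:56:15]IKE negotiation done for local:10.10.10.38, remote:40.40.219.2 IKEv1 with status: Error ok
[Jan 22 20:56:15]Peer router vendor is not Juniper. Not sending NHTB payload for sa-cfg GT-ncb-ipsec-vpn_t10, p1_sa=7584821
[Jan 22 20:56:16]ike_st_o_done: ISAKMP SA negotiation done
[Jan 22 20:56:16]Authenticated Phase-2 notification `Invalid ID information' (18) (size 128 bytes) from 40.40.219.2 for protocol ESP spi[0...4]=00 00 00 00 causes IKE SA deletion and QM abort
[Jan 22 20:56:16]IKE SA delete called for p1 sa 7584821 (ref cnt 2) local:10.10.10.38, remote:40.40.219.2, IKEv1
"""

# ISAKMP notify type 18 is the one this thread turns on; other codes fall through to a generic message.
NOTIFY_HINTS = {
    18: "INVALID-ID-INFORMATION: Phase 2 proxy-ID / traffic-selector mismatch; "
        "the SRX local/remote pair must mirror the peer's crypto ACL entry",
}

P1_DONE = re.compile(r"IKE negotiation done for local:([^,]+), remote:(\S+) (IKEv\d)")
P2_NOTIFY = re.compile(r"Phase-2 notification `([^']+)' \((\d+)\).* from (\S+)")
NHTB_SKIP = re.compile(r"Peer router vendor is not Juniper")
SA_DELETE = re.compile(r"IKE SA delete called")


@dataclass
class IkeTriage:
    phase1_done: bool = False
    ike_version: Optional[str] = None
    peer: Optional[str] = None
    notify_code: Optional[int] = None
    notify_name: Optional[str] = None
    nhtb_skipped: bool = False   # informational only: expected with a non-Juniper peer
    sa_deleted: bool = False

    def diagnosis(self) -> str:
        if not self.phase1_done:
            return "Phase 1 never completed: check proposals, PSK, IKE version and NAT-T"
        if self.notify_code is not None:
            return NOTIFY_HINTS.get(self.notify_code,
                                    f"peer sent notify {self.notify_code} ({self.notify_name})")
        return "no Phase 2 error seen"


def triage(log: str) -> IkeTriage:
    """Walk the trace once and pull out the facts that decide where the tunnel fails."""
    t = IkeTriage()
    for line in log.splitlines():
        if m := P1_DONE.search(line):
            t.phase1_done, t.peer, t.ike_version = True, m.group(2), m.group(3)
        elif m := P2_NOTIFY.search(line):
            t.notify_name, t.notify_code, t.peer = m.group(1), int(m.group(2)), m.group(3)
        elif NHTB_SKIP.search(line):
            t.nhtb_skipped = True
        elif SA_DELETE.search(line):
            t.sa_deleted = True
    return t


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print(f"peer={r.peer} version={r.ike_version} phase1={r.phase1_done} notify={r.notify_code}")
    print("diagnosis:", r.diagnosis())
```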



  • 3.  RE: cisco asa to juniper srx vpn site to site not working !!!!

    Posted 01-22-2017 12:56
    Peer router vendor is not Juniper. Not sending NHTB payload for sa-cfg GT-ncb-ipsec-vpn_t10, p1_sa=7584821

    Do you have another VPN tunnel also using the st0.0 interface?

     

    NHTB (next hop tunnel binding) typically kicks in when you terminate more than one VPN on the same st0 subinterface. NHTB determines which of the multiple tunnels applied there the traffic is sent into. This process is typically not compatible across vendors.

     



  • 4.  RE: cisco asa to juniper srx vpn site to site not working !!!!

    Posted 01-22-2017 22:28

    No, I do not have another VPN; just 10 IPs need to pass through the VPN tunnel on interface st0.0.



  • 5.  RE: cisco asa to juniper srx vpn site to site not working !!!!

    Posted 01-24-2017 17:58

    I assume you have confirmed the ACL on the ASA matches the subnets on the traffic selectors.  This and the routes look good.

     

    I do notice that you have a private address on the outbound gateway interface.  So I assume you have NAT involved meaning that the Cisco side will need to enable NAT-T for the tunnel to come up.

    http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/vpn_ike.html#wp1120836

     

    And typically the SRX wants to see the local and remote ID configured when you have NAT-T in use.

    http://www.juniper.net/techpubs/en_US/junos15.1x49/topics/example/ipsec-route-based-vpn-respndr-behind-nat-configuring.html



  • 6.  RE: cisco asa to juniper srx vpn site to site not working !!!!

    Posted 01-27-2017 01:02

    Can you check if the ASA is using IKEv2, because the Juniper is at IKEv1; and also ensure they are using ESP for IPsec.



  • 7.  RE: cisco asa to juniper srx vpn site to site not working !!!!

    Posted 02-05-2017 01:54

    Dear all,

     

    I contacted the other company that has the Cisco ASA and they gave me their configuration.

     

     

     



  • 8.  RE: cisco asa to juniper srx vpn site to site not working !!!!

    Posted 02-06-2017 01:05

    Try this command. The ASA is using IKEv2, so you should configure the Juniper to use the same.
    #set security ike gateway bbb-visa-gw version v2-only



  • 9.  RE: cisco asa to juniper srx vpn site to site not working !!!!

    Posted 02-06-2017 03:09

    I also notice that the ASA notes include ports on the "interesting traffic" filter.  This is the filter we need to match with traffic selectors as it generates the proxy-id for the connection.  I am pretty sure we are not able to go to the port level using traffic selectors.  You might need to try a policy based VPN for this one.



  • 10.  RE: cisco asa to juniper srx vpn site to site not working !!!!

    Posted 02-08-2017 03:25

    Sorry for the confusion. There are TWO independent differences between the ASA configuration posted and your SRX config.

     

     

    IKE version

    SRX
    Version: IKEv1

    ASA

    IKEv2

     

    As mentioned, you also need to configure IKEv2 on your VPN.

     

    Proxy-ID mismatch

    SRX 

    Local Identity: ipv4_subnet(any:0,[0..7]=a.30.30.0/24)
    Remote Identity: ipv4_subnet(any:0,[0..7]=b.131.67.0/24)

    ASA remote (needs to match SRX local)

    a.a.a.206  (sFTP server) port 22 and 443

    a.a.a.201  (Citrix Production) port 443

    a.a.a.202  (Citrix Production) port 443

    a.a.a.207 (Production Server) Port will be provided by PM team.

    a.a.a.210  (Citrix Test) port 443

    a.a.a.211  (Citrix Test) port 443

    a.a.a.214 (Test Server) port will be provided by PM team.

     

    Basically, your single pair here shows one /24 on each side, where the ASA config shows multiple hosts on their side and I assume one /24 on yours. This should generate multiple proxy-id pairs, with the local being your subnet and the remote being all the listed hosts.

     

    AND this one I am not sure how to solve: note that the ASA is including PORTS, not just IP addresses, in the interesting traffic filter. There is no way to do this with traffic selectors, which is why I suggested trying a policy VPN, where your policy would include the specified ports and you would create one policy per line in the ASA ACL. I've never connected to an ASA using ports in the interesting traffic ACL and don't know if there is a way to make this work.

     

    Bottom line is the ASA ACL must match the proxy-id pair selections you create on the SRX.
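    To make the proxy-ID point concrete, an added Python example (not from the thread or either vendor) that mirrors an ASA crypto ACL into the pairs the SRX would have to present, reports which SRX selectors merely overlap instead of matching exactly, and emits one Junos traffic-selector line per ASA entry. The 10.30.30.0/24 and 172.16.67.0/24 prefixes stand in for the a./b. placeholders, the VPN name is the one from the OP's config, and ports are left out because post 11 says the ASA crypto ACL ignores them.

```python
import ipaddress
from typing import Dict, List, Tuple

Pair = Tuple[str, str]  # (local, remote) as seen from the device that owns the list

# Constructed sample based on the thread. The a./b. octets posted there are placeholders,
# so 10.30.30.0/24 (SRX side) and 172.16.67.x (ASA side) stand in for them (assumption).
SRX_LOCAL = "10.30.30.0/24"
SRX_SELECTORS: List[Pair] = [("10.30.30.0/24", "172.16.67.0/24")]
ASA_INTERESTING_HOSTS = ["172.16.67.206", "172.16.67.201", "172.16.67.202",
                         "172.16.67.207", "172.16.67.210", "172.16.67.211",
                         "172.16.67.214"]


def asa_crypto_acl(hosts: List[str], remote: str) -> List[Pair]:
    """ASA view of the tunnel: each listed host as a local /32, the SRX subnet as remote.
    Ports from the ASA list are dropped on purpose; the crypto ACL does not use them."""
    return [(f"{h}/32", remote) for h in hosts]


def mirror(pair: Pair) -> Pair:
    """A proxy-ID pair seen from the other end of the tunnel."""
    return (pair[1], pair[0])


def check_proxy_ids(srx: List[Pair], asa: List[Pair]) -> Dict[str, List[Pair]]:
    """Every ASA ACL entry must have an exactly mirrored SRX pair. Overlap without an
    exact match is reported separately: that is the state the thread's trace shows."""
    net = ipaddress.ip_network
    srx_nets = [(net(l), net(r)) for l, r in srx]
    exact, overlap_only, unmatched = [], [], []
    for asa_pair in asa:
        want_l, want_r = (net(x) for x in mirror(asa_pair))
        if any(l == want_l and r == want_r for l, r in srx_nets):
            exact.append(asa_pair)
        elif any(l.overlaps(want_l) and r.overlaps(want_r) for l, r in srx_nets):
            overlap_only.append(asa_pair)
        else:
            unmatched.append(asa_pair)
    return {"exact": exact, "overlap_only": overlap_only, "unmatched": unmatched}


def srx_traffic_selectors(vpn: str, local: str, asa: List[Pair]) -> List[str]:
    """One Junos traffic-selector per ASA ACL entry, mirrored, as post 10 suggests."""
    return [f"set security ipsec vpn {vpn} traffic-selector ts{i} "
            f"local-ip {local} remote-ip {asa_local}"
            for i, (asa_local, _) in enumerate(asa, 1)]


if __name__ == "__main__":
    acl = asa_crypto_acl(ASA_INTERESTING_HOSTS, SRX_LOCAL)
    report = check_proxy_ids(SRX_SELECTORS, acl)
    print("exact:", len(report["exact"]), "overlap only:", len(report["overlap_only"]))
    print("\n".join(srx_traffic_selectors("ipsec-vpn-site-a-DH", SRX_LOCAL, acl)))
```

    Note that the thread itself reports that traffic selectors and IKEv2 could not be combined on the OP's Junos release, so the generated lines solve only the proxy-ID half of the problem.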

     



  • 11.  RE: cisco asa to juniper srx vpn site to site not working !!!!

    Posted 02-08-2017 03:46

    Hi Team,

     

    The first thing to remember is that the Cisco ASA crypto ACL does not support application ports. You can configure them; however, they will not be of any use.

    So you can only configure the crypto ACL using the IP addresses.

    However, once the crypto ACLs match and the tunnel is up, you can use VPN filters to restrict the traffic that you want to allow through the tunnel.

    Hope this helps in clearing some doubts about the use of application ports in the interesting traffic ACLs on both the SRX and the Cisco side.

     

     

    Warm regards,

    Guru Prasad

     



  • 12.  RE: cisco asa to juniper srx vpn site to site not working !!!!

    Posted 02-17-2017 16:48

    @elbeshti mohamed wrote:

    Dear all,

     

    I contacted the other company that has the Cisco ASA and they gave me their configuration.

     

     

    VPN Parameters

    Peer Device / IOS: Cisco-ASA
    Authentication: Pre-shared Keys (will be exchanged through SMS or Skype)
    ISAKMP Hashing: SHA
    ISAKMP Encryption: AES-256, IKEv2
    ISAKMP group: Group2
    IPSec Transform-set: esp-AES-256, esp-SHA-hmac
    SA Lifetime: Isakmp(86400 Secs) Ipsec(3600s)
    Peer Addresses: x.x.x.2

    Interesting traffic:
    a.a.a.206  (sFTP server) port 22 and 443
    a.a.a.201  (Citrix Production) port 443
    a.a.a.202  (Citrix Production) port 443
    a.a.a.207 (Production Server) Port will be provided by PM team.
    a.a.a.210  (Citrix Test) port 443
    a.a.a.211  (Citrix Test) port 443
    a.a.a.214 (Test Server) port will be provided by PM team.

     

    From Juniper:

    Traffic selectors cannot be configured with the following features:

    • Policy-based VPNs
    • IKE version 2
    • VPNs configured with proxy identity values used in negotiation
    • Remote address value 0.0.0.0/0 (IPv4) or 0::0 (IPv6)

    Unless there is some new development, it seems like your setup will not work for multiple reasons. However I will keep track so I can learn when a solution is arrived at.



  • 13.  RE: cisco asa to juniper srx vpn site to site not working !!!!

    Posted 02-07-2017 10:31

    I changed the VPN from route-based to policy-based, and this is the configuration:

     

    root@site-a-dahra-ly# show |display set |no-more   
    set version 12.3X48-D35.7
    set system host-name site-a-dahra-ly
    set system root-authentication encrypted-password "$1$1tBoYfRI$ZOtY2ggiMhZFmaZnDro301"
    set system name-server 8.8.8.8
    set system name-server 8.8.4.4
    set system login class ssh idle-timeout 60
    set system services ssh
    set system services web-management https system-generated-certificate
    set chassis alarm ethernet link-down ignore
    set security ike proposal ike-proposal-site-a-DH authentication-method pre-shared-keys
    set security ike proposal ike-proposal-site-a-DH dh-group group2
    set security ike proposal ike-proposal-site-a-DH authentication-algorithm sha1
    set security ike proposal ike-proposal-site-a-DH encryption-algorithm aes-256-cbc
    set security ike proposal ike-proposal-site-a-DH lifetime-seconds 86400
    set security ike policy ike-policy-site-a-DH mode main
    set security ike policy ike-policy-site-a-DH proposals ike-proposal-site-a-DH
    set security ike policy ike-policy-site-a-DH pre-shared-key ascii-text "$9$.fznCAuB1E9CS7ev8LNdb82gJjH.Qz6sYT3"
    set security ike gateway ike-gate-site-a-DH ike-policy ike-policy-site-a-DH
    set security ike gateway ike-gate-site-a-DH address x.x.x.x
    set security ike gateway ike-gate-site-a-DH external-interface ge-0/0/0
    set security ipsec proposal ipsec-proposal-site-a-DH protocol esp
    set security ipsec proposal ipsec-proposal-site-a-DH authentication-algorithm hmac-sha1-96
    set security ipsec proposal ipsec-proposal-site-a-DH encryption-algorithm aes-256-cbc
    set security ipsec proposal ipsec-proposal-site-a-DH lifetime-seconds 3600
    set security ipsec policy ipsec-policy-site-a-DH proposals ipsec-proposal-site-a-DH
    set security ipsec vpn ipsec-vpn-site-a-DH ike gateway ike-gate-site-a-DH
    set security ipsec vpn ipsec-vpn-site-a-DH ike ipsec-policy ipsec-policy-site-a-DH
    set security ipsec vpn ipsec-vpn-site-a-DH establish-tunnels immediately
    set security flow tcp-mss ipsec-vpn mss 1350
    set security nat source rule-set trust-to-untrust from zone site-a-dahra
    set security nat source rule-set trust-to-untrust to zone egy-mscc
    set security nat source rule-set trust-to-untrust rule nonat match source-address a.30.30.0/24
    set security nat source rule-set trust-to-untrust rule nonat match destination-address b.131.67.0/24
    set security nat source rule-set trust-to-untrust rule nonat then source-nat off
    set security policies from-zone site-a-dahra to-zone egy-mscc policy vpnpolicy-site-a-dahra-egy-mscc match source-address site-a-DH-a-30-30
    set security policies from-zone site-a-dahra to-zone egy-mscc policy vpnpolicy-site-a-dahra-egy-mscc match destination-address egy-mscc-b-131-67
    set security policies from-zone site-a-dahra to-zone egy-mscc policy vpnpolicy-site-a-dahra-egy-mscc match application any
    set security policies from-zone site-a-dahra to-zone egy-mscc policy vpnpolicy-site-a-dahra-egy-mscc then permit tunnel ipsec-vpn ipsec-vpn-site-a-DH
    set security policies from-zone egy-mscc to-zone site-a-dahra policy vpnpolicy-egy-mscc-site-a-dahra match source-address egy-mscc-b-131-67
    set security policies from-zone egy-mscc to-zone site-a-dahra policy vpnpolicy-egy-mscc-site-a-dahra match destination-address site-a-DH-a-30-30
    set security policies from-zone egy-mscc to-zone site-a-dahra policy vpnpolicy-egy-mscc-site-a-dahra match application any
    set security policies from-zone egy-mscc to-zone site-a-dahra policy vpnpolicy-egy-mscc-site-a-dahra then permit tunnel ipsec-vpn ipsec-vpn-site-a-DH
    set security zones security-zone site-a-dahra address-book address site-a-DH-a-30-30 a.30.30.0/24
    set security zones security-zone site-a-dahra host-inbound-traffic system-services all
    set security zones security-zone site-a-dahra host-inbound-traffic protocols all
    set security zones security-zone site-a-dahra interfaces ge-0/0/1.0
    set security zones security-zone site-a-dahra interfaces lo0.0
    set security zones security-zone egy-mscc address-book address egy-mscc-b-131-67 b.131.67.0/24
    set security zones security-zone egy-mscc host-inbound-traffic system-services ike
    set security zones security-zone egy-mscc host-inbound-traffic system-services ping
    set security zones security-zone egy-mscc interfaces ge-0/0/0.0
    set interfaces ge-0/0/0 unit 0 family inet address x.x.x.38/29
    set interfaces ge-0/0/1 unit 0 family inet address a.30.30.1/24
    set interfaces ge-0/0/15 unit 0 family inet address 192.168.4.1/24
    set interfaces lo0 unit 0 family inet address a.30.30.2/24
    set routing-options static route 0.0.0.0/0 next-hop x.x.x.33
    

    and it gives me this warning:

     

    ID: 2 Virtual-system: root, VPN Name: ipsec-vpn-NCB-DH
    Local Gateway: x.x.x.38, Remote Gateway: x.x.x.2
    Local Identity: ipv4_subnet(any:0,[0..7]=a.30.30.0/24)
    Remote Identity: ipv4_subnet(any:0,[0..7]=b.131.67.0/24)
    Version: IKEv1
    DF-bit: clear , Policy-name: vpnpolicy-egy-mscc-ncb-dahra
    Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0x600829
    Tunnel events:
    Tue Feb 07 2017 : IKE SA negotiation successfully completed (3 times)
    Tue Feb 07 2017 : Tunnel is ready. Waiting for trigger event or peer to trigger negotiation (1 times)
    Tue Feb 07 2017 : External interface's address received. Information updated (1 times)
    Tue Feb 07 2017 : External interface's zone received. Information updated (1 times)



  • 14.  RE: cisco asa to juniper srx vpn site to site not working !!!!

    Posted 02-07-2017 18:04

    Simply changing to a policy-based VPN will not resolve the issue if the other side is not configured as policy-based. Secondly, the ASA is using IKEv2. You did not configure IKEv2 when you were using route-based. IKEv2 on Juniper does not (yet) support policy-based Juniper VPNs.



  • 15.  RE: cisco asa to juniper srx vpn site to site not working !!!!

    Posted 02-17-2017 07:43

    Dear all,

    I spent last week trying on the SRX side and made the configuration.

     



  • 16.  RE: cisco asa to juniper srx vpn site to site not working !!!!

    Posted 02-21-2017 03:56

    Your output is still showing that the SRX is sending IKEv1 and the ASA is setup for IKEv2.

     

    You need to add the IKEv2 setup to your SRX.

    set security ike gateway ike-gate-SITE-A-DH IKEv2

    http://www.juniper.net/documentation/en_US/junos/topics/example/ipsec-route-based-vpn-configuring-ikev2.html



  • 17.  RE: cisco asa to juniper srx vpn site to site not working !!!!

    Posted 02-21-2017 23:22

    dear eng.

     

    I did what you said, but I still cannot commit. :(



  • 18.  RE: cisco asa to juniper srx vpn site to site not working !!!!

    Posted 02-21-2017 23:48

    It would be good to be sure you are reading all the suggestions. If you go back through the comments, you will see that your configuration as it is will NOT work. Just look at these and check if any of your configurations match:

    You did not state what error you got when the configuration check failed. At a minimum, it will give you a brief explanation of why the commit failed.

    Traffic selectors cannot be configured with the following features:

    • Policy-based VPNs
    • IKE version 2
    • VPNs configured with proxy identity values used in negotiation
    • Remote address value 0.0.0.0/0 (IPv4) or 0::0 (IPv6)


  • 19.  RE: cisco asa to juniper srx vpn site to site not working !!!!

    Posted 02-26-2017 03:58

    It won't commit because it was a policy-based VPN, not a route-based VPN.



  • 20.  RE: cisco asa to juniper srx vpn site to site not working !!!!

    Posted 02-28-2017 14:41

    OK, I did some quick checks in my lab. First, the syntax for IKEv2 was wrong; here is the correct command.

     

    set security ike gateway ike-gate-SITE-A-DH version v2-only

    Second, remove the policy VPN and go back to the traffic-selector version on the route-based VPN. This does seem to commit without error.

     



  • 21.  RE: cisco asa to juniper srx vpn site to site not working !!!!

    Posted 03-15-2017 00:23

    Is there any update???