Hello, I have trouble establishing a site-to-site VPN from a Juniper SSG 140 (firmware up to date) to a Cisco firewall and can't figure out what is wrong...
My quite simple need is the following:
srvA in zone DMZ on the Juniper side has to be able to talk to 3 servers (srvB, srvC, srvD) on a remote LAN behind the Cisco ASA.
My VPN is route-based on the Juniper side.
Here is the configuration:
## proposals
set ike p1-proposal "xxx_p1" preshare group2 esp 3des sha-1 second 86400
set ike p2-proposal "xxx_p2" no-pfs esp 3des sha-1 second 3600
## gateway
set ike gateway "GW_name" address <peer_ip> Main outgoing-interface "ethernet0/9" preshare "xxxxx" proposal "xxx_p1"
ethernet0/9 is my internet interface in zone Untrust.
## Tunnel interface
set interface tunnel.1 ip unnumbered interface ethernet0/9
## Binding interface to tunnel + proxyID rules
set vpn "VPN_xx" gateway "GW_name" no-replay tunnel idletime 0 proposal "xxx_p2"
set vpn "VPN_xx" id 0x54 bind interface tunnel.1
unset interface tunnel.1 acvpn-dynamic-routing
set vpn "VPN_xx" proxy-id check
set vpn "VPN_xx" proxy-id local-addr "DMZ" "<ip-srvA>" remote-addr "Untrust" "<ip-srvB>" "ANY"
set vpn "VPN_xx" proxy-id local-addr "DMZ" "<ip-srvA>" remote-addr "Untrust" "<ip-srvC>" "ANY"
set vpn "VPN_xx" proxy-id local-addr "DMZ" "<ip-srvA>" remote-addr "Untrust" "<ip-srvD>" "ANY"
## Creation of policy
set policy id 116 from "DMZ" to "Untrust" "<ip-srvA>" "<ip-srvB>" "ANY" permit log
set policy id 116
set dst-address "<ip-srvC>"
set dst-address "<ip-srvD>"
set log session-init
exit
Static routing is also properly configured to go through the tunnel.1 interface.
When trying to ping from srvA to srvB, the VPN is marked UP on my side and the SA is created, but I can't ping the remote hosts.
The VPN is marked down on the Cisco side. I saw traffic matching policy 116.
IKE 197.149.137.2 Phase 2 msg ID 53d61654: Completed negotiations with SPI 9b45a073, tunnel ID 85, and lifetime 3600 seconds/0 KB.
Do you have some clues about this problem or how to troubleshoot it?
I ran "debug ike detail" and the log ends with:
## 2014-12-16 15:50:39 : reap_db. deleting p1sa 2b3faf8
## 2014-12-16 15:50:39 : terminate_SA: trying to delete SA cause: 0 cond: 2
## 2014-12-16 15:50:39 : peer_identity_unregister_p1_sa.
which I don't know what to think about...
Here is the Cisco configuration:
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set xx esp-3des esp-sha-hmac
crypto map outside_map 70 match address xx
crypto map outside_map 70 set peer <juniper-peer-ip>
crypto map outside_map 70 set ikev1 transform-set xx
tunnel-group <juniper-peer-ip> type ipsec-l2l
tunnel-group <juniper-peer-ip> ipsec-attributes
 ikev1 pre-shared-key ********
object network xx_srvA
 host <ip-srvA>
object network xx_srvB
 host <ip-srvB>
object network xx_srvC
 host <ip-srvC>
object network xx_srvD
 host <ip-srvD>
access-list xx extended permit ip object xx_srvB object xx_srvA
access-list xx extended permit ip object xx_srvC object xx_srvA
access-list xx extended permit ip object xx_srvD object xx_srvA
nat (inside,outside) source static xx_srvB xx_srvB destination static xx_srvA xx_srvA
nat (inside,outside) source static xx_srvC xx_srvC destination static xx_srvA xx_srvA
nat (inside,outside) source static xx_srvD xx_srvD destination static xx_srvA xx_srvA
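A quick way to verify that every ScreenOS proxy-ID is the exact mirror of an ASA crypto-ACL entry (same /32 hosts, direction flipped, which is what Phase 2 negotiation compares): the script below is an added example, not part of the question or of either vendor's tooling, and uses constructed placeholder addresses (10.1.1.10 and 192.168.50.x) in place of the <ip-srv*> values above, with srvD deliberately mis-defined on the ASA side to show what a mismatch looks like.

```python
import ipaddress
import re

# Constructed sample fragments (placeholder addresses, not the poster's real ones).
SCREENOS_CFG = """
set vpn "VPN_xx" proxy-id local-addr "DMZ" "10.1.1.10/32" remote-addr "Untrust" "192.168.50.20/32" "ANY"
set vpn "VPN_xx" proxy-id local-addr "DMZ" "10.1.1.10/32" remote-addr "Untrust" "192.168.50.21/32" "ANY"
set vpn "VPN_xx" proxy-id local-addr "DMZ" "10.1.1.10/32" remote-addr "Untrust" "192.168.50.22/32" "ANY"
"""
# ASA side: objects plus crypto ACL. xx_srvD is deliberately the wrong host so the
# check has something to report. The regex also accepts the two-line "object network"
# form (host on its own indented line) that a real ASA prints.
ASA_CFG = """
object network xx_srvA host 10.1.1.10
object network xx_srvB host 192.168.50.20
object network xx_srvC host 192.168.50.21
object network xx_srvD host 192.168.50.23
access-list xx extended permit ip object xx_srvB object xx_srvA
access-list xx extended permit ip object xx_srvC object xx_srvA
access-list xx extended permit ip object xx_srvD object xx_srvA
"""

PROXY_RE = re.compile(r'proxy-id local-addr "\S+" "([^"]+)" remote-addr "\S+" "([^"]+)"')
OBJ_RE = re.compile(r"object network (\S+)\s+host (\S+)")
ACL_RE = re.compile(r"access-list \S+ extended permit ip object (\S+) object (\S+)")

def net(s):
    """Normalise host/CIDR text so '10.1.1.10' and '10.1.1.10/32' compare equal."""
    return ipaddress.ip_network(s, strict=False)

def screenos_pairs(cfg):
    """Set of (juniper_local, juniper_remote) networks from the proxy-id lines."""
    return {(net(loc), net(rem)) for loc, rem in PROXY_RE.findall(cfg)}

def asa_pairs(cfg):
    """Same orientation as screenos_pairs, derived from the ASA crypto ACL.
    The ACL is written from the ASA's view (src = ASA-side host, dst = Juniper-side
    host), so each entry is flipped into the Juniper's (local, remote) order."""
    objects = {name: net(host) for name, host in OBJ_RE.findall(cfg)}
    return {(objects[dst], objects[src]) for src, dst in ACL_RE.findall(cfg)}

def mirror_check(screenos_cfg, asa_cfg):
    """Return (matched, only_on_juniper, only_on_asa); the last two should be empty."""
    j, c = screenos_pairs(screenos_cfg), asa_pairs(asa_cfg)
    return j & c, j - c, c - j

if __name__ == "__main__":
    for label, pairs in zip(("matched", "juniper only", "asa only"), mirror_check(SCREENOS_CFG, ASA_CFG)):
        print(label, sorted(f"{l} <-> {r}" for l, r in pairs))
```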