Screen OS

  • 1.  SSG-140 and ASA 5525 VPN works/doesn't work

    Posted 08-12-2014 17:17

    I have a very odd problem with passing traffic through a VPN.  I have an SSG140 connected via VPN with a Cisco ASA 5525.  On both sides I have a Cisco router:

    Router1——SSG140 ——Internet—— ASA 5525 —— Router2.

    When I ping from router 1 to router 2 it activates the tunnel between the SSG140 and ASA and the ping works.

    However, ICMP is definitely not the intended traffic.  The idea is to pass a second IPSEC tunnel through the IPSEC tunnel that goes between the SSG and ASA.

    The router1 is connected to the SSG using 172.27.135.8/29
    SSG is connected to the internet using 172.27.135.0/29

    The router2 is connected to the ASA on 172.27.137.8/29.
    ASA connects to the internet using 10.17.1.188/30.

    The ESP traffic never makes it through; it complains of a proxy ID that did not match the one in the SA config.

    On my ASA I assure you the proxy IDs (ACLs) are correct; I'm not too clear if what I'm doing on the SSG is correct.

    Below are a few snippets from the SSG side:

    This is the ping that works across the tunnel:


    SSG_225-> get sa active
    Total active sa: 1
    total configured sa: 1
    HEX ID    Gateway         Port Algorithm     SPI      Life:sec kb Sta   PID vsys
    0000000f<     10.17.1.189  500 esp:a256/sha1 7327e143  2357 4094M A/-    -1 0
    0000000f>     10.17.1.189  500 esp:a256/sha1 a2a9f061  2357 4094M A/-    -1 0
    SSG_225-> get sa active stat
    stat                 show feature statistics of sa

    SSG_225-> get sa active stat
    Total active sa: 1
    total configured sa: 1
    HEX ID    Gateway         Fragment   Auth-Fail   Other   Totalbytes
    0000000f< 10.17.1.189           0           0       0      1097360
    0000000f> 10.17.1.189           0           0       0      1218132
    SSG_225->
    SSG_225-> get event
    Total event entries = 3072
    Date       Time     Module Level  Type Description
    2014-08-12 19:23:18 system info  00536 IKE 10.17.1.189 Phase 2 msg ID
                                           5b1ebf1d: Completed negotiations with
                                           SPI 7327e145, tunnel ID 15, and
                                           lifetime 3600 seconds/4194303 KB.
    2014-08-12 19:23:18 system notif 00625 Session (id 48046 src-ip 172.27.135.2
                                           dst-ip 10.17.1.189 dst port 0) route
                                           is valid.
    2014-08-12 19:23:18 system info  00536 IKE 10.17.1.189 phase 2:The symmetric
                                           crypto key has been generated
                                           successfully.
    2014-08-12 19:23:18 system info  00536 IKE 10.17.1.189 Phase 2 msg ID
                                           5b1ebf1d: Responded to the peer's
                                           first message.
    2014-08-12 19:23:18 system notif 00625 Session (id 47871 src-ip 172.27.135.2
                                           dst-ip 10.17.1.189 dst port 0) route
                                           is valid.
    2014-08-12 19:23:17 system notif 00625 Session (id 47836 src-ip 172.27.135.2
                                           dst-ip 10.17.1.189 dst port 500) route
                                           is invalid.
    2014-08-12 19:23:17 system notif 00625 Session (id 47944 src-ip 172.27.135.2
                                           dst-ip 172.27.137.9 dst port 182)
                                           route is invalid.
    2014-08-12 19:23:17 system notif 00625 Session (id 47894 src-ip 172.27.135.2
                                           dst-ip 172.27.137.9 dst port 182)
                                           route is invalid.
    2014-08-12 19:23:17 system notif 00625 Session (id 47856 src-ip 172.27.135.2
                                           dst-ip 172.27.137.9 dst port 182)
                                           route is invalid.
    2014-08-12 19:23:17 system notif 00625 Session (id 47905 src-ip 172.27.135.2
                                           dst-ip 172.27.137.9 dst port 182)
                                           route is invalid.
    2014-08-12 19:23:17 system notif 00625 Session (id 47875 src-ip 172.27.135.2
                                           dst-ip 172.27.137.9 dst port 182)
                                           route is invalid.
    2014-08-12 19:23:17 system notif 00625 Session (id 48038 src-ip 172.27.135.2
                                           dst-ip 172.27.137.9 dst port 182)
                                           route is invalid.
    2014-08-12 19:23:17 system notif 00625 Session (id 48040 src-ip 172.27.135.2


    set interface "tunnel.1" zone "Untrust"

    This is the internal interface:

    set interface ethernet0/0 ip 172.27.135.11/29
    set interface ethernet0/0 nat

    External interface:

    set interface ethernet0/2 ip 172.27.135.2/29
    set interface ethernet0/2 route
    set interface ethernet0/7 ip 172.27.132.181/28
    set interface tunnel.1 ip unnumbered interface ethernet0/2

    set pki authority default scep mode "auto"
    set pki x509 default cert-path partial
    set address "Trust" "172.27.135.9/32" 172.27.135.9 255.255.255.255
    set address "Trust" "225" 172.27.135.8 255.255.255.248 "172.27.135.8/29"
    set address "Untrust" "172.27.137.9/32" 172.27.137.9 255.255.255.255
    set address "Untrust" "250" 172.27.137.8 255.255.255.248 "172.27.137.8/29"
    set crypto-policy
    exit
    set ike p1-proposal "SUITE-B-P1" preshare group19 esp aes256 sha2-256 second 28800
    set ike p1-proposal "ASA5525-P1" preshare group2 esp aes256 sha-1 second 86400
    set ike p2-proposal "SUITE-B-P2" group19 esp aes256 sha2-256 second 3600
    set ike p2-proposal "ASA5525-P2" group2 esp aes256 sha-1 second 3600
    set ike gateway "VPN225-GW" address 10.17.1.189 Main outgoing-interface "ethernet0/2" preshare "ybbbb" proposal "ASA5525-P1"
    set ike gateway "VPN225-GW" dpd-liveness always-send
    set ike respond-bad-spi 1
    set ike gateway "VPN225-GW" heartbeat hello 5
    set ike ikev2 ike-sa-soft-lifetime 60
    unset ike ikeid-enumeration
    unset ike dos-protection
    set ipsec access-session enable
    set ipsec access-session maximum 5000
    set ipsec access-session upper-threshold 4000
    set ipsec access-session lower-threshold 1000
    set ipsec access-session dead-p2-sa-timeout 10

    set vpn "VPN225" gateway "VPN225-GW" no-replay tunnel idletime 0 proposal "ASA5525-P2"
    set vpn "VPN225" id 0xf bind interface tunnel.1
    set url protocol websense
    exit
    set vpn "VPN225" proxy-id local-addr "Trust" "172.27.135.9/32" remote-addr "Untrust" "172.27.137.9/32" "ANY"
    set policy id 5 from "Untrust" to "Trust"  "172.27.137.9/32" "172.27.135.9/32" "ANY" permit log count
    set policy id 5
    exit
    set policy id 4 from "Trust" to "Untrust"  "172.27.135.9/32" "172.27.137.9/32" "ANY" permit log count
    set policy id 4
    exit
    set policy id 2 name "Untrust-Trust" from "Untrust" to "Trust"  "Any" "Any" "ANY" permit log
    set policy id 2
    set log session-init
    exit
    set policy id 1 name "Trust-Untrust" from "Trust" to "Untrust"  "Any" "Any" "ANY" permit log
    set policy id 1
    set log session-init
    exit
    set policy id 3 from "Trust" to "Trust"  "Any" "Any" "ANY" permit log
    set policy id 3
    set log session-init
    exit
    set policy id 6 from "Trust" to "Untrust"  "172.27.135.9/32" "172.27.137.9/32" "ESP" permit
    set policy id 6

    This is the traffic that does not get passed:

    Date       Time     Module Level  Type Description

    2014-08-12 19:37:05 system info  00536 Rejected an IKE packet on ethernet0/2
                                           from 10.17.1.189:500 to 172.27.135.2:
                                           500 with cookies 8d470ee268333fd8 and
                                           a6ab0e372b9c5ace because The peer sent
                                           a proxy ID that did not match the one
                                           in the SA config.
    2014-08-12 19:37:05 system info  00536 IKE 10.17.1.189 Phase 2: No policy
                                           exists for the proxy ID received:
                                           local ID (172.27.135.9/255.255.255.255,
                                           50, 0) remote ID (172.27.137.9/
                                           255.255.255.255, 50, 0).
    2014-08-12 19:37:05 system info  00536 IKE 10.17.1.189 Phase 2 msg ID
                                           655ee9fe: Responded to the peer's
                                           first message.
    2014-08-12 19:37:05 system info  00536 IKE 10.17.1.189 Phase 1: Completed
                                           Main mode negotiations with a
                                           86400-second lifetime.
    2014-08-12 19:37:05 system info  00536 IKE 10.17.1.189 phase 1:The symmetric
                                           crypto key has been generated
                                           successfully.
    2014-08-12 19:37:05 system info  00536 IKE 10.17.1.189 Phase 1: Responder
                                           starts MAIN mode negotiations.

    Any help would be greatly appreciated,

    Thanks




  • 2.  RE: SSG-140 and ASA 5525 VPN works/doesn't work

    Posted 08-12-2014 17:23

    It sounds like you might have the configuration wrong for the passthrough VPN.  From what it looks like, you are trying to terminate the second (passthrough) to the SSG.  You might want to verify that the gateway for the second VPN is the IP of router1.



  • 3.  RE: SSG-140 and ASA 5525 VPN works/doesn't work

    Posted 08-13-2014 06:15

    I may need to point out that I'm not very smart when it comes to the Juniper SSG.  It's been a struggle to get as far as I have.

    When I ping between the routers the packets initiate the IPSEC tunnel and I can ping the interface.  However, when the VPN tries to build across I get the strange messages.  I assure you I'm not sending the router's IPsec traffic to the SSG.  The very strange part is that the VPN builds between the routers, but packets aren't making it across.

    And this is why I'm suspecting my SSG config: when I ping from RTR1 to RTR2 it won't initially ping; only after I ping from RTR2 to RTR1 and then initiate the ping from RTR1 will it work.  I see the ASA establish the tunnel to the SSG when I start the ping from RTR2, so it requires the tunnel to be built from the ASA side before I can ping the other direction.

    Once again, thanks for any assistance in sorting this out,




  • 4.  RE: SSG-140 and ASA 5525 VPN works/doesn't work
    Best Answer

    Posted 08-13-2014 07:36

    I've actually amazed myself, I solved the issue and the issue was NOT the SSG.

    The proxy-id can only match on a single ACL from the ASA; I had two lines on my ASA crypto ACL.  As soon as I deleted one of them, everything magically worked.

    I hope this post helps others.

    Thanks
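As an added illustration (not code from the thread or from Juniper): parsing the "No policy exists for the proxy ID received" event quoted in the first post and comparing it with the SSG's configured proxy-id shows which selector disagrees. It assumes ScreenOS prints each proxy ID as (address/mask, protocol, port) with 0 meaning ANY, as in that log, and the sample event text is the page's log joined onto one line.

```python
import ipaddress
import re
from dataclasses import dataclass

# Event 00536 text from the thread, joined onto one line for parsing (constructed sample)
EVENT = ("IKE 10.17.1.189 Phase 2: No policy exists for the proxy ID received: "
         "local ID (172.27.135.9/255.255.255.255, 50, 0) "
         "remote ID (172.27.137.9/255.255.255.255, 50, 0).")

ID_RE = re.compile(r"(local|remote) ID \(([\d.]+)/([\d.]+),\s*(\d+),\s*(\d+)\)")


@dataclass(frozen=True)
class ProxyId:
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network
    proto: int  # IP protocol number; 0 encodes "ANY" (assumed ScreenOS encoding)
    port: int   # 0 encodes any port


# The SSG side as configured in the thread: /32 <-> /32 with service "ANY"
SSG_PROXY_ID = ProxyId(ipaddress.IPv4Network("172.27.135.9/32"),
                       ipaddress.IPv4Network("172.27.137.9/32"), 0, 0)


def parse_received_proxy_id(text):
    """Extract the peer's proposed proxy ID from a 'No policy exists' event, or None."""
    found = {m.group(1): m for m in ID_RE.finditer(text)}
    if set(found) != {"local", "remote"}:
        return None
    loc, rem = found["local"], found["remote"]
    # address/dotted-mask form is accepted directly by ipaddress; strict=False tolerates host bits
    return ProxyId(ipaddress.IPv4Network(f"{loc.group(2)}/{loc.group(3)}", strict=False),
                   ipaddress.IPv4Network(f"{rem.group(2)}/{rem.group(3)}", strict=False),
                   int(loc.group(4)), int(loc.group(5)))


def mismatch_fields(configured, received):
    """Phase 2 only completes when every selector agrees; list the ones that do not."""
    checks = {"local": configured.local == received.local,
              "remote": configured.remote == received.remote,
              "proto": configured.proto == received.proto,
              "port": configured.port == received.port}
    return [name for name, ok in checks.items() if not ok]


if __name__ == "__main__":
    received = parse_received_proxy_id(EVENT)
    print("peer proposed:", received)
    print("mismatched selectors:", mismatch_fields(SSG_PROXY_ID, received))  # ['proto']
```

The addresses match but the peer proposes protocol 50 (ESP) where the SSG's proxy-id says ANY, which is why a second, protocol-specific crypto ACL entry on the ASA could never be matched by the single SSG proxy-id.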