SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  IPSec between juniper SRX and Cisco ASA getting disconnect

    Posted 05-21-2015 07:52

    Hi,

    We have created policy-based IPSec between Juniper SRX and Cisco ASA.

    After a few days it is observed that the Cisco IP phones connected behind the Cisco ASA are getting unregistered.

    Is there any permanent solution for this?

    Regards,

    Bhavin V



  • 2.  RE: IPSec between juniper SRX and Cisco ASA getting disconnect

     
    Posted 05-21-2015 08:01
    Why do you think it's an issue with SRX?


  • 3.  RE: IPSec between juniper SRX and Cisco ASA getting disconnect

    Posted 05-21-2015 08:26

    I am not sure what the issue is. Below are the configuration details.

     

     

    Cisco Config

    ===============

     

    access-list 50 extended permit ip 192.168.202.0 255.255.255.224 172.16.2.0 255.255.254.0

    nat (inside) 0 access-list 50

    crypto ipsec transform-set strong-NEWBARRY esp-des esp-md5-hmac

    crypto map welmap 25 match address 50
    crypto map welmap 25 set peer 63.116.21.194
    crypto map welmap 25 set transform-set strong-NEWBARRY
    crypto map welmap 25 set security-association lifetime seconds 28800
    crypto map welmap 25 set security-association lifetime kilobytes 4608000

    crypto isakmp policy 5
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400

    tunnel-group 1.1.1.1 type ipsec-l2l
    tunnel-group 1.1.1.1 ipsec-attributes
     pre-shared-key *

     

     

     

    Juniper config

    ==============

    show security ike
    proposal NewYork-Barry-proposal {
        authentication-method pre-shared-keys;
        dh-group group2;
        authentication-algorithm sha1;
        encryption-algorithm 3des-cbc;
        lifetime-seconds 86400;
    }
    policy ike-policy-NewYork-Barry {
        mode main;
        proposals NewYork-Barry-proposal;
        pre-shared-key ascii-text "$9$xPaN-w2gJDjqY25Qn6At"; ## SECRET-DATA
    }
    gateway ike-gate-NewYork-Barry {
        ike-policy ike-policy-NewYork-Barry;
        address 2.2.2.2;
        inactive: local-identity inet 1.1.1.1;
        external-interface ge-0/0/0.0;
    }

    show security ipsec
    proposal P2-NewYork-Barry-proposal {
        protocol esp;
        authentication-algorithm hmac-md5-96;
        encryption-algorithm des-cbc;
        lifetime-seconds 28800;
    }
    policy vpn-policy-NewYork-Barry {
        inactive: perfect-forward-secrecy {
            keys group2;
        }
        proposals P2-NewYork-Barry-proposal;
    }
    vpn VPN-Tunnel-NewYork-Barry {
        vpn-monitor {
            optimized;
        }
        ike {
            gateway ike-gate-NewYork-Barry;
            ipsec-policy vpn-policy-NewYork-Barry;
        }
        establish-tunnels immediately;
    }

    show security policies from-zone trust to-zone untrust
    policy IPSEC-TR-BARRY-1 {
        match {
            source-address 172.16.2.0/23;
            destination-address 192.168.202.0/27;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn VPN-Tunnel-NewYork-Barry;
                }
            }
        }
    }



  • 4.  RE: IPSec between juniper SRX and Cisco ASA getting disconnect
    Best Answer

    Posted 05-24-2015 21:01

    Hi,

     

    By removing vpn monitor from juniper the issue got resolved.

     

     

    Thanks



  • 5.  RE: IPSec between juniper SRX and Cisco ASA getting disconnect

    Posted 05-26-2015 12:21

    I was about to say so. I've had several problems with VPN monitor myself. Unless needed, it's unnecessary.
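
Added example, not code from any poster or from Juniper: a Python sketch that audits a saved Junos `show security ipsec` output for tunnels that still have `vpn-monitor` active, the setting whose removal resolved this thread. The sample config is constructed from the one posted above, and the function names `parse_junos` and `monitored_vpns` are hypothetical.

```python
# Constructed sample, modelled on the `show security ipsec` output posted in the thread.
SAMPLE = """
vpn VPN-Tunnel-NewYork-Barry {
    vpn-monitor {
        optimized;
    }
    ike {
        gateway ike-gate-NewYork-Barry;
        ipsec-policy vpn-policy-NewYork-Barry;
    }
    establish-tunnels immediately;
}
vpn VPN-Tunnel-Example-2 {
    ike {
        gateway ike-gate-example;
    }
}
"""

def parse_junos(text):
    """Parse brace-style Junos config into nested dicts; leaf statements map to None."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("##")[0].strip()  # drop annotations such as ## SECRET-DATA
        if not line:
            continue
        if line.endswith("{"):
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        else:
            stack[-1][line.rstrip(";")] = None
    if len(stack) != 1:
        raise ValueError("unclosed '{'")
    return root

def monitored_vpns(text):
    """Return {vpn name: sorted vpn-monitor option names} for VPNs with vpn-monitor active.
    Stanzas marked `inactive:` parse under a different key and are therefore skipped."""
    found = {}
    for key, body in parse_junos(text).items():
        if key.startswith("vpn ") and isinstance(body, dict) and "vpn-monitor" in body:
            opts = body["vpn-monitor"] or {}  # bare `vpn-monitor;` has no options
            found[key.split(None, 1)[1]] = sorted(o.split()[0] for o in opts)
    return found

if __name__ == "__main__":
    for name, opts in monitored_vpns(SAMPLE).items():
        print(f"{name}: vpn-monitor active, options={opts}")
```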