SRX Services Gateway

Unstable VPN between Juniper SRX240 and ASA firewall.

‎04-01-2015 09:10 AM

Hello Junos guys ... please provide some help setting up my VPN.

After many attempts, this is what I get:


The tunnel is established only after the remote site sends traffic.

Only one network at a time can send me traffic (I'm trying to encrypt multiple source networks).


Note:

I tried the VPN generation tool, but I have some problems when I try to attach the untrust zone to a second address book, as the application suggests.

Mine is running:

JUNOS Software Release [11.4R9.4]

Is there any problem with this release?


If somebody can take a look at my lines, I will appreciate it.

Regards.

Leandro.

leandro@SRX01COR-cluster# show security address-book bsas_lan  
address bsas_net 172.22.162.0/23;
address bsas_net2 172.22.6.0/24;
address bsas_net3 172.22.165.0/24;
address bsas_net4 172.21.104.0/24;
address bsas_net5 172.22.164.0/24;
address bsas_net6 172.22.118.0/24;
address bsas_net7 172.22.11.0/24;
address bsas_net8 172.22.46.0/24;
attach {
    zone untrust;
}

leandro@SRX01COR-cluster# show security address-book cdba_mgmt 
address mgmt_server 172.31.160.250/32;
attach {
    zone OAM;
}


leandro@SRX01COR-cluster# show security policies from-zone OAM to-zone untrust 
policy vpn-OAM-untrust {
    match {
        source-address mgmt_server;
        destination-address [ bsas_net bsas_net2 bsas_net3 bsas_net4 bsas_net5 bsas_net6 bsas_net7 bsas_net8 ];
        application any;
    }
    then {
        permit {
            tunnel {
                ipsec-vpn BSAS_tunnel;
                pair-policy vpn-untr-OAM;
            }
        }
    }
}
policy permit-any {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit;
    }
}

leandro@SRX01COR-cluster# show security policies from-zone untrust to-zone OAM 
policy vpn-untr-OAM {
    match {
        source-address [ bsas_net bsas_net2 bsas_net3 bsas_net4 bsas_net5 bsas_net6 bsas_net7 bsas_net8 ];
        destination-address mgmt_server;
        application any;
    }
    then {
        permit {
            tunnel {
                ipsec-vpn BSAS_tunnel;
                pair-policy vpn-OAM-untrust;
            }
        }
    }
}


leandro@SRX01COR-cluster# show security ike      
respond-bad-spi 20;

proposal to_BSAS_ike-prop {
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm sha1;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 86400;
}

policy BSAS_ike_policy {
    mode main;
    proposals to_BSAS_ike-prop;
    pre-shared-key ascii-text "$9$wxsaZDi.Q36qmRhSlXxqmP5nCIEcylMSyVY"; ## SECRET-DATA
}

gateway BSAS_GW {
    ike-policy BSAS_ike_policy;
    address XXX.XXX.XXX.XXX;
    external-interface reth0.10;
}



leandro@SRX01COR-cluster# show security ipsec
vpn-monitor-options {
    interval 2;
    threshold 5;
}
proposal BSAS_ipsec_prop {
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 3600;
}

policy BSAS_ipsec_policy {
    perfect-forward-secrecy {
        keys group2;
    }
    proposals BSAS_ipsec_prop;
}

vpn BSAS_tunnel {
    ike {
        gateway BSAS_GW;
        ipsec-policy BSAS_ipsec_policy;
    }
    establish-tunnels immediately;
}

3 replies

Solution (accepted by topic author leostereo, ‎08-26-2015 01:27 AM)

Re: Unstable VPN between Juniper SRX240 and ASA firewall.

‎04-01-2015 09:21 AM
In your VPN policy vpn-untr-OAM you have specified multiple destination addresses, which is not supported. We can only use a single source address and a single destination address, or you have to use a supernet of these addresses. Other available options are given below.

1. Create multiple policies for the same VPN, as in the KB below:

http://kb.juniper.net/InfoCenter/index?page=content&id=KB28197

2. Create multiple VPNs and use an st0 interface for each subnet, as in the KB below:
http://kb.juniper.net/InfoCenter/index?page=content&id=KB28198

3. Upgrade to 12.1X46 or later to use traffic selectors, as in the KB below:
http://kb.juniper.net/InfoCenter/index?page=content&id=KB28820

Thanks,
Suraj
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too

Re: Unstable VPN between Juniper SRX240 and ASA firewall.

‎04-10-2015 07:12 AM

Thanks for the response, rsuraj!!!

I will try defining one policy per subnet.

I don't want to change to route-based,

I will try and get back to you!!

Thanks.

Leandro.



Re: Unstable VPN between Juniper SRX240 and ASA firewall.

‎05-12-2015 07:01 AM

The solution was defining a policy per subnet.
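What "one policy per subnet" looks like in set-command form, as an added example for rsuraj's option 1 and Leandro's accepted fix; this is not configuration from the thread or from Juniper's KB. It reuses the address-book entries, zones and the BSAS_tunnel VPN that Leandro posted, replaces the two multi-address policies with one policy pair per remote prefix, and only writes out the pairs for bsas_net and bsas_net2; the remaining six prefixes follow the same pattern. The policy names with a numeric suffix are assumed.

```junos
# Added example, not from the original post. Zone, address-book and VPN names are
# the ones in the thread; the suffixed policy names are assumed.

# 1. Remove the two policies that each carry eight addresses.
delete security policies from-zone OAM to-zone untrust policy vpn-OAM-untrust
delete security policies from-zone untrust to-zone OAM policy vpn-untr-OAM

# 2. Outbound direction (OAM -> untrust): one policy per remote prefix,
#    each bound to the same ipsec-vpn and to its own inbound pair-policy.
set security policies from-zone OAM to-zone untrust policy vpn-OAM-untrust-1 match source-address mgmt_server
set security policies from-zone OAM to-zone untrust policy vpn-OAM-untrust-1 match destination-address bsas_net
set security policies from-zone OAM to-zone untrust policy vpn-OAM-untrust-1 match application any
set security policies from-zone OAM to-zone untrust policy vpn-OAM-untrust-1 then permit tunnel ipsec-vpn BSAS_tunnel
set security policies from-zone OAM to-zone untrust policy vpn-OAM-untrust-1 then permit tunnel pair-policy vpn-untr-OAM-1

set security policies from-zone OAM to-zone untrust policy vpn-OAM-untrust-2 match source-address mgmt_server
set security policies from-zone OAM to-zone untrust policy vpn-OAM-untrust-2 match destination-address bsas_net2
set security policies from-zone OAM to-zone untrust policy vpn-OAM-untrust-2 match application any
set security policies from-zone OAM to-zone untrust policy vpn-OAM-untrust-2 then permit tunnel ipsec-vpn BSAS_tunnel
set security policies from-zone OAM to-zone untrust policy vpn-OAM-untrust-2 then permit tunnel pair-policy vpn-untr-OAM-2

# ... repeat for bsas_net3 .. bsas_net8 (policies -3 .. -8) ...

# 3. Inbound direction (untrust -> OAM): the mirror image of each outbound policy,
#    pointing back at its partner so the pair shares one Phase 2 SA.
set security policies from-zone untrust to-zone OAM policy vpn-untr-OAM-1 match source-address bsas_net
set security policies from-zone untrust to-zone OAM policy vpn-untr-OAM-1 match destination-address mgmt_server
set security policies from-zone untrust to-zone OAM policy vpn-untr-OAM-1 match application any
set security policies from-zone untrust to-zone OAM policy vpn-untr-OAM-1 then permit tunnel ipsec-vpn BSAS_tunnel
set security policies from-zone untrust to-zone OAM policy vpn-untr-OAM-1 then permit tunnel pair-policy vpn-OAM-untrust-1

set security policies from-zone untrust to-zone OAM policy vpn-untr-OAM-2 match source-address bsas_net2
set security policies from-zone untrust to-zone OAM policy vpn-untr-OAM-2 match destination-address mgmt_server
set security policies from-zone untrust to-zone OAM policy vpn-untr-OAM-2 match application any
set security policies from-zone untrust to-zone OAM policy vpn-untr-OAM-2 then permit tunnel ipsec-vpn BSAS_tunnel
set security policies from-zone untrust to-zone OAM policy vpn-untr-OAM-2 then permit tunnel pair-policy vpn-OAM-untrust-2

# ... repeat for bsas_net3 .. bsas_net8 (policies -3 .. -8) ...

# 4. The OAM -> untrust zone pair still ends in the catch-all permit-any; the
#    tunnel policies must be evaluated before it or traffic leaves in the clear.
insert security policies from-zone OAM to-zone untrust policy vpn-OAM-untrust-1 before policy permit-any
insert security policies from-zone OAM to-zone untrust policy vpn-OAM-untrust-2 before policy permit-any

commit check
commit comment "one tunnel policy pair per BSAS prefix"
```

Two things to check after the commit. First, with a policy-based VPN the proxy-ID of each Phase 2 SA is derived from the policy's source and destination addresses, so each pair (mgmt_server/32 to bsas_netN) negotiates its own IPsec SA; `show security ipsec security-associations` should list one SA per prefix that has passed traffic, and the ASA's crypto map ACL has to carry one matching entry per prefix or Phase 2 fails for that pair only, which is exactly the "only one network at a time" symptom. Second, `establish-tunnels immediately` only has an effect on route-based (st0) VPNs; a policy-based tunnel comes up when the first packet on either side matches one of these policies, so the SRX initiating on its own is not something this configuration provides.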