I am trying to connect a Juniper SRX300 (running 15.1X49-D170.4) to a Cisco ASA using a route-based VPN but getting the following error:
Apr 12 18:37:40 jnx kmd[1883]: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch, vpn name: VPN-NAME, Peer Proposed traffic-selector local-ip: ipv4(192.168.0.11),ipv4(192.168.0.0-192.168.0.255), Peer Proposed traffic-selector remote-ip: ipv4(10.1.100.1),ipv4(10.1.0.0-10.1.255.255)
Apr 12 18:37:40 jnx kmd[1883]: IPSec negotiation failed with error: Peer proposed unsupported multiple traffic-selector attributes for a single IPSec SA. Negotiation failed.. IKE Version: 2, VPN: VPN-NAME Gateway: VPN-NAME, Local: X.X.X.X/500, Remote: Y.Y.Y.Y/500, Local IKE-ID: X.X.X.X, Remote IKE-ID: Y.Y.Y.Y, VR-ID: 0
Apr 12 18:37:48 jnx kmd[1883]: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch, vpn name: VPN-NAME, Peer Proposed traffic-selector local-ip: ipv4(192.168.0.17),ipv4(192.168.0.0-192.168.0.255), Peer Proposed traffic-selector remote-ip: ipv4(192.168.2.148),ipv4(192.168.2.0-192.168.2.255)
Apr 12 18:37:48 jnx kmd[1883]: IPSec negotiation failed with error: Peer proposed unsupported multiple traffic-selector attributes for a single IPSec SA. Negotiation failed.. IKE Version: 2, VPN: VPN-NAME Gateway: VPN-NAME, Local: X.X.X.X/500, Remote: Y.Y.Y.Y/500, Local IKE-ID: X.X.X.X, Remote IKE-ID: Y.Y.Y.Y, VR-ID: 0
Apr 12 18:37:48 jnx kmd[1883]: IPSec negotiation failed with error: No proposal chosen. IKE Version: 2, VPN: VPN-NAME Gateway: VPN-NAME, Local: X.X.X.X/500, Remote: Y.Y.Y.Y/500, Local IKE-ID: X.X.X.X, Remote IKE-ID: Y.Y.Y.Y, VR-ID: 0
Phase 1 comes up just fine:
Index State Initiator cookie Responder cookie Mode Remote Address
320684 UP 40b2cdbb9208bedb 379b3b93cef1d7b7 IKEv2 Y.Y.Y.Y
Local configuration:
set security ipsec proposal PROPOSAL protocol esp
set security ipsec proposal PROPOSAL authentication-algorithm hmac-sha-256-128
set security ipsec proposal PROPOSAL encryption-algorithm aes-256-cbc
set security ipsec proposal PROPOSAL lifetime-seconds 3600
set security ipsec policy PROPOSAL proposals PROPOSAL
set security ipsec vpn VPN-NAME bind-interface st0.0
set security ipsec vpn VPN-NAME ike gateway VPN-NAME
set security ipsec vpn VPN-NAME ike ipsec-policy PROPOSAL
set security ipsec vpn VPN-NAME traffic-selector AGGREGATE local-ip 192.168.0.0/24
set security ipsec vpn VPN-NAME traffic-selector AGGREGATE remote-ip 10.1.0.0/16
set security ipsec vpn VPN-NAME traffic-selector LEGACY local-ip 192.168.0.0/24
set security ipsec vpn VPN-NAME traffic-selector LEGACY remote-ip 192.168.2.0/24
set security ipsec vpn VPN-NAME traffic-selector DMZ local-ip 192.168.0.0/24
set security ipsec vpn VPN-NAME traffic-selector DMZ remote-ip 192.168.253.0/24
set security ipsec vpn VPN-NAME establish-tunnels immediately
The other side is a Cisco ASA 5515 with the following configuration:
crypto map outside 2001 match address ACL-REMOTE-PEER
crypto map outside 2001 set peer X.X.X.X
crypto map outside 2001 set ikev2 ipsec-proposal AES256
access-list ACL-REMOTE-PEER; 4 elements; name hash: 0x9132bea2
access-list ACL-REMOTE-PEER line 1 extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0 (hitcnt=32138) 0x9dd1206f
access-list ACL-REMOTE-PEER line 1 extended permit ip 10.1.0.0 255.255.0.0 192.168.0.0 255.255.255.0 (hitcnt=96254) 0xb8676dd0
access-list ACL-REMOTE-PEER line 1 extended permit ip 10.3.0.0 255.255.0.0 192.168.0.0 255.255.255.0 (hitcnt=7222) 0x59e24aa9
access-list ACL-REMOTE-PEER line 1 extended permit ip 192.168.253.0 255.255.255.0 192.168.0.0 255.255.255.0 (hitcnt=7263) 0x6c631e57
Has anybody been successful in connecting Juniper with Cisco with multiple traffic selectors?
Any hints?
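An added diagnostic, not code from the poster or from either vendor: it parses the KMD_VPN_TS_MISMATCH lines quoted above and checks each peer-proposed range against the SRX traffic selectors configured in the post. The sample log text is constructed from the lines in the question (peer addresses anonymised as in the post), and the CONFIGURED_TS table is copied from the posted set commands. What it makes visible is that every proposed range, the /32 host entry as well as the subnet entry, falls entirely inside exactly one configured selector, so the failure is the "multiple traffic-selector attributes for a single IPSec SA" rejection itself rather than an addressing mistake. Carrying a specific host address as the first TS entry alongside the broader subnet is the behaviour RFC 7296 section 2.9 describes for an initiator whose negotiation was triggered by a packet; whether this particular ASA does so for that reason is an assumption drawn from the log, not something the post confirms.

```python
"""Diagnose Junos KMD_VPN_TS_MISMATCH messages against configured traffic selectors.

Added example for the question above; the log sample and selector table are
taken from the post, everything else is illustrative.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

Range = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]

# Traffic selectors as configured on the SRX in the post: name -> (local-ip, remote-ip).
CONFIGURED_TS = {
    "AGGREGATE": ("192.168.0.0/24", "10.1.0.0/16"),
    "LEGACY": ("192.168.0.0/24", "192.168.2.0/24"),
    "DMZ": ("192.168.0.0/24", "192.168.253.0/24"),
}

# Constructed sample: the kmd lines quoted in the post (X.X.X.X / Y.Y.Y.Y are the post's placeholders).
SAMPLE_LOG = """\
Apr 12 18:37:40 jnx kmd[1883]: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch, vpn name: VPN-NAME, Peer Proposed traffic-selector local-ip: ipv4(192.168.0.11),ipv4(192.168.0.0-192.168.0.255), Peer Proposed traffic-selector remote-ip: ipv4(10.1.100.1),ipv4(10.1.0.0-10.1.255.255)
Apr 12 18:37:40 jnx kmd[1883]: IPSec negotiation failed with error: Peer proposed unsupported multiple traffic-selector attributes for a single IPSec SA. Negotiation failed.. IKE Version: 2, VPN: VPN-NAME Gateway: VPN-NAME, Local: X.X.X.X/500, Remote: Y.Y.Y.Y/500, Local IKE-ID: X.X.X.X, Remote IKE-ID: Y.Y.Y.Y, VR-ID: 0
Apr 12 18:37:48 jnx kmd[1883]: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch, vpn name: VPN-NAME, Peer Proposed traffic-selector local-ip: ipv4(192.168.0.17),ipv4(192.168.0.0-192.168.0.255), Peer Proposed traffic-selector remote-ip: ipv4(192.168.2.148),ipv4(192.168.2.0-192.168.2.255)
"""

TS_RE = re.compile(r"ipv4\(([^)]+)\)")
MISMATCH_RE = re.compile(
    r"vpn name: (\S+), Peer Proposed traffic-selector local-ip: (.*), "
    r"Peer Proposed traffic-selector remote-ip: (.*)$"
)


def parse_ranges(field: str) -> List[Range]:
    """Turn 'ipv4(a),ipv4(b-c)' into (first, last) address pairs; a lone address is a /32."""
    ranges = []
    for token in TS_RE.findall(field):
        first, _, last = token.partition("-")
        lo = ipaddress.IPv4Address(first)
        hi = ipaddress.IPv4Address(last) if last else lo
        ranges.append((lo, hi))
    return ranges


def parse_mismatch(line: str) -> Optional[Dict]:
    """Extract vpn name and the peer's proposed local/remote TS lists from one mismatch line."""
    if "KMD_VPN_TS_MISMATCH" not in line:
        return None
    m = MISMATCH_RE.search(line)
    if not m:
        return None
    return {"vpn": m.group(1), "local": parse_ranges(m.group(2)), "remote": parse_ranges(m.group(3))}


def narrow(proposed: Range, configured: str) -> Optional[Range]:
    """Intersection of a proposed range with a configured prefix (RFC 7296 2.9 narrowing), or None."""
    net = ipaddress.IPv4Network(configured)
    lo = max(proposed[0], net.network_address)
    hi = min(proposed[1], net.broadcast_address)
    return (lo, hi) if lo <= hi else None


def diagnose(log_text: str) -> List[Dict]:
    """For each mismatch line: did the peer send more than one TS per side, and which
    configured selector (if any) fully covers everything it proposed?"""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_mismatch(line)
        if parsed is None:
            continue
        covering = [
            name
            for name, (loc_cfg, rem_cfg) in CONFIGURED_TS.items()
            if all(narrow(r, loc_cfg) for r in parsed["local"])
            and all(narrow(r, rem_cfg) for r in parsed["remote"])
        ]
        findings.append({
            "vpn": parsed["vpn"],
            "local_count": len(parsed["local"]),
            "remote_count": len(parsed["remote"]),
            # Junos rejects a CREATE_CHILD_SA whose TSi or TSr payload holds more than one entry.
            "multiple_ts": len(parsed["local"]) > 1 or len(parsed["remote"]) > 1,
            "covering_selectors": covering,
        })
    return findings


if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG):
        print(f)
```

Run as-is it reports, for both mismatch lines, two entries on each side and a single covering selector (AGGREGATE for the first, LEGACY for the second). If a future mismatch line showed an empty covering_selectors list, the problem would instead be an address range the SRX does not have a selector for, which is the other thing this message can mean.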