SRX Services Gateway

Route-based ipsec SRX4100-ASA traffic selectors 1 subnet to many behind ASA

11-05-2019 08:51 AM

The configured IPsec tunnel is failing at Phase 2 with the error "[Nov 5 11:02:00][165.X.X.X <-> 74.X.X.X] Authenticated Phase-2 notification `No proposal chosen' (14) data size 4 from 74.X.X.X for protocol ESP with invalid spi[0...16]=ac 37 1d 45 16 59 9f a9 f2 c9 a0 54 37 5f 51 75 causes"

on the SRX I have the following:
traffic-selector PROD2SL_1 {
    local-ip 10.120.72.0/24;
    remote-ip 10.1.0.0/23;
}
traffic-selector PROD2SL_2 {
    local-ip 10.120.72.0/24;
    remote-ip 10.4.200.0/24;
}

on the ASA I have the following:
object-group network VLT_NETS_TO_SAV
network-object 10.1.0.0 255.255.254.0
network-object 10.4.200.0 255.255.255.0
object-group network SAV_NET_TO_VLT
network-object 10.120.72.0 255.255.255.0

access-list VLT-FW_TO_SAV_FW permit ip object-group VLT_NETS_TO_SAV object-group SAV_NET_TO_VLT

I assume this should work, but it doesn't fit quite into one of these: https://kb.juniper.net/InfoCenter/index?page=content&id=KB28861&actp=METADATA

I'm a bit stumped here. I have done this before, but it's been a while and I don't recall.


detailed SRX config:

SRX-01b> show configuration security ike proposal IKE_P1_PROPOSAL_1
authentication-method pre-shared-keys;
dh-group group5;
authentication-algorithm sha1;
encryption-algorithm aes-256-cbc;
lifetime-seconds 86400;

SRX-01b> show configuration security ike policy VLTFW_CORE_IKE_POLICY
mode main;
proposals IKE_P1_PROPOSAL_1;
pre-shared-key ascii-text "$9$WfE8NbaJDH.5x7P5Fn7dY2"; ## SECRET-DATA

SRX-01b> show configuration security ike gateway VLTFW_CORE
ike-policy VLTFW_CORE_IKE_POLICY;
address 74.X.X.X;
external-interface reth3;

SRX-01b> show configuration security ipsec proposal IPSEC_P2_PROPOSAL_1
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm aes-256-cbc;
lifetime-seconds 3600;

SRX-01b> show configuration security ipsec policy VLTFW_CORE_POLICY
perfect-forward-secrecy {
    keys group5;
}
proposals IPSEC_P2_PROPOSAL_1;

SRX-01b> show configuration security ipsec vpn VLTFW_CORE_VPN
bind-interface st0.13;
ike {
    gateway VLTFW_CORE;
    ipsec-policy VLTFW_CORE_POLICY;
}
traffic-selector PROD2SL_1 {
    local-ip 10.120.72.0/24;
    remote-ip 10.1.0.0/23;
}
traffic-selector PROD2SL_2 {
    local-ip 10.120.72.0/24;
    remote-ip 10.4.200.0/24;
}
establish-tunnels immediately;


detailed ASA config:

crypto ikev1 policy 40
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400


tunnel-group 165.X.X.X type ipsec-l2l
tunnel-group 165.X.X.X ipsec-attributes
ikev1 pre-shared-key ABCDEFG

object-group network VLT_NETS_TO_SAV
network-object 10.1.0.0 255.255.254.0
network-object 10.4.200.0 255.255.255.0
object-group network SAV_NET_TO_VLT
network-object 10.120.72.0 255.255.255.0

access-list VLT-FW_TO_SAV_FW permit ip object-group VLT_NETS_TO_SAV object-group SAV_NET_TO_VLT

crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport

crypto map outside_vpn 60 match address VLT-FW_TO_SAV_FW
crypto map outside_vpn 60 set pfs group5
crypto map outside_vpn 60 set peer 165.X.X.X
crypto map outside_vpn 60 set ikev1 transform-set ESP-AES-256-SHA-TRANS
crypto map outside_vpn 60 set security-association lifetime seconds 86400


Re: Route-based ipsec SRX4100-ASA traffic selectors 1 subnet to many behind ASA

11-05-2019 09:43 AM

In the Cisco config, the mode should be "main" and the Phase 2 lifetime should be 3600. Please modify and let me know the result.

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)

Re: Route-based ipsec SRX4100-ASA traffic selectors 1 subnet to many behind ASA

11-05-2019 10:07 AM

Added:

crypto map outside_vpn 60 match address VLT-FW_TO_SAV_FW
crypto map outside_vpn 60 set pfs group5
crypto map outside_vpn 60 set peer 165.X.X.X
crypto map outside_vpn 60 set ikev1 transform-set ESP-AES-256-SHA-TRANS
crypto map outside_vpn 60 set security-association lifetime seconds 3600 <<----

ran command:

crypto map outside_vpn 60 set ikev1 phase1-mode main   <<---- doesn't show in configuration.


still see:

[Nov 5 13:02:00] Authenticated Phase-2 notification `No proposal chosen' (14) data size 4 from 74.X.X.X for protocol ESP with invalid spi[0...16]=81 12 58 a3 b4 e0 b9 99 c8 45 d3 8b b5 f7 6a 4c causes IKE SA deletion and QM abort


and now:

st0.13 up down inet

Solution (accepted by topic author ryan.milton@ibm.com, 11-05-2019 10:30 AM)

Re: Route-based ipsec SRX4100-ASA traffic selectors 1 subnet to many behind ASA

11-05-2019 10:24 AM

crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport <----

Change the mode to tunnel (not sure about this option) or remove this mode config.
Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
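As an added example that is not from this thread, Juniper or Cisco: a small Python pre-check that does what the replies above did by hand. It models the Phase 2 (quick mode) attributes each peer will propose and the traffic selectors / proxy IDs each peer expects, then lists every disagreement, so the transport-vs-tunnel mismatch and the lifetime difference show up before the tunnel is brought up. The subnet and algorithm values are transcribed from the configs posted above (ASA object-group entries written in netmask form); the `Phase2` field set, the keyword table `CANON` and the comparison rules are my own simplification of IKEv1 quick mode, and `audit()` is a helper written for this example.

```python
"""Pre-flight consistency check for the SRX <-> ASA IKEv1 tunnel in this thread.

Added example, not from the thread. It compares the Phase 2 (quick mode)
attributes both peers will propose and the traffic selectors / proxy IDs
both peers expect, and reports every mismatch. The Phase2 field set and
the keyword table are a simplification written for this example.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from itertools import product
from typing import Dict, List, Set, Tuple

# Vendor keyword -> canonical name. Only keywords that occur in the posted
# configs are mapped; anything else is compared as written.
CANON: Dict[str, str] = {
    "aes-256-cbc": "aes256",   # Junos encryption-algorithm
    "esp-aes-256": "aes256",   # ASA transform-set
    "hmac-sha1-96": "sha1",    # Junos authentication-algorithm
    "esp-sha-hmac": "sha1",    # ASA transform-set
}


def canon(keyword: str) -> str:
    return CANON.get(keyword, keyword)


@dataclass(frozen=True)
class Phase2:
    protocol: str      # "esp"
    encryption: str
    integrity: str
    mode: str          # "tunnel" or "transport"; a route-based SRX VPN (st0) uses tunnel
    pfs: str           # DH group for PFS, e.g. "group5"
    lifetime: int      # seconds


def compare_phase2(srx: Phase2, asa: Phase2) -> List[str]:
    """One message per attribute the peers would disagree on.

    Protocol, algorithms, encapsulation mode and PFS group must match for the
    responder to pick a proposal. A lifetime difference is only reported as a
    warning: the first reply in the thread asks for it to be aligned, but it
    was the mode mismatch that produced NO_PROPOSAL_CHOSEN."""
    problems = []
    for attr in ("protocol", "encryption", "integrity", "mode", "pfs"):
        a, b = canon(getattr(srx, attr)), canon(getattr(asa, attr))
        if a != b:
            problems.append(f"{attr}: SRX proposes {a}, ASA proposes {b}")
    if srx.lifetime != asa.lifetime:
        problems.append(f"warning: lifetime {srx.lifetime}s (SRX) vs {asa.lifetime}s (ASA)")
    return problems


# (local, remote) as seen from the peer that owns the selector.
Selector = Tuple[IPv4Network, IPv4Network]


def srx_selectors(traffic_selectors: Dict[str, Tuple[str, str]]) -> Set[Selector]:
    """Junos traffic-selector name -> (local-ip, remote-ip)."""
    return {(ip_network(loc), ip_network(rem)) for loc, rem in traffic_selectors.values()}


def asa_selectors(sources: List[str], destinations: List[str]) -> Set[Selector]:
    """Expand an object-group ACE into per-subnet pairs.

    The ASA negotiates one proxy-ID pair (one Phase 2 SA) per expanded
    source/destination combination, which the SRX matches against its
    traffic-selectors. Netmask notation ("10.1.0.0/255.255.254.0") is accepted."""
    return {(ip_network(s), ip_network(d)) for s, d in product(sources, destinations)}


def compare_selectors(srx: Set[Selector], asa: Set[Selector]) -> List[str]:
    """Each SRX (local, remote) pair must appear on the ASA as (remote, local)."""
    mirrored = {(rem, loc) for loc, rem in asa}
    problems = []
    for loc, rem in sorted(srx - mirrored, key=str):
        problems.append(f"SRX selector {loc} -> {rem} has no matching ASA ACE")
    for loc, rem in sorted(mirrored - srx, key=str):
        problems.append(f"ASA ACE {rem} -> {loc} has no matching SRX traffic-selector")
    return problems


# Values transcribed from the configs posted in this thread.
SRX_TS = {
    "PROD2SL_1": ("10.120.72.0/24", "10.1.0.0/23"),
    "PROD2SL_2": ("10.120.72.0/24", "10.4.200.0/24"),
}
ASA_VLT_NETS_TO_SAV = ["10.1.0.0/255.255.254.0", "10.4.200.0/255.255.255.0"]
ASA_SAV_NET_TO_VLT = ["10.120.72.0/255.255.255.0"]

SRX_P2 = Phase2("esp", "aes-256-cbc", "hmac-sha1-96", "tunnel", "group5", 3600)
ASA_P2_AS_POSTED = Phase2("esp", "esp-aes-256", "esp-sha-hmac", "transport", "group5", 86400)
ASA_P2_FIXED = Phase2("esp", "esp-aes-256", "esp-sha-hmac", "tunnel", "group5", 3600)


def audit(asa_p2: Phase2) -> List[str]:
    """Full report for the thread's SRX side against a given ASA Phase 2 setup."""
    selectors = compare_selectors(
        srx_selectors(SRX_TS), asa_selectors(ASA_VLT_NETS_TO_SAV, ASA_SAV_NET_TO_VLT))
    return compare_phase2(SRX_P2, asa_p2) + selectors


if __name__ == "__main__":
    for label, p2 in (("ASA as posted", ASA_P2_AS_POSTED), ("ASA after the fix", ASA_P2_FIXED)):
        print(f"== {label} ==")
        for line in audit(p2) or ["no mismatches"]:
            print("  " + line)
```

Run as posted, the first report carries exactly two lines: the encapsulation-mode mismatch (SRX tunnel vs ASA transport) and the lifetime warning; the selector comparison is clean, which matches the thread's conclusion that the one-local-to-many-remote ACL expansion was never the problem. With the transport line removed and the lifetime aligned, the report is empty. Swapping in a wrong ASA mask (for example 10.1.0.0/24 instead of /23) shows how a proxy-ID mismatch looks in the same report.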

Re: Route-based ipsec SRX4100-ASA traffic selectors 1 subnet to many behind ASA

11-05-2019 10:30 AM

That was it... I was attempting to "squeeze" in "tunnel mode" somewhere and couldn't. Just removing transport mode was it! Thanks