IPSec L2L tunnel problem

Unanswered Question
Mar 27th, 2009

Hi,


I'm trying to build a tunnel between our ASA 5510 and the service provider's Juniper Netscreen.


The IKE phase 1 tunnel works fine, but the IPsec phase 2 tunnel doesn't. Based on the logs on both sides, it seems that the problem is in the proxy-id configurations, so the protected networks don't match. I have tried to do everything I understand on the ASA, but can't get it to work. Could someone help me with what else could be the problem? Are there any known issues between ASA and Netscreen? The SP points to me and says that I have to configure the proxy-ids correctly.


The SP said that they have configured the following networks in the Netscreen proxy-id (route based):


local:
x.x.x.206/32
x.x.x.169/32
x.x.x.187/32

remote:
z.z.z.0/24


I attach my ASA configuration related to the tunnel. Below you can see the log messages from the ASA and the Netscreen.


Thanks in Advance,

~Teemu~



ASA log -->


asa5510# Mar 24 10:57:58 [IKEv1]: Group = Netscreen_IP, IP = Netscreen_IP, QM FSM error (P2 struct &0xd8cfcf80, mess id 0x50bcdd6b)!
Mar 24 10:57:58 [IKEv1]: Group = Netscreen_IP, IP = Netscreen_IP, construct_ipsec_delete(): !
Mar 24 10:57:58 [IKEv1]: Group = Netscreen_IP, IP = Netscreen_IP, Removing peer from correlator table failed, no match!


Netscreen log-->


IKE ASA_IP Phase 2: No policy exists for the proxy ID received: local ID (ASA_IP/255.255.255.255, 0, 0) remote ID (ASA_IP/255.255.255.255, 0, 0)




JamesLuther Fri, 03/27/2009 - 09:09

Hi,


The error relates to the information you have in your ACL OUTSIDE_1_cryptomap. I think you have these the wrong way round.


You have configured


Local Encryption domain: z.z.z.0/24

Remote Encryption domain: host1, host2, host3


So perhaps it should be


access-list OUTSIDE_1_cryptomap extended permit ip object-group VPN_hostgroup z.z.z.0 255.255.255.0


Also be aware that Juniper is very fussy about these settings so you need to ensure that your ISP has EXACTLY the same subnets/masks configured.



Regards

tvaris Tue, 03/31/2009 - 00:16

Thanks James for fast reply.


I changed the access-list as you suggested, but the result is still the same. And as far as I understand, it should be as it was first. First I must define the local network(s) and then the remote network(s) in the access-list?


So, problem still occurs, any help/ideas?



~Teemu~

sdoremus33 Tue, 03/31/2009 - 14:12

What if you were to rem out the following

crypto map OUTSIDE_map 1 set nat-t-disable. What happens?

sdoremus33 Tue, 03/31/2009 - 18:12

What if you were to rem out the following

crypto map OUTSIDE_map 1 set nat-t-disable. What happens?


Instead


crypto map OUTSIDE_map 1, which will apply the crypto map to the outside interface.

sdoremus33 Tue, 03/31/2009 - 18:15

What I meant in my earlier comment was to rem out just the following


crypto map OUTSIDE_map 1 match address OUTSIDE_1_cryptomap

crypto map OUTSIDE_map 1 set pfs

crypto map OUTSIDE_map 1 set connection-type originate-only

crypto map OUTSIDE_map 1 set peer remote_IP

crypto map OUTSIDE_map 1 set transform-set ESP-3DES-SHA

crypto map OUTSIDE_map 1 Rem this section out set nat-t-disable

crypto map OUTSIDE_map 1

sdoremus33 Tue, 03/31/2009 - 20:00

Disregard earlier comments, I was assuming it was a different issue, sorry for the inconvenience.

Dwarakanath Gharge Wed, 12/09/2015 - 04:04

Hello,


Can you post a working config for route based VPNs (ASA --- Juniper) for reference?

I am also in the same kind of situation.


Thank you,

Dwarakanath

JamesLuther Wed, 04/01/2009 - 07:28

Hi Teemu,


If you think your ACL is good then you need to verify with your ISP that they have configured EXACTLY the same on their side. Juniper is quite particular so if you have configured 192.168.1.206 and they have configured 192.168.1.0/24 then it will not work.


The error you're getting relates to the negotiation of the network IDs between the two VPN peers. If you read the error carefully and look at the Cisco ACL and the Juniper ACL then you will see where the problem is.




Regards
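An added check for the point James makes in both replies: on the ASA the ACE source is the local proxy-id and the destination is the remote one, and the peer must hold the exact mirror image, masks included. This is example code, not from the thread; the addresses, ACL lines and Netscreen proxy-ids are constructed, with the object-group from the original post expanded into one ACE per host.

```python
import ipaddress

# Constructed sample (not the thread author's config): ASA crypto ACL for the
# thread's topology, local z.z.z.0/24 to three remote /32 hosts, one ACE per host.
ASA_CRYPTO_ACL = """
access-list OUTSIDE_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 host 192.0.2.206
access-list OUTSIDE_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 host 192.0.2.169
access-list OUTSIDE_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 host 192.0.2.187
"""

# Constructed Netscreen proxy-ids, written as (local, remote) from the Netscreen's side.
NETSCREEN_PROXY_IDS = [("192.0.2.206/32", "10.1.1.0/24"),
                       ("192.0.2.169/32", "10.1.1.0/24"),
                       ("192.0.2.187/32", "10.1.1.0/24")]

def parse_ace(line):
    """Turn 'access-list NAME extended permit ip SRC DST' into (local, remote):
    the ACE source is the ASA's local proxy-id, the destination the remote one."""
    toks = line.split()
    i = toks.index("ip") + 1
    nets = []
    for _ in range(2):
        if toks[i] == "host":          # single host -> /32
            nets.append(ipaddress.ip_network(toks[i + 1] + "/32"))
        else:                          # address followed by a dotted mask
            nets.append(ipaddress.ip_network(f"{toks[i]}/{toks[i + 1]}"))
        i += 2
    return nets[0], nets[1]

def check_proxy_ids(acl_text, peer_pairs):
    """For each ASA ACE, report whether the peer holds the exact mirror image
    (peer local == ASA remote, peer remote == ASA local). Prefixes that overlap
    but differ in mask are reported separately: IKE treats them as a mismatch,
    which the Netscreen logs as 'No policy exists for the proxy ID received'."""
    peer = [(ipaddress.ip_network(l), ipaddress.ip_network(r)) for l, r in peer_pairs]
    report = []
    for line in acl_text.splitlines():
        if not line.strip().startswith("access-list"):
            continue
        local, remote = parse_ace(line)
        if (remote, local) in peer:
            verdict = "match"
        elif any(local.overlaps(pr) and remote.overlaps(pl) for pl, pr in peer):
            verdict = "overlap only (masks differ)"
        else:
            verdict = "no policy"
        report.append((str(local), str(remote), verdict))
    return report
```

Running it on the swapped ACL from the first reply gives "no policy" for every ACE, and a host entry against a peer /24 (the 192.168.1.206 vs 192.168.1.0/24 case) gives "overlap only (masks differ)".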

JamesLuther Wed, 04/01/2009 - 07:31

Hi Teemu,


Try running "debug crypto isakmp" too; that should give you a good idea of what is really happening.



Regards

pdesch Tue, 04/21/2009 - 13:54

I have the exact same problem. Some more detailed logs on the Juniper show:


## 2009-04-21 16:39:49 : rcv_local_addr = 10.20.1.0, rcv_local_mask = 255.255.255.0, p_rcv_local_real = 10.20.1.0
## 2009-04-21 16:39:49 : rcv_remote_addr = 65.1.1.1, rcv_remote_mask = 255.255.255.248, p_rcv_remote_real = 65.1.1.1
## 2009-04-21 16:39:49 : ike_p2_id->local_ip = 65.1.1.1, cfg_local_mask = 255.255.255.248, p_cfg_local_real = 65.1.1.1
## 2009-04-21 16:39:49 : ike_p2_id->remote_ip = 10.20.1.0, cfg_remote_mask = 255.255.255.0, p_cfg_remote_real = 10.20.1.0
## 2009-04-21 16:39:49 : IKE<65.1.1.1> local address NOT matched.


I've spent a lot of time troubleshooting this one and haven't gotten anywhere...unfortunately it doesn't look like there are any working ASA to Juniper configs when using policy-based VPN on the Juniper side.

pdesch Thu, 04/23/2009 - 12:01

Got it working with the route based VPNs...we found that policy-based VPNs don't work if you are trying to pass multiple subnets across the VPN.



access-list VPN extended permit ip 172.16.10.0 255.255.255.0 10.20.1.0 255.255.255.0
access-list VPN2 extended permit ip 172.17.10.0 255.255.255.0 10.20.1.0 255.255.255.0
crypto ipsec transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
crypto map NS-map 10 match address VPN
crypto map NS-map 10 set pfs
crypto map NS-map 10 set peer 10.20.20.1
crypto map NS-map 10 set transform-set AES256-SHA
crypto map NS-map 10 set security-association lifetime seconds 3600
crypto map NS-map 20 match address VPN2
crypto map NS-map 20 set pfs
crypto map NS-map 20 set peer 10.20.20.1
crypto map NS-map 20 set transform-set AES256-SHA
crypto map NS-map 20 set security-association lifetime seconds 3600
crypto map NS-map interface inside
crypto isakmp identity address
crypto isakmp enable inside
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
no crypto isakmp nat-traversal


Just follow the vanilla route-based VPN instructions in any Juniper documentation.


Hope this helps...
