Cannot establish IPSec SA for site-to-site VPN from Juniper SSG5 (dynamic IP) to Cisco 2921 router

AndersAberg
Level 1

Hello, for several days I have been trying to establish a site-to-site VPN from a Juniper SSG5 (ScreenOS 6.3.0r12.0) to a Cisco 2921 router (with ISM crypto engine running IOS 15.4(2)T1 w/ securityk9 license). I am now reaching out to the forum hoping that someone will be able to pinpoint why my VPN won't establish.

Setup

SSG5 LAN side: interface bgroup0 in zone Trust, subnet 172.27.35.0/29.

SSG5 internet side: interface eth0/0 in zone Untrust, DHCP assigned public IP address (shown as 2.2.2.2 in attached logs).

SSG5 VPN is configured as route-based (bound to interface tunnel.1) with explicitly configured proxy ids.

Two Cisco 2921 routers running stateful switchover (SSO), which supports only crypto map based VPNs:

Cisco internet side: interface gig0/2.99 in global vrf with HSRP address 1.1.1.1.

Cisco LAN side: interface gig0/0.15 in vrf AUX-SITES with subnet 172.27.32.80/29.

Initially it will be sufficient to establish VPN communication between the 172.27.35.0/29 and 172.27.32.80/29 subnets.

The Cisco router pair is in use for other static-IP site-to-site VPNs (with Cisco ASAs as remote gateways); this problem is specifically about the VPN to the Juniper SSG5.

Results

There is full connectivity between the SSG5 and Cisco routers' internet facing interfaces.

When passing traffic from 172.27.35.0/29 to 172.27.32.80/29, IKE phase 1 completes successfully but phase 2 fails.

After hours of troubleshooting, I am fairly sure the proxy IDs/ACLs and transform sets are identically configured on both sides.

Cisco configuration

crypto keyring AUX-SITES
 description Juniper SSG5 remote sites
 pre-shared-key address 0.0.0.0 0.0.0.0 key <scrubbed>

crypto isakmp profile AUX-SITES
 vrf AUX-SITES
 keyring AUX-SITES
 match identity address 0.0.0.0

crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel

ip access-list extended AUX-REMOTE-A
 permit ip 172.27.32.80 0.0.0.7 172.27.35.0 0.0.0.7 log

crypto dynamic-map AUX-REMOTES 10
 set security-association lifetime kilobytes disable
 set security-association lifetime seconds 28800
 set transform-set ESP-AES256-SHA
 set pfs group2
 match address AUX-REMOTE-A
 reverse-route

crypto map VPN 65000 ipsec-isakmp dynamic AUX-REMOTES

interface GigabitEthernet0/0.15
 description INTERNAL NETWORK
 encapsulation dot1Q 15
 ip vrf forwarding AUX-SITES
 ip address 172.27.32.85 255.255.255.248
 standby 15 ip 172.27.32.84

interface GigabitEthernet0/2.99
 description INTERNET
 encapsulation dot1Q 3900
 ip address 1.1.1.2 255.255.255.240
 standby 99 ip 1.1.1.1
 standby 99 name HA-INTERNET
 standby 99 track 2 decrement 10
 crypto map VPN redundancy HA-INTERNET stateful

Juniper SSG5 configuration

set interface "ethernet0/0" zone "Untrust"
set interface ethernet0/0 route
set interface ethernet0/0 dhcp client enable     <-- ext i/f currently holds public IP address ("2.2.2.2")
set interface "tunnel.1" zone "Untrust"
set interface tunnel.1 ip unnumbered interface ethernet0/0
set interface "bgroup0" zone "Trust"
set interface bgroup0 ip 172.27.35.1/29
set interface bgroup0 route

set ike p1-proposal "PRE-G2-AES256-SHA" preshare group2 esp aes256 sha-1 minute 1440
set ike p2-proposal "PFS2-ESP-AES256-SHA-28800" group2 esp aes256 sha-1 second 28800

set ike gateway "GW" address 194.14.80.10 Main outgoing-interface "ethernet0/0" preshare "<scrubbed>" proposal "PRE-G2-AES256-SHA"

set vpn "VPN" gateway "GW" no-replay tunnel idletime 0 proposal "PFS2-ESP-AES256-SHA-28800" 
set vpn "VPN" id 0x3 bind interface tunnel.1
set vpn "VPN" proxy-id check
set vpn "VPN" proxy-id local-ip 172.27.35.0/29 remote-ip 172.27.32.80/29 "ANY" 

set policy id 1 from "Trust" to "Untrust"  "net-172.27.35.0/29" "net-172.27.32.80/29" "ANY" permit log 
set policy id 1
exit

set route 172.27.32.80/29 interface tunnel.1 permanent

Cisco router status after unsuccessful attempt to send traffic from SSG5 LAN to Cisco LAN

Cisco2921#sh crypto isakmp sa detail
IPv4 Crypto ISAKMP SA
C-id  Local           Remote          I-VRF  Status Encr Hash   Auth DH Lifetime Cap.
20131 1.1.1.1         2.2.2.2         AUX-SI ACTIVE aes  sha    psk  2  23:51:39
       Engine-id:Conn-id =  ISM VPN:131

Cisco2921#show crypto ipsec sa peer 2.2.2.2

Cisco2921#sh crypto session
Interface: GigabitEthernet0/2.99
Profile: AUX-SITES
Session status: UP-IDLE
Peer: 2.2.2.2 port 500
  Session ID: 0
  IKEv1 SA: local 1.1.1.1/500 remote 2.2.2.2/500 Active

Debug outputs

As attachments.

Any help with this would be greatly appreciated!

Cheers,

Anders Aberg

2 Replies

Jorge Garcia
Cisco Employee

Hi,

Thanks for contacting the Cisco Support Community! I analysed the debug provided and I was able to find the following:

Nov  6 11:39:50.506: Cannot find crypto swsb : in ipsec_process_proposal (), 1590
Nov  6 11:39:50.506: IPSEC(ipsec_process_proposal): proxy identities not supported
Nov  6 11:39:50.506: ISAKMP:(20131): IPSec policy invalidated proposal with error 32
Nov  6 11:39:50.506: ISAKMP:(20131): phase 2 SA policy not acceptable! (local 1.1.1.1 remote 2.2.2.2)

These messages appear when there is a mismatch in the ACLs configured on both devices. I went further and checked how a Juniper firewall should be configured for a route-based VPN, and it seems that they match.

I have seen cases where, after re-entering the ACL on the Juniper device, the VPN is created and starts sending traffic.

So, could you please try re-entering the ACL on the Juniper and testing the connection again?

Also, this problem could be related to one of the devices being behind a NAT device; if this is the case, you need to point to the real IP address and not the public IP address.

Please let me know if this works for you,

Have a great day!

Best regards,

Osvaldo Garcia

Hi Osvaldo,

Many thanks for your feedback. I have followed your advice to remove the VPN ACL on the Juniper box and re-create it, however the result is still the same and logs look identical on both sides. The Juniper box was also rebooted in the process.

None of the endpoints is behind a NAT device. Ultimately I would want this setup to work with the Juniper SSG5 located behind a NAT/PAT router, but this is not the case today. The Juniper SSG5 is currently getting a public routable IP address via DHCP.

One line in the Cisco log comes across as strange - should I really be seeing transform=NONE in the proposal from the SSG5:

Nov  6 11:39:50.506: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 1.1.1.1:0, remote= 2.2.2.2:0,
    local_proxy= 172.27.32.80/255.255.255.248/256/0,
    remote_proxy= 172.27.35.0/255.255.255.248/256/0,
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0

Cheers,

Anders Aberg
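Added example, not code from the thread, Cisco or Juniper: a small Python check that normalises the Cisco crypto ACL (address/wildcard form), the ScreenOS "set vpn ... proxy-id" line, and the local_proxy/remote_proxy fields of the IPSEC(validate_proposal_request) debug quoted in the last reply into CIDR networks and compares them. This is the "mismatch in the ACLs" check the reply suggests, done mechanically instead of by eye, and it goes slightly beyond the thread's single ACE by also accepting "any" and "host" operands. The sample lines are copied from the configuration and debug in the thread; the second ScreenOS line with a /24 is constructed to show what a mismatch report looks like. Two mappings are assumptions of this example: ScreenOS service "ANY" corresponds to ACL protocol "ip", and the protocol value 256 in the IOS debug stands for "ip" (any protocol).

```python
"""Cross-check IPsec phase-2 proxy identities (traffic selectors) between a
Cisco IOS crypto ACL / IPSEC debug and a ScreenOS 'set vpn ... proxy-id' line.

Added example for this thread; not vendor code. Sample lines below are taken
from the thread's own configuration and debug, except where marked constructed.
"""
import ipaddress
import re

# --- sample inputs copied from the thread (the 'BAD' line is constructed) ---
CISCO_ACL_LINE = "permit ip 172.27.32.80 0.0.0.7 172.27.35.0 0.0.0.7 log"
SCREENOS_PROXY_ID = ('set vpn "VPN" proxy-id local-ip 172.27.35.0/29 '
                     'remote-ip 172.27.32.80/29 "ANY"')
CISCO_DEBUG = """\
Nov  6 11:39:50.506: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 1.1.1.1:0, remote= 2.2.2.2:0,
    local_proxy= 172.27.32.80/255.255.255.248/256/0,
    remote_proxy= 172.27.35.0/255.255.255.248/256/0,
    protocol= ESP, transform= NONE  (Tunnel),
"""
# Constructed: same line with /24 instead of /29, the kind of one-character
# slip that yields "proxy identities not supported" on the IOS side.
SCREENOS_PROXY_ID_BAD = ('set vpn "VPN" proxy-id local-ip 172.27.35.0/24 '
                         'remote-ip 172.27.32.80/29 "ANY"')

# Assumed mapping of ScreenOS service names to IOS ACL protocol keywords.
SERVICE_TO_PROTO = {"ANY": "ip", "TCP-ANY": "tcp", "UDP-ANY": "udp"}


def wildcard_to_network(addr, wildcard):
    """IOS ACLs use wildcard masks (inverted subnet masks): 0.0.0.7 == /29."""
    mask_int = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    # strict=False keeps an ACE with host bits set comparable instead of raising.
    return ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(mask_int)}", strict=False)


def _acl_operand(tokens, i):
    """Parse one src/dst operand: 'any', 'host A', or 'A WILDCARD'. Returns (net, next_i)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_cisco_acl(line):
    """Return (proto, local_net, remote_net) for a 'permit <proto> <src> <dst>' ACE.
    In a crypto ACL the source is the local protected side, the destination the remote."""
    tokens = line.split()
    if not tokens or tokens[0] != "permit":
        raise ValueError("only 'permit' entries select traffic for the SA")
    proto = tokens[1]
    local, i = _acl_operand(tokens, 2)
    remote, _ = _acl_operand(tokens, i)
    return proto, local, remote


_PROXY_RE = re.compile(
    r"(local|remote)_proxy= (\d+\.\d+\.\d+\.\d+)/(\d+\.\d+\.\d+\.\d+)/(\d+)/(\d+)")


def parse_cisco_debug_proxies(debug_text):
    """Extract local_proxy/remote_proxy from IPSEC(validate_proposal_request) debug.
    Each field is addr/mask/protocol/port; value 256 is taken to mean 'ip' (assumption)."""
    found = {}
    for side, addr, mask, proto, port in _PROXY_RE.findall(debug_text):
        found[side] = (ipaddress.ip_network(f"{addr}/{mask}", strict=False),
                       "ip" if proto == "256" else proto, int(port))
    return found["local"], found["remote"]


_SCREENOS_RE = re.compile(r'proxy-id local-ip (\S+) remote-ip (\S+) "([^"]+)"')


def parse_screenos_proxy_id(line):
    """Return (service, local_net, remote_net) from 'set vpn ... proxy-id ...'."""
    m = _SCREENOS_RE.search(line)
    if not m:
        raise ValueError("not a ScreenOS proxy-id line")
    local, remote, service = m.groups()
    return (service, ipaddress.ip_network(local, strict=False),
            ipaddress.ip_network(remote, strict=False))


def check_proxy_ids(cisco_acl_line, screenos_line):
    """Return a list of mismatch descriptions; an empty list means the selectors agree.
    ScreenOS 'local-ip' must equal the Cisco remote side and vice versa."""
    c_proto, c_local, c_remote = parse_cisco_acl(cisco_acl_line)
    s_service, s_local, s_remote = parse_screenos_proxy_id(screenos_line)
    problems = []
    if c_local != s_remote:
        problems.append(f"Cisco local {c_local} != ScreenOS remote-ip {s_remote}")
    if c_remote != s_local:
        problems.append(f"Cisco remote {c_remote} != ScreenOS local-ip {s_local}")
    if SERVICE_TO_PROTO.get(s_service.upper()) != c_proto:
        problems.append(f"ScreenOS service {s_service} does not map to ACL protocol {c_proto}")
    return problems


if __name__ == "__main__":
    print("thread config:", check_proxy_ids(CISCO_ACL_LINE, SCREENOS_PROXY_ID) or "selectors match")
    print("bad config:   ", check_proxy_ids(CISCO_ACL_LINE, SCREENOS_PROXY_ID_BAD))
    print("debug shows:  ", parse_cisco_debug_proxies(CISCO_DEBUG))
```

Run as a script it prints the three results. For the values in this thread the selectors agree (and the debug's local_proxy/remote_proxy reduce to the same two /29 networks), which matches what Anders reported after checking them by hand; the constructed /24 line shows the single mismatch the function would report in the case the reply describes.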