Cisco Support Community

Cannot establish IPSec SA for site-to-site VPN from Juniper SSG5 (dynamic IP) to Cisco 2921 router

Hello, for several days I have been trying to establish a site-to-site VPN from a Juniper SSG5 (ScreenOS 6.3.0r12.0) to a Cisco 2921 router (with ISM crypto engine running IOS 15.4(2)T1 w/ securityk9 license). I am now reaching out to the forum hoping that someone will be able to pinpoint why my VPN won't establish.



SSG5 LAN side: interface bgroup0 in zone Trust, subnet

SSG5 internet side: interface eth0/0 in zone Untrust, DHCP assigned public IP address (shown as in attached logs).

SSG5 VPN is configured as route-based (bound to interface tunnel.1) with explicitly configured proxy ids.

Two Cisco 2921 routers running stateful switchover (SSO), which supports only crypto map based VPNs:

Cisco internet side: interface gig0/2.99 in global vrf with HSRP address

Cisco LAN side: interface gig0/0.15 in vrf AUX-SITES with subnet

Initially it will be sufficient to establish VPN communication between the and subnets.

Cisco router pair is in use for other static IP site-to-site VPNs (with Cisco ASA as remote gateways) - this problem is specifically about VPN to Juniper SSG5.



There is full connectivity between the SSG5 and Cisco routers' internet facing interfaces.

When passing traffic from to, IKE phase 1 completes successfully but phase 2 fails.

After hours of troubleshooting, I am fairly sure the proxy IDs/ACLs and transform sets are identically configured on both sides.


Cisco configuration

crypto keyring AUX-SITES
 description Juniper SSG5 remote sites
 pre-shared-key address key <scrubbed>

crypto isakmp profile AUX-SITES
 keyring AUX-SITES
 match identity address

crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel

ip access-list extended AUX-REMOTE-A
 permit ip log

crypto dynamic-map AUX-REMOTES 10
 set security-association lifetime kilobytes disable
 set security-association lifetime seconds 28800
 set transform-set ESP-AES256-SHA
 set pfs group2
 match address AUX-REMOTE-A

crypto map VPN 65000 ipsec-isakmp dynamic AUX-REMOTES

interface GigabitEthernet0/0.15
 encapsulation dot1Q 15
 ip vrf forwarding AUX-SITES
 ip address
 standby 15 ip

interface GigabitEthernet0/2.99
 description INTERNET
 encapsulation dot1Q 3900
 ip address
 standby 99 ip
 standby 99 name HA-INTERNET
 standby 99 track 2 decrement 10
 crypto map VPN redundancy HA-INTERNET stateful


Juniper SSG5 configuration

set interface "ethernet0/0" zone "Untrust"
set interface ethernet0/0 route
set interface ethernet0/0 dhcp client enable     <-- ext i/f currently holds public IP address ("")
set interface "tunnel.1" zone "Untrust"
set interface tunnel.1 ip unnumbered interface ethernet0/0
set interface "bgroup0" zone "Trust"
set interface bgroup0 ip
set interface bgroup0 route

set ike p1-proposal "PRE-G2-AES256-SHA" preshare group2 esp aes256 sha-1 minute 1440
set ike p2-proposal "PFS2-ESP-AES256-SHA-28800" group2 esp aes256 sha-1 second 28800

set ike gateway "GW" address Main outgoing-interface "ethernet0/0" preshare "<scrubbed>" proposal "PRE-G2-AES256-SHA"

set vpn "VPN" gateway "GW" no-replay tunnel idletime 0 proposal "PFS2-ESP-AES256-SHA-28800" 
set vpn "VPN" id 0x3 bind interface tunnel.1
set vpn "VPN" proxy-id check
set vpn "VPN" proxy-id local-ip remote-ip "ANY" 

set policy id 1 from "Trust" to "Untrust"  "net-" "net-" "ANY" permit log 
set policy id 1

set route interface tunnel.1 permanent


Cisco router status after unsuccessful attempt to send traffic from SSG5 LAN to Cisco LAN

Cisco2921#sh crypto isakmp sa detail
C-id  Local           Remote          I-VRF  Status Encr Hash   Auth DH Lifetime Cap.
20131         AUX-SI ACTIVE aes  sha    psk  2  23:51:39
       Engine-id:Conn-id =  ISM VPN:131

Cisco2921#show crypto ipsec sa peer

Cisco2921#sh crypto session
Interface: GigabitEthernet0/2.99
Profile: AUX-SITES
Session status: UP-IDLE
Peer: port 500
  Session ID: 0
  IKEv1 SA: local remote Active


Debug outputs

As attachments.


Any help with this would be greatly appreciated!



Anders Aberg

Cisco Employee




Thanks for contacting the Cisco Support Community! I analysed the debug provided and I was able to find the following:

Nov  6 11:39:50.506: Cannot find crypto swsb : in ipsec_process_proposal (), 1590
Nov  6 11:39:50.506: IPSEC(ipsec_process_proposal): proxy identities not supported
Nov  6 11:39:50.506: ISAKMP:(20131): IPSec policy invalidated proposal with error 32
Nov  6 11:39:50.506: ISAKMP:(20131): phase 2 SA policy not acceptable! (local remote

These messages appear when there is a mismatch in the ACLs configured on both devices. I went further and checked how a Juniper firewall should be configured for a route-based VPN, and it seems that they match.

I have seen cases where, after re-entering the ACL in the Juniper device, the VPN is created and starts sending traffic.

So, could you please try to re-enter the ACL in the Juniper and test the connection again?

Also, this problem could be related to one of the devices being behind a NAT device; if this is true, you need to point to the real IP address and not the public IP address.



Please let me know if this works for you,

Have a great day!

Best regards,


Osvaldo Garcia
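The proxy-ID mirroring that the reply above describes can be checked mechanically rather than by eye. What follows is an added example, not part of either post and not a Cisco or Juniper tool: a Python script that parses a Cisco crypto ACL and a ScreenOS proxy-id line, checks that the Cisco source/destination networks appear as the Juniper remote/local networks (and that "ip" pairs with service "ANY"), and picks out the phase 2 rejection lines from IOS debug output. The network addresses are constructed samples, since the thread's addresses are scrubbed; the debug lines are the ones quoted in the reply.

```python
"""Check that a Cisco crypto ACL mirrors a ScreenOS proxy-id, and scan IOS
debug output for the phase 2 proxy-identity rejection discussed in the thread.

Added example; not from the thread or from either vendor. Addresses are
constructed samples (the thread's are scrubbed)."""
import ipaddress
import re

# Constructed sample: Cisco crypto ACL. In a crypto ACL the source is the
# locally protected LAN and the destination is the peer's LAN.
CISCO_ACL = """\
ip access-list extended AUX-REMOTE-A
 permit ip 10.20.15.0 0.0.0.255 192.168.1.0 0.0.0.255 log
"""

# Constructed sample: the matching ScreenOS proxy-id. On the SSG5, local-ip is
# its own LAN and remote-ip is the Cisco LAN, so the two sides must be mirrored.
JUNIPER_PROXY_ID_OK = 'set vpn "VPN" proxy-id local-ip 192.168.1.0/24 remote-ip 10.20.15.0/24 "ANY"'
# Constructed sample of a frequent mistake: local and remote entered the wrong way round.
JUNIPER_PROXY_ID_SWAPPED = 'set vpn "VPN" proxy-id local-ip 10.20.15.0/24 remote-ip 192.168.1.0/24 "ANY"'

# Debug lines quoted in the thread (addresses were scrubbed in the original).
IOS_DEBUG = """\
Nov  6 11:39:50.506: Cannot find crypto swsb : in ipsec_process_proposal (), 1590
Nov  6 11:39:50.506: IPSEC(ipsec_process_proposal): proxy identities not supported
Nov  6 11:39:50.506: ISAKMP:(20131): IPSec policy invalidated proposal with error 32
Nov  6 11:39:50.506: ISAKMP:(20131): phase 2 SA policy not acceptable! (local remote
"""


def wildcard_to_network(addr, wildcard):
    """Convert an IOS address/wildcard pair to a network. Only a contiguous
    wildcard can be expressed as a proxy-id, so anything else is rejected."""
    w = int(ipaddress.IPv4Address(wildcard))
    mask = (~w) & 0xFFFFFFFF
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard} cannot be a proxy-id")
    return ipaddress.IPv4Network((addr, prefix), strict=False)


def _take_addr(tokens, i):
    """Consume one IOS address specifier at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_cisco_crypto_acl(text):
    """Return [(protocol, local_net, remote_net)] for every permit entry.
    Trailing keywords such as 'log' are ignored."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "permit":
            continue
        proto = tokens[1]
        src, i = _take_addr(tokens, 2)
        dst, _ = _take_addr(tokens, i)
        entries.append((proto, src, dst))
    return entries


PROXY_ID_RE = re.compile(r'proxy-id\s+local-ip\s+(\S+)\s+remote-ip\s+(\S+)\s+"([^"]+)"')


def parse_juniper_proxy_id(line):
    """Return (local_net, remote_net, service) from a ScreenOS 'set vpn ... proxy-id' line."""
    m = PROXY_ID_RE.search(line)
    if not m:
        raise ValueError("not a ScreenOS proxy-id line")
    local, remote, service = m.groups()
    return (ipaddress.IPv4Network(local, strict=False),
            ipaddress.IPv4Network(remote, strict=False), service)


def proxy_id_mismatches(cisco_entries, juniper_line):
    """A Cisco ACE (proto, src, dst) must appear on the Juniper as remote=src,
    local=dst. Returns a list of mismatch descriptions; empty means they mirror."""
    j_local, j_remote, service = parse_juniper_proxy_id(juniper_line)
    for proto, src, dst in cisco_entries:
        if src == j_remote and dst == j_local:
            if proto == "ip" and service.upper() == "ANY":
                return []
            return [f"networks mirror but protocol differs: Cisco '{proto}' vs Juniper service '{service}'"]
    have = [(str(s), str(d)) for _, s, d in cisco_entries]
    return [f"no Cisco ACE mirrors Juniper local {j_local} / remote {j_remote}; Cisco has {have}"]


# IOS debug strings that mark a responder rejecting the peer's phase 2 proxy IDs.
PHASE2_MARKERS = (
    "proxy identities not supported",
    "IPSec policy invalidated proposal",
    "phase 2 SA policy not acceptable",
)


def phase2_policy_errors(debug_text):
    """Return the debug lines indicating a phase 2 proxy-identity rejection."""
    return [l for l in debug_text.splitlines() if any(m in l for m in PHASE2_MARKERS)]


if __name__ == "__main__":
    acl = parse_cisco_crypto_acl(CISCO_ACL)
    print("mirrored proxy-id:", proxy_id_mismatches(acl, JUNIPER_PROXY_ID_OK) or "OK")
    print("swapped proxy-id: ", proxy_id_mismatches(acl, JUNIPER_PROXY_ID_SWAPPED))
    for line in phase2_policy_errors(IOS_DEBUG):
        print("phase 2 rejection:", line)
```

Paste the real `ip access-list` block and the `set vpn ... proxy-id` line into the two constants to check a live pair. The script only compares networks and the ip/ANY pairing; it does not read the ISAKMP profile or transform set, so a clean result here rules out the proxy-ID mismatch named in the debug but not a transform or PFS disagreement.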

New Member

Hi Osvaldo,


Many thanks for your feedback. I have followed your advice to remove the VPN ACL on the Juniper box and re-create it, however the result is still the same and logs look identical on both sides. The Juniper box was also rebooted in the process.


None of the endpoints is behind a NAT device. Ultimately I would want this setup to work with the Juniper SSG5 located behind a NAT/PAT router, but this is not the case today. The Juniper SSG5 is currently getting a public routable IP address via DHCP.


One line in the Cisco log comes across as strange - should I really be seeing transform=NONE in the proposal from the SSG5:


Nov  6 11:39:50.506: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local=, remote=,
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0



Anders Aberg
