Cannot establish IPSec SA for site-to-site VPN from Juniper SSG5 (dynamic IP) to Cisco 2921 router
Hello, for several days I have been trying to establish a site-to-site VPN from a Juniper SSG5 (ScreenOS 6.3.0r12.0) to a Cisco 2921 router (with ISM crypto engine running IOS 15.4(2)T1 w/ securityk9 license). I am now reaching out to the forum hoping that someone will be able to pinpoint why my VPN won't establish.
SSG5 LAN side: interface bgroup0 in zone Trust, subnet 172.27.35.0/29.
SSG5 internet side: interface eth0/0 in zone Untrust, DHCP assigned public IP address (shown as 18.104.22.168 in attached logs).
SSG5 VPN is configured as route-based (bound to interface tunnel.1) with explicitly configured proxy ids.
Two Cisco 2921 routers running stateful switchover (SSO), which supports only crypto map based VPNs:
Cisco internet side: interface gig0/2.99 in global vrf with HSRP address 22.214.171.124.
Cisco LAN side: interface gig0/0.15 in vrf AUX-SITES with subnet 172.27.32.80/29.
Initially it will be sufficient to establish VPN communication between the 172.27.35.0/29 and 172.27.32.80/29 subnets.
Cisco router pair is in use for other static IP site-to-site VPNs (with Cisco ASA as remote gateways) - this problem is specifically about VPN to Juniper SSG5.
There is full connectivity between the SSG5 and Cisco routers' internet facing interfaces.
When passing traffic from 172.27.35.0/29 to 172.27.32.80/29, IKE phase 1 completes successfully but phase 2 fails.
After hours of troubleshooting, I am fairly sure the proxy IDs/ACLs and transform sets are identically configured on both sides.
ip access-list extended AUX-REMOTE-A
 permit ip 172.27.32.80 0.0.0.7 172.27.35.0 0.0.0.7 log

crypto dynamic-map AUX-REMOTES 10
 set security-association lifetime kilobytes disable
 set security-association lifetime seconds 28800
 set transform-set ESP-AES256-SHA
 set pfs group2
 match address AUX-REMOTE-A
 reverse-route

interface GigabitEthernet0/0.15
 description INTERNAL NETWORK
 encapsulation dot1Q 15
 ip vrf forwarding AUX-SITES
 ip address 172.27.32.85 255.255.255.248
 standby 15 ip 172.27.32.84

interface GigabitEthernet0/2.99
 description INTERNET
 encapsulation dot1Q 3900
 ip address 126.96.36.199 255.255.255.240
 standby 99 ip 188.8.131.52
 standby 99 name HA-INTERNET
 standby 99 track 2 decrement 10
 crypto map VPN redundancy HA-INTERNET stateful
Juniper SSG5 configuration
set interface "ethernet0/0" zone "Untrust"
set interface ethernet0/0 route
set interface ethernet0/0 dhcp client enable   <-- ext i/f currently holds public IP address ("184.108.40.206")
set interface "tunnel.1" zone "Untrust"
set interface tunnel.1 ip unnumbered interface ethernet0/0
set interface "bgroup0" zone "Trust"
set interface bgroup0 ip 172.27.35.1/29
set interface bgroup0 route

set ike p1-proposal "PRE-G2-AES256-SHA" preshare group2 esp aes256 sha-1 minute 1440
set ike p2-proposal "PFS2-ESP-AES256-SHA-28800" group2 esp aes256 sha-1 second 28800

set ike gateway "GW" address 220.127.116.11 Main outgoing-interface "ethernet0/0" preshare "<scrubbed>" proposal "PRE-G2-AES256-SHA"

set vpn "VPN" gateway "GW" no-replay tunnel idletime 0 proposal "PFS2-ESP-AES256-SHA-28800"
set vpn "VPN" id 0x3 bind interface tunnel.1
set vpn "VPN" proxy-id check
set vpn "VPN" proxy-id local-ip 172.27.35.0/29 remote-ip 172.27.32.80/29 "ANY"

set policy id 1 from "Trust" to "Untrust" "net-172.27.35.0/29" "net-172.27.32.80/29" "ANY" permit log
set policy id 1
exit
set route 172.27.32.80/29 interface tunnel.1 permanent
Cisco router status after unsuccessful attempt to send traffic from SSG5 LAN to Cisco LAN
Cisco2921#sh crypto isakmp sa detail
IPv4 Crypto ISAKMP SA
C-id   Local           Remote          I-VRF    Status  Encr  Hash  Auth  DH  Lifetime  Cap.
20131  18.104.22.168   22.214.171.124  AUX-SI   ACTIVE  aes   sha   psk   2   23:51:39
       Engine-id:Conn-id = ISM VPN:131

Cisco2921#show crypto ipsec sa peer 126.96.36.199

Cisco2921#sh crypto session
Interface: GigabitEthernet0/2.99
Profile: AUX-SITES
Session status: UP-IDLE
Peer: 188.8.131.52 port 500
  Session ID: 0
  IKEv1 SA: local 184.108.40.206/500 remote 220.127.116.11/500 Active
Thanks for contacting the Cisco Support Community! I analysed the debug provided and I was able to find the following:
Nov 6 11:39:50.506: Cannot find crypto swsb : in ipsec_process_proposal (), 1590
Nov 6 11:39:50.506: IPSEC(ipsec_process_proposal): proxy identities not supported
Nov 6 11:39:50.506: ISAKMP:(20131): IPSec policy invalidated proposal with error 32
Nov 6 11:39:50.506: ISAKMP:(20131): phase 2 SA policy not acceptable! (local 18.104.22.168 remote 22.214.171.124)
These messages appear when there is a mismatch in the ACLs configured on both devices. I went further and checked how a Juniper firewall should be configured for a route-based VPN, and it seems that they match.
I have seen cases where, after re-entering the ACL in the Juniper device, the VPN is created and starts sending traffic.
So, could you please try to re-enter the ACL in the Juniper and test the connection again?
Also, this problem could be related to one of the devices being behind a NAT device; if this is true, you need to point to the real IP address and not the public IP address.
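Eyeballing the two sides is error-prone, so here is an added Python check (not from the thread or from either vendor) that converts the Cisco crypto ACL's wildcard mask into a prefix and tests whether the ScreenOS proxy-id is its exact mirror image (Cisco local = SSG5 remote and vice versa, ANY = ip). The helper names are my own; the sample lines are the ones posted above.

```python
import ipaddress
import re

SERVICE_TO_PROTO = {"ANY": "ip"}  # ScreenOS service name -> Cisco crypto-ACL protocol

def wildcard_to_network(addr, wildcard):
    """Turn a Cisco 'address wildcard' pair into a network (0 bits in the wildcard must match)."""
    host_bits = int(ipaddress.IPv4Address(wildcard))
    net_bits = ~host_bits & 0xFFFFFFFF
    prefix = bin(net_bits).count("1")
    if net_bits != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"wildcard {wildcard} is not contiguous, so it cannot be a proxy ID")
    # strict (default): an address with host bits set, e.g. .81 0.0.0.7, raises instead of matching
    return ipaddress.ip_network(f"{addr}/{prefix}")

def _parse_side(tokens):
    """Consume one source/destination spec; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]

def parse_cisco_ace(ace):
    """Parse 'permit <proto> <src> <dst> ...' into (proto, local_net, remote_net)."""
    tokens = ace.split()
    if tokens[0] != "permit":
        raise ValueError("only permit entries define protected traffic in a crypto ACL")
    proto = tokens[1]
    local, rest = _parse_side(tokens[2:])
    remote, _ = _parse_side(rest)  # trailing keywords such as 'log' are ignored
    return proto, local, remote

def parse_screenos_proxy_id(line):
    """Parse a 'set vpn ... proxy-id local-ip A remote-ip B "SVC"' line into (proto, local, remote)."""
    m = re.search(r'proxy-id local-ip (\S+) remote-ip (\S+) "([^"]+)"', line)
    if not m:
        raise ValueError("not a ScreenOS proxy-id line")
    proto = SERVICE_TO_PROTO.get(m.group(3), m.group(3).lower())
    return proto, ipaddress.ip_network(m.group(1)), ipaddress.ip_network(m.group(2))

def proxy_ids_match(cisco_ace, screenos_line):
    """True only when the SSG5 proxy ID is the exact mirror image of the Cisco ACE."""
    c_proto, c_local, c_remote = parse_cisco_ace(cisco_ace)
    j_proto, j_local, j_remote = parse_screenos_proxy_id(screenos_line)
    return c_proto == j_proto and c_local == j_remote and c_remote == j_local
```

A False result, or a ValueError from a misaligned address or non-contiguous wildcard, is exactly the kind of difference that produces "proxy identities not supported" on the IOS side.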
Many thanks for your feedback. I have followed your advice to remove the VPN ACL on the Juniper box and re-create it, however the result is still the same and logs look identical on both sides. The Juniper box was also rebooted in the process.
None of the endpoints is behind a NAT device. Ultimately I would want this setup to work with the Juniper SSG5 located behind a NAT/PAT router, but this is not the case today. The Juniper SSG5 is currently getting a public routable IP address via DHCP.
One line in the Cisco log comes across as strange - should I really be seeing transform=NONE in the proposal from the SSG5: