I'm trying to build a tunnel between our ASA 5510 and a service provider's Juniper Netscreen.
The IKE phase 1 tunnel works fine, but the IPsec phase 2 tunnel doesn't. Based on the logs on both sides, it seems that the problem is in the proxy-id configuration, so the protected networks don't match. I have tried to do everything I understand on the ASA, but can't get it to work. Could someone help me with what else the problem could be? Are there any known issues between ASA and Netscreen? The SP points at me and says that I have to configure the proxy-ids correctly.
The SP said that they have configured the following networks in the Netscreen proxy-id (route based):
I attach my ASA configuration related to the tunnel. Below you can see the log messages from the ASA and the Netscreen.
Thanks in advance,
ASA log -->
asa5510# Mar 24 10:57:58 [IKEv1]: Group = Netscreen_IP, IP = Netscreen_IP, QM FSM error (P2 struct &0xd8cfcf80, mess id 0x50bcdd6b)!
Mar 24 10:57:58 [IKEv1]: Group = Netscreen_IP, IP = Netscreen_IP, construc
Mar 24 10:57:58 [IKEv1]: Group = Netscreen_IP, IP = Netscreen_IP, Removing peer from correlator table failed, no match!
Netscreen log -->
IKE ASA_IP Phase 2: No policy exists for the proxy ID received: local ID (ASA_IP/255.255.255.255, 0, 0) remote ID (ASA_IP/255.255.255.255, 0, 0)
The error relates to the information you have in your ACL OUTSIDE_1_cryptomap; I think you have these the wrong way round.
You have configured:
Local encryption domain: z.z.z.0/24
Remote encryption domain: host1, host2, host3
So perhaps it should be:
access-list OUTSIDE_1_cryptomap extended permit ip object-group VPN_hostgroup z.z.z.0 255.255.255.0
Also be aware that Juniper is very fussy about these settings, so you need to ensure that your ISP has EXACTLY the same subnets/masks configured.
Thanks James for the fast reply.
I changed the access-list as you suggested, but the result is still the same. And as far as I understand, it should be as it was at first. First I must define the local network(s) and then the remote network(s) in the access-list?
So, the problem still occurs; any help/ideas?
What if you were to rem out the following:
crypto map OUTSIDE_map 1 set nat-t-disable
What happens?
crypto map OUTSIDE_map 1 which will apply the crypto-map to the outside interface.
What I meant in my earlier comment was to rem out just the following:
crypto map OUTSIDE_map 1 match address OUTSIDE_1_cryptomap
crypto map OUTSIDE_map 1 set pfs
crypto map OUTSIDE_map 1 set connection-type originate-only
crypto map OUTSIDE_map 1 set peer remote_IP
crypto map OUTSIDE_map 1 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_map 1 set nat-t-disable   <-- rem this section out
crypto map OUTSIDE_map 1
Can you post a working config for route-based VPNs (ASA --- Juniper) for reference?
I am also in the same kind of situation.
If you think your ACL is good, then you need to verify with your ISP that they have configured EXACTLY the same on their side. Juniper is quite particular, so if you have configured 192.168.1.206 and they have configured 192.168.1.0/24 then it will not work.
The error you're getting relates to the negotiation of the network IDs between the two VPN peers. If you read the error carefully and look at the Cisco ACL and the Juniper ACL then you will see where the problem is.
I have the exact same problem. Some more detailed logs on the Juniper show:
## 2009-04-21 16:39:49 : rcv_local_addr = 10.20.1.0, rcv_local_mask = 255.255.255.0, p_rcv_local_real = 10.20.1.0
## 2009-04-21 16:39:49 : rcv_remote_addr = 126.96.36.199, rcv_remote_mask = 255.255.255.248, p_rcv_remote_real = 188.8.131.52
## 2009-04-21 16:39:49 : ike_p2_id->local_ip = 184.108.40.206, cfg_local_mask = 255.255.255.248, p_cfg_local_real = 220.127.116.11
## 2009-04-21 16:39:49 : ike_p2_id->remote_ip = 10.20.1.0, cfg_remote_mask = 255.255.255.0, p_cfg_remote_real = 10.20.1.0
## 2009-04-21 16:39:49 : IKE<18.104.22.168> local address NOT matched.
I've spent a lot of time troubleshooting this one and haven't gotten anywhere... unfortunately it doesn't look like there are any working ASA-to-Juniper configs when using policy-based VPN on the Juniper side.
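The two checks the thread keeps coming back to (the Netscreen proxy-id must be the exact mirror of the ASA crypto ACL, and a /32 host versus a /24 subnet is already a mismatch) can be mechanised. The script below is an added example, not from the thread or from Cisco/Juniper: it parses ASA `access-list ... extended permit ip LOCAL MASK REMOTE MASK` lines (source = local encryption domain, destination = remote), parses NetScreen phase-2 debug lines in the format posted above (assumed meaning: `rcv_*` are the proxy IDs received from the peer, `ike_p2_id->*` / `cfg_*` the ones configured on the Netscreen), and reports whether the IDs are swapped or simply do not match. All sample data in it is constructed for illustration.

```python
"""Check IPsec phase-2 proxy IDs between a Cisco ASA crypto ACL and a Juniper
NetScreen peer, and interpret NetScreen 'debug ike' proxy-id lines.

Added example, not from the thread. Assumptions: ASA crypto-map ACLs have
source = local network and destination = remote network; the NetScreen debug
fields are named as in the lines posted in the thread (rcv_* = received from
the peer, ike_p2_id->*/cfg_* = configured locally). Sample data is constructed.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network


def net(addr: str, mask: str) -> Net:
    """Dotted address + dotted mask -> network; strict=False tolerates host bits."""
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


ACL_RE = re.compile(
    r"access-list\s+(\S+)\s+extended\s+permit\s+ip\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s*$"
)


def asa_proxy_ids(acl_text: str) -> List[Tuple[str, Net, Net]]:
    """Parse ASA crypto-ACL lines into (acl_name, local_net, remote_net)."""
    result = []
    for line in acl_text.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            name, la, lm, ra, rm = m.groups()
            result.append((name, net(la, lm), net(ra, rm)))
    return result


def mirror_problems(asa_local: Net, asa_remote: Net, ns_local: Net, ns_remote: Net) -> List[str]:
    """The NetScreen proxy-id must be the exact mirror of the ASA ACL entry:
    NetScreen local == ASA remote and NetScreen remote == ASA local,
    prefix length included (a /32 host vs a /24 subnet is a mismatch)."""
    if ns_local == asa_local and ns_remote == asa_remote and asa_local != asa_remote:
        return [f"proxy-ids are the wrong way round: NetScreen local should be "
                f"{asa_remote}, remote {asa_local}"]
    problems = []
    if ns_local != asa_remote:
        problems.append(f"NetScreen local {ns_local} != ASA remote {asa_remote}")
    if ns_remote != asa_local:
        problems.append(f"NetScreen remote {ns_remote} != ASA local {asa_local}")
    return problems


DEBUG_RE = re.compile(
    r"(rcv_local_addr|rcv_remote_addr|ike_p2_id->local_ip|ike_p2_id->remote_ip)"
    r"\s*=\s*([\d.]+),\s*\w+_mask\s*=\s*([\d.]+)"
)
DEBUG_KEYS = {
    "rcv_local_addr": "rcv_local",
    "rcv_remote_addr": "rcv_remote",
    "ike_p2_id->local_ip": "cfg_local",
    "ike_p2_id->remote_ip": "cfg_remote",
}


def parse_netscreen_debug(text: str) -> Dict[str, Net]:
    """Pull the four proxy-id networks out of NetScreen phase-2 debug output."""
    ids: Dict[str, Net] = {}
    for line in text.splitlines():
        m = DEBUG_RE.search(line)
        if m:
            key, addr, mask = m.groups()
            ids[DEBUG_KEYS[key]] = net(addr, mask)
    return ids


def diagnose_netscreen(ids: Dict[str, Net]) -> List[str]:
    """Explain a 'local/remote address NOT matched' failure from the parsed IDs."""
    missing = [k for k in DEBUG_KEYS.values() if k not in ids]
    if missing:
        return [f"debug output incomplete, missing {', '.join(missing)}"]
    # Seen from the NetScreen, the ASA's remote ID is its own local ID, so the
    # ASA entry it received is local = rcv_remote, remote = rcv_local.
    return mirror_problems(ids["rcv_remote"], ids["rcv_local"], ids["cfg_local"], ids["cfg_remote"])


# Constructed sample: ASA side 172.16.10.0/24, NetScreen side 10.20.1.0/24.
ASA_ACL = "access-list VPN extended permit ip 172.16.10.0 255.255.255.0 10.20.1.0 255.255.255.0\n"

# Constructed NetScreen debug for a proxy-id configured the wrong way round.
NS_DEBUG_SWAPPED = """\
## 2009-04-21 16:39:49 : rcv_local_addr = 10.20.1.0, rcv_local_mask = 255.255.255.0, p_rcv_local_real = 10.20.1.0
## 2009-04-21 16:39:49 : rcv_remote_addr = 172.16.10.0, rcv_remote_mask = 255.255.255.0, p_rcv_remote_real = 172.16.10.0
## 2009-04-21 16:39:49 : ike_p2_id->local_ip = 172.16.10.0, cfg_local_mask = 255.255.255.0, p_cfg_local_real = 172.16.10.0
## 2009-04-21 16:39:49 : ike_p2_id->remote_ip = 10.20.1.0, cfg_remote_mask = 255.255.255.0, p_cfg_remote_real = 10.20.1.0
## 2009-04-21 16:39:49 : IKE<10.20.20.1> local address NOT matched.
"""

if __name__ == "__main__":
    name, asa_local, asa_remote = asa_proxy_ids(ASA_ACL)[0]
    print(f"ASA ACL {name}: local {asa_local}, remote {asa_remote}")
    for p in diagnose_netscreen(parse_netscreen_debug(NS_DEBUG_SWAPPED)):
        print("NetScreen:", p)
    # Host-vs-subnet case from the thread: ASA has a /32, the SP has the /24.
    for p in mirror_problems(net("192.168.1.206", "255.255.255.255"), Net("10.20.1.0/24"),
                             Net("10.20.1.0/24"), Net("192.168.1.0/24")):
        print("mismatch:", p)
```

Run it against your own `show run access-list` output and the SP's `debug ike` capture; an empty list from `mirror_problems` is the condition under which phase 2 can negotiate, and any non-empty list names exactly which side has to change.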
Got it working with route-based VPNs... we found that policy-based VPNs don't work if you are trying to pass multiple subnets across the VPN.
access-list VPN extended permit ip 172.16.10.0 255.255.255.0 10.20.1.0 255.255.255.0
access-list VPN2 extended permit ip 172.17.10.0 255.255.255.0 10.20.1.0 255.255.255.0
crypto ipsec transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
crypto map NS-map 10 match address VPN
crypto map NS-map 10 set pfs
crypto map NS-map 10 set peer 10.20.20.1
crypto map NS-map 10 set transform-set AES256-SHA
crypto map NS-map 10 set security-association lifetime seconds 3600
crypto map NS-map 20 match address VPN2
crypto map NS-map 20 set pfs
crypto map NS-map 20 set peer 10.20.20.1
crypto map NS-map 20 set transform-set AES256-SHA
crypto map NS-map 20 set security-association lifetime seconds 3600
crypto map NS-map interface inside
crypto isakmp identity address
crypto isakmp enable inside
crypto isakmp policy 30
no crypto isakmp nat-traversal
Just follow the vanilla route-based VPN instructions in any Juniper documentation.
Hope this helps...