SRX Using DHCP on UNTRUST (BRANCH)-- Connected to Static VTI Cisco Router (HQ)
Good morning Gentlemen, I need some advice. I am primarily a cisco IOS chap, but have recently been delving into some JUNOS action.
I cannot find an example on the Juniper Forums/Documentation or the Cisco Forums/Documentation to my specific Issue.
Firstly, I am not interested in Policy Based VPNs. I do not know if it is possible to use a DHCP assigned public address on remote device with a "static VTI" - when using IKE identities. However as Phase one is up, I think the issue is more to do with Phase2 proposals when not explicitly defining a Tunnel destination.
In the scenario I am trying to sort now, I have an SRX-100 device, that gets its public address from a DHCP server.
I have back at the HQ, a cisco router.
The Cisco router has various VTI tunnels out to other branch devices, that are smaller Cisco routers. These VTI tunnels are working fine - note all using static Public IP's
I have my phase1 up fine, (from both sides' perspective) and am sending a local-identity hostname instead of a defining a destination address on the Tunnel on the cisco side.
Index State Initiator cookie Responder cookie Mode Remote Address 5048723 UP 41ee08a4a0fde661 517176fea0f23989 Aggressive 18.104.22.168
IPv4 Crypto ISAKMP SA dst src state conn-id status
22.214.171.124 126.96.36.199 QM_IDLE 1110 ACTIVE NICK-SRX-ISAKMP-PROFILE
A working VTI tunnel has an SA of : (cisco perspecive)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0) remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
I have tried sending this as the proxy-id on the Juniper to no avail.
The error is still :
*Jun 6 10:20:07.244: ISAKMP1110):atts are acceptable.
IPSec policy invalidated proposal with error 64 *Jun 6 10:20:07.244: ISAKMP1110): phase 2 SA policy not acceptable!
The IPSEC transform-Set attributes are accepted though,
transform 0, ESP_3DES *Jun 6 10:20:07.244: ISAKMP: attributes in transform: *Jun 6 10:20:07.244: ISAKMP: authenticator is HMAC-SHA *Jun 6 10:20:07.244: ISAKMP: SA life type in seconds *Jun 6 10:20:07.244: ISAKMP: SA life duration (VPI) of 0x0 0x0 0xE 0x10 *Jun 6 10:20:07.244: ISAKMP: SA life type in kilobytes *Jun 6 10:20:07.244: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0 *Jun 6 10:20:07.244: ISAKMP: encaps is 1 (Tunnel) *Jun 6 10:20:07.244: ISAKMP1110):atts are acceptable.
So it is something to do with the SA/Proxy ID's being sent.
FYI - If I use the Provider given DHCP address on the Cisco Tunnel config, as a destination - the tunnel comes up immediately....So ' thinking this may be a limitation of static VTI. I have not tested the IKE identity on a remote cisco router also using VTI yet.
So I guess my question is Is this possible using a static VTI?
What does this comand do - does it turn on dynamic VTI (all that virtual-template business)- or just tell the tunnel to expect and IKE identity?
tunnel destination dynamic
Does Dynamic VTI work with Different Vendors, and if so how can you control what VRF is assigned to the tunnels - I will need in the future multiple VRF's for each branch device, some using DHCP public addresses.
The VTI design guide does not mention Identity IKE for branch sites without using dynamic VTI.
I would like to avoid using the whole easyVPN / dynamic VTI, as I need to use multiple VRF;s on the endpoints.
We are pleased to announce availability of Beta software for 16.6.3. 16.6.3 will be the second rebuild on the 16.6 release train targeted towards Catalyst 9500/9400/9300/3850/3650 switching platforms. We are looking for early feedback from custome...