[c-nsp] Help with an IPSec scenario

Tom Storey tom at snnap.net
Fri Mar 13 11:35:15 EDT 2015


Hi everyone,

Trying to establish an IPSec tunnel (route based) between a Juniper
SRX and a Cisco IOS router.

The topology is two routers with DSL services, the SRX is on a dynamic
IP, the Cisco on a static. No NAT is involved in the path between the
two routers.

Here's the configs I'm working on: http://pastebin.com/gUEFVTau

Basically what I'm getting is this...

In main mode, phase 1 is OK, and I get probably 99% of the way in
phase 2, but it doesn't quite complete, with errors like "proxy
identities not supported".

I can fix this by configuring Tunnel0's destination as the IP of the
SRX /at the time/ and can then ping across the tunnel. But this
obviously isn't a long term solution because if the IP of the SRX
changes (and it does, frequently, because the DSL is notoriously
unstable) then the VPN stops working.

So I try to go aggressive mode, but this is even worse, with phase 1
not completing with errors like "IKE packet from x.x.x.x was not
encrypted and it should've been", and never really making it past
AG_INIT_EXCH.

This is a debug of aggressive mode: http://pastebin.com/RUAaXDyE

Based on my supplied configs, can anyone help me come up with a
solution that allows the SRX to initiate a connection from any random
IP, and the Cisco accepts it, but I don't have to configure the IP of
the SRX on the Cisco in order for it to work? I feel like I'm
tantalisingly close, but after several hours at it so far and copious
amounts of googling, I just can't see the solution...

Thanks.
