[c-nsp] Help with an IPSec scenario

Nick Cutting ncutting at edgetg.co.uk
Fri Mar 13 12:25:16 EDT 2015


I tried to get this to work for weeks; in the end, I used dyn-dns on the Juniper side, and ran an EEM script on the Cisco router (2911 - 15.3) that looked up the dyn-dns Juniper name, then rewrote the tunnel destination, every 5 minutes.

I can't see your config, as it is blocked at my work - I was using 0.0.0.0/0 as the proxy id on the juniper side, and a "normal" static VTI tunnel on the Juniper side.

This works, as it is my home setup back to the office.

I did not try DVTI, and I'm not sure if it uses NHRP in the same way as DMVPN would (with no GRE) - which wouldn't probably work with a Juniper routed tunnel anyway.



-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tom Storey
Sent: 13 March 2015 15:35
To: cisco-nsp; juniper-nsp at puck.nether.net
Subject: [c-nsp] Help with an IPSec scenario

Hi everyone,

Trying to establish an IPSec tunnel (route based) between a Juniper SRX and a Cisco IOS router.

The topology is two routers with DSL services, the SRX is on a dynamic IP, the Cisco on a static. No NAT is involved in the path between the two routers.

Here are the configs I'm working on: http://pastebin.com/gUEFVTau

Basically what I'm getting is this...

In main mode, phase 1 is OK, and I get probably 99% of the way in phase 2, but it doesn't quite complete, with errors like "proxy identities not supported".

I can fix this by configuring Tunnel0's destination as the IP of the SRX /at the time/ and can then ping across the tunnel. But this obviously isn't a long term solution because if the IP of the SRX changes (and it does, frequently, because the DSL is notoriously unstable) then the VPN stops working.

So I try to go aggressive mode, but this is even worse, with phase 1 not completing with errors like "IKE packet from x.x.x.x was not encrypted and it should've been", and never really making it past AG_INIT_EXCH.

This is a debug of aggressive mode: http://pastebin.com/RUAaXDyE

Based on my supplied configs, can anyone help me come up with a solution that allows the SRX to initiate a connection from any random IP, and the Cisco accepts it but I don't have to configure the IP of the SRX on the Cisco in order for it to work? I feel like I'm tantalisingly close, but after several hours at it so far and copious amounts of googling, I just can't see the solution...

Thanks.
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
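The dyn-dns lookup plus EEM rewrite that Nick describes in his reply, written out as an IOS EEM applet. This is an added example, not configuration from either poster or from the pastebin links; the name-server address 192.0.2.53, the peer hostname vpn-home.example.net and the applet name are assumptions, and Tunnel0 is the interface name Tom uses in his post.

```cisco
! Added example (not from the thread): EEM applet that resolves a dyn-dns
! name every 5 minutes and rewrites the VTI destination only when the
! resolved address differs from what is currently configured.
! Assumed values: name-server 192.0.2.53, peer name vpn-home.example.net.
!
! The router must be able to resolve names for the ping below to work.
ip domain lookup
ip name-server 192.0.2.53
!
event manager applet TRACK-SRX-PEER
 ! Run every 300 seconds (the 5-minute interval from the reply).
 event timer watchdog time 300
 action 1.0 cli command "enable"
 ! Resolve the name by pinging it once; the "Echos to <addr>," line is
 ! printed before any reply arrives, so this works even if the peer is down.
 action 2.0 cli command "ping vpn-home.example.net repeat 1"
 action 2.1 regexp "Echos to ([0-9.]+)," "$_cli_result" match newip
 action 2.2 if $_regexp_result ne "1"
 action 2.3 syslog priority warnings msg "TRACK-SRX-PEER: DNS lookup failed, leaving Tunnel0 unchanged"
 action 2.4 exit
 action 2.5 end
 ! Read the current destination so the interface is only touched on a change.
 action 3.0 cli command "show running-config interface Tunnel0 | include tunnel destination"
 action 3.1 regexp "tunnel destination ([0-9.]+)" "$_cli_result" match curip
 action 4.0 if $newip ne $curip
 action 4.1 cli command "configure terminal"
 action 4.2 cli command "interface Tunnel0"
 action 4.3 cli command "tunnel destination $newip"
 action 4.4 cli command "end"
 action 4.5 syslog priority notifications msg "TRACK-SRX-PEER: Tunnel0 destination changed from $curip to $newip"
 action 4.6 end
```

Two things worth keeping in mind with this pattern. The DNS answer only steers the outer address of the tunnel; whether an SA actually comes up is still decided by IKE authentication, so a stale or wrong answer leaves the tunnel down (a VTI with tunnel protection drops traffic until the IPsec SA exists) rather than sending anything to an unauthenticated peer, and the syslog lines above make such a failure visible. Second, the time to recover after the SRX changes address is bounded by the dyn-dns record TTL plus the watchdog interval, so the 5-minute timer is a floor, not a guarantee.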
