[j-nsp] SRX IPSEC VPN dynamic-to-static
Bikash Bhattarai
bikash at dristi.com.np
Sun Feb 20 22:20:34 EST 2011
Dear Lewies,

I have been using this scenario. Unfortunately, I am using a Cisco SA520 and a Cisco 881 on the dynamic side. This is the working config on the head office SRX-210H:
security {
    ike {
        proposal TESTPROP {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 28800;
        }
        policy POL1 {
            mode aggressive;
            proposals TESTPROP;
            pre-shared-key ascii-text SECRET-DATA
        }
        gateway REMOTE-GATE {
            ike-policy POL1;
            dynamic hostname bikash.test.com;
            external-interface ge-0/0/0.0;
        }
    }
    ipsec {
        proposal TEST {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-128-cbc;
        }
        policy vpn-policy1 {
            proposals TEST;
        }
        vpn REM-VPN {
            bind-interface st0.0;
            ike {
                gateway REMOTE-GATE;
                no-anti-replay;
                proxy-identity {
                    local 192.168.0.0/16;
                    remote 10.139.20.0/24;
                    service any;
                }
                ipsec-policy vpn-policy1;
            }
            establish-tunnels immediately;
        }
    }
}
*Branch Side Cisco 881* config

crypto isakmp policy 2
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
! x.y.z.x is the static public IP of the SRX-210
crypto isakmp key xxxxx address x.y.z.x
crypto isakmp identity hostname
crypto isakmp profile PROF1
 keyring default
 self-identity fqdn bikash.test.com
 match identity user-fqdn bikash.test.com
 initiate mode aggressive
!
crypto ipsec transform-set myset esp-aes esp-sha-hmac
!
crypto map SDM_CMAP_1 isakmp-profile PROF1
crypto map SDM_CMAP_1 1 ipsec-isakmp
 ! x.y.z.x is the static public IP of the SRX-210
 set peer x.y.z.x
 set transform-set myset
 match address 101
!
interface FastEthernet4
 ip address dhcp
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface Vlan1
 ip address 10.139.20.1 255.255.255.0
 ip virtual-reassembly
!
access-list 101 permit ip 10.139.20.0 0.0.0.255 192.168.0.0 0.0.255.255
Hope this helps.
Regards,
Bikash
On Fri, Feb 18, 2011 at 3:57 PM, Mauritz Lewies <mauritz at three6five.com> wrote:
> Thanks
>
> I followed that as well and no luck....
>
> Can you see anything glaringly wrong?
>
> ----------------------Head Office--------------------------
> ike {
>     traceoptions {
>         file IKE-TEST-2;
>         flag all;
>     }
>     proposal ONEPLAN {
>         authentication-method pre-shared-keys;
>         dh-group group5;
>         authentication-algorithm md5;
>         encryption-algorithm des-cbc;
>     }
>     policy ONEPLAN {
>         mode aggressive;
>         proposal ONEPLAN;
>         pre-shared-key ascii-text "$9$y0/K87ZGifT3jHqfTQ9CuO1hlM8Lx"; ## SECRET-DATA
>     }
>     gateway ONEPLAN {
>         ike-policy ONEPLAN;
>         dynamic hostname openplan-srx-1.oneplan.co.za;
>         dead-peer-detection;
>         nat-keepalive 10;
>         external-interface ge-0/0/0.0;
>     }
> }
> ipsec {
>     proposal ONEPLAN {
>         protocol esp;
>         authentication-algorithm hmac-md5-96;
>     }
>     policy ONEPLAN {
>         perfect-forward-secrecy {
>             keys group5;
>         }
>         proposals ONEPLAN;
>     }
>     vpn ONEPLAN {
>         ike {
>             gateway ONEPLAN;
>             proxy-identity {
>                 local 192.168.16.0/24;
>                 remote 192.168.1.0/24;
>             }
>             ipsec-policy ONEPLAN;
>         }
>         establish-tunnels on-traffic;
>     }
> }
> -----------------------------------------------------------------
>
>
> ------------------Remote Site-----------------------------
> ike {
>     traceoptions {
>         file ike-test;
>         flag all;
>     }
>     proposal ipsec-ctn-jhb {
>         description oneplan-jhb;
>         authentication-method pre-shared-keys;
>         dh-group group5;
>         authentication-algorithm md5;
>         encryption-algorithm des-cbc;
>         lifetime-seconds 1800;
>     }
>     policy ipsec-ctn-jhb {
>         mode aggressive;
>         description ipsec-ctn-jhb;
>         proposal ipsec-ctn-jhb;
>         pre-shared-key ascii-text "$9$l0yMX-UDkTz6HqmTzFAtO1RSK8XxN"; ## SECRET-DATA
>     }
>     gateway ipsec-ctn-jhb {
>         ike-policy ipsec-ctn-jhb;
>         address zzz.zzz.zzz.zzz;
>         dead-peer-detection;
>         nat-keepalive 10;
>         local-identity hostname openplan-srx-1.oneplan.co.za;
>         external-interface pp0.1;
>     }
> }
> ipsec {
>     proposal ipsec-ctn-jhb {
>         description ipsec-ctn-jhb;
>         protocol esp;
>         authentication-algorithm hmac-md5-96;
>         lifetime-kilobytes 1500;
>     }
>     policy ipsec-ctn-jhb {
>         perfect-forward-secrecy {
>             keys group5;
>         }
>         proposals ipsec-ctn-jhb;
>     }
>     vpn ipsec-ctn-jhb {
>         bind-interface st0.0;
>         ike {
>             gateway ipsec-ctn-jhb;
>             proxy-identity {
>                 local 192.168.1.0/24;
>                 remote 192.168.16.0/24;
>             }
>             ipsec-policy ipsec-ctn-jhb;
>         }
>         establish-tunnels immediately;
>     }
> }
> -----------------------------------------------------------------
>
> The error in the Head Office logs:
>
> ----------------------------------------------------------------
> Feb 18 12:05:44 Not doing MM check since initiator=FALSE and exch_type=4
> Feb 18 12:05:44 Unable to find ike gateway as remote peer:196.215.zzz.zzz is not recognized.
> Feb 18 12:05:44 KMD_PM_P1_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-1 [responder] failed for p1_local=ipv4(any:0,[0..3]=10.0.0.10) p1_remote=fqdn(udp:500,[0..27]=openplan-srx-1.oneplan.co.za)
> Feb 18 12:05:44 KMD_PM_P1_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-1 [responder] failed for p1_local=ipv4(any:0,[0..3]=10.0.0.10) p1_remote=fqdn(udp:500,[0..27]=openplan-srx-1.oneplan.co.za)
> Feb 18 12:05:44 ike_isakmp_sa_reply: Start
> Feb 18 12:05:44 ike_st_i_nonce: Start, nonce[0..64] = 0ecbc9f8 fc1d422a ...
> Feb 18 12:05:44 ike_st_i_cert: Start
> Feb 18 12:05:44 ike_st_i_hash_key: Start, no key_hash
> Feb 18 12:05:44 ike_st_i_ke: Ke[0..128] = 51ad806d 497efe51 ...
> Feb 18 12:05:44 ike_st_i_cr: Start
> Feb 18 12:05:44 ike_st_i_private: Start
> Feb 18 12:05:44 ike_st_o_sa_values: Start
> Feb 18 12:05:44 10.0.0.10:500 (Responder) <-> 196.215.zzz.zzz:500 { 4b6d2059 bf8ccb39 - 0bf91a18 ab9c5e4c [-1] / 0x00000000 } Aggr; Error = No proposal chosen (14)
> ------------------------------------------------------------
>
> On 17 Feb 2011, at 4:41 PM, Kevin Vuong wrote:
>
> > This should get you going in the right direction:
> >
> >
> > http://forums.juniper.net/t5/SRX-Services-Gateway/Site-to-Site-Tunnel-Dynamic-Peer/td-p/33613
> >
> > -Kevin
> >
> >
> >
> > On Feb 17, 2011, at 8:28 AM, Mauritz Lewies wrote:
> >
> >> Hi
> >>
> >> For whatever reason I can't find documentation on this anywhere. (I'm just hoping my google-fu is lacking and that it's not an unsupported feature.)
> >>
> >> I have 2 x SRX-210s, one with a static public IP and another behind a dynamic ADSL account.
> >> I'm trying to get an IPSEC session established from the dynamic site to the static site.
> >>
> >> But I can't get a combination of config options to work.
> >>
> >> Does anyone know how to get this done or point me in the right direction?
> >>
> >> Kind Regards,
> >>
> >> Mauritz
> >> _______________________________________________
> >> juniper-nsp mailing list juniper-nsp at puck.nether.net
> >> https://puck.nether.net/mailman/listinfo/juniper-nsp
> >
>
> Mauritz Lewies
> email: mo at three6five.com
> mobile: +27 83 647 4901
> Skype Phone: +27 11 08 365 02
> three6five network solutions
> www.three6five.com
>
>
--
Regards,
Bikash Bhattarai
Dristi Tech (P.) Ltd.
Lazimpat, Kathmandu
Mob: +977-9851039710
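An added example, not part of the thread: a small Python 3.8+ triage script that reads the decisive lines of the Head Office trace quoted above (rejoined, with the thread's own values used as constructed sample input) and pulls out the facts that decide a Phase-1 failure: peer, role and mode, the identity type and value the peer presented, whether a gateway matched it, and the notify code the responder sent back. The reading it encodes, that a "No proposal chosen (14)" sent right after KMD_PM_P1_POLICY_LOOKUP_FAILURE is a consequence of the failed gateway lookup rather than an algorithm mismatch, and that a private p1_local address means the static side is itself behind NAT, is my interpretation of the trace sequence, not something the thread states.

```python
import re
import ipaddress

# Constructed sample: the decisive lines of the quoted Head Office IKE trace,
# with the archive's wrapped lines rejoined (values are the thread's own).
SAMPLE_LOG = """\
Feb 18 12:05:44 Not doing MM check since initiator=FALSE and exch_type=4
Feb 18 12:05:44 Unable to find ike gateway as remote peer:196.215.zzz.zzz is not recognized.
Feb 18 12:05:44 KMD_PM_P1_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-1 [responder] failed for p1_local=ipv4(any:0,[0..3]=10.0.0.10) p1_remote=fqdn(udp:500,[0..27]=openplan-srx-1.oneplan.co.za)
Feb 18 12:05:44 ike_isakmp_sa_reply: Start
Feb 18 12:05:44 10.0.0.10:500 (Responder) <-> 196.215.zzz.zzz:500 { 4b6d2059 bf8ccb39 - 0bf91a18 ab9c5e4c [-1] / 0x00000000 } Aggr; Error = No proposal chosen (14)
"""

GATEWAY_RE = re.compile(r"Unable to find ike gateway as remote peer:(\S+) is not recognized")
LOOKUP_RE = re.compile(r"KMD_PM_P1_POLICY_LOOKUP_FAILURE:.*?p1_local=(\w+)\(.*?=([^)]+)\)"
                       r"\s+p1_remote=(\w+)\(.*?=([^)]+)\)")
ERROR_RE = re.compile(r"\((Initiator|Responder)\) <-> (\S+):\d+ .*? (Aggr|Main); Error = (.+?) \((\d+)\)")


def triage_phase1(log_text):
    """Reduce an SRX kmd trace to the facts that decide a Phase-1 failure and explain them."""
    r = {"peer": None, "role": None, "mode": None, "local_addr": None, "local_is_private": None,
         "remote_id_type": None, "remote_id": None, "gateway_found": True,
         "error": None, "error_code": None, "diagnosis": None}
    for line in log_text.splitlines():
        if m := GATEWAY_RE.search(line):          # responder could not map the peer to any gateway
            r["gateway_found"], r["peer"] = False, m.group(1)
        elif m := LOOKUP_RE.search(line):         # identity type and value the peer presented
            r["local_addr"], r["remote_id_type"], r["remote_id"] = m.group(2), m.group(3), m.group(4)
        elif m := ERROR_RE.search(line):          # the notify the responder finally sent
            r["role"], r["peer"], r["mode"], r["error"] = m.group(1), m.group(2), m.group(3), m.group(4)
            r["error_code"] = int(m.group(5))
    if r["local_addr"]:
        try:
            r["local_is_private"] = ipaddress.ip_address(r["local_addr"]).is_private
        except ValueError:
            pass                                   # sanitised addresses such as zzz.zzz stay None
    notes = []
    if r["error"] == "No proposal chosen" and not r["gateway_found"]:
        notes.append(f"no ike gateway matched the {r['remote_id_type']} identity {r['remote_id']!r}; "
                     "the responder had no policy to compare proposals against, so fix the gateway "
                     "(dynamic hostname / identity type / external-interface) before touching algorithms")
    elif r["error"] == "No proposal chosen":
        notes.append("gateway matched; compare dh-group, auth and encryption of the IKE proposals on both peers")
    if r["local_is_private"]:
        notes.append(f"responder address {r['local_addr']} is RFC 1918, so the static side is itself "
                     "behind NAT; confirm UDP 500/4500 are forwarded to it and NAT-T is negotiated")
    r["diagnosis"] = "; ".join(notes) or "no Phase-1 failure pattern recognised"
    return r
```

Feed it the rejoined contents of the traceoptions file (here `SAMPLE_LOG`) and read `diagnosis`; the other keys are there so the same facts can be checked against the gateway stanza by hand.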