[j-nsp] Help with vpn srx - asa

Per Westerlund p1 at westerlund.se
Mon Mar 5 07:47:33 EST 2012


The ASAs are usually quite picky about Proxy-ID, and since you haven't specified one, the SRX will use "any, any, any" (all 0). That kind of Proxy-ID (or lack of) usually works well when you are using a route-based setup. The ASA on the other hand (almost) always uses policy-based VPN, where you have to specify source and destination networks.

I don't think this is your problem yet, since the phase 1 handshake doesn't work.

I would say: remove the local-identity from the gateway definition. This can mess things up. It is normally enough that the remote end can see your external interface source address.

/Per

5 mar 2012 kl. 12:57 skrev bizza:

> Hi,
> I have some problems configuring a VPN between an SRX and a Cisco ASA.
> This is my configuration:
> 
>    ike {
>        proposal trans-vpn {
>            authentication-method pre-shared-keys;
>            dh-group group5;
>            authentication-algorithm sha-256;
>            encryption-algorithm aes-256-cbc;
>            lifetime-seconds 86400;
>        }
>        policy ike_pol_vpn2remote {
>            mode main;
>            proposals trans-vpn;
>            pre-shared-key ascii-text "1234567899"; ## SECRET-DATA
>        }
>        gateway gw_vpn2remote {
>            ike-policy ike_pol_vpn2remote;
>            address X.Y.W.Z;
>            local-identity inet A.B.C.D;
>            external-interface fe-0/0/7.0;
>            version v1-only;
>        }
>    }
>    ipsec {
>        policy ipsec_pol_vpn2remote {
>            proposal-set compatible;
>        }
>        vpn vpn2remote {
>            bind-interface st0.0;
>            ike {
>                gateway gw_vpn2remote;
>                ipsec-policy ipsec_pol_vpn2remote;
>            }
>            establish-tunnels immediately;
>        }
>    }
> 
> And on the ASA side the remote IT tech said that the configuration is the
> same: encryption, hash, lifetime, group, etc.
> 
> In /var/log/kmd I found:
> Mar  5 12:51:27   IKEv1 Error : Timeout
> Mar  5 12:52:06   IKEv1 Error : No proposal chosen
> Mar  5 12:52:27   IKEv1 Error : Timeout
> Mar  5 12:52:41   IKEv1 Error : No proposal chosen
> Mar  5 12:53:13   IKEv1 Error : No proposal chosen
> Mar  5 12:53:27   IKEv1 Error : Timeout
> Mar  5 12:53:47   IKEv1 Error : No proposal chosen
> Mar  5 12:54:27   IKEv1 Error : Timeout
> Mar  5 12:54:30   IKEv1 Error : No proposal chosen
> Mar  5 12:55:08   IKEv1 Error : No proposal chosen
> 
> 
> Any hints?
> 
> Regards
> Marco
> -- 
> bizza
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
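As an added example (not part of the thread or of Junos/ASA itself), a small Python triage script that parses the kmd lines quoted above, classifies the two error types, and diffs the SRX phase-1 proposal from the posted configuration against a peer's; the ASA-side values it compares against are constructed for illustration, not the real remote policy.

```python
import re
from collections import Counter

# Constructed sample: the /var/log/kmd excerpt quoted in the thread.
KMD_LOG = """\
Mar  5 12:51:27   IKEv1 Error : Timeout
Mar  5 12:52:06   IKEv1 Error : No proposal chosen
Mar  5 12:52:27   IKEv1 Error : Timeout
Mar  5 12:52:41   IKEv1 Error : No proposal chosen
Mar  5 12:53:13   IKEv1 Error : No proposal chosen
Mar  5 12:53:27   IKEv1 Error : Timeout
Mar  5 12:53:47   IKEv1 Error : No proposal chosen
Mar  5 12:54:27   IKEv1 Error : Timeout
Mar  5 12:54:30   IKEv1 Error : No proposal chosen
Mar  5 12:55:08   IKEv1 Error : No proposal chosen
"""

# kmd syslog shape: "<Mon> <day> <hh:mm:ss>   IKEv1 Error : <message>"
LINE_RE = re.compile(r"^\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+IKEv1 Error : (?P<err>.+?)\s*$")

def summarize_kmd(text):
    """Count each distinct IKEv1 error message in a kmd log excerpt."""
    counts = Counter()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            counts[m.group("err")] += 1
    return dict(counts)

def triage(counts):
    """Map the error mix to the phase-1 failure class it indicates."""
    findings = []
    if counts.get("No proposal chosen"):
        # The responder sent NOTIFY NO_PROPOSAL_CHOSEN: it rejected every ISAKMP
        # transform offered, so the phase-1 parameters (or identity) disagree.
        findings.append("peer rejected phase-1 proposal: compare ISAKMP policy and identities")
    if counts.get("Timeout"):
        # No reply at all to retransmissions: reachability or peer-address problem.
        findings.append("no response from peer: check peer address and UDP/500 reachability")
    return findings

# Phase-1 attributes the SRX offers, taken from the configuration in the thread.
SRX_PHASE1 = {"auth": "pre-shared-keys", "dh_group": 5, "hash": "sha-256",
              "encryption": "aes-256-cbc", "lifetime": 86400, "mode": "main"}

def compare_phase1(local, remote):
    """Return {attribute: (local, remote)} for every attribute that differs."""
    return {k: (local.get(k), remote.get(k))
            for k in sorted(set(local) | set(remote)) if local.get(k) != remote.get(k)}
```

Feed `compare_phase1` a dict of the peer's ISAKMP policy (constructed here as `dict(SRX_PHASE1, hash="sha-1")`) and an empty result means the proposals match, so the remaining suspect is the identity, as Per suggests.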
