[j-nsp] SRX to vshield lan2lan

Farrukh Haroon farrukhharoon at gmail.com
Fri Jun 21 23:16:31 EDT 2013


Hello Bizza

Please try to match the configuration settings mentioned in the following
KB Article; it seems they are looking for 3DES/SHA1 by default, which is not
mentioned in your list.  The lifetime (28800) seems to be the same as the SRX
default value, so that should be fine.

http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&externalId=2016891&sliceId=1&docTypeID=DT_KB_1_1&dialogID=951914608&stateId=1%200%20951934785

Also as other folks have mentioned, I would re-check the PSK on both sides,
as that can usually be the cause for the error mentioned in your email.

Regards
Farrukh Haroon
CCIE-SEC(#20184), JNCIE-SEC (#91)


On Thu, Jun 20, 2013 at 7:33 PM, bizza <bizzam at gmail.com> wrote:

> Hi all,
> has anyone set up a LAN-to-LAN IPsec VPN between Juniper SRX and VMware
> vShield?
> I tried various configurations, but I still have some problems.
>
> [...]
>
> root at srx210h-fw1# show ike
> proposal 1 {
>     authentication-method pre-shared-keys;
>     authentication-algorithm sha-256;
>     encryption-algorithm aes-256-cbc;
> }
> proposal 2 {
>     authentication-method pre-shared-keys;
>     authentication-algorithm md5;
>     encryption-algorithm 3des-cbc;
> }
> proposal 3 {
>     authentication-method pre-shared-keys;
>     authentication-algorithm md5;
>     encryption-algorithm aes-256-cbc;
> }
> proposal 4 {
>     authentication-method pre-shared-keys;
>     authentication-algorithm sha-256;
>     encryption-algorithm 3des-cbc;
> }
> proposal 5 {
>     authentication-method pre-shared-keys;
>     authentication-algorithm sha1;
>     encryption-algorithm aes-256-cbc;
> }
> policy ike_pol_lan_to_remote {
>     mode main;
>     proposals [ 1 2 3 4 5 ];
>     pre-shared-key ascii-text "xxx"; ## SECRET-DATA
> }
> gateway gw_lan_to_remote {
>     ike-policy ike_pol_lan_to_remote;
>     address x.y.w.z;
>     local-identity inet my.ip.add.res;
>     external-interface reth2.0;
> }
>
> [...]
>
> root at srx210h-fw1# show ipsec
> policy ipsec_pol_lan_to_remote {
>     proposal-set compatible;
> }
> vpn lan_to_remote {
>     bind-interface st0.0;
>     ike {
>         gateway gw_lan_to_remote;
>         ipsec-policy ipsec_pol_lan_to_remote;
>     }
>     establish-tunnels immediately;
> }
>
>
> In /var/log/kmd I found
>
> Jun 20 18:25:50   IKEv1 Error : Payload malformed
> Jun 20 18:26:50   IKEv1 Error : Payload malformed
> Jun 20 18:27:50   IKEv1 Error : Payload malformed
> Jun 20 18:28:50   IKEv1 Error : Payload malformed
> Jun 20 18:29:50   IKEv1 Error : Payload malformed
> Jun 20 18:30:50   IKEv1 Error : Payload malformed
> Jun 20 18:31:50   IKEv1 Error : Payload malformed
>
>
>
> Any help?
>
> Regards
> bizza
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
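The advice in the reply is to compare the SRX's IKE proposals against what the peer offers and to re-check the PSK. As an added illustration (not code from either poster, nor from Juniper or VMware), the script below parses the `show ike` proposal blocks quoted in the thread, reports which SRX proposals match a given peer encryption/hash pair, and tallies the repeated kmd messages. The config and log text are constructed copies of what the thread quotes; the `ALIASES` table mapping vendor-style labels such as "3DES"/"SHA1" onto Junos keywords is an assumption for this example.

```python
import re
from collections import Counter

# Constructed copy of the IKE proposals quoted in the thread (Junos "show ike" output).
SRX_IKE_CONFIG = """
proposal 1 {
    authentication-method pre-shared-keys;
    authentication-algorithm sha-256;
    encryption-algorithm aes-256-cbc;
}
proposal 2 {
    authentication-method pre-shared-keys;
    authentication-algorithm md5;
    encryption-algorithm 3des-cbc;
}
proposal 3 {
    authentication-method pre-shared-keys;
    authentication-algorithm md5;
    encryption-algorithm aes-256-cbc;
}
proposal 4 {
    authentication-method pre-shared-keys;
    authentication-algorithm sha-256;
    encryption-algorithm 3des-cbc;
}
proposal 5 {
    authentication-method pre-shared-keys;
    authentication-algorithm sha1;
    encryption-algorithm aes-256-cbc;
}
"""

# Constructed copy of the /var/log/kmd lines quoted in the thread.
KMD_LOG = """Jun 20 18:25:50   IKEv1 Error : Payload malformed
Jun 20 18:26:50   IKEv1 Error : Payload malformed
Jun 20 18:27:50   IKEv1 Error : Payload malformed
Jun 20 18:28:50   IKEv1 Error : Payload malformed
Jun 20 18:29:50   IKEv1 Error : Payload malformed
Jun 20 18:30:50   IKEv1 Error : Payload malformed
Jun 20 18:31:50   IKEv1 Error : Payload malformed
"""

# Assumed mapping from labels a peer's GUI or KB article uses to Junos keywords.
ALIASES = {
    "3des": "3des-cbc", "3des-cbc": "3des-cbc",
    "aes256": "aes-256-cbc", "aes-256": "aes-256-cbc", "aes-256-cbc": "aes-256-cbc",
    "sha1": "sha1", "sha-1": "sha1",
    "sha256": "sha-256", "sha-256": "sha-256",
    "md5": "md5",
}

PROPOSAL_RE = re.compile(r"proposal\s+(\S+)\s*\{(.*?)\}", re.S)
ATTR_RE = re.compile(r"(\S+)\s+(\S+);")
KMD_RE = re.compile(r"^\w{3}\s+\d+\s+\d\d:\d\d:\d\d\s+(.+?)\s*$")


def parse_ike_proposals(text):
    """Return {proposal_name: (encryption, authentication)} in Junos keyword form."""
    proposals = {}
    for name, body in PROPOSAL_RE.findall(text):
        attrs = dict(ATTR_RE.findall(body))
        proposals[name] = (
            ALIASES.get(attrs.get("encryption-algorithm", "").lower()),
            ALIASES.get(attrs.get("authentication-algorithm", "").lower()),
        )
    return proposals


def matching_proposals(srx_text, peer_enc, peer_auth):
    """Names of SRX proposals whose cipher/hash pair equals the peer's offer."""
    want = (ALIASES[peer_enc.lower()], ALIASES[peer_auth.lower()])
    return sorted(n for n, pair in parse_ike_proposals(srx_text).items() if pair == want)


def count_kmd_messages(log_text):
    """Tally kmd messages with the timestamp stripped, so repeats stand out."""
    counts = Counter()
    for line in log_text.splitlines():
        m = KMD_RE.match(line)
        if m:
            counts[m.group(1)] += 1
    return counts


if __name__ == "__main__":
    # Peer defaulting to 3DES/SHA1, as the reply describes: no SRX proposal matches.
    print("3DES/SHA1 matches:", matching_proposals(SRX_IKE_CONFIG, "3DES", "SHA1"))
    print("AES-256/SHA1 matches:", matching_proposals(SRX_IKE_CONFIG, "AES256", "SHA1"))
    print(count_kmd_messages(KMD_LOG))
```

Running it shows that none of the five quoted proposals pair 3des-cbc with sha1 (only proposal 4 uses 3DES, and it is paired with sha-256), which is exactly the gap the reply points at; the same tally function makes a steady once-a-minute "Payload malformed" easy to spot in a longer kmd log, though as the reply notes that message alone does not distinguish a proposal mismatch from a wrong PSK.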
