[j-nsp] [c-nsp] Help with an IPSec scenario

Ivan Ivanov ivanov.ivan at gmail.com
Fri Mar 13 12:37:16 EDT 2015


Hi Tom,

Try with 'general-ikeid' on SRX side under the definition of ike gateway.
You might need to upgrade Junos to have that option.

host@srx# set security ike gateway <name> general-ikeid


HTH,
Ivan


On Fri, Mar 13, 2015 at 3:35 PM, Tom Storey <tom at snnap.net> wrote:

> Hi everyone,
>
> Trying to establish an IPSec tunnel (route based) between a Juniper
> SRX and a Cisco IOS router.
>
> The topology is two routers with DSL services, the SRX is on a dynamic
> IP, the Cisco on a static. No NAT is involved in the path between the
> two routers.
>
> Here are the configs I'm working on: http://pastebin.com/gUEFVTau
>
> Basically, what I'm getting is this...
>
> In main mode, phase 1 is OK, and I get probably 99% of the way in
> phase 2, but it doesn't quite complete, with errors like "proxy
> identities not supported".
>
> I can fix this by configuring Tunnel0's destination as the IP of the
> SRX /at the time/ and can then ping across the tunnel. But this
> obviously isn't a long term solution because if the IP of the SRX
> changes (and it does, frequently, because the DSL is notoriously
> unstable) then the VPN stops working.
>
> So I try to go aggressive mode, but this is even worse, with phase 1
> not completing with errors like "IKE packet from x.x.x.x was not
> encrypted and it should've been", and never really making it past
> AG_INIT_EXCH.
>
> This is a debug of aggressive mode: http://pastebin.com/RUAaXDyE
>
> Based on my supplied configs, can anyone help me come up with a
> solution that allows the SRX to initiate a connection from any random
> IP, and the Cisco accepts it but I don't have to configure the IP of
> the SRX on the Cisco in order for it to work? I feel like I'm
> tantalisingly close, but after several hours at it so far and copious
> amounts of googling, I just can't see the solution...
>
> Thanks.
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>



-- 
Best Regards!

Ivan Ivanov
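For readers landing on this thread later, here is the 'general-ikeid' knob shown in the context of a full route-based IKE gateway on the SRX side (aggressive mode, hostname as the local IKE identity, static Cisco peer). This is an added illustration, not configuration posted by Ivan or Tom, and nothing in the thread confirms it resolved Tom's problem. Every name, interface, address (RFC 5737 documentation ranges) and the pre-shared key are placeholders; only the position of 'general-ikeid' under the ike gateway is what Ivan's message refers to.

```junos
# Added example, not from the thread. Placeholders: CISCO-GW, IKE-POL,
# IKE-PROP, IPSEC-POL, IPSEC-PROP, CISCO-VPN, pp0.0, st0.0, 198.51.100.1,
# srx.example.net and the pre-shared key. Paste with "load set terminal".
set security ike proposal IKE-PROP authentication-method pre-shared-keys
set security ike proposal IKE-PROP dh-group group2
set security ike proposal IKE-PROP authentication-algorithm sha1
set security ike proposal IKE-PROP encryption-algorithm aes-128-cbc
set security ike policy IKE-POL mode aggressive
set security ike policy IKE-POL proposals IKE-PROP
set security ike policy IKE-POL pre-shared-key ascii-text "CHANGE-ME"
# Gateway: SRX is the initiator on a dynamic DSL address, so the peer is
# identified by hostname rather than by the SRX's own (changing) IP.
set security ike gateway CISCO-GW ike-policy IKE-POL
set security ike gateway CISCO-GW address 198.51.100.1
set security ike gateway CISCO-GW local-identity hostname srx.example.net
set security ike gateway CISCO-GW external-interface pp0.0
# The knob Ivan points at: relax IKE-ID matching on the SRX side.
set security ike gateway CISCO-GW general-ikeid
set security ipsec proposal IPSEC-PROP protocol esp
set security ipsec proposal IPSEC-PROP authentication-algorithm hmac-sha1-96
set security ipsec proposal IPSEC-PROP encryption-algorithm aes-128-cbc
set security ipsec policy IPSEC-POL proposals IPSEC-PROP
# Route-based: bind the VPN to st0.0 and bring it up without waiting
# for traffic, so the tunnel re-establishes after a DSL re-dial.
set security ipsec vpn CISCO-VPN bind-interface st0.0
set security ipsec vpn CISCO-VPN ike gateway CISCO-GW
set security ipsec vpn CISCO-VPN ike ipsec-policy IPSEC-POL
set security ipsec vpn CISCO-VPN establish-tunnels immediately
```

After committing, check phase 1 with 'show security ike security-associations' and phase 2 with 'show security ipsec security-associations'; the proposal algorithms above must match what the Cisco side offers, and the static-peer lifetime and DH group are the usual mismatch points in a cross-vendor tunnel.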

