topic ASAv and Juniper vSRX in Network Security

ASAv and Juniper vSRX

Lance Wendel — Thu, 14 Jul 2022 08:08:04 GMT

Hello all,

I need some assistance trying to get a tunnel to work. from the debug I see my IPSec proposals are not matching. this is a lab setup. ASA has only 2 interfaces configured with INSIDE/outside and there is only 1 tunnel. transform set options are.

ASA(config-tunnel-ipsec)# crypto ipsec ikev1 transform-set ASA-cSRX ?

configure mode commands/options:
esp-3des esp 3des encryption
esp-aes esp aes 128 encryption
esp-aes-192 esp aes 192 encryption
esp-aes-256 esp aes 256 encryption
esp-des esp des encryption
esp-md5-hmac esp md5 authentication
esp-none esp no authentication
esp-null esp null encryption
esp-sha-hmac esp sha authentication

and on the juniper
Possible completions: Authentication
hmac-md5-96 HMAC-MD5-96 authentication algorithm
hmac-sha-256-128 HMAC-SHA-256-128 authentication algorithm
hmac-sha1-96 HMAC-SHA1-96 authentication algorithm

Possible completions: Encryption
3des-cbc 3DES-CBC encryption algorithm
aes-128-cbc AES-CBC 128-bit encryption algorithm
aes-128-gcm AES-GCM 128-bit encryption algorithm
aes-192-cbc AES-CBC 192-bit encryption algorithm
aes-192-gcm AES-GCM 192-bit encryption algorithm
aes-256-cbc AES-CBC 256-bit encryption algorithm
aes-256-gcm AES-GCM 256-bit encryption algorithm
des-cbc DES-CBC encryption algorithm

ASA transformset : esp-sha-hmac esp-aes-256

Juniper
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm aes-256-cbc;

I am assuming : hmac-sha1-96 is not = esp-sha-hmac and esp-aes-256 not = aes-256-cbc

thx a lot

Re: ASAv and Juniper vSRX

Mark Elsen — Thu, 14 Jul 2022 12:11:49 GMT

- Check this https://www.youtube.com/watch?v=OF6CuYOFQSM

Re: ASAv and Juniper vSRX

Lance Wendel — Thu, 14 Jul 2022 14:11:14 GMT

Thank you for the link, will check this. I guess IKEv1 is old. there are clients who would want to have an Ikev1 solution.

Re: ASAv and Juniper vSRX

Harold Ritter — Thu, 14 Jul 2022 14:51:20 GMT

@Lance Wendel ,

From the JUNOS documentation:

The local identity and remote identity make up the proxy ID for the SA.

A proxy ID mismatch is one of the most common causes for a Phase 2 failure. If no IPsec SA is listed, confirm that Phase 2 proposals, including the proxy ID settings, are correct for both peers. For route-based VPNs, the default proxy ID is local=0.0.0.0/0, remote=0.0.0.0/0, and service=any. Issues can occur with multiple route-based VPNs from the same peer IP. In this case, a unique proxy ID for each IPsec SA must be specified. For some third-party vendors, the proxy ID must be manually entered to match.

https://www.juniper.net/documentation/us/en/software/junos/vpn-ipsec/topics/topic-map/security-ipsec-vpn-configuration-overview.html

Regards,

Re: ASAv and Juniper vSRX

Lance Wendel — Thu, 14 Jul 2022 14:57:44 GMT

HI Harold,
Thanks for the reply, the config on both are the same including the proxy-id. Only thing that goes through my mind whether the auth and encryption keys are the same
ASA has for an example esp-aes-256 and on junos has esp-aes-256-cbc