07-14-2022 01:08 AM
Hello all,
I need some assistance trying to get a tunnel to work. From the debug I see my IPsec proposals are not matching. This is a lab setup. ASA has only 2 interfaces configured with INSIDE/outside and there is only 1 tunnel. Transform set options are:
ASA(config-tunnel-ipsec)# crypto ipsec ikev1 transform-set ASA-cSRX ?
configure mode commands/options:
esp-3des esp 3des encryption
esp-aes esp aes 128 encryption
esp-aes-192 esp aes 192 encryption
esp-aes-256 esp aes 256 encryption
esp-des esp des encryption
esp-md5-hmac esp md5 authentication
esp-none esp no authentication
esp-null esp null encryption
esp-sha-hmac esp sha authentication
And on the Juniper:
Possible completions: Authentication
hmac-md5-96 HMAC-MD5-96 authentication algorithm
hmac-sha-256-128 HMAC-SHA-256-128 authentication algorithm
hmac-sha1-96 HMAC-SHA1-96 authentication algorithm
Possible completions: Encryption
3des-cbc 3DES-CBC encryption algorithm
aes-128-cbc AES-CBC 128-bit encryption algorithm
aes-128-gcm AES-GCM 128-bit encryption algorithm
aes-192-cbc AES-CBC 192-bit encryption algorithm
aes-192-gcm AES-GCM 192-bit encryption algorithm
aes-256-cbc AES-CBC 256-bit encryption algorithm
aes-256-gcm AES-GCM 256-bit encryption algorithm
des-cbc DES-CBC encryption algorithm
ASA transform set: esp-sha-hmac esp-aes-256
Juniper:
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm aes-256-cbc;
I am assuming: hmac-sha1-96 is not = esp-sha-hmac and esp-aes-256 is not = aes-256-cbc
Thanks a lot
07-14-2022 05:11 AM
- Check this https://www.youtube.com/watch?v=OF6CuYOFQSM
M.
07-14-2022 07:11 AM
Thank you for the link, I will check this. I guess IKEv1 is old. There are clients who would want to have an IKEv1 solution.
07-14-2022 07:51 AM
From the JUNOS documentation:
The local identity and remote identity make up the proxy ID for the SA.
A proxy ID mismatch is one of the most common causes for a Phase 2 failure. If no IPsec SA is listed, confirm that Phase 2 proposals, including the proxy ID settings, are correct for both peers. For route-based VPNs, the default proxy ID is local=0.0.0.0/0, remote=0.0.0.0/0, and service=any. Issues can occur with multiple route-based VPNs from the same peer IP. In this case, a unique proxy ID for each IPsec SA must be specified. For some third-party vendors, the proxy ID must be manually entered to match.
Regards,
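As an added example (not from this thread or either vendor's tooling), the script below normalizes the ASA IKEv1 transform-set keywords from the original post to the Junos proposal names they are wire-equivalent to (ASA esp-aes-256 is AES-256-CBC and esp-sha-hmac is HMAC-SHA1-96), then checks both the Phase 2 algorithms and the proxy IDs that the reply above points to. The ASA line, Junos stanza and proxy networks are constructed sample values; a route-based SRX with the default 0.0.0.0/0 proxy ID against an ASA crypto-map ACL is the mismatch case it flags.

```python
import ipaddress

# Constructed mapping: ASA IKEv1 transform-set keyword -> (field, Junos name).
ASA_TO_JUNOS = {
    "esp-des": ("encryption", "des-cbc"),
    "esp-3des": ("encryption", "3des-cbc"),
    "esp-aes": ("encryption", "aes-128-cbc"),
    "esp-aes-192": ("encryption", "aes-192-cbc"),
    "esp-aes-256": ("encryption", "aes-256-cbc"),
    "esp-md5-hmac": ("authentication", "hmac-md5-96"),
    "esp-sha-hmac": ("authentication", "hmac-sha1-96"),
}

# Constructed sample inputs (set name ASA-cSRX taken from the post).
ASA_LINE = "crypto ipsec ikev1 transform-set ASA-cSRX esp-aes-256 esp-sha-hmac"
JUNOS_PROPOSAL = ("protocol esp;\n"
                  "authentication-algorithm hmac-sha1-96;\n"
                  "encryption-algorithm aes-256-cbc;")

def parse_asa_transform_set(line):
    """Turn the ASA transform-set command into {protocol, encryption, authentication}."""
    tokens = line.split()
    start = tokens.index("transform-set") + 2  # skip keyword and the set name
    proposal = {"protocol": "esp"}
    for tok in tokens[start:]:
        field, junos_name = ASA_TO_JUNOS[tok]
        proposal[field] = junos_name
    return proposal

def parse_junos_proposal(text):
    """Parse 'protocol esp; authentication-algorithm X; encryption-algorithm Y;'."""
    proposal = {}
    for stmt in text.replace("\n", " ").split(";"):
        parts = stmt.split()
        if len(parts) == 2:
            proposal[parts[0].replace("-algorithm", "")] = parts[1]
    return proposal

def phase2_mismatches(asa_line, junos_text, asa_proxy, junos_proxy):
    """Return a list of mismatch strings; an empty list means Phase 2 should agree."""
    a, j = parse_asa_transform_set(asa_line), parse_junos_proposal(junos_text)
    issues = [f"{k}: ASA {a.get(k)} vs Junos {j.get(k)}"
              for k in ("protocol", "encryption", "authentication") if a.get(k) != j.get(k)]
    # Proxy IDs must mirror each other: ASA local = SRX remote, ASA remote = SRX local.
    asa_local, asa_remote = (ipaddress.ip_network(n) for n in asa_proxy)
    jun_local, jun_remote = (ipaddress.ip_network(n) for n in junos_proxy)
    if asa_local != jun_remote or asa_remote != jun_local:
        issues.append(f"proxy-id: ASA {asa_local}->{asa_remote} vs Junos {jun_local}->{jun_remote}")
    return issues

if __name__ == "__main__":
    print(phase2_mismatches(ASA_LINE, JUNOS_PROPOSAL,
                            ("10.1.1.0/24", "10.2.2.0/24"), ("0.0.0.0/0", "0.0.0.0/0")))
```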
07-14-2022 07:57 AM