ASAv and Juniper vSRX

Lance Wendel
Level 1

Hello all,

I need some assistance trying to get a tunnel to work. From the debug I see my IPsec proposals are not matching. This is a lab setup. The ASA has only 2 interfaces configured, INSIDE/outside, and there is only 1 tunnel. The transform set options are:

ASA(config-tunnel-ipsec)# crypto ipsec ikev1 transform-set ASA-cSRX ?

configure mode commands/options:
esp-3des esp 3des encryption
esp-aes esp aes 128 encryption
esp-aes-192 esp aes 192 encryption
esp-aes-256 esp aes 256 encryption
esp-des esp des encryption
esp-md5-hmac esp md5 authentication
esp-none esp no authentication
esp-null esp null encryption
esp-sha-hmac esp sha authentication

 

And on the Juniper:
Possible completions: Authentication
hmac-md5-96 HMAC-MD5-96 authentication algorithm
hmac-sha-256-128 HMAC-SHA-256-128 authentication algorithm
hmac-sha1-96 HMAC-SHA1-96 authentication algorithm

Possible completions: Encryption
3des-cbc 3DES-CBC encryption algorithm
aes-128-cbc AES-CBC 128-bit encryption algorithm
aes-128-gcm AES-GCM 128-bit encryption algorithm
aes-192-cbc AES-CBC 192-bit encryption algorithm
aes-192-gcm AES-GCM 192-bit encryption algorithm
aes-256-cbc AES-CBC 256-bit encryption algorithm
aes-256-gcm AES-GCM 256-bit encryption algorithm
des-cbc DES-CBC encryption algorithm

ASA transform set: esp-sha-hmac esp-aes-256

Juniper
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm aes-256-cbc;

I am assuming: hmac-sha1-96 is not = esp-sha-hmac and esp-aes-256 is not = aes-256-cbc

Thanks a lot
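As an added example (not from the thread or either vendor), a small Python checker that normalises the two vendors' Phase 2 algorithm names to one canonical form and reports which field of the proposal differs. The ASA-to-canonical mapping is the editor's assumption, based on RFC 3602 (ESP AES is CBC mode) and RFC 2404 (ESP HMAC-SHA-1 is truncated to 96 bits); the sample configurations are the ones quoted above.

```python
"""Compare an ASA IKEv1 transform set with a Junos IPsec proposal.

Constructed example. The vendor-to-canonical table below is the editor's
assumption: ASA esp-aes-* is AES-CBC (RFC 3602) and esp-sha-hmac is
HMAC-SHA1-96 (RFC 2404). Junos already uses the canonical spelling.
"""
import re

# ASA transform-set keyword -> (field, canonical algorithm name)
ASA_ALGS = {
    "esp-des": ("enc", "des-cbc"),
    "esp-3des": ("enc", "3des-cbc"),
    "esp-aes": ("enc", "aes-128-cbc"),
    "esp-aes-192": ("enc", "aes-192-cbc"),
    "esp-aes-256": ("enc", "aes-256-cbc"),
    "esp-null": ("enc", "null"),
    "esp-md5-hmac": ("auth", "hmac-md5-96"),
    "esp-sha-hmac": ("auth", "hmac-sha1-96"),
    "esp-none": ("auth", "none"),
}


def parse_asa_transform_set(line):
    """'crypto ipsec ikev1 transform-set NAME alg [alg]' -> {'enc': .., 'auth': ..}.
    Keyword order on the ASA line does not matter."""
    m = re.match(r"crypto ipsec ikev1 transform-set \S+ (.+)", line.strip())
    if not m:
        raise ValueError("not an ASA transform-set line: %r" % line)
    prop = {"enc": None, "auth": None}
    for tok in m.group(1).split():
        field, name = ASA_ALGS[tok]  # KeyError on an unknown keyword is deliberate
        prop[field] = name
    return prop


def parse_junos_proposal(text):
    """Junos 'set security ipsec proposal ...' lines or a stanza body
    -> {'enc': .., 'auth': ..}. A missing key stays None."""
    prop = {"enc": None, "auth": None}
    for key, field in (("encryption-algorithm", "enc"),
                       ("authentication-algorithm", "auth")):
        m = re.search(key + r"\s+([\w-]+)", text)
        if m:
            prop[field] = m.group(1)
    return prop


def phase2_mismatches(asa, junos):
    """List of (field, asa_value, junos_value) that differ; [] means the
    ESP algorithms agree and the mismatch is elsewhere (proxy ID, PFS, ...)."""
    return [(k, asa[k], junos[k]) for k in ("enc", "auth") if asa[k] != junos[k]]
```

An empty result for the thread's two configurations means the ESP algorithm names are not the cause of the Phase 2 failure, so the debug should be read for proxy ID, PFS group or lifetime differences instead.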


4 Replies

marce1000
VIP


- Check this https://www.youtube.com/watch?v=OF6CuYOFQSM

M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

Thank you for the link, will check this. I guess IKEv1 is old. There are clients who would want to have an IKEv1 solution.

Harold Ritter
Cisco Employee

@Lance Wendel ,

From the JUNOS documentation:

 

  • The local identity and remote identity make up the proxy ID for the SA.

    A proxy ID mismatch is one of the most common causes for a Phase 2 failure. If no IPsec SA is listed, confirm that Phase 2 proposals, including the proxy ID settings, are correct for both peers. For route-based VPNs, the default proxy ID is local=0.0.0.0/0, remote=0.0.0.0/0, and service=any. Issues can occur with multiple route-based VPNs from the same peer IP. In this case, a unique proxy ID for each IPsec SA must be specified. For some third-party vendors, the proxy ID must be manually entered to match.

https://www.juniper.net/documentation/us/en/software/junos/vpn-ipsec/topics/topic-map/security-ipsec-vpn-configuration-overview.html

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

Hi Harold,
Thanks for the reply. The config on both is the same, including the proxy-id. The only thing that goes through my mind is whether the auth and encryption keys are the same.
The ASA has, for example, esp-aes-256 and JunOS has esp-aes-256-cbc.