04-21-2016 12:13 AM
I am having an issue with a site-to-site VPN between an ASA 5520 and a Juniper SS 505M. The tunnel comes up, but we seem to be unable to pass traffic over the VPN tunnel. It appears the remote side makes an FTP server connection to the local server but is never prompted for login credentials.
Apr 19 2016 13:27:13 SQL-B2B-01 : %ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0xD167A5E8, sequence number= 0xD) from X.X.241.90 (user= X.X.241.90) to X.X.167.230. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as X.X.167.233, its source as X.X.2.68, and its protocol as tcp. The SA specifies its local proxy as X.X.167.233/255.255.255.255/tcp/5376 and its remote_proxy as X.X.2.68/255.255.255.255/tcp/5376.
access-list West extended permit ip object-group Local object-group Remote
nat (inside,outside) source static Local Local_Pub destination static Remote Remote
crypto ipsec ikev1 transform-set Remote esp-aes-256 esp-sha-hmac
crypto map West-Map 95 match address Remote
crypto map West-Map 95 set peer X.X.241.90
crypto map West-Map 95 set ikev1 transform-set Remote
crypto map West-Map 95 set security-association lifetime seconds 28800
juniper-
"Remote-ftp" X.X.167.233 255.255.255.255
P1 proposal gateway preshare "SonoraQ@OT32" proposal "pre-g2-aes256-sha-28800"
p2-proposal "no-pfs-esp-aes256-sha-28800" no-pfs esp aes256 sha-1 second 28800
----------------------
set policy top from "Trust" to "Untrust" "X.X.2.68/32" "Remote-ftp" "ftp" tunnel vpn "Remote-vpn" log
set policy top from "Untrust" to "Trust" "Remote-ftp" "X.X.2.68/32" "ftp" tunnel vpn "SonoraQ-vpn" log
04-21-2016 01:21 AM
I don't know Juniper, but it looks like it is trying to negotiate the use of just tcp/5376 on the tunnel, when it should be negotiating just the protocol "ip".
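The %ASA-4-402116 message in the question already contains every field needed to reach this diagnosis: the inner packet's source, destination and protocol, and the local/remote proxy IDs the SA was negotiated with. The parser below is an added example, not code from this thread or from Cisco or Juniper. It pulls those fields out of the syslog line, checks the inner packet against the proxy IDs, and flags an SA whose proxy IDs are narrower than the ASA's crypto ACL (which here permits ip). The sample line is the thread's message re-joined onto one line with the masked X.X. addresses replaced by RFC 5737 documentation addresses; the regular expressions assume the message keeps the shape shown in the thread.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the thread's %ASA-4-402116 message on one line, with the
# masked X.X. addresses replaced by documentation ranges (198.51.100.0/24 = local
# side, 192.0.2.0/24 = remote LAN, 203.0.113.90 = remote peer).
SAMPLE_LOG = (
    "Apr 19 2016 13:27:13 SQL-B2B-01 : %ASA-4-402116: IPSEC: Received an ESP packet "
    "(SPI= 0xD167A5E8, sequence number= 0xD) from 203.0.113.90 (user= 203.0.113.90) "
    "to 198.51.100.230. The decapsulated inner packet doesn't match the negotiated "
    "policy in the SA. The packet specifies its destination as 198.51.100.233, its "
    "source as 192.0.2.68, and its protocol as tcp. The SA specifies its local proxy "
    "as 198.51.100.233/255.255.255.255/tcp/5376 and its remote_proxy as "
    "192.0.2.68/255.255.255.255/tcp/5376."
)

MSG_ID = "%ASA-4-402116"
IP = r"\d+(?:\.\d+){3}"
HDR_RE = re.compile(rf"SPI= (?P<spi>0x[0-9A-Fa-f]+).*?from (?P<peer>{IP}) .*?to (?P<local>{IP})\.")
PKT_RE = re.compile(
    rf"packet specifies its destination as (?P<dst>{IP}), its source as (?P<src>{IP}), "
    r"and its protocol as (?P<proto>\w+)"
)
SA_RE = re.compile(
    rf"local proxy as (?P<l_addr>{IP})/(?P<l_mask>{IP})/(?P<l_proto>\w+)/(?P<l_port>\d+) "
    rf"and its remote_proxy as (?P<r_addr>{IP})/(?P<r_mask>{IP})/(?P<r_proto>\w+)/(?P<r_port>\d+)"
)


@dataclass
class Proxy:
    network: ipaddress.IPv4Network  # address/mask half of the proxy ID
    proto: str                      # "ip", "tcp", "udp", ...
    port: int                       # 0 when the proxy ID carries no port

    def __str__(self) -> str:
        return f"{self.network}/{self.proto}/{self.port}"


@dataclass
class Mismatch:
    spi: str
    peer: str
    inner_src: str
    inner_dst: str
    inner_proto: str
    local_proxy: Proxy
    remote_proxy: Proxy


def _proxy(addr: str, mask: str, proto: str, port: str) -> Proxy:
    return Proxy(ipaddress.IPv4Network(f"{addr}/{mask}", strict=False), proto.lower(), int(port))


def parse_402116(line: str) -> Optional[Mismatch]:
    """Return the fields of a %ASA-4-402116 message, or None for any other line."""
    if MSG_ID not in line:
        return None
    hdr, pkt, sa = HDR_RE.search(line), PKT_RE.search(line), SA_RE.search(line)
    if not (hdr and pkt and sa):
        raise ValueError("402116 message in an unexpected shape: " + line)
    return Mismatch(
        spi=hdr["spi"], peer=hdr["peer"],
        inner_src=pkt["src"], inner_dst=pkt["dst"], inner_proto=pkt["proto"].lower(),
        local_proxy=_proxy(sa["l_addr"], sa["l_mask"], sa["l_proto"], sa["l_port"]),
        remote_proxy=_proxy(sa["r_addr"], sa["r_mask"], sa["r_proto"], sa["r_port"]),
    )


def diagnose(line: str, acl_proto: str = "ip") -> List[str]:
    """List the reasons the ASA dropped the decapsulated packet.

    acl_proto is the protocol the local crypto ACL permits ("ip" for the
    thread's 'permit ip object-group Local object-group Remote'). An SA whose
    proxy IDs are narrower than that was shaped by the peer's policy."""
    m = parse_402116(line)
    if m is None:
        return []
    findings: List[str] = []
    src, dst = ipaddress.IPv4Address(m.inner_src), ipaddress.IPv4Address(m.inner_dst)
    if dst not in m.local_proxy.network:
        findings.append(f"inner dst {dst} is outside the local proxy {m.local_proxy}")
    if src not in m.remote_proxy.network:
        findings.append(f"inner src {src} is outside the remote proxy {m.remote_proxy}")
    for side, p in (("local", m.local_proxy), ("remote", m.remote_proxy)):
        if p.proto not in ("ip", m.inner_proto):
            findings.append(f"inner protocol {m.inner_proto} does not match {side} proxy {p}")
    if m.local_proxy.proto != acl_proto or m.local_proxy.port != 0:
        findings.append(
            f"SA proxy is {m.local_proxy.proto}/{m.local_proxy.port} but the local crypto ACL "
            f"permits {acl_proto}: peer {m.peer} proposed a protocol/port-specific proxy ID"
        )
    return findings


if __name__ == "__main__":
    for reason in diagnose(SAMPLE_LOG):
        print(reason)
```

On the sample line the addresses and the protocol both match, so the only finding is the narrowed proxy ID: the SA carries tcp/5376 while the ASA side expects ip, which is exactly the point the answer makes. Note that 5376 is 0x1500, while the "ftp" service in the Juniper policies is tcp/21 (0x0015); whatever the reason for that representation in the message, the fix is the same: both peers must propose proxy IDs that agree, and with the ASA's ACL permitting ip, the Juniper policy has to select the tunnel for the whole address pair rather than for one service.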
04-22-2016 10:40 AM
Good catch. They were defining traffic as FTP and not ip. There are additional issues, but for this portion you were correct.
Thanks