08-13-2021 08:48 AM
Hello Team,
I have the hardware below at my side, and IKEv1 is working perfectly with the remote Juniper peer:
ASA Version 9.8(4)29
Hardware: FPR4K-SM-12
working in multi-context mode
Now we have a requirement to upgrade the VPN from IKEv1 to IKEv2 with the following parameters.
Neither my encryption domain nor my NAT policy needs to change; I have to create a new tunnel with a new peer IP because a new firewall has been installed on the Juniper side.
crypto ikev2 policy xx
 encryption aes-256
 integrity sha256
 group 19
 prf sha
 lifetime seconds 86400
!
crypto ipsec ikev2 ipsec-proposal XYZ
 protocol esp encryption aes-256
 protocol esp integrity sha-256
access-list cryptomap_38 extended permit ip x.22.44.x 255.255.255.240 host x.218.40.x
!
access-list cryptomap_38 extended permit ip x.22.44.x 255.255.255.240 host x.22.240.241
crypto map internet_outside_map 38 match address cryptomap_38
crypto map internet_outside_map 38 set pfs group19
crypto map internet_outside_map 38 set peer Juniper IP
crypto map internet_outside_map 38 set ikev2 ipsec-proposal XYZ
crypto map internet_outside_map 38 set ikev2 pre-shared-key password
crypto map internet_outside_map 38 set security-association lifetime seconds 3600
crypto map internet_outside_map 38 set nat-t-disable
!
tunnel-group Juniper IP type ipsec-l2l
tunnel-group Juniper IP general-attributes
!
tunnel-group Juniper IP ipsec-attributes
 ikev2 remote-authentication pre-shared-key password
 ikev2 local-authentication pre-shared-key password
I have struggled a lot and checked that the parameters are the same on both sides, but phase 1 still did not come up.
Below are some logs I collected during the downtime.
To sum up, I am getting the error below from the remote site:
IKEv2-PROTO-2: (25759): Processing IKE_SA_INIT message
IKEv2-PROTO-5: (25759): Failed to verify the proposed policies
IKEv2-PROTO-1: (25759): Failed to find a matching policy
IKEv2-PROTO-1: (25759): Received Policies:
IKEv2-PROTO-1: (25759): Failed to find a matching policy
IKEv2-PROTO-1: (25759): Expected Policies:
IKEv2-PROTO-1: (25759): Failed to find a matching policy
IKEv2-PROTO-1: (25759):
IKEv2-PROTO-5: (25759): SM Trace-> SA: I_SPI=BE622FB1D64EB780 R_SPI=E9E04401A68C44B0 (R) MsgID = 00000000 CurState: R_INIT Event: EV_NO_PROP_CHOSEN
IKEv2-PROTO-2: (25759): Sending no proposal chosen notify
IKEv2-PROTO-5: (25759): SM Trace-> SA: I_SPI=BE622FB1D64EB780 R_SPI=E9E04401A68C44B0 (R) MsgID = 00000000 CurState: R_INIT Event: EV_ENCRYPT_MSG
IKEv2-PROTO-5: (25759): SM Trace-> SA: I_SPI=BE622FB1D64EB780 R_SPI=E9E04401A68C44B0 (R) MsgID = 00000000 CurState: R_INIT Event: EV_TRYSEND
Maximum number of retransmissions reached
NIT_DONE Event: EV_FAIL
Failed SA init exchange
IKEv2-PROTO-1: (25718): Initial exchange failed
When sending packets to the remote Juniper peer, I get the error below:
I_WAIT_INIT Event: EV_NO_EVENT
I_WAIT_INIT Event: EV_RE_XMT
Below are the detailed logs.
----------------------
IKEv2-PROTO-5: (25761): SM Trace-> SA: I_SPI=A5069EC8F38750D2 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT
IKEv2-PROTO-5: (25761): SM Trace-> SA: I_SPI=A5069EC8F38750D2 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RE_XMT
IKEv2-PROTO-2: (25761): Retransmitting packet
(25761):
IKEv2-PROTO-2: (25761): Sending Packet [To Juniper IP:500/From ASA IP:500/VRF i0:f0]
(25761): Initiator SPI : A5069EC8F38750D2 - Responder SPI : 0000000000000000 Message id: 0
(25761): IKEv2 IKE_SA_INIT Exchange REQUESTIKEv2-PROTO-3: (25761): Next payload: SA, version: 2.0 (25761): Exchange type: IKE_SA_INIT, flags: INITIATOR (25761): Message id: 0, length: 1006(25761):
Payload contents:
(25761): SA(25761): Next payload: KE, reserved: 0x0, length: 600
(25761): last proposal: 0x2, reserved: 0x0, length: 52
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 5(25761): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(25761): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA1
(25761): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA96
(25761): last transform: 0x3, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
(25761): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1024_MODP/Group 2
(25761): last proposal: 0x2, reserved: 0x0, length: 52
Proposal: 2, Protocol id: IKE, SPI size: 0, #trans: 5(25761): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(25761): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA1
(25761): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA96
(25761): last transform: 0x3, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
(25761): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1024_MODP/Group 2
(25761): last proposal: 0x2, reserved: 0x0, length: 52
Proposal: 3, Protocol id: IKE, SPI size: 0, #trans: 5(25761): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(25761): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA1
(25761): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA96
(25761): last transform: 0x3, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
(25761): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1024_MODP/Group 2
(25761): last proposal: 0x2, reserved: 0x0, length: 48
Proposal: 4, Protocol id: IKE, SPI size: 0, #trans: 5(25761): last transform: 0x3, reserved: 0x0: length: 8
type: 1, reserved: 0x0, id: 3DES
(25761): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA1
(25761): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA96
(25761): last transform: 0x3, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
(25761): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1024_MODP/Group 2
(25761): last proposal: 0x2, reserved: 0x0, length: 48
Proposal: 5, Protocol id: IKE, SPI size: 0, #trans: 5(25761): last transform: 0x3, reserved: 0x0: length: 8
type: 1, reserved: 0x0, id: DES
(25761): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA1
(25761): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA96
(25761): last transform: 0x3, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
(25761): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1024_MODP/Group 2
(25761): last proposal: 0x2, reserved: 0x0, length: 44
Proposal: 6, Protocol id: IKE, SPI size: 0, #trans: 4(25761): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(25761): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA384
(25761): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA384
(25761): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_2048_MODP_256_PRIME/Group 24
(25761): last proposal: 0x2, reserved: 0x0, length: 44
Proposal: 7, Protocol id: IKE, SPI size: 0, #trans: 4(25761): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(25761): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
(25761): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
(25761): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_384_ECP/Group 20
(25761): last proposal: 0x2, reserved: 0x0, length: 44
Proposal: 8, Protocol id: IKE, SPI size: 0, #trans: 4(25761): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(25761): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
(25761): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
(25761): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_2048_MODP/Group 14
(25761): last proposal: 0x2, reserved: 0x0, length: 44
Proposal: 9, Protocol id: IKE, SPI size: 0, #trans: 4(25761): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(25761): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
(25761): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
(25761): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_256_ECP/Group 19
(25761): last proposal: 0x2, reserved: 0x0, length: 36
Proposal: 10, Protocol id: IKE, SPI size: 0, #trans: 3(25761): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-GCM
(25761): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
(25761): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_256_ECP/Group 19
(25761): last proposal: 0x2, reserved: 0x0, length: 44
Proposal: 11, Protocol id: IKE, SPI size: 0, #trans: 4(25761): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(25761): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA1
(25761): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
(25761): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_256_ECP/Group 19
(25761): last proposal: 0x2, reserved: 0x0, length: 44
Proposal: 12, Protocol id: IKE, SPI size: 0, #trans: 4(25761): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(25761): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA1
(25761): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
(25761): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_256_ECP/Group 19
(25761): last proposal: 0x0, reserved: 0x0, length: 44
Proposal: 13, Protocol id: IKE, SPI size: 0, #trans: 4(25761): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(25761): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA1
(25761): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA384
(25761): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_256_ECP/Group 19
(25761): KE(25761): Next payload: N, reserved: 0x0, length: 200
(25761): DH group: 5, Reserved: 0x0
(25761):
(25761): e4 b0 d1 91 26 84 8e a9 0d b6 9b 6f ee fa c0 dd
(25761): 1b 4a 05 5f f7 47 18 09 1b 91 1c 27 39 e1 ac 53
(25761): c0 be cd 68 71 a1 cc b6 35 2a 79 13 b5 3b e2 ae
(25761): 05 05 89 a1 90 2f 87 14 b3 74 93 7d d0 6d 47 6d
(25761): 74 96 bf bd 64 62 d7 db 4e 1b c4 8a 6b ca b0 6d
(25761): ab 3f 1b 2b ae 43 a2 70 fb 02 75 69 fe b9 9b bf
(25761): 69 47 e4 e4 6b 28 9f 35 88 3d f5 22 bd 2c 41 f4
(25761): 82 77 9a 1a 28 bc 2b b1 6f ec bb 90 f8 a3 7d 40
(25761): 5e 09 0e 1f 47 be 7b b4 f0 a0 59 f2 17 a1 d9 18
(25761): 66 6a 1e 58 c1 38 6c bf 24 fc 01 e9 73 1a 64 47
(25761): 52 7a f3 12 51 eb 2b f0 9e 7c aa 53 81 69 4e 09
(25761): 56 63 ff d7 29 f3 90 ce 38 fc 2c f4 e7 da 7d 60
(25761): N(25761): Next payload: VID, reserved: 0x0, length: 68
(25761):
(25761): 18 40 1b 47 48 2a b2 4d c3 e4 53 a3 5e cb 53 60
(25761): 4a 1d d7 ac f6 fd a5 35 de 73 06 ed 31 6d a7 9b
(25761): 16 1a d0 9d 74 37 05 88 91 66 e8 63 8d 9b 00 56
(25761): 9b d1 69 e1 0f be a8 02 9c 6a 04 3a 07 e5 26 99
(25761): VID(25761): Next payload: VID, reserved: 0x0, length: 23
(25761):
(25761): 43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
(25761): 53 4f 4e
(25761): VID(25761): Next payload: NOTIFY, reserved: 0x0, length: 59
(25761):
(25761): 43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
(25761): 26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
(25761): 30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
(25761): 73 2c 20 49 6e 63 2e
(25761): NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED)(25761): Next payload: VID, reserved: 0x0, length: 8
(25761): Security protocol id: Unknown - 0, spi size: 0, type: IKEV2_FRAGMENTATION_SUPPORTED
(25761): VID(25761): Next payload: NONE, reserved: 0x0, length: 20
(25761):
(25761): 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
(25761):
IKEv2-PROTO-5: (25761): SM Trace-> SA: I_SPI=A5069EC8F38750D2 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT
IKEv2-PROTO-5: (25761): SM Trace-> SA: I_SPI=A5069EC8F38750D2 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RE_XMT
IKEv2-PROTO-2: (25761): Retransmitting packet
(25761):
IKEv2-PROTO-2: (25761): Sending Packet [To Juniper IP:500/From ASA IP:500/VRF i0:f0]
------------------------------
IKEv2-PROTO-5: (25718): SM Trace-> SA: I_SPI=293776A4D83BBCE2 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT
IKEv2-PROTO-5: (25718): SM Trace-> SA: I_SPI=293776A4D83BBCE2 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RE_XMT
IKEv2-PROTO-5: (25718): SM Trace-> SA: I_SPI=293776A4D83BBCE2 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RE_XMT_EXCEED
IKEv2-PROTO-1: (25718): Maximum number of retransmissions reached
IKEv2-PROTO-1: (25718):
IKEv2-PROTO-5: (25718): SM Trace-> SA: I_SPI=293776A4D83BBCE2 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_FAIL
IKEv2-PROTO-2: (25718): Failed SA init exchange
IKEv2-PROTO-1: (25718): Initial exchange failed
IKEv2-PROTO-1: (25718): Initial exchange failed
IKEv2-PROTO-5: (25718): SM Trace-> SA: I_SPI=293776A4D83BBCE2 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: EXIT Event: EV_ABORT
IKEv2-PROTO-5: (25718): SM Trace-> SA: I_SPI=293776A4D83BBCE2 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: EXIT Event: EV_CHK_PENDING_ABORT
IKEv2-PROTO-5: (25718): SM Trace-> SA: I_SPI=293776A4D83BBCE2 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: EXIT Event: EV_UPDATE_CAC_STATS
IKEv2-PROTO-2: (25718): Abort exchange
IKEv2-PROTO-2: (25718): Deleting SA
IKEv2-PROTO-5: (25761): SM Trace-> SA: I_SPI=A5069EC8F38750D2 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: IDLE Event: EV_INIT_SA
IKEv2-PROTO-5: (25761): SM Trace-> SA: I_SPI=A5069EC8F38750D2 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_IKE_POLICY
IKEv2-PROTO-5: (25761): SM Trace-> SA: I_SPI=A5069EC8F38750D2 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_SET_POLICY
IKEv2-PROTO-5: (25761): Setting configured policies
IKEv2-PROTO-5: (25761): SM Trace-> SA: I_SPI=A5069EC8F38750D2 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_CHK_AUTH4PKI
IKEv2-PROTO-5: (25761): SM Trace-> SA: I_SPI=A5069EC8F38750D2 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_PKI_SESH_OPEN
IKEv2-PROTO-5: (25761): Opening a PKI session
IKEv2-PROTO-5: (25761): SM Trace-> SA: I_SPI=A5069EC8F38750D2 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GEN_DH_KEY
IKEv2-PROTO-2: (25761): [IKEv2 -> Crypto Engine] Computing DH public key, DH Group 5
IKEv2-PROTO-2: (25761): Request queued for computation of DH key
IKEv2-PROTO-5: (25761): SM Trace-> SA: I_SPI=A5069EC8F38750D2 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_NO_EVENT
IKEv2-PROTO-5: (25761): SM Trace-> SA: I_SPI=A5069EC8F38750D2 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_OK_RECD_DH_PUBKEY_RESP
IKEv2-PROTO-5: (25761): Action: Action_Null
IKEv2-PROTO-5: (25761): SM Trace-> SA: I_SPI=A5069EC8F38750D2 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_CONFIG_MODE
IKEv2-PROTO-5: (25761): SM Trace-> SA: I_SPI=A5069EC8F38750D2 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_BLD_MSG
IKEv2-PROTO-2: (25761): Generating IKE_SA_INIT message
IKEv2-PROTO-2: (25761): IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 5
(25761): AES-CBC(25761): SHA1(25761): SHA96(25761): DH_GROUP_1536_MODP/Group 5(25761): DH_GROUP_1024_MODP/Group 2IKEv2-PROTO-2: (25761): IKE Proposal: 2, SPI size: 0 (initial negotiation),
Num. transforms: 5
(25761): AES-CBC(25761): SHA1(25761): SHA96(25761): DH_GROUP_1536_MODP/Group 5(25761): DH_GROUP_1024_MODP/Group 2IKEv2-PROTO-2: (25761): IKE Proposal: 3, SPI size: 0 (initial negotiation),
Num. transforms: 5
(25761): AES-CBC(25761): SHA1(25761): SHA96(25761): DH_GROUP_1536_MODP/Group 5(25761): DH_GROUP_1024_MODP/Group 2IKEv2-PROTO-2: (25761): IKE Proposal: 4, SPI size: 0 (initial negotiation),
Num. transforms: 5
(25761): 3DES(25761): SHA1(25761): SHA96(25761): DH_GROUP_1536_MODP/Group 5(25761): DH_GROUP_1024_MODP/Group 2IKEv2-PROTO-2: (25761): IKE Proposal: 5, SPI size: 0 (initial negotiation),
Num. transforms: 5
(25761): DES(25761): SHA1(25761): SHA96(25761): DH_GROUP_1536_MODP/Group 5(25761): DH_GROUP_1024_MODP/Group 2IKEv2-PROTO-2: (25761): IKE Proposal: 6, SPI size: 0 (initial negotiation),
Num. transforms: 4
(25761): AES-CBC(25761): SHA384(25761): SHA384(25761): DH_GROUP_2048_MODP_256_PRIME/Group 24IKEv2-PROTO-2: (25761): IKE Proposal: 7, SPI size: 0 (initial negotiation),
Num. transforms: 4
(25761): AES-CBC(25761): SHA256(25761): SHA256(25761): DH_GROUP_384_ECP/Group 20IKEv2-PROTO-2: (25761): IKE Proposal: 8, SPI size: 0 (initial negotiation),
Num. transforms: 4
(25761): AES-CBC(25761): SHA256(25761): SHA256(25761): DH_GROUP_2048_MODP/Group 14IKEv2-PROTO-2: (25761): IKE Proposal: 9, SPI size: 0 (initial negotiation),
Num. transforms: 4
(25761): AES-CBC(25761): SHA256(25761): SHA256(25761): DH_GROUP_256_ECP/Group 19IKEv2-PROTO-2: (25761): IKE Proposal: 10, SPI size: 0 (initial negotiation),
Num. transforms: 3
(25761): AES-GCM(25761): SHA256(25761): DH_GROUP_256_ECP/Group 19IKEv2-PROTO-2: (25761): IKE Proposal: 11, SPI size: 0 (initial negotiation),
Num. transforms: 4
(25761): AES-CBC(25761): SHA1(25761): SHA256(25761): DH_GROUP_256_ECP/Group 19IKEv2-PROTO-2: (25761): IKE Proposal: 12, SPI size: 0 (initial negotiation),
Num. transforms: 4
(25761): AES-CBC(25761): SHA1(25761): SHA256(25761): DH_GROUP_256_ECP/Group 19IKEv2-PROTO-2: (25761): IKE Proposal: 13, SPI size: 0 (initial negotiation),
Num. transforms: 4
(25761): AES-CBC(25761): SHA1(25761): SHA384(25761): DH_GROUP_256_ECP/Group 19(25761):
IKEv2-PROTO-2: (25761): Sending Packet [To Juniper IP:500/From ASA IP:500/VRF i0:f0]
---------------------------------------------
ASA/sec/act/ASA-context#
IKEv2-PROTO-2: Received Packet [From Juniper SRX IP:500/To ASA IP:500/VRF i0:f0]
Initiator SPI : BE622FB1D64EB780 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUESTIKEv2-PROTO-3: Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: INITIATOR Message id: 0, length: 326
Payload contents:
SA Next payload: KE, reserved: 0x0, length: 48
last proposal: 0x0, reserved: 0x0, length: 44
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4 last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA384
last transform: 0x3, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_256_ECP/Group 19
last transform: 0x0, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA384
KE Next payload: N, reserved: 0x0, length: 72
DH group: 19, Reserved: 0x0
07 aa 91 7d 88 7c e1 92 7c 17 de 57 c5 33 57 3a
d7 be 5e 28 c0 02 0f 5f e0 82 91 5c f2 5c f5 79
61 19 73 39 75 d1 0b ae 4e 6d ec 38 36 45 5d 9a
f3 44 aa 42 47 3d 46 a8 98 99 47 62 a0 a2 01 c0
N Next payload: NOTIFY, reserved: 0x0, length: 36
46 85 4f dd 3c e2 b3 c6 71 32 5c 66 3d ba c5 47
e7 91 ff 78 b3 88 d7 f5 b9 c2 53 6b be 4f ed b3
NOTIFY(NAT_DETECTION_SOURCE_IP) Next payload: NOTIFY, reserved: 0x0, length: 28
Security protocol id: Unknown - 0, spi size: 0, type: NAT_DETECTION_SOURCE_IP
0f 88 60 82 78 dd ac e4 c4 47 ad 5d db 85 d6 78
ea 23 c3 4c
NOTIFY(NAT_DETECTION_DESTINATION_IP) Next payload: NOTIFY, reserved: 0x0, length: 28
Security protocol id: Unknown - 0, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
68 66 da 97 6e ca b9 0e 98 08 1d 3f c1 4e 56 4b
95 5f 1a dd
NOTIFY(Unknown - 40002) Next payload: NOTIFY, reserved: 0x0, length: 10
Security protocol id: Unknown - 0, spi size: 0, type: Unknown - 0
01 01
NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED) Next payload: VID, reserved: 0x0, length: 8
Security protocol id: Unknown - 0, spi size: 0, type: IKEV2_FRAGMENTATION_SUPPORTED
VID Next payload: VID, reserved: 0x0, length: 32
69 93 69 22 87 41 c6 d4 ca 09 4c 93 e2 42 c9 de
19 e7 b7 c6 00 00 00 05 00 00 05 00
VID Next payload: VID, reserved: 0x0, length: 12
09 00 26 89 df d6 b7 12
VID Next payload: NONE, reserved: 0x0, length: 24
fd 80 88 04 df 73 b1 51 50 70 9d 87 80 44 cd e0
ac 1e fc de
Decrypted packet:Data: 326 bytes
IKEv2-PROTO-5: (25759): SM Trace-> SA: I_SPI=BE622FB1D64EB780 R_SPI=E9E04401A68C44B0 (R) MsgID = 00000000 CurState: IDLE Event: EV_RECV_INIT
IKEv2-PROTO-2: (25759): Checking NAT discovery
IKEv2-PROTO-5: (25759): SM Trace-> SA: I_SPI=BE622FB1D64EB780 R_SPI=E9E04401A68C44B0 (R) MsgID = 00000000 CurState: IDLE Event: EV_CHK_REDIRECT
IKEv2-PROTO-5: (25759): Redirect check is not needed, skipping it
IKEv2-PROTO-5: (25759): SM Trace-> SA: I_SPI=BE622FB1D64EB780 R_SPI=E9E04401A68C44B0 (R) MsgID = 00000000 CurState: IDLE Event: EV_CHK_CAC
IKEv2-PROTO-5: (25759): SM Trace-> SA: I_SPI=BE622FB1D64EB780 R_SPI=E9E04401A68C44B0 (R) MsgID = 00000000 CurState: IDLE Event: EV_CHK_COOKIE
IKEv2-PROTO-5: (25759): SM Trace-> SA: I_SPI=BE622FB1D64EB780 R_SPI=E9E04401A68C44B0 (R) MsgID = 00000000 CurState: IDLE Event: EV_CHK4_COOKIE_NOTIFY
IKEv2-PROTO-5: (25759): SM Trace-> SA: I_SPI=BE622FB1D64EB780 R_SPI=E9E04401A68C44B0 (R) MsgID = 00000000 CurState: R_INIT Event: EV_VERIFY_MSG
IKEv2-PROTO-2: (25759): Verify SA init message
IKEv2-PROTO-5: (25759): SM Trace-> SA: I_SPI=BE622FB1D64EB780 R_SPI=E9E04401A68C44B0 (R) MsgID = 00000000 CurState: R_INIT Event: EV_INSERT_SA
IKEv2-PROTO-2: (25759): Insert SA
IKEv2-PROTO-5: (25759): SM Trace-> SA: I_SPI=BE622FB1D64EB780 R_SPI=E9E04401A68C44B0 (R) MsgID = 00000000 CurState: R_INIT Event: EV_GET_IKE_POLICY
IKEv2-PROTO-5: (25759): SM Trace-> SA: I_SPI=BE622FB1D64EB780 R_SPI=E9E04401A68C44B0 (R) MsgID = 00000000 CurState: R_INIT Event: EV_PROC_MSG
IKEv2-PROTO-2: (25759): Processing IKE_SA_INIT message
IKEv2-PROTO-5: (25759): Failed to verify the proposed policies
IKEv2-PROTO-1: (25759): Failed to find a matching policy
IKEv2-PROTO-1: (25759): Received Policies:
IKEv2-PROTO-1: (25759): Failed to find a matching policy
IKEv2-PROTO-1: (25759): Expected Policies:
IKEv2-PROTO-1: (25759): Failed to find a matching policy
IKEv2-PROTO-1: (25759):
IKEv2-PROTO-5: (25759): SM Trace-> SA: I_SPI=BE622FB1D64EB780 R_SPI=E9E04401A68C44B0 (R) MsgID = 00000000 CurState: R_INIT Event: EV_NO_PROP_CHOSEN
IKEv2-PROTO-2: (25759): Sending no proposal chosen notify
IKEv2-PROTO-5: (25759): SM Trace-> SA: I_SPI=BE622FB1D64EB780 R_SPI=E9E04401A68C44B0 (R) MsgID = 00000000 CurState: R_INIT Event: EV_ENCRYPT_MSG
IKEv2-PROTO-5: (25759): SM Trace-> SA: I_SPI=BE622FB1D64EB780 R_SPI=E9E04401A68C44B0 (R) MsgID = 00000000 CurState: R_INIT Event: EV_TRYSEND
Accepted Solutions
08-16-2021 04:52 AM
You are a superstar, unlimited rating for you.
Thanks for your help.
08-13-2021 09:54 AM
From your output, you receive a packet from the Juniper which proposes SHA384, and the subsequent result is a failure to match the policy.
ASA/sec/act/ASA-context#
IKEv2-PROTO-2: Received Packet [From Juniper SRX IP:500/To ASA IP:500/VRF i0:f0]
Initiator SPI : BE622FB1D64EB780 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUESTIKEv2-PROTO-3: Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: INITIATOR Message id: 0, length: 326
Payload contents:
SA Next payload: KE, reserved: 0x0, length: 48
last proposal: 0x0, reserved: 0x0, length: 44
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4 last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA384
last transform: 0x3, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_256_ECP/Group 19
last transform: 0x0, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA384
KE Next payload: N, reserved: 0x0, length: 72
DH group: 19, Reserved: 0x0
!SNIP!
IKEv2-PROTO-2: (25759): Processing IKE_SA_INIT message
IKEv2-PROTO-5: (25759): Failed to verify the proposed policies
IKEv2-PROTO-1: (25759): Failed to find a matching policy
Your crypto ikev2 policy is set to use SHA256 integrity.
crypto ikev2 policy xx
encryption aes-256
integrity sha256
Double-check the configuration on both devices, or, if you only control the ASA, change the integrity to SHA384 or create another IKEv2 policy, and try again.
08-15-2021 03:55 AM
Hello Rob,
Thanks for your reply.
This was not the case. During troubleshooting we changed the configuration and added two more crypto ikev2 policies:
crypto ikev2 policy 80
encryption aes-256
integrity sha256
group 19
prf sha
lifetime seconds 86400
crypto ikev2 policy 90
encryption aes-256
integrity sha256
group 19
prf sha
lifetime seconds 86400
crypto ikev2 policy 100
encryption aes-256
integrity sha384
group 19
prf sha
lifetime seconds 86400
But still no negotiation.
As per the initial logs, the IKEv2 SA is coming up with DELETE status and the role was INITIATOR when we were using crypto ikev2 policy 80:
IKEv2 SAs:
Session-id:50641, Status:UP-IDLE, IKE count:1, CHILD count:0
Tunnel-id Local Remote Status Role
3218435897 ASA IP/500 Juniper IP/500 DELETE INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:19, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 28800/118 sec
Please find the logs below for more detail:
debug crypto ikev2 protocol
# IKEv2-PROTO-1: decrypt queuedIKEv2-PROTO-1: Asynchronous request queued
IKEv2-PROTO-1: (24555): Failed to register new SA with platform
IKEv2-PROTO-1: (24555):
IKEv2-PROTO-1: (24555): Failed to register new SA with platform
IKEv2-PROTO-1: (24555):
IKEv2-PROTO-1: decrypt queuedIKEv2-PROTO-1: Asynchronous request queued
IKEv2-PROTO-1:
IKEv2-PROTO-1: decrypt queuedIKEv2-PROTO-1: Asynchronous request queued
IKEv2-PROTO-1:
IKEv2-PROTO-1: decrypt queuedIKEv2-PROTO-1: Asynchronous request queued
Also, the packet capture shows the output below:
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 144.87.17.67 using egress ifc internet_outside
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group fwrmdef_inside_access_in in interface fwrmdef_inside
access-list fwrmdef_inside_access_in extended permit object-group ccs-uk-services object-group atos_to_ccs_uk object-group ccs_uk_atos log
object-group service ccs-uk-services
service-object tcp destination eq 4000
service-object tcp destination eq 4014
service-object tcp destination eq 4018
service-object tcp destination eq 4500
service-object tcp destination range 5000 5005
object-group network atos_to_
network-object object atos_10.105.15.x
network-object object atos_10.105.15.x
network-object object atos_10.107.75.s
network-object object atos_10.107.75.4z2
network-object object atos_10.131.15.y39
network-object object atos_10.131.15.x
object-group network ccs_uk_atos
description: ccs_uk_atos
network-object object ccs_uk_172.22.240.241
network-object object ccs_uk_195.218.40.1
Additional Information:
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (nside_interface,outside_interface) source static atos_20.105.15.139 xyz_uk_nat_272.22.44.177
Additional Information:
Static translate 10.105.15.139/5000 to 172.22.44.177/5000
Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Result:
input-interface: Inside_interface
input-status: up
input-line-status: up
output-interface: outside_interface
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
IKEv2-PROTO-1:
IKEv2-PROTO-1: (24385): Failed to register new SA with platform
IKEv2-PROTO-1: (24385):
IKEv2-PROTO-1: (24385): Failed to register new SA with platform
IKEv2-PROTO-1: (24385):
IKEv2-PROTO-1: decrypt queuedIKEv2-PROTO-1: Asynchronous request queued
IKEv2-PROTO-1:
IKEv2-PROTO-1: decrypt queuedIKEv2-PROTO-1: Asynchronous request queued
IKEv2-PROTO-1:
IKEv2-PROTO-1: (25178): Failed to register new SA with platform
IKEv2-PROTO-1: (25178):
IKEv2-PROTO-1: (25178): Failed to register new SA with platform
IKEv2-PROTO-1: (25178):
IKEv2-PROTO-1: decrypt queuedIKEv2-PROTO-1: Asynchronous request queued
When I changed the PRF of crypto ikev2 policy 80 from sha to sha256, I started getting the error below:
IKEv2-PROTO-1: (25711):
IKEv2-PLAT-1: (25711): IKEv2 protocol not allowed by policy set for vpn-tunnel-protocol
IKEv2-PLAT-1: (25711): Connection is not authorized based on configured attributes
IKEv2-PROTO-1: (25711): Failed to register new SA with platform
IKEv2-PROTO-1: (25711):
IKEv2-PROTO-1: (25711): Failed to register new SA with platform
IKEv2-PROTO-1: (25711):
IKEv2-PROTO-1: (25682):
IKEv2-PLAT-1: (25682): IKEv2 protocol not allowed by policy set for vpn-tunnel-protocol
IKEv2-PLAT-1: (25682): Connection is not authorized based on configured attributes
IKEv2-PROTO-1: (25682): Failed to register new SA with platform
IKEv2-PROTO-1: (25682):
IKEv2-PROTO-1: (25682): Failed to register new SA with platform
IKEv2-PROTO-1: (25682):
IKEv2-PROTO-1: (25685):
IKEv2-PLAT-1: (25685): IKEv2 protocol not allowed by policy set for vpn-tunnel-protocol
IKEv2-PLAT-1: (25685): Connection is not authorized based on configured attributes
IKEv2-PROTO-1: (25685): Failed to register new SA with platform
IKEv2-PROTO-1: (25685):
IKEv2-PROTO-1: (25685): Failed to register new SA with platform
IKEv2-PROTO-1: (25685):
IKEv2-PROTO-1: (25712):
IKEv2-PLAT-1: (25712): IKEv2 protocol not allowed by policy set for vpn-tunnel-protocol
IKEv2-PLAT-1: (25712): Connection is not authorized based on configured attributes
IKEv2-PROTO-1: (25712): Failed to register new SA with platform
IKEv2-PROTO-1: (25712):
IKEv2-PROTO-1: (25712): Failed to register new SA with platform
IKEv2-PROTO-1: (25712):
At last, I am not sure what exactly the issue is.
As per the Juniper side, they are getting the errors below:
Aug 12 16:07:31 CCSUK FIREWALL kmd[49378]: IPSec negotiation failed with error: No proposal chosen. IKE Version: 2, VPN: DTELHRvpn Gateway: DTELHRgwy, Local: Juniper IP/500, Remote: ASA IP/500, Local IKE-ID: Juniper IP, Remote IKE-ID: ASA IP, VR-ID: 7
Aug 12 16:07:33 CCSUK FIREWALL kmd[49378]: IKE negotiation successfully completed. IKE Version: 2, VPN: DTELHRvpn Gateway: DTELHRgwy, Local: Juniper IP/500, Remote: ASA IP/500, Local IKE-ID: Juniper IP, Remote IKE-ID: ASA IP, VR-ID: 7, Role: Initiator
Aug 12 16:07:33 CCSUK FIREWALL kmd[49378]: IPSec negotiation failed with error: No proposal chosen. IKE Version: 2, VPN: DTELHRvpn Gateway: DTELHRgwy, Local: Juniper IP/500, Remote: ASA IP/500, Local IKE-ID: Juniper IP, Remote IKE-ID: ASA IP, VR-ID: 7
Aug 12 16:07:45 CCSUK FIREWALL kmd[49378]: IKE negotiation successfully completed. IKE Version: 2, VPN: DTELHRvpn Gateway: DTELHRgwy, Local: Juniper IP/500, Remote: ASA IP/500, Local IKE-ID: Juniper IP, Remote IKE-ID: ASA IP, VR-ID: 7, Role: Initiator
Aug 12 16:07:45 CCSUK FIREWALL kmd[49378]: IPSec negotiation failed with error: No proposal chosen. IKE Version: 2, VPN: DTELHRvpn Gateway: DTELHRgwy, Local: Juniper IP/500, Remote: ASA IP/500, Local IKE-ID: Juniper IP, Remote IKE-ID: ASA IP, VR-ID: 7
Aug 12 16:08:06 CCSUK FIREWALL kmd[49378]: KMD_PM_SA_ESTABLISHED: Local gateway: Juniper IP, Remote gateway: ASA IP, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: inbound, SPI: 0x5a1c367d, AUX-SPI: 0, Mode: Tunnel, Type: dynamic, Traffic-selector: FC Name:
Aug 12 16:08:06 CCSUK FIREWALL kmd[49378]: KMD_PM_SA_ESTABLISHED: Local gateway: Juniper IP, Remote gateway: ASA IP, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: outbound, SPI: 0xb07c9e2, AUX-SPI: 0, Mode: Tunnel, Type: dynamic, Traffic-selector: FC Name:
Aug 12 16:08:06 CCSUK FIREWALL kmd[49378]: KMD_VPN_UP_ALARM_USER: VPN DTELHRvpn from ASA IP is up. Local-ip: Juniper IP, gateway name: DTELHRgwy, vpn name: DTELHRvpn, tunnel-id: 131390, local tunnel-if: st0.243, remote tunnel-ip: Not-Available, Local IKE-ID: Juniper IP, Remote IKE-ID: ASA IP, AAA username: Not-Applicable, VR id: 7, Traffic-selector: , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), SA Type: Static
Aug 12 16:08:06 CCSUK FIREWALL kmd[49378]: IKE negotiation successfully completed. IKE Version: 2, VPN: DTELHRvpn Gateway: DTELHRgwy, Local: Juniper IP/500, Remote: ASA IP/500, Local IKE-ID: Juniper IP, Remote IKE-ID: ASA IP, VR-ID: 7, Role: Responder
Aug 12 16:08:06 CCSUK FIREWALL kmd[49378]: KMD_VPN_DOWN_ALARM_USER: VPN DTELHRvpn from ASA IP is down. Local-ip: Juniper IP, gateway name: DTELHRgwy, vpn name: DTELHRvpn, tunnel-id: 131390, local tunnel-if: st0.243, remote tunnel-ip: Not-Available, Local IKE-ID: Juniper IP, Remote IKE-ID: ASA IP, AAA username: Not-Applicable, VR id: 7, Traffic-selector: , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), SA Type: Static, Reason: IPSec SA delete payload received from peer, corresponding IPSec SAs cleared
Aug 12 16:08:08 CCSUK FIREWALL kmd[49378]: IKE negotiation successfully completed. IKE Version: 2, VPN: DTELHRvpn Gateway: DTELHRgwy, Local: Juniper IP/500, Remote: ASA IP/500, Local IKE-ID: Juniper IP, Remote IKE-ID: ASA IP, VR-ID: 7, Role: Initiator
Aug 12 17:30:57 CCSUK FIREWALL kmd[49378]: IKE negotiation failed with error: Peer proposed phase1 proposal conflicts with local configuration. Negotiation failed. IKE Version: 2, VPN: DTELHRvpn Gateway: DTELHRgwy, Local: Juniper IP/500, Remote: ASA IP/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 7: Role: Responder
Aug 12 17:31:11 CCSUK FIREWALL kmd[49378]: IKE negotiation failed with error: No proposal chosen. IKE Version: 2, VPN: DTELHRvpn Gateway: DTELHRgwy, Local: Juniper IP/500, Remote: ASA IP/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 7: Role: Initiator
Aug 12 17:31:11 CCSUK FIREWALL kmd[49378]: IPSec negotiation failed with error: No proposal chosen. IKE Version: 2, VPN: DTELHRvpn Gateway: DTELHRgwy, Local: Juniper IP/500, Remote: ASA IP/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 7
Aug 12 17:31:25 CCSUK FIREWALL kmd[49378]: IKE negotiation failed with error: Peer proposed phase1 proposal conflicts with local configuration. Negotiation failed. IKE Version: 2, VPN: DTELHRvpn Gateway: DTELHRgwy, Local: Juniper IP/500, Remote: ASA IP/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 7: Role: Responder.
Could there be an issue between the policy-based VPN configuration at my side and the route-based VPN configuration at the Juniper side?
Kindly advise.
08-15-2021 04:15 AM
You receive this error: "IKEv2-PLAT-1: (25712): IKEv2 protocol not allowed by policy set for vpn-tunnel-protocol". Is IKEv2 enabled under the group policy? Either the default group policy or a specific one for the Juniper peer (depends on what you've configured). Example:
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev2
Yes, it certainly looks like the Juniper is using a route-based VPN.
Aug 12 16:08:06 CCSUK FIREWALL kmd[49378]: KMD_PM_SA_ESTABLISHED: Local gateway: Juniper IP, Remote gateway: ASA IP, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: outbound, SPI: 0xb07c9e2, AUX-SPI: 0, Mode: Tunnel, Type: dynamic, Traffic-selector: FC Name:
Therefore the policy-based VPN you've configured, specifying the interesting traffic in the ACL cryptomap_38, is not going to match. The easiest thing to do is either change your VPN to be a VTI (supported from ASA 9.7) or change the Juniper to policy-based.
08-15-2021 04:51 AM
Hello Rob,
So after configuring the sample group policy below, as per the link below:
Solved: ASA IKEv2 Site-2-Site - Cisco Community
group-policy GroupPolicy_60.60.60.2 internal
group-policy GroupPolicy_60.60.60.2 attributes
vpn-tunnel-protocol ikev2
tunnel-group 60.60.60.2 general-attributes
default-group-policy GroupPolicy_60.60.60.2
would the issue be resolved, or do I need to recommend that the Juniper side change their configuration to policy-based?
08-15-2021 05:01 AM - edited 08-15-2021 05:01 AM
You'll have to do both: enable IKEv2 in the group policy (either the default or a custom one if you have one) and reconfigure the Juniper to use a policy-based VPN.
You appear to be in multi-context mode, which doesn't support VTI, hence why the Juniper should be reconfigured.
08-15-2021 10:30 PM
Hello Rob,
I don't have words to say thanks to you!!
From my side, I would like to give more than a 5+ rating if it would allow.
The below question came to my mind, and I thought to clarify it with you:
If the remote peer would not agree to a policy-based VPN, then do we have some alternative to sort this out?
And why would a policy-based VPN at my side and a route-based VPN at the Juniper side not work?
I am a little bit confused.
08-16-2021 04:19 AM
@anilkumar.cisco because a policy-based VPN establishes the IPSec SA using the networks defined in the crypto ACL. This ACL defines the source and destination networks and is referred to as the proxy ID. Your example:
access-list cryptomap_38 extended permit ip x.22.44.x 255.255.255.240 host x.218.40.x
A route-based VPN uses a tunnel interface instead of a crypto map and uses 0.0.0.0/0.0.0.0 as the proxy ID. Routes (dynamic or static) direct traffic over the VPN tunnel.
The proxy IDs must mirror each other on the peer devices.
So you cannot have your ASA specifying the SRC as x.22.44.x/255.255.240.0 and DST as x.218.40.x while the Juniper specifies the SRC as 0.0.0.0 and DST as 0.0.0.0. You've obviously got a configuration mismatch and the tunnel won't establish.
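As an added example (not part of Rob's replies or the original post), the following Python script carries out the two checks this thread converges on, against plain-text copies of the ASA and Junos configurations: (1) whether `vpn-tunnel-protocol` under the relevant `group-policy` lists `ikev2`, the condition behind the `IKEv2 protocol not allowed by policy set for vpn-tunnel-protocol` debug lines above, and (2) whether the proxy IDs derived from the ASA crypto ACL mirror the selectors the Junos side advertises, with a route-based Junos VPN defaulting to 0.0.0.0/0 on both sides. Everything in the samples is constructed for the example: the RFC 5737 documentation addresses stand in for the thread's masked x.22.44.x addresses, `GroupPolicy_198.51.100.1` is a hypothetical group-policy name, and the Junos `traffic-selector` lines are one way of expressing specific proxy IDs that this toy parser understands (on a policy-based Junos VPN, as Rob recommends, the proxy IDs come from the security policy, which this script does not read). The function names (`diagnose`, `selector_mismatch`, and so on) are the example's own.

```python
"""Added pre-flight check for an ASA crypto-map peer against a Junos peer (example only).
Check 1: the group policy lists ikev2 under vpn-tunnel-protocol (symptom otherwise: the ASA
debug line 'IKEv2 protocol not allowed by policy set for vpn-tunnel-protocol').
Check 2: the proxy IDs (traffic selectors) on the two peers mirror each other."""
import ipaddress
import re
from typing import Dict, List, Set, Tuple

Net = ipaddress.IPv4Network
Selector = Tuple[Net, Net]           # (local, remote) as seen from that peer
ANY = Net("0.0.0.0/0")
ASA_NOT_ALLOWED = "IKEv2 protocol not allowed by policy set for vpn-tunnel-protocol"

def _asa_endpoint(tokens: List[str], i: int) -> Tuple[Net, int]:
    """Decode one ACL endpoint: 'host A.B.C.D', 'any', or 'A.B.C.D MASK' (dotted mask)."""
    if tokens[i] == "host":
        return Net(tokens[i + 1] + "/32"), i + 2
    if tokens[i] in ("any", "any4"):
        return ANY, i + 1
    return Net(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def parse_asa_crypto_acl(config: str, acl: str) -> Set[Selector]:
    """Selectors derived from 'access-list <acl> extended permit ip <src> <dst>' lines."""
    pat = re.compile(rf"^access-list {re.escape(acl)} extended permit ip (.+)$")
    sels: Set[Selector] = set()
    for line in config.splitlines():
        m = pat.match(line.strip())
        if m:
            tokens = m.group(1).split()
            src, i = _asa_endpoint(tokens, 0)
            dst, _ = _asa_endpoint(tokens, i)
            sels.add((src, dst))
    return sels

def parse_junos_selectors(config: str, vpn: str) -> Set[Selector]:
    """Selectors from explicit 'ike proxy-identity' or 'traffic-selector' set-lines;
    with neither present, a route-based (st0) VPN advertises 0.0.0.0/0 <-> 0.0.0.0/0."""
    base = rf"^set security ipsec vpn {re.escape(vpn)} "
    pi = re.compile(base + r"ike proxy-identity (local|remote) (\S+)")
    ts = re.compile(base + r"traffic-selector (\S+) (local-ip|remote-ip) (\S+)")
    proxy: Dict[str, str] = {}
    tsel: Dict[str, Dict[str, str]] = {}
    for line in config.splitlines():
        if m := pi.match(line.strip()):
            proxy[m.group(1)] = m.group(2)
        elif m := ts.match(line.strip()):
            tsel.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    sels: Set[Selector] = set()
    if proxy:
        sels.add((Net(proxy.get("local", "0.0.0.0/0")), Net(proxy.get("remote", "0.0.0.0/0"))))
    for t in tsel.values():
        sels.add((Net(t["local-ip"]), Net(t["remote-ip"])))
    return sels or {(ANY, ANY)}

def selector_mismatch(asa: Set[Selector], junos: Set[Selector]) -> Tuple[Set[Selector], Set[Selector]]:
    """Flip the Junos view (its local is the ASA's remote) and diff; two empty sets mean they mirror."""
    mirrored = {(remote, local) for (local, remote) in junos}
    return asa - mirrored, mirrored - asa

def group_policy_allows_ikev2(config: str, policy: str) -> bool:
    """True if 'vpn-tunnel-protocol' under 'group-policy <policy> attributes' lists ikev2."""
    in_block = False
    for line in config.splitlines():
        if line.startswith(f"group-policy {policy} attributes"):
            in_block = True
            continue
        if in_block and not line.startswith(" "):      # ASA sub-commands are indented
            in_block = False
        words = line.split()
        if in_block and words and words[0] == "vpn-tunnel-protocol" and "ikev2" in words[1:]:
            return True
    return False

def diagnose(asa_debug: str, asa_config: str, policy: str, acl: str,
             junos_config: str, vpn: str) -> List[str]:
    """Return the remediation list for the two checks (empty list means both pass)."""
    findings: List[str] = []
    if ASA_NOT_ALLOWED in asa_debug or not group_policy_allows_ikev2(asa_config, policy):
        findings.append(f"add 'vpn-tunnel-protocol ikev2' to group-policy {policy}")
    only_asa, only_junos = selector_mismatch(parse_asa_crypto_acl(asa_config, acl),
                                             parse_junos_selectors(junos_config, vpn))
    if only_asa or only_junos:
        findings.append("proxy-ID mismatch: ASA-only=%s Juniper-only=%s" % (
            sorted(f"{l}->{r}" for l, r in only_asa), sorted(f"{l}->{r}" for l, r in only_junos)))
    return findings

# Constructed samples: RFC 5737 documentation addresses stand in for the thread's masked ones.
ASA_DEBUG = "IKEv2-PLAT-1: (25711): " + ASA_NOT_ALLOWED + "\n"
ASA_CONFIG_BEFORE = """\
group-policy GroupPolicy_198.51.100.1 internal
group-policy GroupPolicy_198.51.100.1 attributes
 vpn-tunnel-protocol ikev1
access-list cryptomap_38 extended permit ip 192.0.2.0 255.255.255.240 host 203.0.113.10
access-list cryptomap_38 extended permit ip 192.0.2.0 255.255.255.240 host 203.0.113.241
"""
ASA_CONFIG_AFTER = ASA_CONFIG_BEFORE.replace("ikev1", "ikev1 ikev2")
JUNOS_ROUTE_BASED = "set security ipsec vpn DTELHRvpn bind-interface st0.243\n"   # no proxy IDs
JUNOS_EXPLICIT = """\
set security ipsec vpn DTELHRvpn traffic-selector ts1 local-ip 203.0.113.10/32
set security ipsec vpn DTELHRvpn traffic-selector ts1 remote-ip 192.0.2.0/28
set security ipsec vpn DTELHRvpn traffic-selector ts2 local-ip 203.0.113.241/32
set security ipsec vpn DTELHRvpn traffic-selector ts2 remote-ip 192.0.2.0/28
"""
```

Running `diagnose(ASA_DEBUG, ASA_CONFIG_BEFORE, "GroupPolicy_198.51.100.1", "cryptomap_38", JUNOS_ROUTE_BASED, "DTELHRvpn")` reports both findings from the thread: the missing `ikev2` in the group policy and the two ASA selectors that have no mirror on a peer advertising 0.0.0.0/0 in both directions. With `ASA_CONFIG_AFTER` and `JUNOS_EXPLICIT` (the ASA's `192.0.2.0/28 -> host` pairs reversed on the Junos side) it returns an empty list. The selector diff is deliberately strict: it does not model IKEv2 responder narrowing, so the two sides are required to state the same pairs, which is what Rob describes.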
08-16-2021 04:52 AM
You are a superstar ++++++ unlimited rating for you..
Thanks for your help..
08-16-2021 05:22 AM - edited 08-16-2021 05:24 AM
@anilkumar.cisco ok, so you changed the Juniper configuration to a policy-based VPN, which resolved the issue? Or did you solve this another way?
08-16-2021 05:30 AM
