11-06-2014 06:52 AM - edited 02-21-2020 07:55 PM
Hello, for several days I have been trying to establish a site-to-site VPN from a Juniper SSG5 (ScreenOS 6.3.0r12.0) to a Cisco 2921 router (with ISM crypto engine running IOS 15.4(2)T1 w/ securityk9 license). I am now reaching out to the forum hoping that someone will be able to pinpoint why my VPN won't establish.
Setup
SSG5 LAN side: interface bgroup0 in zone Trust, subnet 172.27.35.0/29.
SSG5 internet side: interface eth0/0 in zone Untrust, DHCP assigned public IP address (shown as 2.2.2.2 in attached logs).
SSG5 VPN is configured as route-based (bound to interface tunnel.1) with explicitly configured proxy ids.
Two Cisco 2921 routers running stateful switchover (SSO), which supports only crypto map based VPNs:
Cisco internet side: interface gig0/2.99 in global vrf with HSRP address 1.1.1.1.
Cisco LAN side: interface gig0/0.15 in vrf AUX-SITES with subnet 172.27.32.80/29.
Initially it will be sufficient to establish VPN communication between the 172.27.35.0/29 and 172.27.32.80/29 subnets.
Cisco router pair is in use for other static IP site-to-site VPNs (with Cisco ASA as remote gateways) - this problem is specifically about VPN to Juniper SSG5.
Results
There is full connectivity between the SSG5 and Cisco routers' internet facing interfaces.
When passing traffic from 172.27.35.0/29 to 172.27.32.80/29, IKE phase 1 completes successfully but phase 2 fails.
After hours of troubleshooting, I am fairly sure the proxy IDs/ACLs and transform sets are identically configured on both sides.
Cisco configuration
crypto keyring AUX-SITES
 description Juniper SSG5 remote sites
 pre-shared-key address 0.0.0.0 0.0.0.0 key <scrubbed>
crypto isakmp profile AUX-SITES
 vrf AUX-SITES
 keyring AUX-SITES
 match identity address 0.0.0.0
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
ip access-list extended AUX-REMOTE-A
 permit ip 172.27.32.80 0.0.0.7 172.27.35.0 0.0.0.7 log
crypto dynamic-map AUX-REMOTES 10
 set security-association lifetime kilobytes disable
 set security-association lifetime seconds 28800
 set transform-set ESP-AES256-SHA
 set pfs group2
 match address AUX-REMOTE-A
 reverse-route
crypto map VPN 65000 ipsec-isakmp dynamic AUX-REMOTES
interface GigabitEthernet0/0.15
 description INTERNAL NETWORK
 encapsulation dot1Q 15
 ip vrf forwarding AUX-SITES
 ip address 172.27.32.85 255.255.255.248
 standby 15 ip 172.27.32.84
interface GigabitEthernet0/2.99
 description INTERNET
 encapsulation dot1Q 3900
 ip address 1.1.1.2 255.255.255.240
 standby 99 ip 1.1.1.1
 standby 99 name HA-INTERNET
 standby 99 track 2 decrement 10
crypto map VPN redundancy HA-INTERNET stateful
Juniper SSG5 configuration
set interface "ethernet0/0" zone "Untrust"
set interface ethernet0/0 route
set interface ethernet0/0 dhcp client enable <-- ext i/f currently holds public IP address ("2.2.2.2")
set interface "tunnel.1" zone "Untrust"
set interface tunnel.1 ip unnumbered interface ethernet0/0
set interface "bgroup0" zone "Trust"
set interface bgroup0 ip 172.27.35.1/29
set interface bgroup0 route
set ike p1-proposal "PRE-G2-AES256-SHA" preshare group2 esp aes256 sha-1 minute 1440
set ike p2-proposal "PFS2-ESP-AES256-SHA-28800" group2 esp aes256 sha-1 second 28800
set ike gateway "GW" address 194.14.80.10 Main outgoing-interface "ethernet0/0" preshare "<scrubbed>" proposal "PRE-G2-AES256-SHA"
set vpn "VPN" gateway "GW" no-replay tunnel idletime 0 proposal "PFS2-ESP-AES256-SHA-28800"
set vpn "VPN" id 0x3 bind interface tunnel.1
set vpn "VPN" proxy-id check
set vpn "VPN" proxy-id local-ip 172.27.35.0/29 remote-ip 172.27.32.80/29 "ANY"
set policy id 1 from "Trust" to "Untrust" "net-172.27.35.0/29" "net-172.27.32.80/29" "ANY" permit log
set policy id 1
exit
set route 172.27.32.80/29 interface tunnel.1 permanent
Cisco router status after unsuccessful attempt to send traffic from SSG5 LAN to Cisco LAN
Cisco2921#sh crypto isakmp sa detail
IPv4 Crypto ISAKMP SA
C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.
20131 1.1.1.1 2.2.2.2 AUX-SI ACTIVE aes sha psk 2 23:51:39
Engine-id:Conn-id = ISM VPN:131
Cisco2921#show crypto ipsec sa peer 2.2.2.2
Cisco2921#sh crypto session
Interface: GigabitEthernet0/2.99
Profile: AUX-SITES
Session status: UP-IDLE
Peer: 2.2.2.2 port 500
Session ID: 0
IKEv1 SA: local 1.1.1.1/500 remote 2.2.2.2/500 Active
Debug outputs
As attachments.
Any help with this would be greatly appreciated!
Cheers,
Anders Aberg
11-07-2014 12:39 PM
Hi,
Thanks for contacting the Cisco Support Community! I analysed the debug provided and I was able to find the following:
Nov 6 11:39:50.506: Cannot find crypto swsb : in ipsec_process_proposal (), 1590
Nov 6 11:39:50.506: IPSEC(ipsec_process_proposal): proxy identities not supported
Nov 6 11:39:50.506: ISAKMP:(20131): IPSec policy invalidated proposal with error 32
Nov 6 11:39:50.506: ISAKMP:(20131): phase 2 SA policy not acceptable! (local 1.1.1.1 remote 2.2.2.2)
These messages appear when there is a mismatch in the ACLs configured on the two devices. I went further and checked how a Juniper firewall should be configured for a route-based VPN, and it seems that they match.
I have seen cases where, after re-entering the ACL on the Juniper device, the VPN is created and starts sending traffic.
So, could you please try to re-enter the ACL on the Juniper and test the connection again?
Also, this problem could be related to one of the devices being behind a NAT device, so if this is true, you need to point to the real IP address and not the public IP address.
Please let me know if this works for you,
Have a great day!
Best regards,
Osvaldo Garcia
11-14-2014 01:47 PM
Hi Osvaldo,
Many thanks for your feedback. I have followed your advice to remove the VPN ACL on the Juniper box and re-create it, however the result is still the same and logs look identical on both sides. The Juniper box was also rebooted in the process.
None of the endpoints is behind a NAT device. Ultimately I would want this setup to work with the Juniper SSG5 located behind a NAT/PAT router, but this is not the case today. The Juniper SSG5 is currently getting a public routable IP address via DHCP.
One line in the Cisco log comes across as strange - should I really be seeing transform=NONE in the proposal from the SSG5:
Nov 6 11:39:50.506: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 1.1.1.1:0, remote= 2.2.2.2:0,
local_proxy= 172.27.32.80/255.255.255.248/256/0,
remote_proxy= 172.27.35.0/255.255.255.248/256/0,
protocol= ESP, transform= NONE (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
Cheers,
Anders Aberg
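As an added illustration (not code from either poster), here is a small Python checker that normalises the three forms in which the proxy identity appears in this thread (the IOS crypto ACL with its wildcard mask, the ScreenOS proxy-id line, and the local_proxy/remote_proxy fields of the IOS debug) and reports whether the two sides mirror each other, which is the mismatch the "proxy identities not supported" message points at. The sample lines are copied from the configuration and debug above; the function names are my own.

```python
import ipaddress
import re

# Sample inputs, constructed from the configuration and debug quoted in this thread.
CISCO_ACE = "permit ip 172.27.32.80 0.0.0.7 172.27.35.0 0.0.0.7 log"
SCREENOS_PROXY_ID = ('set vpn "VPN" proxy-id local-ip 172.27.35.0/29 '
                     'remote-ip 172.27.32.80/29 "ANY"')
IOS_DEBUG = ("local_proxy= 172.27.32.80/255.255.255.248/256/0, "
             "remote_proxy= 172.27.35.0/255.255.255.248/256/0,")


def wildcard_to_network(addr, wildcard):
    """IOS ACLs use inverted wildcard masks; turn addr/wildcard into a prefix."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)


def parse_cisco_ace(line):
    """(local, remote, proto) as seen from the IOS side of a crypto ACL entry."""
    m = re.match(r"permit\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)", line.strip())
    proto, src, swc, dst, dwc = m.groups()
    return wildcard_to_network(src, swc), wildcard_to_network(dst, dwc), proto.lower()


def parse_screenos_proxy_id(line):
    """(local, remote, proto) as seen from the ScreenOS side; service ANY means any IP."""
    m = re.search(r'local-ip\s+(\S+)\s+remote-ip\s+(\S+)\s+"(\w+)"', line)
    local, remote, svc = m.groups()
    proto = "ip" if svc.upper() == "ANY" else svc.lower()
    return ipaddress.ip_network(local), ipaddress.ip_network(remote), proto


def parse_ios_debug(text):
    """(local, remote, proto) from an IPSEC(validate_proposal_request) debug line.
    IOS prints addr/mask/protocol/port; protocol 256 means any IP protocol."""
    m = re.search(r"local_proxy=\s*([\d.]+)/([\d.]+)/(\d+)/\d+,\s*"
                  r"remote_proxy=\s*([\d.]+)/([\d.]+)/(\d+)/\d+", text)
    la, lm, lp, ra, rm, rp = m.groups()
    proto = "ip" if lp == "256" and rp == "256" else f"{lp}/{rp}"
    return ipaddress.ip_network(f"{la}/{lm}"), ipaddress.ip_network(f"{ra}/{rm}"), proto


def proxy_ids_mirror(a, b):
    """True when both sides describe the same tunnel: B's local is A's remote and vice versa."""
    return a[0] == b[1] and a[1] == b[0] and a[2] == b[2]


def check_thread_config():
    """Compare the thread's values; returns (acl mirrors proxy-id, debug matches acl)."""
    cisco = parse_cisco_ace(CISCO_ACE)
    juniper = parse_screenos_proxy_id(SCREENOS_PROXY_ID)
    seen_by_ios = parse_ios_debug(IOS_DEBUG)
    return proxy_ids_mirror(cisco, juniper), seen_by_ios == cisco
```

For the values in this thread the checker reports a clean mirror on both counts, so a /29 versus /30 typo in the proxy ID can be ruled out and attention moves to what else the router evaluates against the proposal.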