03-18-2013 10:31 AM
Hi
We want to establish a site-to-site dynamic VPN between a Juniper SRX and a Cisco router. At the center there is a Juniper SRX firewall; at the branch, a Cisco IOS router. The branch IOS router's IP address is dynamic.
Configs and debug outputs are below.
Please help.
JUNIPER SRX CONFIG:
set security ike proposal Teldat_pro1 authentication-method pre-shared-keys
set security ike proposal Teldat_pro1 dh-group group2
set security ike proposal Teldat_pro1 authentication-algorithm sha1
set security ike proposal Teldat_pro1 encryption-algorithm 3des-cbc
set security ike proposal Teldat_pro1 lifetime-seconds 3600
set security ike policy Teldat_ike mode aggressive
set security ike policy Teldat_ike proposals Teldat_pro1
set security ike policy Teldat_ike pre-shared-key ascii-text "$9$q.QntpBhSe5QF/9AIR"
set security ike gateway Teldat_gw ike-policy Teldat_ike
set security ike gateway Teldat_gw dynamic hostname router.router
set security ike gateway Teldat_gw external-interface reth2.0
set security ipsec proposal Teldat_pro2 protocol esp
set security ipsec proposal Teldat_pro2 authentication-algorithm hmac-sha1-96
set security ipsec proposal Teldat_pro2 encryption-algorithm 3des-cbc
set security ipsec proposal Teldat_pro2 lifetime-seconds 3600
set security ipsec policy Teldat_pol perfect-forward-secrecy keys group2
set security ipsec policy Teldat_pol proposals Teldat_pro2
set security ipsec vpn Teldat_vpn ike gateway Teldat_gw
set security ipsec vpn Teldat_vpn ike proxy-identity local 10.100.0.0/16
set security ipsec vpn Teldat_vpn ike proxy-identity remote 10.253.240.248/29
set security ipsec vpn Teldat_vpn ike ipsec-policy Teldat_pol
set security policies from-zone untrust to-zone trust policy Teldat_To_GM match source-address Teldat_Test_Atm
set security policies from-zone untrust to-zone trust policy Teldat_To_GM match destination-address Net_10_100
set security policies from-zone untrust to-zone trust policy Teldat_To_GM match application any
set security policies from-zone untrust to-zone trust policy Teldat_To_GM then permit tunnel ipsec-vpn Teldat_vpn
set security policies from-zone trust to-zone untrust policy GM_To_Teldat match source-address Net_10_100
set security policies from-zone trust to-zone untrust policy GM_To_Teldat match destination-address Teldat_Test_Atm
set security policies from-zone trust to-zone untrust policy GM_To_Teldat match application any
set security policies from-zone trust to-zone untrust policy GM_To_Teldat then permit tunnel ipsec-vpn Teldat_vpn
set security zones security-zone untrust address-book address Teldat_Test_Atm 10.253.240.248/29
CISCO ROUTER CONFIG:
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp key teldat address 0.0.0.0
crypto isakmp profile AGGRESSIVE
keyring default
self-identity fqdn
match identity host .router
initiate mode aggressive
!
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
mode tunnel
!
!
!
crypto map VPN isakmp-profile AGGRESSIVE
crypto map VPN 10 ipsec-isakmp
set peer A.B.C.D
set transform-set TS
set pfs group2
match address VPN-TRAFFIC
!
interface Dialer1
crypto map VPN
CISCO ROUTER DEBUG OUTPUTS:
*Mar 18 15:33:58.863: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 78.189.33.87:500, remote= A.B.C.D:500,
local_proxy= 10.253.240.248/255.255.255.248/256/0,
remote_proxy= 10.100.0.0/255.255.0.0/256/0,
protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Mar 18 15:33:58.867: ISAKMP:(0): SA request profile is AGGRESSIVE
*Mar 18 15:33:58.867: ISAKMP: Created a peer struct for A.B.C.D, peer port 500
*Mar 18 15:33:58.867: ISAKMP: New peer created peer = 0x87623F48 peer_handle = 0x80000006
*Mar 18 15:33:58.867: ISAKMP: Locking peer struct 0x87623F48, refcount 1 for isakmp_initiator
*Mar 18 15:33:58.867: ISAKMP: local port 500, remote port 500
*Mar 18 15:33:58.867: ISAKMP: set new node 0 to QM_IDLE
*Mar 18 15:33:58.867: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 88E98E48
*Mar 18 15:33:58.867: ISAKMP:(0):Found ADDRESS key in keyring default
*Mar 18 15:33:58.867: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Mar 18 15:33:58.867: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Mar 18 15:33:58.867: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Mar 18 15:33:58.867: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Mar 18 15:33:58.867: ISAKMP:(0):SA is doing pre-shared key authentication using id type ID_FQDN
*Mar 18 15:33:58.867: ISAKMP (0): ID payload
next-payload : 13
type : 2
FQDN name : router.router
protocol : 17
port : 0
length : 21
*Mar 18 15:33:58.867: ISAKMP:(0):Total payload length: 21
*Mar 18 15:33:58.867: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_AM
*Mar 18 15:33:58.867: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_AM1
*Mar 18 15:33:58.867: ISAKMP:(0): beginning Aggressive Mode exchange
*Mar 18 15:33:58.867: ISAKMP:(0): sending packet to A.B.C.D my_port 500 peer_port 500 (I) AG_INIT_EXCH
*Mar 18 15:33:58.867: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar 18 15:33:58.891: ISAKMP (0): received packet from A.B.C.D dport 500 sport 500 Global (I) AG_INIT_EXCH
*Mar 18 15:33:58.891: ISAKMP:(0):Couldn't find node: message_id 2462786240
*Mar 18 15:33:58.891: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_AM1
*Mar 18 15:33:58.891: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Mar 18 15:33:58.891: ISAKMP:(0):Old State = IKE_I_AM1 New State = IKE_I_AM1
*Mar 18 15:34:08.867: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...
*Mar 18 15:34:08.867: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Mar 18 15:34:08.867: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH
*Mar 18 15:34:08.867: ISAKMP:(0): sending packet to A.B.C.D my_port 500 peer_port 500 (I) AG_INIT_EXCH
*Mar 18 15:34:08.867: ISAKMP:(0):Sending an IKE IPv4 Packet.
router#
*Mar 18 15:34:18.867: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...
*Mar 18 15:34:18.867: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Mar 18 15:34:18.867: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH
*Mar 18 15:34:18.867: ISAKMP:(0): sending packet to A.B.C.D my_port 500 peer_port 500 (I) AG_INIT_EXCH
*Mar 18 15:34:18.867: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar 18 15:34:18.879: ISAKMP (0): received packet from A.B.C.D dport 500 sport 500 Global (I) AG_INIT_EXCH
*Mar 18 15:34:18.883: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
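As an added example (not part of the original post, and not Juniper or Cisco tooling), the script below cross-checks the IKEv1 Phase 1 parameters that the SRX `set` lines and the IOS `crypto isakmp` lines above have to agree on, checks that the SRX `dynamic hostname` equals the FQDN the router actually put in its ID payload, checks that the proxy IDs are mirrored, and summarises what the router's ISAKMP debug shows. The sample strings are copied from the post; the vendor keyword tables and the IOS policy defaults (DES, SHA, RSA signatures, group 1, 86400 s when a line is omitted) are assumptions that cover only the values on this page.

```python
"""Cross-check SRX vs IOS IKEv1 Phase 1 settings and summarise the IOS ISAKMP debug.
Added example, not part of the original post.  The keyword tables below cover only
the values used on this page (assumption)."""
import ipaddress
import re

# Constructed input: the relevant lines copied from the configs and debug in the post.
SRX_CONFIG = """
set security ike proposal Teldat_pro1 authentication-method pre-shared-keys
set security ike proposal Teldat_pro1 dh-group group2
set security ike proposal Teldat_pro1 authentication-algorithm sha1
set security ike proposal Teldat_pro1 encryption-algorithm 3des-cbc
set security ike proposal Teldat_pro1 lifetime-seconds 3600
set security ike policy Teldat_ike mode aggressive
set security ike gateway Teldat_gw dynamic hostname router.router
set security ipsec vpn Teldat_vpn ike proxy-identity local 10.100.0.0/16
set security ipsec vpn Teldat_vpn ike proxy-identity remote 10.253.240.248/29
"""
IOS_CONFIG = """
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp profile AGGRESSIVE
 initiate mode aggressive
"""
IOS_DEBUG = """
*Mar 18 15:33:58.863: IPSEC(sa_request): ,
  local_proxy= 10.253.240.248/255.255.255.248/256/0,
  remote_proxy= 10.100.0.0/255.255.0.0/256/0,
*Mar 18 15:33:58.867: ISAKMP (0): ID payload
        FQDN name : router.router
*Mar 18 15:33:58.867: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_AM1
*Mar 18 15:33:58.891: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_AM1
*Mar 18 15:33:58.891: ISAKMP:(0):Old State = IKE_I_AM1 New State = IKE_I_AM1
*Mar 18 15:34:08.867: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Mar 18 15:34:18.867: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
"""

# IOS 'crypto isakmp policy' defaults used when a line is omitted (the post's policy omits 'hash').
IOS_DEFAULTS = {"encryption": "des", "hash": "sha", "auth": "rsa-sig", "dh": "1", "lifetime": 86400}
SRX_HASH = {"md5": "md5", "sha1": "sha", "sha-256": "sha256"}
SRX_AUTH = {"pre-shared-keys": "psk", "rsa-signatures": "rsa-sig"}
IOS_AUTH = {"pre-share": "psk", "rsa-sig": "rsa-sig"}
# Lifetime is listed too, although a shorter offer is normally accepted rather than rejected.
PHASE1_KEYS = ("encryption", "hash", "auth", "dh", "lifetime", "mode")


def _find(pattern, text, default=None):
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else default


def _norm_enc(value):
    # '3des-cbc' / '3des' -> '3des'; 'aes-128-cbc' / 'aes 128' -> 'aes-128'; bare 'aes' is 128-bit on IOS
    v = value.strip().replace("-cbc", "").replace(" ", "-")
    return "aes-128" if v == "aes" else v


def _proxy(name, debug):
    # IOS prints proxy IDs as ip/dotted-mask; ipaddress accepts that form directly
    m = re.search(name + r"= ([\d.]+)/([\d.]+)/", debug)
    return ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}") if m else None


def parse_srx(cfg):
    return {
        "encryption": _norm_enc(_find(r"ike proposal \S+ encryption-algorithm (\S+)", cfg)),
        "hash": SRX_HASH[_find(r"ike proposal \S+ authentication-algorithm (\S+)", cfg)],
        "auth": SRX_AUTH[_find(r"ike proposal \S+ authentication-method (\S+)", cfg)],
        "dh": _find(r"dh-group group(\d+)", cfg),
        "lifetime": int(_find(r"ike proposal \S+ lifetime-seconds (\d+)", cfg)),
        "mode": _find(r"ike policy \S+ mode (\S+)", cfg, "main"),
        "peer_id": _find(r"dynamic hostname (\S+)", cfg),
        "local_proxy": ipaddress.ip_network(_find(r"proxy-identity local (\S+)", cfg)),
        "remote_proxy": ipaddress.ip_network(_find(r"proxy-identity remote (\S+)", cfg)),
    }


def parse_ios(cfg, debug):
    p = dict(IOS_DEFAULTS)
    enc = _find(r"^\s*encr\w* (.+?)\s*$", cfg)
    if enc:
        p["encryption"] = _norm_enc(enc)
    h = _find(r"^\s*hash (\S+)", cfg)
    if h:
        p["hash"] = h
    a = _find(r"^\s*authentication (\S+)", cfg)
    if a:
        p["auth"] = IOS_AUTH[a]
    g = _find(r"^\s*group (\d+)", cfg)
    if g:
        p["dh"] = g
    lt = _find(r"^\s*lifetime (\d+)", cfg)
    if lt:
        p["lifetime"] = int(lt)
    p["mode"] = "aggressive" if re.search(r"initiate mode aggressive", cfg) else "main"
    # 'self-identity fqdn' is resolved at runtime, so read the ID the router actually sent
    p["my_id"] = _find(r"FQDN name : (\S+)", debug)
    p["local_proxy"] = _proxy("local_proxy", debug)
    p["remote_proxy"] = _proxy("remote_proxy", debug)
    return p


def compare_phase1(srx, ios):
    """Phase 1 attributes on which the two sides disagree (empty list = they line up on paper)."""
    return [k for k in PHASE1_KEYS if srx[k] != ios[k]]


def identity_matches(srx, ios):
    # the SRX 'dynamic hostname' must equal the FQDN in the router's ID payload
    return srx["peer_id"] == ios["my_id"]


def proxy_ids_mirror(srx, ios):
    # proxy IDs are written from each side's own viewpoint, so they must be mirrored
    return srx["local_proxy"] == ios["remote_proxy"] and srx["remote_proxy"] == ios["local_proxy"]


def summarize_debug(debug):
    states = re.findall(r"Old State = (\S+) New State = (\S+)", debug)
    return {
        "final_state": states[-1][1] if states else None,
        "retransmits": len(re.findall(r"attempt \d+ of \d+: retransmit phase 1", debug)),
        # the peer answered AM1 with an informational notify instead of the second AM packet
        "notify_instead_of_am2": bool(re.search(r"IKE_INFO_NOTIFY: state = IKE_I_AM1", debug)),
    }


def report(srx_cfg=SRX_CONFIG, ios_cfg=IOS_CONFIG, debug=IOS_DEBUG):
    srx, ios = parse_srx(srx_cfg), parse_ios(ios_cfg, debug)
    return {
        "phase1_mismatches": compare_phase1(srx, ios),
        "identity_ok": identity_matches(srx, ios),
        "proxy_ids_ok": proxy_ids_mirror(srx, ios),
        "debug": summarize_debug(debug),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

For the configs in this post the check finds no Phase 1 mismatch, the identity and proxy IDs line up, and the debug summary is an initiator stuck in IKE_I_AM1 that received an informational notify and then retransmitted. The script cannot see the pre-shared key values, whether there is NAT between the sites, or whether reth2.0 is the interface that actually receives UDP/500 on the SRX, so a clean result narrows the search rather than closing it; the SRX side (`show security ike security-associations` and IKE traceoptions) is where the contents of that notify would show up.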