01-07-2024 03:07 PM - edited 01-07-2024 03:08 PM
Hi
Trying to build a VPN between an ASA and a Juniper FW.
I have an ASA on one end and the other end is a Juniper SRX that sits behind another Juniper FW.
I am using IKEv2 and phase 1 comes up but phase 2 is failing.
Please can someone help and look at the ASA logs attached to identify the problem?
Thanks : )
01-07-2024 03:18 PM
IKEv2-PROTO-1: (734): Failed to find a matching policy
IKEv2-PROTO-1: (734): Received Policies:
ESP: Proposal 1: AES-CBC-256 SHA256 Don't use ESN
IKEv2-PROTO-1: (734): Failed to find a matching policy
IKEv2-PROTO-1: (734): Expected Policies:
ESP: Proposal 0: AES-CBC-256 SHA96 Don't use ESN
Did you change the integrity in your ipsec-proposal to match up to the sha256 value for integrity?
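The mismatch in the quoted debug is easy to read by eye, but once there are several proposals on each side it is worth parsing the "Received Policies" / "Expected Policies" blocks and diffing them field by field. The script below is an added example, not code from the thread or from Cisco; it parses the ESP proposal lines in the exact layout the ASA prints above (encryption, integrity, optional DH group, ESN flag) and reports which field keeps each received proposal from matching an expected one. The debug text is embedded as a constructed sample taken from the lines quoted in this post.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the ASA "debug crypto ikev2" lines quoted above.
SAMPLE_DEBUG = """\
IKEv2-PROTO-1: (734): Failed to find a matching policy
IKEv2-PROTO-1: (734): Received Policies:
ESP: Proposal 1: AES-CBC-256 SHA256 Don't use ESN
IKEv2-PROTO-1: (734): Failed to find a matching policy
IKEv2-PROTO-1: (734): Expected Policies:
ESP: Proposal 0: AES-CBC-256 SHA96 Don't use ESN
"""

SECTION_RE = re.compile(r"(Received|Expected) Policies:")
PROPOSAL_RE = re.compile(r"^ESP: Proposal (\d+): (.+)$")
ESN_RE = re.compile(r"\s*(Don't use ESN|Use ESN)\s*$")
FIELDS = ("encryption", "integrity", "dh_group", "esn")


@dataclass(frozen=True)
class EspProposal:
    number: int
    encryption: str
    integrity: str
    dh_group: Optional[str]  # None when the proposal carries no PFS group
    esn: bool


def parse_proposal(line: str) -> Optional[EspProposal]:
    """Parse one 'ESP: Proposal N: ...' line; return None for any other line."""
    m = PROPOSAL_RE.match(line.strip())
    if not m:
        return None
    number, body = int(m.group(1)), m.group(2)
    esn = False
    em = ESN_RE.search(body)
    if em:
        esn = em.group(1) == "Use ESN"
        body = body[: em.start()]
    parts = body.split()
    if len(parts) < 2:
        return None
    # Layout: <encryption> <integrity> [<dh group, which may contain a space>]
    return EspProposal(number, parts[0], parts[1], " ".join(parts[2:]) or None, esn)


def parse_policies(debug_text: str) -> Dict[str, List[EspProposal]]:
    """Collect the proposals listed under 'Received Policies' and 'Expected Policies'."""
    policies: Dict[str, List[EspProposal]] = {"received": [], "expected": []}
    current = None
    for line in debug_text.splitlines():
        sm = SECTION_RE.search(line)
        if sm:
            current = sm.group(1).lower()
            continue
        prop = parse_proposal(line)
        if prop is None:
            current = None  # any other debug line ends the proposal list
        elif current is not None:
            policies[current].append(prop)
    return policies


def same_crypto(a: EspProposal, b: EspProposal) -> bool:
    return all(getattr(a, f) == getattr(b, f) for f in FIELDS)


def explain_mismatch(policies: Dict[str, List[EspProposal]]) -> List[str]:
    """One finding per (received, expected) pair when no expected proposal
    matches a received one, naming exactly the fields that differ."""
    findings = []
    for r in policies["received"]:
        if any(same_crypto(r, e) for e in policies["expected"]):
            continue
        for e in policies["expected"]:
            diffs = [
                f"{f}: received {getattr(r, f)!r}, expected {getattr(e, f)!r}"
                for f in FIELDS
                if getattr(r, f) != getattr(e, f)
            ]
            findings.append(
                f"received proposal {r.number} vs expected proposal {e.number}: "
                + "; ".join(diffs)
            )
    return findings


if __name__ == "__main__":
    for finding in explain_mismatch(parse_policies(SAMPLE_DEBUG)):
        print(finding)
```

Run against the sample it reports a single finding, "integrity: received 'SHA256', expected 'SHA96'", which is the SHA-1-96 versus SHA-256 integrity gap the reply points at; proposals that also carry a PFS group (the "DH_GROUP_... / Group N" form) are parsed into the dh_group field so a group mismatch shows up the same way.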
01-08-2024 03:04 PM - edited 01-08-2024 03:15 PM
Hi
Thanks for the reply. I have matched the integrity on both ends but the VPN has still not come up.
The ASA kind of builds Phase 1 and Phase 2, but on the SRX I don't see any SA and the negotiation keeps failing:
root@CORE-SRX>
ID Port Gateway Pending SAs Tunnel Down Reason
131073 500 188.84.131.2 1 No response from peer. Negotiation failed (53 times)
01-08-2024 03:27 PM
On the ASA I see the following error but could not understand it:
length: 256
IKEv2-PROTO-1: A supplied parameter is incorrect
IKEv2-PROTO-1:
IKEv2-PROTO-1: Could not find neg context
IKEv2-PROTO-1: Couldn't find matching SA
01-08-2024 03:56 PM
31842079 188.84.131.2/4500 197.168.10.10/15001 READY RESPONDER
The remote uses an unknown UDP port 15001??
Contact them and correct the port to be 500 or 4500 (if there is NAT).
MHM
01-09-2024 02:50 PM
Hi, thanks for the reply.
Let me share my topology for better understanding.
Yes, the ASA FW is the responder and the SRX FW is the one that initiates the VPN negotiation.
IP 197.168.10.10 is the NATed IP, and the FW that initiates the VPN negotiation has the original IP 172.168.12.2.
Following is my NAT configuration.
set security nat source pool ASA-VPN-NAT-POOl address 197.168.10.10/32
set security nat source rule-set my-rule-set from zone TRANSIT-ZONE
set security nat source rule-set my-rule-set to zone untrust
set security nat source rule-set my-rule-set rule r-1 match source-address 172.168.12.2/32
set security nat source rule-set my-rule-set rule r-1 match destination-address 188.84.131.2/32
set security nat source rule-set my-rule-set rule r-1 then source-nat pool ASA-VPN-NAT-POOl
I have checked that NAT is taking place correctly and there is no issue. On my internal SRX I can see that the packets from the ASA [188.84.131.2] on port 4500 are received, but the internal FW is dropping the packets even though I have allowed that flow in the policy. I have included the packet capture from the FW. [SRX-NG-Dropping-UDP4500.txt]
01-09-2024 03:22 PM
I don't have a lot of info about NAT in Juniper,
but you need static NAT 1:1 or PAT for ports 4500 and 500.
I think using a pool does not keep the UDP port the same.
MHM
01-11-2024 03:04 PM
Hi All
Thanks for your help. I have managed to fix the issue. My Core SRX was dropping the traffic for port 4500. I did share the log in my previous post under "SRX-NG-Droping-UDP4500".
This was due to the ike protocol not being enabled on the SRX interfaces, so the FW was dropping the traffic.
Actually, in my config, I did allow that traffic at the zone level, but I was not aware that I needed to allow the ike protocol at the interface level of the FW as well.
Config that was not working:
set security zones security-zone TRANSIT-ZONE host-inbound-traffic system-services ping
set security zones security-zone TRANSIT-ZONE host-inbound-traffic system-services ike
set security zones security-zone TRANSIT-ZONE interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
Once I changed the config to the following it started working:
set security zones security-zone TRANSIT-ZONE host-inbound-traffic system-services ping
set security zones security-zone TRANSIT-ZONE host-inbound-traffic system-services ike
set security zones security-zone TRANSIT-ZONE interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
set security zones security-zone TRANSIT-ZONE interfaces ge-0/0/1.0 host-inbound-traffic system-services ike
----------------------------------------------------------------------------------------------------------
Thanks
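The root cause in this post is a Junos evaluation rule that is easy to miss when reading the config: once an interface has its own host-inbound-traffic stanza, only that stanza applies to the interface and the zone-level list no longer covers it, so a zone that allows ike can still have an interface that drops IKE. The checker below is an added example (not from the thread, not Juniper code) that models exactly that rule over "set" lines, answers whether a given system-service is allowed on a given interface, and audits every zone for interfaces whose own stanza drops ike while the zone allows it. The two configs are the ones quoted in the post; the extra ge-0/0/2.0 membership line is constructed, and the "except" keyword of host-inbound-traffic is not modelled.

```python
import re
from typing import Dict, List, Set, Tuple

# Quoted from the post above: the zone config that dropped IKE on ge-0/0/1.0.
CONFIG_BEFORE = """\
set security zones security-zone TRANSIT-ZONE host-inbound-traffic system-services ping
set security zones security-zone TRANSIT-ZONE host-inbound-traffic system-services ike
set security zones security-zone TRANSIT-ZONE interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
"""
# The working config from the post: one extra interface-level line.
CONFIG_AFTER = CONFIG_BEFORE + (
    "set security zones security-zone TRANSIT-ZONE interfaces ge-0/0/1.0 "
    "host-inbound-traffic system-services ike\n"
)
# Constructed extra line (not from the thread): a second zone member interface
# that has no host-inbound-traffic stanza of its own.
EXTRA_IFACE = "set security zones security-zone TRANSIT-ZONE interfaces ge-0/0/2.0\n"

Service = Tuple[str, str]  # ("system-services" | "protocols", name)

ZONE_HIT_RE = re.compile(
    r"^set security zones security-zone (\S+) host-inbound-traffic "
    r"(system-services|protocols) (\S+)$")
IFACE_HIT_RE = re.compile(
    r"^set security zones security-zone (\S+) interfaces (\S+) host-inbound-traffic "
    r"(system-services|protocols) (\S+)$")
IFACE_RE = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)$")


class Zone:
    def __init__(self) -> None:
        self.services: Set[Service] = set()            # zone-level list
        self.interfaces: Dict[str, Set[Service]] = {}  # per-interface lists


def parse_zones(config: str) -> Dict[str, Zone]:
    """Build zone objects from Junos 'set security zones ...' lines."""
    zones: Dict[str, Zone] = {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := IFACE_HIT_RE.match(line):
            zone, ifname, kind, name = m.groups()
            zones.setdefault(zone, Zone()).interfaces.setdefault(ifname, set()).add((kind, name))
        elif m := ZONE_HIT_RE.match(line):
            zone, kind, name = m.groups()
            zones.setdefault(zone, Zone()).services.add((kind, name))
        elif m := IFACE_RE.match(line):
            zone, ifname = m.groups()
            zones.setdefault(zone, Zone()).interfaces.setdefault(ifname, set())
    return zones


def effective_services(zones: Dict[str, Zone], zone: str, ifname: str) -> Set[Service]:
    """Rule modelled here (the behaviour the post ran into): an interface-level
    host-inbound-traffic stanza replaces the zone-level list for that interface;
    an interface without its own stanza inherits the zone list."""
    z = zones[zone]
    own = z.interfaces.get(ifname, set())
    return own if own else z.services


def allows(zones: Dict[str, Zone], zone: str, ifname: str, kind: str, name: str) -> bool:
    """True if the service reaches the Routing Engine on this interface ('all' counts)."""
    svcs = effective_services(zones, zone, ifname)
    return (kind, name) in svcs or (kind, "all") in svcs


def audit_ike(zones: Dict[str, Zone]) -> List[Tuple[str, str]]:
    """Interfaces whose own stanza silently drops IKE although their zone allows it."""
    gaps = []
    for zname, z in zones.items():
        zone_allows = ("system-services", "ike") in z.services or ("system-services", "all") in z.services
        for ifname, own in z.interfaces.items():
            if own and zone_allows and not allows(zones, zname, ifname, "system-services", "ike"):
                gaps.append((zname, ifname))
    return gaps


if __name__ == "__main__":
    print("before:", audit_ike(parse_zones(CONFIG_BEFORE + EXTRA_IFACE)))
    print("after: ", audit_ike(parse_zones(CONFIG_AFTER)))
```

On the first config the audit flags ("TRANSIT-ZONE", "ge-0/0/1.0") while ge-0/0/2.0, which has no stanza of its own, inherits ike from the zone; on the corrected config the audit is empty. Running this kind of check over the whole zones stanza before a tunnel is brought up catches the "allowed at zone level, overridden at interface level" case without a packet capture.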
01-11-2024 03:17 PM
You are so so welcome
Glad my suggestion helped you.
Have a nice weekend
MHM
05-29-2024 03:33 AM
We hit something similar:
IKEv2-PROTO-2: (903): Failed to find a matching policy
IKEv2-PROTO-2: (903): Received Policies:
ESP: Proposal 1: AES-CBC-256 SHA512 DH_GROUP_521_ECP/Group 21 Don't use ESN
After checking the ipsec-proposal config on the ASA everything looked good and should have matched.
This was during the usual IKE debugs:
debug crypto ikev2 protocol 127
debug crypto ikev2 platform 127
In the end it was a simple matter that we were doing a VTI on ASA and we forgot to configure a tunnel ip address.
interface TunX
description FarSide-SiteX
nameif vtiX
ip address 10.1.1.0 255.255.255.254 <-- We were missing this
tunnel source interface external
tunnel destination 1.1.1.X
tunnel mode ipsec ipv4
tunnel protection ipsec profile PR-FARSIDE
tunnel protection ipsec policy CACL-FARSIDE
exit