VPN between ASA and Juniper SSG-140

Hi,

 

I am trying to configure a VPN between an ASA and a Juniper (initiator). The parameters are the following:

Phase 1:

- AES-256
- SHA1
- DH Gr. 2
- Lifetime 7800

Phase 2:

- ESP-AES-256-SHA
- Group 2
- Lifetime 3600

 

In the log I can see that the ASA sends MM2 but doesn't receive MM3 from the Juniper.

And the ASA is in the MM_WAIT_MSG3 state.

Can somebody say what the problem is?

 

Best regards


GioGonza
Level 4

Hello @Jewgeni Uschegow

 

The state MM_WAIT_MSG3 means you received the first packet and responded with the second one, but you don't receive anything back from the initiator. This means the second packet is lost/blocked somewhere in the path; I would suggest initiating a capture on the Juniper side in order to see if your response gets into that FW.

 

Another thing you should do is involve your ISP and verify that the traffic is being allowed. One more thing: if you have a device in front of the ASA, verify that it's not dropping the packets.

 

HTH

Gio

If you are reaching MM3, check that the proposals and preshared keys are matched. Most likely it will be a preshared key mismatch. Try changing it to a simple one and see if it works, for testing.

Hello Mohammed,
Here I have a quick query. As per the APNIC doc (page 27) below, the third and fourth packets in IKE Phase 1 are the DH exchange, and the 5th and 6th are Peer Identity. Is this information true? You said preshared key mismatch, which comes at peer identity, so I doubt it.

https://training.apnic.net/wp-content/uploads/sites/2/2016/11/eSEC03_IPSec_Basics.pdf

-Shankar
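As an added example (not code from any poster in this thread), the following Python walks the ISAKMP payload chain of captured IKEv1 main mode messages, labels them MM1..MM6 by what they carry (per RFC 2409: SA proposals in MM1/MM2, KE and NONCE for Diffie-Hellman in MM3/MM4, encrypted ID and HASH in MM5/MM6), and names the wait state a peer such as the ASA above would report. The sample messages are constructed inline; the code does not decrypt MM5/MM6 and assumes the RFC 2408 header and generic payload layout.

```python
import struct

# Payload type codes (RFC 2408) that appear in an IKEv1 main mode exchange
PAYLOAD_NAMES = {1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE", 13: "VID"}
MAIN_MODE = 2            # exchange type "Identity Protection"
FLAG_ENCRYPTED = 0x01
# What each main mode message carries (RFC 2409 section 5.4, pre-shared key authentication)
STAGE_OF = {1: "SA proposal", 2: "SA proposal", 3: "KE+NONCE (Diffie-Hellman)",
            4: "KE+NONCE (Diffie-Hellman)", 5: "ID+HASH (encrypted, keyed from PSK)",
            6: "ID+HASH (encrypted, keyed from PSK)"}

def build_isakmp(icookie, rcookie, payloads, flags=0):
    """Constructed sample message; payloads is a list of (type_code, body) tuples."""
    body = b""
    for i, (_ptype, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(data)) + data
    hdr = struct.pack("!8s8sBBBBII", icookie, rcookie, payloads[0][0], 0x10,
                      MAIN_MODE, flags, 0, 28 + len(body))
    return hdr + body

def parse_isakmp(msg):
    """Parse the 28-byte header and walk the payload chain; encrypted bodies are not walked."""
    _ic, _rc, nxt, _ver, exch, flags, _mid, length = struct.unpack("!8s8sBBBBII", msg[:28])
    if length != len(msg):
        raise ValueError("header length does not match message size")
    payloads, off = [], 28
    while not flags & FLAG_ENCRYPTED and nxt != 0:
        if off + 4 > len(msg):
            raise ValueError("truncated payload chain")
        pnext, _res, plen = struct.unpack("!BBH", msg[off:off + 4])
        if plen < 4 or off + plen > len(msg):
            raise ValueError("bad payload length at offset %d" % off)
        payloads.append(PAYLOAD_NAMES.get(nxt, "type%d" % nxt))
        nxt, off = pnext, off + plen
    return {"exchange": exch, "encrypted": bool(flags & FLAG_ENCRYPTED), "payloads": payloads}

def diagnose(messages):
    """Label messages MM1..MM6 (checking payloads fit the stage) and report the next wait state."""
    steps = []
    for raw in messages:
        p, n = parse_isakmp(raw), len(steps) + 1
        if p["exchange"] != MAIN_MODE:
            raise ValueError("message %d is not a main mode exchange" % n)
        if p["encrypted"] != (n >= 5) or (3 <= n <= 4) != ("KE" in p["payloads"]):
            raise ValueError("message %d does not look like MM%d" % (n, n))
        steps.append("MM%d: %s" % (n, STAGE_OF[n]))
    nxt = len(steps) + 1
    waiting = "MM_WAIT_MSG%d, expecting %s" % (nxt, STAGE_OF[nxt]) if nxt <= 6 else "phase 1 complete"
    return steps, waiting
```

Feeding it only MM1 and MM2 from a capture yields the MM_WAIT_MSG3 state from the original post, and the stage label shows that the missing message is the Diffie-Hellman exchange, not the identity/hash message that the pre-shared key protects.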