Trying to establish a VPN between a Cisco router and a Juniper SRX, and I feel like I'm teetering on the edge of success here.
Topology:
[Juniper SRX]----{Big bad internets}----[NAT router 1]----[NAT router 2]----[Cisco 1841]
(Yes, double NAT - long story, don't ask.) The 1841 sits behind my broadband router at home, so it is doing aggressive mode to the Juniper, which is on a (for all intents and purposes) static IP.
Phase 1 seems to be ok; on the Cisco side I'm getting to QM_IDLE, which is usually a good sign.
Phase 2 is a bit dubious though, as I don't seem to be getting any errors on the Cisco side when debugging. The Juniper side is much more difficult to debug.
So, on the Cisco I see this:
eal-vpn1#show crypto isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
86.181.x.y 172.25.144.20 QM_IDLE 1003 ACTIVE
IPv6 Crypto ISAKMP SA
eal-vpn1#show crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 172.25.144.20
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 86.181.x.y port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 172.25.144.20, remote crypto endpt.: 86.181.x.y
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
eal-vpn1#show crypto map
Crypto Map IPv4 "Tunnel0-head-0" 65536 ipsec-isakmp
Profile name: c2j-1
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
ESP_AES256: { esp-256-aes esp-sha256-hmac } ,
}
Crypto Map IPv4 "Tunnel0-head-0" 65537 ipsec-isakmp
Map is a PROFILE INSTANCE.
Peer = 86.181.x.y
Extended IP access list
access-list permit ip any any
Current peer: 86.181.x.y
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
ESP_AES256: { esp-256-aes esp-sha256-hmac } ,
}
Always create SAs
Interfaces using crypto map Tunnel0-head-0:
Tunnel0
On the Juniper side I see this:
tom@srx110> show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
7233097 UP 3b7e0b0ef0634d6b 9a65123b249930e6 Aggressive 82.28.a.b
7233094 UP 756bd8a820ca55e4 2c45efabc95aeb55 Aggressive 82.28.a.b
tom@srx110> show security ipsec security-associations
Total active tunnels: 0
tom@srx110> show security ipsec inactive-tunnels
Total inactive tunnels: 2
Total inactive tunnels with establish immediately: 1
ID Port Nego# Fail# Flag Gateway Tunnel Down Reason
131074 500 0 0 604a29 SA not initiated
131073 500 0 0 604a29 SA not initiated
tom@srx110> show security ipsec inactive-tunnels detail
ID: 131074 Virtual-system: root, VPN Name: ipsec-vpn-c2j-1
Local Gateway: 86.181.x.y
Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Version: IKEv1
DF-bit: clear
Bind-interface: st0.1
Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0x604a29
Last Tunnel Down Reason: SA not initiated
ID: 131073 Virtual-system: root, VPN Name: ipsec-vpn-j2j-1
Local Gateway: 86.181.x.y
Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Version: IKEv1
DF-bit: clear
Bind-interface: st0.0
Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0x604a29
Last Tunnel Down Reason: SA not initiated
And when debugging on the Cisco this is about all I see for "debug crypto ipsec":
*Nov 20 23:20:40.203 UTC: IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 172.25.144.20:0, remote= 86.181.x.y:0,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
*Nov 20 23:20:40.203 UTC: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 172.25.144.20:500, remote= 86.181.x.y:500,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
protocol= ESP, transform= esp-aes 256 esp-sha256-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
Just those messages over and over.
The end result is that the tunnel interfaces that make up this VPN are not coming up.
Configs attached. Let me know if you need any more debug output; I'm about to run to bed but thought I might see if anyone can spot anything obvious that I'm doing wrong! I've scoured the depths of the Internet and everything I'm doing seems to match; others are reporting success with the same config, but mine doesn't seem to work? :-(
Thanks
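As an added example (not part of the original post, and not a vendor tool): a small Python triage script that parses the kind of `show` output quoted above and reports which IKE phase is failing. The sample strings are constructed, trimmed copies of the outputs in the post; the column layout of the Juniper inactive-tunnels table is assumed from the post, where the Gateway column is blank.

```python
import re

# Constructed samples, trimmed from the outputs quoted in the post above.
CISCO_ISAKMP = """IPv4 Crypto ISAKMP SA
dst src state conn-id status
86.181.x.y 172.25.144.20 QM_IDLE 1003 ACTIVE
"""
CISCO_IPSEC = """interface: Tunnel0
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
outbound esp sas:
outbound ah sas:
"""
JUNIPER_INACTIVE = """Total inactive tunnels: 2
ID Port Nego# Fail# Flag Gateway Tunnel Down Reason
131074 500 0 0 604a29 SA not initiated
131073 500 0 0 604a29 SA not initiated
"""

def cisco_phase1_up(isakmp):
    # QM_IDLE with status ACTIVE means the IKE (phase 1) SA is established.
    return any(re.search(r"\bQM_IDLE\b.*\bACTIVE\b", line) for line in isakmp.splitlines())

def cisco_phase2_up(ipsec):
    # Phase 2 is up only when the outbound SPI is non-zero and an ESP SA
    # ("spi: 0x...") is listed directly under "inbound esp sas:".
    spi = re.search(r"current outbound spi:\s*0x([0-9a-fA-F]+)", ipsec)
    has_spi = spi is not None and int(spi.group(1), 16) != 0
    has_esp = re.search(r"inbound esp sas:\s*\n\s*spi:", ipsec) is not None
    return has_spi and has_esp

def juniper_inactive_tunnels(text):
    # Row layout assumed from the post: "<id> <port> <nego#> <fail#> <flag-hex> <down reason>".
    rows = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+([0-9a-f]+)\s+(.+)$", line)
        if m:
            rows.append({"id": int(m.group(1)), "nego": int(m.group(3)),
                         "fail": int(m.group(4)), "reason": m.group(6).strip()})
    return rows

def diagnose(isakmp, ipsec, inactive):
    if not cisco_phase1_up(isakmp):
        return "phase1-down"
    if cisco_phase2_up(ipsec):
        return "up"
    rows = juniper_inactive_tunnels(inactive)
    # Nego# 0 and "SA not initiated" on every tunnel: the SRX has not negotiated
    # phase 2 for any tunnel even though its IKE SAs show UP.
    if rows and all(r["nego"] == 0 and r["reason"] == "SA not initiated" for r in rows):
        return "phase2-never-negotiated"
    return "phase2-down"

if __name__ == "__main__":
    print(diagnose(CISCO_ISAKMP, CISCO_IPSEC, JUNIPER_INACTIVE))
```

Run against the post's outputs it reports `phase2-never-negotiated`, which narrows the search to Quick Mode (proxy IDs, policy selection, NAT-T) rather than phase 1.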