TomS_ (MVM, join: 2002-07-19, London, UK)

IPSec VPN between Cisco and Juniper

Trying to establish a VPN between a Cisco router and a Juniper SRX and I feel like I'm teetering on the edge of success here.

Topology:

[Juniper SRX]----{Big bad internets}----[NAT router 1]----[NAT router 2]----[Cisco 1841]

(Yes, double NAT - long story, don't ask.)

The 1841 sits behind my broadband router at home, so is doing aggressive mode to the Juniper, which is on a (for all intents and purposes) static IP.

Phase 1 seems to be ok; on the Cisco side I'm getting to QM_IDLE, which is usually a good sign.

Phase 2 is a bit dubious though, as I don't seem to be getting any errors on the Cisco side when debugging. The Juniper side is much more difficult to debug.

So, on the Cisco I see this:

eal-vpn1#show crypto isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
86.181.x.y      172.25.144.20   QM_IDLE           1003 ACTIVE
 
IPv6 Crypto ISAKMP SA
 
eal-vpn1#show crypto ipsec sa
 
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 172.25.144.20
 
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 86.181.x.y port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
 
     local crypto endpt.: 172.25.144.20, remote crypto endpt.: 86.181.x.y
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none
 
     inbound esp sas:
 
     inbound ah sas:
 
     inbound pcp sas:
 
     outbound esp sas:
 
     outbound ah sas:
 
     outbound pcp sas:
eal-vpn1#show crypto map     
Crypto Map IPv4 "Tunnel0-head-0" 65536 ipsec-isakmp
Profile name: c2j-1
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={ 
ESP_AES256:  { esp-256-aes esp-sha256-hmac  } , 
}
 
Crypto Map IPv4 "Tunnel0-head-0" 65537 ipsec-isakmp
Map is a PROFILE INSTANCE.
Peer = 86.181.x.y
Extended IP access list 
    access-list  permit ip any any
Current peer: 86.181.x.y
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={ 
ESP_AES256:  { esp-256-aes esp-sha256-hmac  } , 
}
Always create SAs
Interfaces using crypto map Tunnel0-head-0:
Tunnel0
 

On the Juniper side I see this:

tom@srx110> show security ike security-associations 
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address   
7233097 UP     3b7e0b0ef0634d6b  9a65123b249930e6  Aggressive     82.28.a.b   
7233094 UP     756bd8a820ca55e4  2c45efabc95aeb55  Aggressive     82.28.a.b   
 
tom@srx110> show security ipsec security-associations  
  Total active tunnels: 0
 
tom@srx110> show security ipsec inactive-tunnels        
  Total inactive tunnels: 2
  Total inactive tunnels with establish immediately: 1
  ID     Port  Nego#  Fail#  Flag      Gateway          Tunnel Down Reason
  131074 500   0      0      604a29                     SA not initiated
  131073 500   0      0      604a29                     SA not initiated
 
tom@srx110> show security ipsec inactive-tunnels detail 
  ID: 131074 Virtual-system: root, VPN Name: ipsec-vpn-c2j-1
  Local Gateway: 86.181.x.y
  Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Version: IKEv1
    DF-bit: clear
    Bind-interface: st0.1
 
  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0x604a29 
  Last Tunnel Down Reason: SA not initiated
  ID: 131073 Virtual-system: root, VPN Name: ipsec-vpn-j2j-1
  Local Gateway: 86.181.x.y
  Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Version: IKEv1
    DF-bit: clear
    Bind-interface: st0.0
 
  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0x604a29 
  Last Tunnel Down Reason: SA not initiated
 

And when debugging on the Cisco this is about all I see for "debug crypto ipsec":

*Nov 20 23:20:40.203 UTC: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 172.25.144.20:0, remote= 86.181.x.y:0, 
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), 
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
*Nov 20 23:20:40.203 UTC: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 172.25.144.20:500, remote= 86.181.x.y:500, 
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), 
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-aes 256 esp-sha256-hmac  (Tunnel), 
    lifedur= 3600s and 4608000kb, 
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
 

Just those messages over and over.

The end result is that the tunnel interfaces that make up this VPN are not coming up.

Configs attached. Let me know if you need any more debug output. I'm about to run to bed but thought I might see if anyone can spot anything obvious that I'm doing wrong! I've scoured the depths of the Internet and everything I'm doing seems to match; others are reporting success with the same config, but mine doesn't seem to work? :-(

Thanks

Attachments: juniper-vpn-···nfig.txt (8365 bytes), cisco-vpn-config.txt (1907 bytes)

TomS_ (MVM) [1 edit]

I knew it was something noobie.

On the Juniper I had:

security {
    ipsec {
        policy ipsec-policy-c2j-1 {
            perfect-forward-secrecy {
                keys group5;
            }
            proposals ipsec-proposal-c2j-1;
        }
    }
}
 

After removing a part of it to leave:

security {
    ipsec {
        policy ipsec-policy-c2j-1 {
            proposals ipsec-proposal-c2j-1;
        }
    }
}
 

Now all working fine. :D

Now to get IPv6 working over this if I can.
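One way to catch this class of Phase 2 mismatch before spending an evening on debug output is to compare the PFS setting both sides will actually negotiate with. This is an added example, not code from the thread; it assumes IOS prints "PFS (Y/N): Y" followed by "DH group:  groupN" when PFS is enabled on a crypto map, and the sample outputs below are constructed from what the thread shows.

```python
import re

# Constructed excerpt of the Cisco "show crypto map" output from the thread (PFS off).
CISCO_SHOW_CRYPTO_MAP = """\
Crypto Map IPv4 "Tunnel0-head-0" 65537 ipsec-isakmp
Peer = 86.181.x.y
PFS (Y/N): N
"""

# Constructed Junos stanza as it stood before the fix: PFS group5 on the SRX only.
JUNOS_IPSEC_BEFORE = """\
security {
    ipsec {
        policy ipsec-policy-c2j-1 {
            perfect-forward-secrecy {
                keys group5;
            }
            proposals ipsec-proposal-c2j-1;
        }
    }
}
"""

def cisco_pfs_group(show_crypto_map):
    """DH group the Cisco crypto map requires for PFS, or None when PFS is off.
    Assumed IOS format: 'PFS (Y/N): Y' then 'DH group:  groupN' when PFS is on."""
    if re.search(r"PFS \(Y/N\):\s*Y", show_crypto_map) is None:
        return None
    m = re.search(r"DH group:\s*group(\d+)", show_crypto_map)
    return int(m.group(1)) if m else None

def junos_pfs_groups(config):
    """Map each 'security ipsec policy' name to its PFS DH group (None = no PFS)."""
    stack, groups = [], {}   # stack holds the enclosing stanza names
    for raw in config.splitlines():
        line = raw.strip()
        if line.endswith("{"):
            stack.append(line[:-1].strip())
            if stack[:2] == ["security", "ipsec"] and len(stack) == 3 and stack[2].startswith("policy "):
                groups.setdefault(stack[2].split()[1], None)
        elif line == "}":
            stack.pop()
        elif stack[:2] == ["security", "ipsec"] and len(stack) == 4 and stack[3] == "perfect-forward-secrecy":
            m = re.match(r"keys\s+group(\d+);", line)
            if m:
                groups[stack[2].split()[1]] = int(m.group(1))
    return groups

def pfs_mismatches(show_crypto_map, junos_config):
    """Names of Junos policies whose PFS setting differs from the Cisco crypto map.
    Such a mismatch leaves IKE at QM_IDLE/UP while no IPsec SA is ever built."""
    cisco = cisco_pfs_group(show_crypto_map)
    return [name for name, grp in junos_pfs_groups(junos_config).items() if grp != cisco]
```

Running pfs_mismatches on the two constructed inputs names ipsec-policy-c2j-1, the policy that had to lose its perfect-forward-secrecy stanza above; dropping that stanza from the Junos text makes the list empty.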
tired_runner (Premium Member, join: 2000-08-25, CT)
Yeah... PFS means your 1841 needed no-xauth at the end of your crypto isakmp key statement.

I was dealt the same gotcha when I did this between an 1841 and a SonicWALL Tzw Soho10.