SRX

Expand all | Collapse all

Route-based ipsec SRX4100-ASA traffic selectors 1 subnet to many behind ASA

Jump to Best Answer
  • 1.  Route-based ipsec SRX4100-ASA traffic selectors 1 subnet to many behind ASA

    Posted 11-05-2019 08:52

    The IPsec configured is failing at phase 2 with the error "[Nov 5 11:02:00][165.X.X.X <-> 74.X.X.X] Authenticated Phase-2 notification `No proposal chosen’ (14) data size 4 from 74.X.X.X for protocol ESP with invalid spi[0...16]=ac 37 1d 45 16 59 9f a9 f2 c9 a0 54 37 5f 51 75 causes"

    on the SRX I have the following:
    traffic-selector PROD2SL_1 {
    local-ip 10.120.72.0/24;
    remote-ip 10.1.0.0/23;
    }
    traffic-selector PROD2SL_2 {
    local-ip 10.120.72.0/24;
    remote-ip 10.4.200.0/24;

    on the ASA I have the following:
    object-group network VLT_NETS_TO_SAV
    network-object 10.1.0.0 255.255.254.0
    network-object 10.4.200.0 255.255.255.0
    object-group network SAV_NET_TO_VLT
    network-object 10.120.72.0 255.255.255.0

    access-list VLT-FW_TO_SAV_FW permit ip object-group VLT_NETS_TO_SAV object-group SAV_NET_TO_VLT

    I assume this should work, but it doesn't fit quit into one of these: https://kb.juniper.net/InfoCenter/index?page=content&id=KB28861&actp=METADATA

    I'm a bit stumped here. I have done this before, but its been a while and I don't recall.


    detailed srx config:

    SRX-01b> show configuration security ike proposal IKE_P1_PROPOSAL_1
    authentication-method pre-shared-keys;
    dh-group group5;
    authentication-algorithm sha1;
    encryption-algorithm aes-256-cbc;
    lifetime-seconds 86400;

    SRX-01b> show configuration security ike policy VLTFW_CORE_IKE_POLICY
    mode main;
    proposals IKE_P1_PROPOSAL_1;
    pre-shared-key ascii-text "$9$WfE8NbaJDH.5x7P5Fn7dY2"; ## SECRET-DATA

    SRX-01b> show configuration security ike gateway VLTFW_CORE
    ike-policy VLTFW_CORE_IKE_POLICY;
    address 74.X.X.X;
    external-interface reth3;

    SRX-01b> show configuration security ipsec proposal IPSEC_P2_PROPOSAL_1
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm aes-256-cbc;
    lifetime-seconds 3600;

    SRX-01b> show configuration security ipsec policy VLTFW_CORE_POLICY
    perfect-forward-secrecy {
    keys group5;
    }
    proposals IPSEC_P2_PROPOSAL_1;

    SRX-01b> show configuration security ipsec vpn VLTFW_CORE_VPN
    bind-interface st0.13;
    ike {
    gateway VLTFW_CORE;
    ipsec-policy VLTFW_CORE_POLICY;
    }
    traffic-selector PROD2SL_1 {
    local-ip 10.120.72.0/24;
    remote-ip 10.1.0.0/23;
    }
    traffic-selector PROD2SL_2 {
    local-ip 10.120.72.0/24;
    remote-ip 10.4.200.0/24;
    }
    establish-tunnels immediately;


    details ASA config:

    crypto ikev1 policy 40
    authentication pre-share
    encryption aes-256
    hash sha
    group 5
    lifetime 86400


    tunnel-group 165.X.X.X type ipsec-l2l
    tunnel-group 165.X.X.X ipsec-attributes
    ikev1 pre-shared-key ABCDEFG

    object-group network VLT_NETS_TO_SAV
    network-object 10.1.0.0 255.255.254.0
    network-object 10.4.200.0 255.255.255.0
    object-group network SAV_NET_TO_VLT
    network-object 10.120.72.0 255.255.255.0

    access-list VLT-FW_TO_SAV_FW permit ip object-group VLT_NETS_TO_SAV object-group SAV_NET_TO_VLT

    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport

    crypto map outside_vpn 60 match address VLT-FW_TO_SAV_FW
    crypto map outside_vpn 60 set pfs group5
    crypto map outside_vpn 60 set peer 165.X.X.X
    crypto map outside_vpn 60 set ikev1 transform-set ESP-AES-256-SHA-TRANS
    crypto map outside_vpn 60 set security-association lifetime seconds 86400

     


    #ASA
    #IPSec
    #traffic-selectors
    #SRX


  • 2.  RE: Route-based ipsec SRX4100-ASA traffic selectors 1 subnet to many behind ASA

    Posted 11-05-2019 09:43

    In Cisco config, mode should be "main" and the Phase2 lifetime should be 3600. Please modify and let know the result.

     

     



  • 3.  RE: Route-based ipsec SRX4100-ASA traffic selectors 1 subnet to many behind ASA

    Posted 11-05-2019 10:08

    Added:

    crypto map outside_vpn 60 match address VLT-FW_TO_SAV_FW
    crypto map outside_vpn 60 set pfs group5
    crypto map outside_vpn 60 set peer 165.X.X.X
    crypto map outside_vpn 60 set ikev1 transform-set ESP-AES-256-SHA-TRANS
    crypto map outside_vpn 60 set security-association lifetime seconds 3600 <<----

    ran command:

    crypto map outside_vpn 60 set ikev1 phase1-mode main

    >doesn't show in configuration.

     

    still see:

    Nov 5 13:02:00]Authenticated Phase-2 notification `No proposal chosen' (14) data size 4 from 74.X.X.X for protocol ESP with invalid spi[0...16]=81 12 58 a3 b4 e0 b9 99 c8 45 d3 8b b5 f7 6a 4c causes IKE SA deletion and QM abort

     

    and now:

    st0.13 up down inet

     

     

     



  • 4.  RE: Route-based ipsec SRX4100-ASA traffic selectors 1 subnet to many behind ASA
    Best Answer

    Posted 11-05-2019 10:24
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport <----
    Change mode to tunnel (not sure about this option) or remove this mode config


  • 5.  RE: Route-based ipsec SRX4100-ASA traffic selectors 1 subnet to many behind ASA

    Posted 11-05-2019 10:30

    That was it...I was attempting to "squeeze" in "tunnel mode" somewhere and couldn't..just removing transport mode was it.! Thanks