


  • 1.  Route-based ipsec SRX4100-ASA traffic selectors 1 subnet to many behind ASA

    Posted 11-05-2019 08:52

    The configured IPsec tunnel is failing at phase 2 with the error "[Nov 5 11:02:00][165.X.X.X <-> 74.X.X.X] Authenticated Phase-2 notification 'No proposal chosen' (14) data size 4 from 74.X.X.X for protocol ESP with invalid spi[0...16]=ac 37 1d 45 16 59 9f a9 f2 c9 a0 54 37 5f 51 75 causes"

    On the SRX I have the following:
    traffic-selector PROD2SL_1 {
    local-ip 10.120.72.0/24;
    remote-ip 10.1.0.0/23;
    }
    traffic-selector PROD2SL_2 {
    local-ip 10.120.72.0/24;
    remote-ip 10.4.200.0/24;
    }

    On the ASA I have the following:
    object-group network VLT_NETS_TO_SAV
    network-object 10.1.0.0 255.255.254.0
    network-object 10.4.200.0 255.255.255.0
    object-group network SAV_NET_TO_VLT
    network-object 10.120.72.0 255.255.255.0

    access-list VLT-FW_TO_SAV_FW permit ip object-group VLT_NETS_TO_SAV object-group SAV_NET_TO_VLT

    I assume this should work, but it doesn't fit quite into one of these: https://kb.juniper.net/InfoCenter/index?page=content&id=KB28861&actp=METADATA

    I'm a bit stumped here. I have done this before, but it's been a while and I don't recall.


    Detailed SRX config:

    SRX-01b> show configuration security ike proposal IKE_P1_PROPOSAL_1
    authentication-method pre-shared-keys;
    dh-group group5;
    authentication-algorithm sha1;
    encryption-algorithm aes-256-cbc;
    lifetime-seconds 86400;

    SRX-01b> show configuration security ike policy VLTFW_CORE_IKE_POLICY
    mode main;
    proposals IKE_P1_PROPOSAL_1;
    pre-shared-key ascii-text "$9$WfE8NbaJDH.5x7P5Fn7dY2"; ## SECRET-DATA

    SRX-01b> show configuration security ike gateway VLTFW_CORE
    ike-policy VLTFW_CORE_IKE_POLICY;
    address 74.X.X.X;
    external-interface reth3;

    SRX-01b> show configuration security ipsec proposal IPSEC_P2_PROPOSAL_1
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm aes-256-cbc;
    lifetime-seconds 3600;

    SRX-01b> show configuration security ipsec policy VLTFW_CORE_POLICY
    perfect-forward-secrecy {
    keys group5;
    }
    proposals IPSEC_P2_PROPOSAL_1;

    SRX-01b> show configuration security ipsec vpn VLTFW_CORE_VPN
    bind-interface st0.13;
    ike {
    gateway VLTFW_CORE;
    ipsec-policy VLTFW_CORE_POLICY;
    }
    traffic-selector PROD2SL_1 {
    local-ip 10.120.72.0/24;
    remote-ip 10.1.0.0/23;
    }
    traffic-selector PROD2SL_2 {
    local-ip 10.120.72.0/24;
    remote-ip 10.4.200.0/24;
    }
    establish-tunnels immediately;


    Detailed ASA config:

    crypto ikev1 policy 40
    authentication pre-share
    encryption aes-256
    hash sha
    group 5
    lifetime 86400


    tunnel-group 165.X.X.X type ipsec-l2l
    tunnel-group 165.X.X.X ipsec-attributes
    ikev1 pre-shared-key ABCDEFG

    object-group network VLT_NETS_TO_SAV
    network-object 10.1.0.0 255.255.254.0
    network-object 10.4.200.0 255.255.255.0
    object-group network SAV_NET_TO_VLT
    network-object 10.120.72.0 255.255.255.0

    access-list VLT-FW_TO_SAV_FW permit ip object-group VLT_NETS_TO_SAV object-group SAV_NET_TO_VLT

    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport

    crypto map outside_vpn 60 match address VLT-FW_TO_SAV_FW
    crypto map outside_vpn 60 set pfs group5
    crypto map outside_vpn 60 set peer 165.X.X.X
    crypto map outside_vpn 60 set ikev1 transform-set ESP-AES-256-SHA-TRANS
    crypto map outside_vpn 60 set security-association lifetime seconds 86400



  • 2.  RE: Route-based ipsec SRX4100-ASA traffic selectors 1 subnet to many behind ASA

    Posted 11-05-2019 09:43

    In the Cisco config, the mode should be "main" and the Phase 2 lifetime should be 3600. Please modify and let me know the result.



  • 3.  RE: Route-based ipsec SRX4100-ASA traffic selectors 1 subnet to many behind ASA

    Posted 11-05-2019 10:08

    Added:

    crypto map outside_vpn 60 match address VLT-FW_TO_SAV_FW
    crypto map outside_vpn 60 set pfs group5
    crypto map outside_vpn 60 set peer 165.X.X.X
    crypto map outside_vpn 60 set ikev1 transform-set ESP-AES-256-SHA-TRANS
    crypto map outside_vpn 60 set security-association lifetime seconds 3600 <<----

    Ran the command:

    crypto map outside_vpn 60 set ikev1 phase1-mode main

    It doesn't show in the configuration.

    still see:

    Nov 5 13:02:00]Authenticated Phase-2 notification `No proposal chosen' (14) data size 4 from 74.X.X.X for protocol ESP with invalid spi[0...16]=81 12 58 a3 b4 e0 b9 99 c8 45 d3 8b b5 f7 6a 4c causes IKE SA deletion and QM abort


    and now:

    st0.13 up down inet




  • 4.  RE: Route-based ipsec SRX4100-ASA traffic selectors 1 subnet to many behind ASA
    Best Answer

    Posted 11-05-2019 10:24
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport <----
    Change the mode to tunnel (not sure about this option) or remove this mode config.


  • 5.  RE: Route-based ipsec SRX4100-ASA traffic selectors 1 subnet to many behind ASA

    Posted 11-05-2019 10:30

    That was it... I was attempting to "squeeze" in "tunnel mode" somewhere and couldn't. Just removing transport mode was it! Thanks
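As an added example that is not part of the thread, here is a small Python check of the two things this thread turned on: whether every SRX traffic-selector pair is covered by the ASA crypto ACL (after expanding the object-groups and flipping source/destination to the SRX's view), and whether the ASA transform-set is still in transport mode, which a route-based SRX VPN cannot negotiate. The configuration excerpts are constructed from the thread's posts and the helper names (`srx_selectors`, `asa_selectors`, `phase2_findings`) are mine.

```python
import re
from ipaddress import ip_network

# Constructed excerpts mirroring the thread's SRX traffic selectors and ASA crypto config.
SRX_VPN = """
traffic-selector PROD2SL_1 { local-ip 10.120.72.0/24; remote-ip 10.1.0.0/23; }
traffic-selector PROD2SL_2 { local-ip 10.120.72.0/24; remote-ip 10.4.200.0/24; }
"""
ASA_CFG = """
object-group network VLT_NETS_TO_SAV
 network-object 10.1.0.0 255.255.254.0
 network-object 10.4.200.0 255.255.255.0
object-group network SAV_NET_TO_VLT
 network-object 10.120.72.0 255.255.255.0
access-list VLT-FW_TO_SAV_FW permit ip object-group VLT_NETS_TO_SAV object-group SAV_NET_TO_VLT
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
"""

def srx_selectors(cfg):
    """(local, remote) network pairs the SRX proposes, one phase-2 SA per traffic-selector."""
    pairs = re.findall(r"local-ip\s+(\S+);\s*remote-ip\s+(\S+);", cfg)
    return {(ip_network(l), ip_network(r)) for l, r in pairs}

def asa_object_groups(cfg):
    """Map each ASA object-group name to the networks it contains."""
    groups, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"object-group network (\S+)", line)
        if m:
            current = groups.setdefault(m.group(1), [])
            continue
        m = re.match(r"\s*network-object (\S+) (\S+)", line)
        if m and current is not None:
            current.append(ip_network(f"{m.group(1)}/{m.group(2)}"))
    return groups

def asa_selectors(cfg):
    """Expand the crypto ACL into network pairs, flipped into the SRX's (local, remote) view."""
    groups = asa_object_groups(cfg)
    acl = r"access-list \S+ permit ip object-group (\S+) object-group (\S+)"
    return {(d, s) for src, dst in re.findall(acl, cfg)
            for s in groups[src] for d in groups[dst]}

def phase2_findings(srx_cfg, asa_cfg):
    """Report selector pairs the ASA ACL does not cover, plus the transport-mode mismatch."""
    findings = [f"selector {l} -> {r} has no matching ASA crypto ACL entry"
                for l, r in sorted(srx_selectors(srx_cfg) - asa_selectors(asa_cfg), key=str)]
    if re.search(r"transform-set \S+ mode transport", asa_cfg):
        findings.append("transform-set is in transport mode; a route-based SRX VPN needs tunnel mode")
    return findings
```

Running `phase2_findings(SRX_VPN, ASA_CFG)` on the thread's configuration reports only the transport-mode line, which is exactly what the accepted answer had the poster remove.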