
IPSec VPN between SRX (hub) and Cisco (spoke) aggressive mode with NAT

  • 1.  IPSec VPN between SRX (hub) and Cisco (spoke) aggressive mode with NAT

    Posted 11-18-2017 08:44

    Hi all,

     We need to set up an IPsec VPN between a Juniper SRX1500 (hub) and a Cisco device (spoke) using Aggressive mode, with the Cisco behind the modem router as shown in the attached image (the results below are from a test with vSRX and a Cisco C2600). But Phase 1 can't come up. Troubleshooting with show logs on the two devices, I see:

     

    SRX1500:

    root@SRX.JUNIPER.NET# run show log kmd-logs | last
    Nov 18 16:03:40 SRX.JUNIPER.NET kmd[1196]: IKE negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: Not-Available Gateway: Not-Available, Local: 200.200.12.1/500, Remote: 200.200.12.2/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
    Nov 18 16:04:10 SRX.JUNIPER.NET kmd[1196]: IKE Phase-1: (Responder) Policy lookup failed [local_ip=200.200.12.1 remote_ip=200.200.12.2]
    Nov 18 16:04:10 SRX.JUNIPER.NET kmd[1196]: KMD_VPN_PV_PHASE1: IKE Phase-1 Failure: No proposal chosen [spi=(null), src_ip=200.200.12.1, dst_ip=200.200.12.2]
    Nov 18 16:04:10 SRX.JUNIPER.NET kmd[1196]: IKE negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: Not-Available Gateway: Not-Available, Local: 200.200.12.1/500, Remote: 200.200.12.2/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
    Nov 18 16:05:41 SRX.JUNIPER.NET kmd[1196]: IKE Phase-1: (Responder) Policy lookup failed [local_ip=200.200.12.1 remote_ip=200.200.12.2]
    Nov 18 16:05:41 SRX.JUNIPER.NET kmd[1196]: KMD_VPN_PV_PHASE1: IKE Phase-1 Failure: No proposal chosen [spi=(null), src_ip=200.200.12.1, dst_ip=200.200.12.2]
    Nov 18 16:05:41 SRX.JUNIPER.NET kmd[1196]: IKE negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: Not-Available Gateway: Not-Available, Local: 200.200.12.1/500, Remote: 200.200.12.2/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
    Nov 18 16:06:11 SRX.JUNIPER.NET kmd[1196]: IKE Phase-1: (Responder) Policy lookup failed [local_ip=200.200.12.1 remote_ip=200.200.12.2]
    Nov 18 16:06:11 SRX.JUNIPER.NET kmd[1196]: KMD_VPN_PV_PHASE1: IKE Phase-1 Failure: No proposal chosen [spi=(null), src_ip=200.200.12.1, dst_ip=200.200.12.2]
    Nov 18 16:06:11 SRX.JUNIPER.NET kmd[1196]: IKE negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: Not-Available Gateway: Not-Available, Local: 200.200.12.1/500, Remote: 200.200.12.2/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0

    Cisco:

    IOS.CISCO.COM#debug crypto isakmp
    *Mar 1 04:06:00.849: ISAKMP: received ke message (1/1)
    *Mar 1 04:06:00.849: ISAKMP:(0:0:N/A:0): SA request profile is JUNIPER_IKE_PROF
    *Mar 1 04:06:00.849: ISAKMP: Created a peer struct for 200.200.12.1, peer port 500
    *Mar 1 04:06:00.849: ISAKMP: New peer created peer = 0x82E211FC peer_handle = 0x80000081
    *Mar 1 04:06:00.853: ISAKMP: Locking peer struct 0x82E211FC, IKE refcount 1 for isakmp_initiator
    *Mar 1 04:06:00.853: ISAKMP: local port 500, remote port 500
    *Mar 1 04:06:00.853: ISAKMP: set new node 0 to QM_IDLE
    *Mar 1 04:06:00.853: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 88417D18
    *Mar 1 04:06:00.857: ISAKMP:(0:0:N/A:0):Found HOST key in keyring default
    *Mar 1 04:06:00.857: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
    *Mar 1 04:06:00.857: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
    *Mar 1 04:06:00.861: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
    *Mar 1 04:06:00.885: ISAKMP:(0:118:SW:1):SA is doing pre-shared key authentication using id type ID_FQDN
    *Mar 1 04:06:00.885: ISAKMP (0:134217846): ID payload
    next-payload : 13
    type : 2
    FQDN name : IOS.CISCO.COM
    protocol : 17
    port : 0
    length : 21
    *Mar 1 04:06:00.889: ISAKMP:(0:118:SW:1):Total payload length: 21
    *Mar 1 04:06:00.889: ISAKMP:(0:118:SW:1):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_AM
    *Mar 1 04:06:00.889: ISAKMP:(0:118:SW:1):Old State = IKE_READY New State = IKE_I_AM1

    *Mar 1 04:06:00.893: ISAKMP:(0:118:SW:1): beginning Aggressive Mode exchange
    *Mar 1 04:06:00.893: ISAKMP:(0:118:SW:1): sending packet to 200.200.12.1 my_port 500 peer_port 500 (I) AG_INIT_EXCH
    *Mar 1 04:06:00.893: ISAKMP:(0:117:SW:1):purging SA., sa=88417604, delme=88417604
    *Mar 1 04:06:01.037: ISAKMP (0:134217846): received packet from 200.200.12.1 dport 500 sport 500 Global (I) AG_INIT_EXCH
    *Mar 1 04:06:01.037: ISAKMP:(0:118:SW:1):Couldn't find node: message_id -1546417211
    *Mar 1 04:06:01.037: ISAKMP (0:134217846): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_AM1

    *Mar 1 04:06:01.041: ISAKMP:(0:118:SW:1):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
    *Mar 1 04:06:01.041: ISAKMP:(0:118:SW:1):Old State = IKE_I_AM1 New State = IKE_I_AM1

    *Mar 1 04:06:01.041: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 200.200.12.1
    IOS.CISCO.COM#debug crypto isakmp
    IOS.CISCO.COM#debug crypto isakmp
    *Mar 1 04:06:10.893: ISAKMP:(0:118:SW:1): retransmitting phase 1 AG_INIT_EXCH...
    *Mar 1 04:06:10.893: ISAKMP (0:134217846): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
    *Mar 1 04:06:10.893: ISAKMP:(0:118:SW:1): retransmitting phase 1 AG_INIT_EXCH
    *Mar 1 04:06:10.893: ISAKMP:(0:118:SW:1): sending packet to 200.200.12.1 my_port 500 peer_port 500 (I) AG_INIT_EXCH
    *Mar 1 04:06:11.142: ISAKMP (0:134217846): received packet from 200.200.12.1 dport 500 sport 500 Global (I) AG_INIT_EXCH
    *Mar 1 04:06:11.146: ISAKMP:(0:118:SW:1): phase 1 packet is a duplicte of a previous packet.

     

    With Wireshark I can see that the Cisco device sends message 1 of the exchange and the SRX sends message 2 back, but the Cisco doesn't send message 3 to complete Phase 1. The configs of both sites, the Wireshark capture and the topology image are attached. Please help me troubleshoot this case. I have tried several times and will keep trying.

     

    Thanks Kudo team,

     


    #IPSec
    #NAT
    #cisco
    #SRX
    #Aggressivemode

    Attachment(s): R2.txt (340 B), R1.txt (1 K), juniper.txt (2 K)


  • 2.  RE: IPSec VPN between SRX (hub) and Cisco (spoke) aggressive mode with NAT

     
    Posted 11-19-2017 04:46

    Nov 18 16:03:40 SRX.JUNIPER.NET kmd[1196]: IKE negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: Not-Available Gateway: Not-Available, Local: 200.200.12.1/500, Remote: 200.200.12.2/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0

     

    This message indicates the IKE proposals are not matching between the SRX and ASA. Since this is an aggressive-mode VPN, I suspect your local and remote IDs on both sides are not matching. What configuration do you have for local-identity and remote-identity on the SRX?



  • 3.  RE: IPSec VPN between SRX (hub) and Cisco (spoke) aggressive mode with NAT
    Best Answer

    Posted 11-19-2017 08:41

    Thanks, spuluka, for your feedback.

    On the SRX, I defined the ID as below:

    set security ike gateway CISCO_IKE_GW ike-policy CISCO_IKE_POLICY
    set security ike gateway CISCO_IKE_GW dynamic hostname IOS.CISCO.COM

    On the Cisco device:

    hostname IOS.CISCO.COM
    ip host SRX.JUNIPER.NET 200.200.12.1
    ip host IOS.CISCO.COM 192.168.23.3

    crypto isakmp profile JUNIPER_IKE_PROF
     keyring default
     self-identity fqdn
     match identity host SRX.JUNIPER.NET
     initiate mode aggressive

     

     I solved the problem with the help of this link: http://rtodto.net/jncie-sec-traceoptions-ipsec-troubleshooting/ (see its WARNING).

    Error 2: "IKEv1 Error : No proposal chosen"
    You will get the following error if one of the following mismatches in your IKE config:

    • dh-group
    • authentication algorithm
    • encryption algorithm

    WARNING!!!: In addition to these mismatches, you will get the same error under the following conditions

    • if you forget to set “bind-interface st0.0” under your vpn configuration,
    • if st0.0 interface isn’t created with family inet and/or assigned to a security zone
    • if you are using routing instances, also make sure st0.0 interface is assigned to the right routing instance

    I had forgotten the bind-interface st0.0 under the ipsec vpn. 🙂
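The WARNING above is the kind of thing that is easy to miss by eye, because the SRX reports the same "No proposal chosen" whether the proposals differ or the VPN is simply not bound to an st0 interface. The following is an added example (not code from the thread, from Juniper, or from the original poster): a small Python pre-flight checker that reads an SRX configuration in 'set' format and flags the conditions listed in the post: a VPN without bind-interface, an st0 unit without family inet, an st0 unit in no security zone, and an IKE gateway with neither a static address nor a dynamic identity to match the peer's IKE ID on. The sample config is constructed; only the two 'set security ike gateway CISCO_IKE_GW ...' lines come from the post, and every other name, address, interface and proposal value is an assumption. The routing-instance item from the WARNING is deliberately not checked, because whether st0.0 belongs in a given instance depends on the design rather than on the config alone.

```python
import re

# Constructed sample (assumption): an SRX hub config in 'set' format. Only the
# two 'set security ike gateway CISCO_IKE_GW ...' lines come from the post; all
# other names, addresses, interfaces and proposal values are made up here.
BROKEN_CONFIG = """
set interfaces ge-0/0/0 unit 0 family inet address 200.200.12.1/24
set interfaces st0 unit 0 family inet address 10.255.0.1/30
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone vpn interfaces st0.0
set security ike proposal CISCO_IKE_PROP authentication-method pre-shared-keys
set security ike proposal CISCO_IKE_PROP dh-group group2
set security ike proposal CISCO_IKE_PROP authentication-algorithm sha1
set security ike proposal CISCO_IKE_PROP encryption-algorithm aes-128-cbc
set security ike policy CISCO_IKE_POLICY mode aggressive
set security ike policy CISCO_IKE_POLICY proposals CISCO_IKE_PROP
set security ike gateway CISCO_IKE_GW ike-policy CISCO_IKE_POLICY
set security ike gateway CISCO_IKE_GW dynamic hostname IOS.CISCO.COM
set security ike gateway CISCO_IKE_GW external-interface ge-0/0/0.0
set security ipsec vpn CISCO_VPN ike gateway CISCO_IKE_GW
set security ipsec vpn CISCO_VPN ike ipsec-policy CISCO_IPSEC_POLICY
"""

# The same config plus the line the original poster had forgotten.
FIXED_CONFIG = BROKEN_CONFIG + "set security ipsec vpn CISCO_VPN bind-interface st0.0\n"


def _set_lines(text):
    """Keep only 'set ...' statements, stripped of surrounding whitespace."""
    return [ln.strip() for ln in text.splitlines() if ln.strip().startswith("set ")]


def _ifl_to_unit(ifl):
    """'st0.0' -> 'st0 unit 0', the form used under 'set interfaces'."""
    name, _, unit = ifl.partition(".")
    return f"{name} unit {unit or '0'}"


def check_vpn_config(config_text):
    """Return a list of human-readable findings (empty list means no issue
    found) for each 'security ipsec vpn' in the config."""
    lines = _set_lines(config_text)
    findings = []

    # Gateways that can actually match a peer: static 'address' or 'dynamic' ID.
    gateways_with_identity = set()
    for ln in lines:
        m = re.match(r"set security ike gateway (\S+) (address|dynamic) ", ln)
        if m:
            gateways_with_identity.add(m.group(1))

    vpn_gateway = {}   # vpn name -> ike gateway name
    vpn_bind = {}      # vpn name -> bound st0 unit
    for ln in lines:
        m = re.match(r"set security ipsec vpn (\S+) ike gateway (\S+)$", ln)
        if m:
            vpn_gateway[m.group(1)] = m.group(2)
        m = re.match(r"set security ipsec vpn (\S+) bind-interface (\S+)$", ln)
        if m:
            vpn_bind[m.group(1)] = m.group(2)

    for vpn, gw in vpn_gateway.items():
        if gw not in gateways_with_identity:
            findings.append(f"{vpn}: gateway {gw} has neither 'address' nor "
                            f"'dynamic' identity, so the IKE policy lookup cannot match")
        ifl = vpn_bind.get(vpn)
        if ifl is None:
            findings.append(f"{vpn}: no bind-interface (route-based VPN needs "
                            f"'bind-interface st0.N')")
            continue  # the remaining checks need an interface to look at
        unit = _ifl_to_unit(ifl)
        # 'family inet(\s|$)' so that 'family inet6' does not count as inet.
        if not any(re.match(rf"set interfaces {re.escape(unit)} family inet(\s|$)", ln)
                   for ln in lines):
            findings.append(f"{vpn}: {ifl} has no 'family inet'")
        # A bare zone line or one continued by host-inbound-traffic both count.
        zone_re = rf"set security zones security-zone \S+ interfaces {re.escape(ifl)}(\s|$)"
        if not any(re.match(zone_re, ln) for ln in lines):
            findings.append(f"{vpn}: {ifl} is not in any security zone")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, check_vpn_config(cfg) or ["OK"])
```

Run it against the output of `show configuration | display set` and fix any finding before spending time on proposal mismatches; in the thread above the checker would have reported the missing bind-interface on the first pass.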