SRX

Hi All,

In attempting to bring up a site-to-site VPN between a Juniper SRX 240H2 and a Cisco ASA5505, I am receiving the following error repeatedly: IKE negotiation failed with error: IKE gateway configuration lookup failed during negotiation. 

I am having some issues finding any documentation online in regards to the error, and have quadruple checked the configuration. Can anyone provide some insight into this error?

Thanks in advance.

Hi,

Can you polease share the configuration fo the SRX and the ASA.

We can have a look and let you know whats causing the negotiation to fail.

regards,

Guru Prasad

Great thanks Guru!

See the below:

Cisco Config

name 111.111.111.111 juniper-ip
!
object-group network juniper-ip
network-object 111.111.111.184 255.255.255.254
!
access-list ACL-juniper-ip extended permit ip object-group customer-ip-222.222.222.0_24 object-group juniper-ip
!
crypto ikev2 policy 10
encryption aes-256
integrity sha256
group 5
prf sha256
lifetime 28800
!
group-policy POLICY-GROUP-IKEV2 internal
group-policy POLICY-GROUP-IKEV2 attributes
vpn-tunnel-protocol ikev2
!
crypto ipsec ikev2 ipsec-proposal customer-ip-IKE2-ESP-AES256-SHA1
protocol esp encryption aes-256
protocol esp integrity sha-1
!
tunnel-group 111.111.111.111 type ipsec-l2l
tunnel-group 111.111.111.111 general-attributes
default-group-policy POLICY-GROUP-IKEV2
tunnel-group 111.111.111.111 ipsec-attributes
ikev2 local-authentication pre-shared-key ***********
ikev2 remote-authentication pre-shared-key ***********
!
crypto map customer-ip-MAP 995 set peer juniper-ip
crypto map customer-ip-MAP 995 set ikev2 ipsec-proposal customer-ip-IKE2-ESP-AES256-SHA1
crypto map customer-ip-MAP 995 match address ACL-juniper-ip
crypto map customer-ip-MAP 995 set security-association lifetime seconds 3600
crypto map customer-ip-MAP 995 set pfs group5
!
crypto ikev2 enable outside

Juniper Config

proposal ike-proposal {
authentication-method pre-shared-keys;
dh-group group5;
authentication-algorithm sha-256;
encryption-algorithm aes-256-cbc;
lifetime-seconds 28800;

proposal ipsec-proposal-1 {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm aes-256-cbc;
lifetime-seconds 3600

policy ipsec-policy-1 {
perfect-forward-secrecy {
keys group5;
}
proposals ipsec-proposal-1;
}

policy ike-pol-vpn-customer-u1 {
mode main;
proposals ike-proposal;
pre-shared-key ascii-text ## 

gateway gw-vpn-customer-u1 {
ike-policy ike-pol-vpn-customer-u1;
address 222.222.222.222;
local-identity inet 111.111.111.111;
external-interface ge-1/0/0.0;
general-ikeid;
version v2-only;

vpn vpn-customer-u1 {
bind-interface st0.9;
ike {
gateway gw-vpn-customer-u1;
proxy-identity {
local 111.111.111.184;
remote 222.222.222.0/24;
}
ipsec-policy ipsec-policy-1;
}
establish-tunnels immediately;
}

Looks like you might be configuring an ike id and not one on the cisco side.  Try removing general-ikeid

gateway gw-vpn-customer-u1 {
ike-policy ike-pol-vpn-customer-u1;
address 222.222.222.222;
local-identity inet 111.111.111.111;
external-interface ge-1/0/0.0;
general-ikeid;
version v2-only;

Hi,

From the configuration provided, I could see that on ASA the tunnel-group is using IP 111.111.111.111 and on the SRX you have configured the local-identity to use is again 111.111.111.111.

As Spuluka updated we do not require to configure the general-Ikeid as we have already mentioned the local-identity.

Also can you let us know what is the IP used on the ASA which is part of the zone outside, because you have enabled the ikev2 on the interface outside.

please remove the local-ikeid and let us know if that helped.

regards,

Guru Prasad