Site to site VPN tunnel SRX1500 (static public IP) and Cisco ASA (dynamic public IP)

  • 1.  Site to site VPN tunnel SRX1500 (static public IP) and Cisco ASA (dynamic public IP)

    Posted 12-07-2020 07:35
    Hi all,

    I hope you are well. Is there any guide or configuration example for a VPN tunnel between an SRX using a static public IP and a Cisco ASA with a dynamic IP? I'm using IKEv1, but I don't mind using v2.

    I have found the SRX example config; this is what is needed specifically:
    set security ike gateway IKE-GW dynamic hostname test.ipsec.com

    Then configured the ASA:
    crypto isakmp identity key-id test.ipsec.com

    The tunnel fails to get established:
    Dec 7 01:50:58 SRX kmd[14523]: IKE negotiation failed with error: IKE gateway configuration lookup failed during negotiation. IKE Version: 1, VPN: Not-Available Gateway: Not-Available, Local: 1.1.1.1/500, Remote: 2.2.2.2/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Responder

    Thank you!

    Best regards


  • 2.  RE: Site to site VPN tunnel SRX1500 (static public IP) and Cisco ASA (dynamic public IP)

    Posted 12-07-2020 15:50
    I don't have a guide for you, but I could suggest that you make sure you're using either routed or policy mode on both ends.

    Also, it looks like NAT-T is not enabled (looking at the local and remote fields of your log, it's using port 500, not 4500). Are you using NAT in your environment?

    If it helps, I have a guide on troubleshooting the ASA side of the VPN:
    https://networkdirection.net/asa-vpn-troubleshooting/

    Unfortunately, I don't have anything for troubleshooting the Juniper side yet, but it looks like you've already got that covered.
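A small parser for the kmd log line quoted in the question, added here as an example and not part of any post in the thread: it pulls out the fields that the reply above reasons from (the error string, local/remote ports, IKE-IDs) and turns them into the two checks discussed, the gateway lookup failure and the UDP/500-only (no NAT-T) observation. The sample line is the one from the thread; the field and function names are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample: the kmd line posted in the question, unchanged.
SAMPLE_LOG = (
    "Dec 7 01:50:58 SRX kmd[14523]: IKE negotiation failed with error: "
    "IKE gateway configuration lookup failed during negotiation. IKE Version: 1, "
    "VPN: Not-Available Gateway: Not-Available, Local: 1.1.1.1/500, Remote: 2.2.2.2/500, "
    "Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Responder"
)

# Field layout follows the sample line above; group names are our own.
FIELD_RE = re.compile(
    r"IKE negotiation failed with error: (?P<error>.+?)\. "
    r"IKE Version: (?P<version>\d+), .*?"
    r"Local: (?P<local_ip>[\d.]+)/(?P<local_port>\d+), "
    r"Remote: (?P<remote_ip>[\d.]+)/(?P<remote_port>\d+), "
    r"Local IKE-ID: (?P<local_id>[^,]+), Remote IKE-ID: (?P<remote_id>[^,]+), "
    r".*?Role: (?P<role>\w+)"
)


def parse_kmd_line(line: str) -> Dict[str, str]:
    """Return the named fields of an SRX kmd 'IKE negotiation failed' line, or {}."""
    m = FIELD_RE.search(line)
    return m.groupdict() if m else {}


def diagnose(fields: Dict[str, str]) -> List[str]:
    """Map parsed fields to the checks discussed in the thread."""
    if not fields:
        return ["unrecognised kmd line"]
    hints = []
    if "gateway configuration lookup failed" in fields["error"]:
        # No 'security ike gateway' matched this peer: with a dynamic peer the match
        # is on the remote IKE-ID, so it must equal the SRX 'dynamic hostname' value
        # (the ASA's 'crypto isakmp identity key-id').
        hints.append("no IKE gateway matched peer %s: verify remote IKE-ID equals "
                     "the 'dynamic hostname' configured on the SRX" % fields["remote_ip"])
    if fields["local_port"] == "500" and fields["remote_port"] == "500":
        # Both sides on UDP/500 means NAT-T (UDP/4500) did not come into play.
        hints.append("negotiation on UDP/500 only: NAT-T not in use; check whether a "
                     "NAT device sits between the peers")
    return hints


if __name__ == "__main__":
    for hint in diagnose(parse_kmd_line(SAMPLE_LOG)):
        print(hint)
```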


  • 3.  RE: Site to site VPN tunnel SRX1500 (static public IP) and Cisco ASA (dynamic public IP)

    Posted 12-10-2020 19:07
    Thanks for the reply, Luke.
    The route-based configuration didn't work, so I tried a policy-based one, and success!

    About NAT-T, the Cisco ASA is behind the ISP router.