SRX

  • 1.  SRX to Cisco ASA VPN

    Posted 10-04-2021 17:02
    Good morning/afternoon/evening all. I'm hoping someone on here might be able to help with some config while trying to connect a site-to-site VPN from an SRX220 to a Cisco ASA device.

    Having run the below commands and committing, I can run show security ike security-associations and it has a state of UP.
    Running show security ipsec inactive-tunnels shows SA not initiated. I've been trying for hours with this thing, and granted I'm not a Juniper expert by any long shot, so I'm hoping it's something really simple I'm missing.
    set security ike proposal PartnerCompany_ike_proposal authentication-method pre-shared-keys
    set security ike proposal PartnerCompany_ike_proposal dh-group group2
    set security ike proposal PartnerCompany_ike_proposal authentication-algorithm sha1
    set security ike proposal PartnerCompany_ike_proposal encryption-algorithm aes-256-cbc
    set security ike proposal PartnerCompany_ike_proposal lifetime-seconds 86400
    set security ike policy PartnerCompany_policy mode main
    set security ike policy PartnerCompany_policy proposals PartnerCompany_ike_proposal
    set security ike policy PartnerCompany_policy pre-shared-key ascii-text %secretkey%
    set security ike gateway PartnerCompany_gateway ike-policy PartnerCompany_policy
    set security ike gateway PartnerCompany_gateway address 1.1.1.1
    set security ike gateway PartnerCompany_gateway external-interface ge-0/0/0.0
    set security ipsec proposal PartnerCompany_ipsec_proposal protocol esp
    set security ipsec proposal PartnerCompany_ipsec_proposal authentication-algorithm hmac-sha1-96
    set security ipsec proposal PartnerCompany_ipsec_proposal encryption-algorithm aes-256-cbc
    set security ipsec proposal PartnerCompany_ipsec_proposal lifetime-seconds 28800
    set security ipsec policy PartnerCompany_ipsec_policy proposals PartnerCompany_ipsec_proposal
    set security ipsec vpn PartnerCompany_vpn ike gateway PartnerCompany_gateway
    set security ipsec vpn PartnerCompany_vpn ike ipsec-policy PartnerCompany_ipsec_policy
    set security ipsec vpn PartnerCompany_vpn establish-tunnels immediately
    set security ipsec vpn PartnerCompany_vpn bind-interface st0.76
    set interfaces st0 unit 76 family inet
    set interfaces st0 unit 76 family inet6
    set interfaces st0 unit 76 description PartnerCompany
    set routing-options static route 172.20.128.26/32 next-hop st0.76
    set security zones security-zone trust address-book address PartnerCompanyServer 172.20.128.26/32
    set security zones security-zone Internal address-book address PartnerCompanyInternal1 10.10.0.13/32
    set security zones security-zone Internal address-book address PartnerCompanyInternal2 10.10.0.10/32
    set security zones security-zone Internal address-book address PartnerCompanyInternal3 10.10.0.26/32
    set security zones security-zone Internal address-book address-set PartnerCompanyInternalServers address PartnerCompanyInternal1
    set security zones security-zone Internal address-book address-set PartnerCompanyInternalServers address PartnerCompanyInternal2
    set security zones security-zone Internal address-book address-set PartnerCompanyInternalServers address PartnerCompanyInternal3
    set security zones security-zone trust interfaces st0.76
    set security policies from-zone trust to-zone Internal policy PartnerCompany-Policy match source-address PartnerCompanyServer
    set security policies from-zone trust to-zone Internal policy PartnerCompany-Policy match destination-address PartnerCompanyInternalServers
    set security policies from-zone trust to-zone Internal policy PartnerCompany-Policy match application any
    set security policies from-zone trust to-zone Internal policy PartnerCompany-Policy then permit
    set security policies from-zone Internal to-zone trust policy PartnerCompany-Policy match destination-address PartnerCompanyServer
    set security policies from-zone Internal to-zone trust policy PartnerCompany-Policy match source-address PartnerCompanyInternalServers
    set security policies from-zone Internal to-zone trust policy PartnerCompany-Policy match application any
    set security policies from-zone Internal to-zone trust policy PartnerCompany-Policy then permit


    Thank you to anyone reading this, and any suggestions welcome.



    ------------------------------
    JOHNATHON THOMPSON
    ------------------------------


  • 2.  RE: SRX to Cisco ASA VPN

     
    Posted 10-05-2021 05:37
    You will need to get the logging as to the reason for phase 2 not coming up. Then this will point to where in the configuration the two sites don't agree. Enable logging and review the messages per this KB article.

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB10099

    Note that typically the responder side will have more helpful logging. So if you don't see something helpful initially, turn off establish-tunnels immediately and let the ASA start the tunnel process so the SRX is the responder.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------
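As an added example (not part of the thread), the Junos commands that implement the reply's two suggestions: IKE trace logging per the KB10099 procedure, and switching the VPN from establish-tunnels immediately to on-traffic so the ASA initiates and the SRX logs as responder. The VPN name is the one from the original post; the trace file name ike-trace is an assumption.

```junos
# Added example, not from the thread. Configuration mode on the SRX.
# 1. Enable IKE tracing so the negotiation failure reason is recorded (KB10099).
#    The file name ike-trace is an assumption; size/files keep it bounded on flash.
set security ike traceoptions file ike-trace size 1m files 3
set security ike traceoptions flag all

# 2. Stop initiating on commit so the ASA drives the negotiation and the SRX
#    (as responder) logs the mismatch. on-traffic still lets the SRX initiate
#    if interesting traffic arrives first.
delete security ipsec vpn PartnerCompany_vpn establish-tunnels
set security ipsec vpn PartnerCompany_vpn establish-tunnels on-traffic
commit

# 3. Clear existing SAs so the next attempt negotiates from scratch and is traced.
run clear security ike security-associations
run clear security ipsec security-associations

# 4. After the ASA retries, read the trace and the SA state. The phase 2 failure
#    line names the parameter (proposal, lifetime, proxy ID) the two sides disagree on.
run show log ike-trace | last 100
run show security ike security-associations detail
run show security ipsec inactive-tunnels

# 5. Remove tracing once the cause is found; flag all is verbose.
delete security ike traceoptions
commit
```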