SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX to Cisco ASA VPN

    Posted 10-04-2021 17:02
    Good morning/afternoon/evening all. I'm hoping someone on here might be able to help with some config while trying to connect a site-to-site VPN from an SRX220 to a Cisco ASA device.

    Having run the below commands and committing, I can run show security ike security-associations and it has a state of UP.
    Running show security ipsec inactive-tunnels shows SA not initiated. I've been trying for hours with this thing, and granted I'm not a Juniper expert by any long shot, I'm hoping it's something really simple I'm missing.
    set security ike proposal PartnerCompany_ike_proposal authentication-method pre-shared-keys
    set security ike proposal PartnerCompany_ike_proposal dh-group group2
    set security ike proposal PartnerCompany_ike_proposal authentication-algorithm sha1
    set security ike proposal PartnerCompany_ike_proposal encryption-algorithm aes-256-cbc
    set security ike proposal PartnerCompany_ike_proposal lifetime-seconds 86400
    set security ike policy PartnerCompany_policy mode main
    set security ike policy PartnerCompany_policy proposals PartnerCompany_ike_proposal
    set security ike policy PartnerCompany_policy pre-shared-key ascii-text %secretkey%
    set security ike gateway PartnerCompany_gateway ike-policy PartnerCompany_policy
    set security ike gateway PartnerCompany_gateway address 1.1.1.1
    set security ike gateway PartnerCompany_gateway external-interface ge-0/0/0.0
    set security ipsec proposal PartnerCompany_ipsec_proposal protocol esp
    set security ipsec proposal PartnerCompany_ipsec_proposal authentication-algorithm hmac-sha1-96
    set security ipsec proposal PartnerCompany_ipsec_proposal encryption-algorithm aes-256-cbc
    set security ipsec proposal PartnerCompany_ipsec_proposal lifetime-seconds 28800
    set security ipsec policy PartnerCompany_ipsec_policy proposals PartnerCompany_ipsec_proposal
    set security ipsec vpn PartnerCompany_vpn ike gateway PartnerCompany_gateway
    set security ipsec vpn PartnerCompany_vpn ike ipsec-policy PartnerCompany_ipsec_policy
    set security ipsec vpn PartnerCompany_vpn establish-tunnels immediately
    set security ipsec vpn PartnerCompany_vpn bind-interface st0.76
    set interfaces st0 unit 76 family inet
    set interfaces st0 unit 76 family inet6
    set interfaces st0 unit 76 description PartnerCompany
    set routing-options static route 172.20.128.26/32 next-hop st0.76
    set security zones security-zone trust address-book address PartnerCompanyServer 172.20.128.26/32
    set security zones security-zone Internal address-book address PartnerCompanyInternal1 10.10.0.13/32
    set security zones security-zone Internal address-book address PartnerCompanyInternal2 10.10.0.10/32
    set security zones security-zone Internal address-book address PartnerCompanyInternal3 10.10.0.26/32
    set security zones security-zone Internal address-book address-set PartnerCompanyInternalServers address PartnerCompanyInternal1
    set security zones security-zone Internal address-book address-set PartnerCompanyInternalServers address PartnerCompanyInternal2
    set security zones security-zone Internal address-book address-set PartnerCompanyInternalServers address PartnerCompanyInternal3
    set security zones security-zone trust interfaces st0.76
    set security policies from-zone trust to-zone Internal policy PartnerCompany-Policy match source-address PartnerCompanyServer
    set security policies from-zone trust to-zone Internal policy PartnerCompany-Policy match destination-address PartnerCompanyInternalServers
    set security policies from-zone trust to-zone Internal policy PartnerCompany-Policy match application any
    set security policies from-zone trust to-zone Internal policy PartnerCompany-Policy then permit
    set security policies from-zone Internal to-zone trust policy PartnerCompany-Policy match destination-address PartnerCompanyServer
    set security policies from-zone Internal to-zone trust policy PartnerCompany-Policy match source-address PartnerCompanyInternalServers
    set security policies from-zone Internal to-zone trust policy PartnerCompany-Policy match application any
    set security policies from-zone Internal to-zone trust policy PartnerCompany-Policy then permit


    Thank you to anyone reading this, and any suggestions welcome.



    ------------------------------
    JOHNATHON THOMPSON
    ------------------------------


  • 2.  RE: SRX to Cisco ASA VPN

    Posted 10-05-2021 05:37
    You will need to get the logging as to the reason for phase 2 not coming up.  Then this will point to where in the configuration the two sites don't agree.  Enable logging and review the messages per this KB article.

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB10099

    Note that typically the responder side will have more helpful logging.  So if you don't see something helpful initially, turn off establish-tunnels immediately and let the ASA start the tunnel process so the SRX is the responder.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------
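The reply above boils down to finding the parameter on which the two peers disagree. The following Python script is an added example, not part of the thread and not Juniper or Cisco code: it parses the SRX phase-1 and phase-2 proposal lines copied from the first post and diffs them, parameter by parameter, against the peer's settings. The peer values are constructed for the example (a hypothetical ASA side already written in Junos vocabulary, with the IPsec lifetime and PFS deliberately chosen to differ) and say nothing about the real partner's configuration.

```python
import re

# SRX phase-1 (IKE) and phase-2 (IPsec) proposal lines, copied from the post above.
SRX_SET_CONFIG = """
set security ike proposal PartnerCompany_ike_proposal authentication-method pre-shared-keys
set security ike proposal PartnerCompany_ike_proposal dh-group group2
set security ike proposal PartnerCompany_ike_proposal authentication-algorithm sha1
set security ike proposal PartnerCompany_ike_proposal encryption-algorithm aes-256-cbc
set security ike proposal PartnerCompany_ike_proposal lifetime-seconds 86400
set security ipsec proposal PartnerCompany_ipsec_proposal protocol esp
set security ipsec proposal PartnerCompany_ipsec_proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal PartnerCompany_ipsec_proposal encryption-algorithm aes-256-cbc
set security ipsec proposal PartnerCompany_ipsec_proposal lifetime-seconds 28800
"""

# Constructed peer parameters: a hypothetical ASA side translated into Junos
# keywords. NOT taken from the thread; the phase-2 lifetime and the PFS entry
# are invented so that the comparison has something to report.
PEER_PROPOSALS = {
    "ike": {
        "authentication-method": "pre-shared-keys",
        "dh-group": "group2",
        "authentication-algorithm": "sha1",
        "encryption-algorithm": "aes-256-cbc",
        "lifetime-seconds": "86400",
    },
    "ipsec": {
        "protocol": "esp",
        "authentication-algorithm": "hmac-sha1-96",
        "encryption-algorithm": "aes-256-cbc",
        "lifetime-seconds": "3600",
        "perfect-forward-secrecy": "group2",
    },
}

# Matches: set security <ike|ipsec> proposal <name> <parameter> <value>
PROPOSAL_RE = re.compile(r"^set security (ike|ipsec) proposal (\S+) (\S+) (\S+)$")


def parse_srx_proposals(config_text):
    """Parse Junos 'set security {ike,ipsec} proposal' lines into
    {"ike": {name: {param: value}}, "ipsec": {name: {param: value}}}.
    Any other set statement (gateway, policy, zones, ...) is ignored."""
    proposals = {"ike": {}, "ipsec": {}}
    for raw in config_text.splitlines():
        match = PROPOSAL_RE.match(raw.strip())
        if match:
            phase, name, param, value = match.groups()
            proposals[phase].setdefault(name, {})[param] = value
    return proposals


def find_mismatches(local, peer):
    """Return (param, local_value, peer_value) triples, sorted by parameter,
    for every parameter that differs or exists on only one side.
    None marks the side that does not configure the parameter at all."""
    return sorted(
        ((param, local.get(param), peer.get(param))
         for param in set(local) | set(peer)
         if local.get(param) != peer.get(param)),
        key=lambda triple: triple[0],
    )


def compare_vpn(config_text, peer_proposals):
    """Diff every SRX proposal of each phase against the peer's parameters
    for that phase. Returns {phase: {proposal_name: [mismatches]}}; an empty
    list means the two sides agree on that proposal."""
    report = {}
    for phase, proposals in parse_srx_proposals(config_text).items():
        report[phase] = {
            name: find_mismatches(params, peer_proposals.get(phase, {}))
            for name, params in proposals.items()
        }
    return report


if __name__ == "__main__":
    for phase, proposals in compare_vpn(SRX_SET_CONFIG, PEER_PROPOSALS).items():
        for name, mismatches in proposals.items():
            print(f"{phase} proposal {name}: {'agrees' if not mismatches else 'disagrees'}")
            for param, mine, theirs in mismatches:
                print(f"  {param}: SRX={mine} peer={theirs}")
```

With the constructed peer the IKE proposal comes back clean (matching the UP state reported for phase 1) and the IPsec proposal reports the lifetime difference plus a PFS group that the peer sets and the SRX side does not; on Junos PFS lives under the ipsec policy, not the proposal, so a real run would also have to pull that statement in. The script only covers proposal parameters: phase 2 additionally requires both peers to agree on the traffic selectors (proxy IDs), which on the SRX come from the proxy-identity statement under the VPN, a statement the posted config does not set, so the trace messages from the KB article remain the authoritative place to see which parameter the responder rejected.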