The IPsec tunnel I configured is failing at phase 2 with the error "[Nov 5 11:02:00][165.X.X.X <-> 74.X.X.X] Authenticated Phase-2 notification 'No proposal chosen' (14) data size 4 from 74.X.X.X for protocol ESP with invalid spi[0...16]=ac 37 1d 45 16 59 9f a9 f2 c9 a0 54 37 5f 51 75 causes"
On the SRX I have the following:

traffic-selector PROD2SL_1 {
    local-ip 10.120.72.0/24;
    remote-ip 10.1.0.0/23;
}
traffic-selector PROD2SL_2 {
    local-ip 10.120.72.0/24;
    remote-ip 10.4.200.0/24;
}
On the ASA I have the following:

object-group network VLT_NETS_TO_SAV
 network-object 10.1.0.0 255.255.254.0
 network-object 10.4.200.0 255.255.255.0
object-group network SAV_NET_TO_VLT
 network-object 10.120.72.0 255.255.255.0
access-list VLT-FW_TO_SAV_FW permit ip object-group VLT_NETS_TO_SAV object-group SAV_NET_TO_VLT
I assume this should work, but it doesn't fit quite into one of these: https://kb.juniper.net/InfoCenter/index?page=content&id=KB28861&actp=METADATA

I'm a bit stumped here. I have done this before, but it's been a while and I don't recall.
Detailed SRX config:

SRX-01b> show configuration security ike proposal IKE_P1_PROPOSAL_1
    authentication-method pre-shared-keys;
    dh-group group5;
    authentication-algorithm sha1;
    encryption-algorithm aes-256-cbc;
    lifetime-seconds 86400;

SRX-01b> show configuration security ike policy VLTFW_CORE_IKE_POLICY
    mode main;
    proposals IKE_P1_PROPOSAL_1;
    pre-shared-key ascii-text "$9$WfE8NbaJDH.5x7P5Fn7dY2"; ## SECRET-DATA

SRX-01b> show configuration security ike gateway VLTFW_CORE
    ike-policy VLTFW_CORE_IKE_POLICY;
    address 74.X.X.X;
    external-interface reth3;

SRX-01b> show configuration security ipsec proposal IPSEC_P2_PROPOSAL_1
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm aes-256-cbc;
    lifetime-seconds 3600;

SRX-01b> show configuration security ipsec policy VLTFW_CORE_POLICY
    perfect-forward-secrecy {
        keys group5;
    }
    proposals IPSEC_P2_PROPOSAL_1;

SRX-01b> show configuration security ipsec vpn VLTFW_CORE_VPN
    bind-interface st0.13;
    ike {
        gateway VLTFW_CORE;
        ipsec-policy VLTFW_CORE_POLICY;
    }
    traffic-selector PROD2SL_1 {
        local-ip 10.120.72.0/24;
        remote-ip 10.1.0.0/23;
    }
    traffic-selector PROD2SL_2 {
        local-ip 10.120.72.0/24;
        remote-ip 10.4.200.0/24;
    }
    establish-tunnels immediately;
Detailed ASA config:

crypto ikev1 policy 40
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
tunnel-group 165.X.X.X type ipsec-l2l
tunnel-group 165.X.X.X ipsec-attributes
 ikev1 pre-shared-key ABCDEFG
object-group network VLT_NETS_TO_SAV
 network-object 10.1.0.0 255.255.254.0
 network-object 10.4.200.0 255.255.255.0
object-group network SAV_NET_TO_VLT
 network-object 10.120.72.0 255.255.255.0
access-list VLT-FW_TO_SAV_FW permit ip object-group VLT_NETS_TO_SAV object-group SAV_NET_TO_VLT
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto map outside_vpn 60 match address VLT-FW_TO_SAV_FW
crypto map outside_vpn 60 set pfs group5
crypto map outside_vpn 60 set peer 165.X.X.X
crypto map outside_vpn 60 set ikev1 transform-set ESP-AES-256-SHA-TRANS
crypto map outside_vpn 60 set security-association lifetime seconds 86400
Tags: ASA, IPSec, traffic-selectors, SRX
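The linked KB covers proxy-ID (traffic selector) agreement between an SRX and an ASA, which is one of the two usual causes of a phase-2 "No proposal chosen". As an added check that is not code from the post, the script below expands the ASA object-groups into the proxy-ID pairs the ASA crypto ACL will offer and confirms that every SRX traffic selector has an exact mirror image on the ASA side. The selector and object-group values are copied from the configs above; the function and variable names are my own.

```python
import ipaddress

# Constructed from the post: SRX traffic selectors as (local-ip, remote-ip)
# and the ASA object-groups referenced by the crypto ACL.
SRX_SELECTORS = [
    ("10.120.72.0/24", "10.1.0.0/23"),    # PROD2SL_1
    ("10.120.72.0/24", "10.4.200.0/24"),  # PROD2SL_2
]
ASA_OBJECT_GROUPS = {
    "VLT_NETS_TO_SAV": ["10.1.0.0 255.255.254.0", "10.4.200.0 255.255.255.0"],
    "SAV_NET_TO_VLT": ["10.120.72.0 255.255.255.0"],
}
# "access-list VLT-FW_TO_SAV_FW permit ip object-group <src> object-group <dst>"
ASA_CRYPTO_ACL = [("VLT_NETS_TO_SAV", "SAV_NET_TO_VLT")]


def expand_group(name):
    """Turn ASA 'network-object ADDR MASK' entries into ip_network objects."""
    nets = []
    for entry in ASA_OBJECT_GROUPS[name]:
        addr, mask = entry.split()
        nets.append(ipaddress.ip_network(f"{addr}/{mask}"))
    return nets


def asa_proxy_ids(acl):
    """Expand each ACE into the (asa_local, asa_remote) pairs the ASA offers."""
    pairs = set()
    for src_group, dst_group in acl:
        for src in expand_group(src_group):
            for dst in expand_group(dst_group):
                pairs.add((src, dst))
    return pairs


def unmatched_selectors(srx_selectors, acl):
    """Return SRX selectors with no exact mirror on the ASA side.

    Proxy-IDs agree only when SRX(local, remote) == ASA(remote, local)
    exactly; an overlapping or wider network on one side still fails."""
    asa = asa_proxy_ids(acl)
    missing = []
    for local, remote in srx_selectors:
        l, r = ipaddress.ip_network(local), ipaddress.ip_network(remote)
        if (r, l) not in asa:
            missing.append((local, remote))
    return missing


if __name__ == "__main__":
    bad = unmatched_selectors(SRX_SELECTORS, ASA_CRYPTO_ACL)
    print("all selectors mirrored" if not bad else f"mismatched: {bad}")
```

Run against the values in the post it reports no mismatch, so this check points away from the selectors and toward the phase-2 proposal itself (cipher, hash, PFS group, lifetime, and tunnel versus transport mode on the transform set) as the other place a "No proposal chosen" comes from.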