Hi
I am aware that in a policy-based VPN we don't need to set up proxy IDs, but I wanted to play around with it to see how it works if you do.
So I manually set up the proxy ID as local 1.1.1.1/32 and remote 2.2.2.2/32 on the SRX.
The other end is an ASA.
[edit security ike]
sadm@SRX240# show
traceoptions {
    flag ike;
}
proposal Phase1-Proposal {
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm sha1;
    encryption-algorithm aes-128-cbc;
}
policy IKE_Policy {
    proposals Phase1-Proposal;
    pre-shared-key ascii-text "$9$MuuLXNUDkQz6.P1hSyKvoJZj.Pz36pO1"; ## SECRET-DATA
}
gateway bharat-gw {
    ike-policy IKE_Policy;
    address 10.102.101.164;
    external-interface ge-0/0/15.0;
}
[edit security ipsec vpn IPSEC-Tunnel-To-Bharat ike]
sadm@SRX240# show
gateway bharat-gw;
inactive: proxy-identity {
    local 1.1.1.1/32;
    remote 2.2.2.2/32;
}
Now, as per my understanding, it should be sending 1.1.1.1 and 2.2.2.2 as proxy IDs to the ASA.
But instead it's sending 0.0.0.0 to the ASA:
Mar 01 2013 11:20:52: %ASA-7-714011: Group = 10.102.100.115, IP = 10.102.100.115, ID_IPV4_ADDR_SUBNET ID received--0.0.0.0--0.0.0.0
Mar 01 2013 11:20:52: %ASA-7-713035: Group = 10.102.100.115, IP = 10.102.100.115, Received remote IP Proxy Subnet data in ID Payload: Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0
Mar 01 2013 11:20:52: %ASA-7-715047: Group = 10.102.100.115, IP = 10.102.100.115, processing ID payload
Mar 01 2013 11:20:52: %ASA-7-714011: Group = 10.102.100.115, IP = 10.102.100.115, ID_IPV4_ADDR_SUBNET ID received--0.0.0.0--0.0.0.0
Mar 01 2013 11:20:52: %ASA-3-713061: Group = 10.102.100.115, IP = 10.102.100.115, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
[edit security policies]
sadm@SRX240# show
from-zone trust to-zone untrust {
    policy outbound {
        match {
            source-address internal_host;
            destination-address Bharat-internal-host;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn IPSEC-Tunnel-To-Bharat;
                }
            }
            log {
                session-init;
                session-close;
            }
        }
    }
}
from-zone untrust to-zone trust {
    policy inbound-top {
        match {
            source-address Bharat-internal-host;
            destination-address internal_host;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn IPSEC-Tunnel-To-Bharat;
                }
            }
            log {
                session-init;
                session-close;
            }
        }
    }
}
If I remove the proxy IDs, the VPN comes up fine and passes traffic. But I wanted to see and confirm that 1.1.1.1 and 2.2.2.2 would be sent as proxy IDs, and I should be able to see that in the ASA logs, but I see 0.0.0.0 being received by the ASA.
And I wish to understand why.
Any ideas?
Thanks!
#IPSec#vpn#SRX#policy
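Added example (editor's code, not part of the original post or any Juniper/Cisco tool): a small Python checker that cross-references the SRX `proxy-identity` stanza against the ASA debug lines quoted above. The inputs below are constructed copies of what the post shows, indented for readability. Two things it makes visible: the stanza is printed with an `inactive:` prefix, which is how Junos shows a deactivated statement (present in the configuration but ignored at commit, re-enabled with `activate ...`), and the ASA's 714011/713061 messages report wildcard IDs 0.0.0.0/0, i.e. the SRX's default proxy IDs for a policy-based VPN rather than 1.1.1.1/32 and 2.2.2.2/32. The finding strings and the `<name>` placeholder in the suggested `activate` command are mine.

```python
import re
import ipaddress

# Constructed from the config fragment in the post (not live device output).
SRX_VPN_IKE = """\
gateway bharat-gw;
inactive: proxy-identity {
    local 1.1.1.1/32;
    remote 2.2.2.2/32;
}
"""

# Constructed from the ASA debug lines quoted in the post.
ASA_LOG = """\
Mar 01 2013 11:20:52: %ASA-7-714011: Group = 10.102.100.115, IP = 10.102.100.115, ID_IPV4_ADDR_SUBNET ID received--0.0.0.0--0.0.0.0
Mar 01 2013 11:20:52: %ASA-7-713035: Group = 10.102.100.115, IP = 10.102.100.115, Received remote IP Proxy Subnet data in ID Payload: Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0
Mar 01 2013 11:20:52: %ASA-7-714011: Group = 10.102.100.115, IP = 10.102.100.115, ID_IPV4_ADDR_SUBNET ID received--0.0.0.0--0.0.0.0
Mar 01 2013 11:20:52: %ASA-3-713061: Group = 10.102.100.115, IP = 10.102.100.115, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
"""

# Junos prints a deactivated statement with an 'inactive:' prefix; the stanza body follows.
PROXY_RE = re.compile(r'^(inactive:\s*)?proxy-identity\s*\{(.*?)^\}', re.M | re.S)
# ASA 714011: the ID payload received in Quick Mode, as address--mask.
ID_RECEIVED_RE = re.compile(r'%ASA-7-714011:.*?ID received--(\S+)--(\S+)\s*$', re.M)
# ASA 713061: rejection with the proxy pair it could not match (addr/mask/proto/port).
REJECT_RE = re.compile(r'%ASA-3-713061:.*?remote proxy (\S+)/(\S+)/\d+/\d+ local proxy (\S+)/(\S+)/\d+/\d+')


def parse_proxy_identity(config):
    """Return {'active', 'local', 'remote'} for the proxy-identity stanza under
    [edit security ipsec vpn <name> ike], or None if the stanza is absent.
    'active' is False when Junos shows the stanza with an 'inactive:' prefix."""
    m = PROXY_RE.search(config)
    if not m:
        return None
    body = m.group(2)

    def field(name):
        f = re.search(r'\b%s\s+(\S+);' % name, body)
        return ipaddress.ip_network(f.group(1)) if f else None

    return {'active': m.group(1) is None, 'local': field('local'), 'remote': field('remote')}


def received_ids(log):
    """IDs the ASA reports in the Quick Mode ID payloads (714011), as networks."""
    return [ipaddress.ip_network('%s/%s' % (addr, mask)) for addr, mask in ID_RECEIVED_RE.findall(log)]


def rejected_proxies(log):
    """(remote, local) proxy pair from the ASA's 713061 rejection, in the ASA's own terms."""
    m = REJECT_RE.search(log)
    if not m:
        return None
    r_addr, r_mask, l_addr, l_mask = m.groups()
    return (ipaddress.ip_network('%s/%s' % (r_addr, r_mask)), ipaddress.ip_network('%s/%s' % (l_addr, l_mask)))


def diagnose(config, log):
    """Cross-check the SRX stanza against what the ASA saw; return a list of findings."""
    findings = []
    pid = parse_proxy_identity(config)
    seen = received_ids(log)
    if pid is None:
        findings.append('no proxy-identity stanza: a policy-based VPN on the SRX sends its default 0.0.0.0/0')
    elif not pid['active']:
        findings.append("proxy-identity stanza is marked 'inactive:' and is ignored at commit; "
                        "re-enable it with: activate security ipsec vpn <name> ike proxy-identity")
    if seen and all(n.prefixlen == 0 for n in seen):
        findings.append('peer received wildcard IDs 0.0.0.0/0, i.e. the defaults, not the configured values')
    if pid and pid['active'] and seen:
        # Direction flips across the tunnel: the SRX's local ID is the ASA's remote proxy.
        want = {pid['local'], pid['remote']}
        if not want.issubset(set(seen)):
            findings.append('configured IDs %s never appeared in the ASA ID payloads' % sorted(map(str, want)))
    rej = rejected_proxies(log)
    if rej:
        findings.append('ASA rejected Quick Mode: no crypto map ACL matches remote %s / local %s' % rej)
    return findings


if __name__ == '__main__':
    for line in diagnose(SRX_VPN_IKE, ASA_LOG):
        print('-', line)
```

Run as-is it reports the inactive stanza, the wildcard IDs and the ASA rejection; feeding it the same stanza with the `inactive:` prefix removed switches the first finding to a comparison of the configured IDs against what the ASA actually received, which is the check worth keeping around when a proxy-ID mismatch comes up between an SRX and an ASA.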