Cisco – Site-to-site VPN between Cisco ASA and Juniper SRX

Tags: cisco, juniper, vpn

I'm trying to create a route-based VPN connection between a Cisco ASA and a Juniper SRX, but I have a problem with the ACL and Proxy IDs. The Cisco ASA log states that

[IKEv1]Group = A.A.A.A, IP = A.A.A.A, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy B.B.B.B/255.255.255.0/6/0 local proxy Z.Z.Z.Z/255.255.255.255/6/22 on interface comcastpublic

I don't know how to make B.B.B.B/255.255.255.0/6/22, or where the problem is. The aim is to pass only SSH traffic through this VPN.

Notation:

A.A.A.A – Juniper public IP

B.B.B.B – Juniper private IP

Y.Y.Y.Y – Cisco public IP

Z.Z.Z.Z – Cisco private IP

Juniper SRX config:

interfaces {
    fe-0/0/0 {
        unit 0 {
            family inet {
                address A.A.A.A/26;
            }
        }
    }
    fe-0/0/7 {
        unit 0 {
            family inet {
                address B.B.B.1/24;
            }
        }
    }
    st0 {
        unit 0 {
            multipoint;
            family inet {
                next-hop-tunnel 10.10.10.1 ipsec-vpn ipsec-vpn-1-cfgr;
                next-hop-tunnel 10.10.10.3 ipsec-vpn ipsec-vpn-2-cfgr;
                address 10.10.10.2/24;
            }
        }
        unit 1 {
            point-to-point;
            family inet {
                next-hop-tunnel 10.10.10.4 ipsec-vpn ipsec-vpn-remote-cfgr;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop A.A.A.1;
        route B.B.1.0/24 next-hop 10.10.10.1;
        route B.B.3.0/24 next-hop 10.10.10.3;
        route Z.Z.Z.Z/32 next-hop st0.1;
    }
}
security {
    ike {
        traceoptions {
            file size 1m;
            flag ike;
            flag next-hop-tunnels;
            flag all;
        }
        proposal ike-proposal-cfgr {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 3600;
        }
        policy ike-policy-remote-cfgr {
            mode main;
            proposals ike-proposal-cfgr;
            pre-shared-key ascii-text "********";
        }
        gateway ike-gate-remote-cfgr {
            ike-policy ike-policy-remote-cfgr;
            address Y.Y.Y.Y;
            external-interface fe-0/0/0.0;
        }
    }
    ipsec {
        traceoptions {
            flag all;
        }
        proposal ipsec-proposal-remote-cfgr {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 86400;
            lifetime-kilobytes 28800;
        }
        policy ipsec-policy-remote-cfgr {
            proposals ipsec-proposal-remote-cfgr;
        }
        vpn ipsec-vpn-remote-cfgr {
            bind-interface st0.1;
            vpn-monitor {
                optimized;
            }
            ike {
                gateway ike-gate-remote-cfgr;
                proxy-identity {
                    local B.B.B.B/24;
                    remote Z.Z.Z.Z/32;
                    service junos-ssh;
                }
                ipsec-policy ipsec-policy-remote-cfgr;
            }
            establish-tunnels immediately;
        }
    }
    alg {
        traceoptions {
            file alg.log size 100000 files 2;
        }
        dns disable;
        msrpc disable;
        rsh disable;
        sql disable;
    }
    flow {
        tcp-mss {
            all-tcp {
                mss 1400;
            }
            ipsec-vpn {
                mss 1350;
            }
        }
        tcp-session {
            no-syn-check;
            no-syn-check-in-tunnel;
            no-sequence-check;
        }
    }
    policies {
        from-zone guest to-zone remote {
            policy local-to-spokes {
                match {
                    source-address net-cfgr_B-B-B-B--24;
                    destination-address net-cfgr_Z-Z-Z-Z--32;
                    application junos-ssh;
                }
                then {
                    permit;
                }
            }
        }
        from-zone remote to-zone guest {
            policy spokes-to-local {
                match {
                    source-address net-cfgr_Z-Z-Z-Z--32;
                    destination-address net-cfgr_B-B-B-B--24;
                    application junos-ssh;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone remote {
            address-book {
                address net-cfgr_Z-Z-Z-Z--32 Z.Z.Z.Z/32;
            }
            interfaces {
                st0.1;
            }
        }
        security-zone guest {
            address-book {
                address net-cfgr_B-B-B-B--24 B.B.B.B/24;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                fe-0/0/7.0;
            }
        }
    }
}

Cisco ASA config:

ASA Version 9.0(2) 
!
interface GigabitEthernet0/0
 nameif comcastpublic
  ip address Y.Y.Y.Y 
!
object network VPNPC
 host Z.Z.Z.Z
 description VPN PC S2S
object network REMOTE
 subnet B.B.B.B 255.255.255.0

access-list comcastpublic_access_in extended permit object SSH object VPNPC object REMOTE 

access-list comcastpublic_cryptomap_3 extended permit tcp object VPNPC object REMOTE eq ssh 

nat (private,comcastpublic) source static VPNPC VPNPC destination static REMOTE REMOTE no-proxy-arp route-lookup
nat (comcastpublic,private) source static any any destination static 
!
nat (private,comcastpublic) after-auto source dynamic any interface dns
access-group comcastpublic_access_in in interface comcastpublic

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac 

crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5

crypto ipsec security-association pmtu-aging infinite

crypto map comcastpublic_map 4 match address comcastpublic_cryptomap_3
crypto map comcastpublic_map 4 set peer A.A.A.A 
crypto map comcastpublic_map 4 set ikev1 transform-set ESP-3DES-SHA
crypto map comcastpublic_map 4 set ikev2 ipsec-proposal 3DES
crypto map comcastpublic_map 4 set security-association lifetime seconds 86400
crypto map comcastpublic_map 4 set security-association lifetime kilobytes 28800
crypto map comcastpublic_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map comcastpublic_map interface comcastpublic

crypto ikev2 policy 2
 encryption 3des
 integrity sha
 group 2
 prf sha
 lifetime seconds 28800
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400

crypto ikev2 enable comcastpublic
crypto ikev1 enable comcastpublic

crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
crypto ikev1 policy 8
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 3600
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

!
group-policy GroupPolicy_A.A.A.A internal
group-policy GroupPolicy_A.A.A.A attributes
 vpn-tunnel-protocol ikev1 ikev2 


tunnel-group A.A.A.A type ipsec-l2l
tunnel-group A.A.A.A general-attributes
 default-group-policy GroupPolicy_A.A.A.A
tunnel-group A.A.A.A ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****

Cisco log:

Aug 05 05:19:23 [IKEv1]Group = A.A.A.A, IP = A.A.A.A, Received local Proxy Host data in ID Payload:  Address Z.Z.Z.Z, Protocol 6, Port 22
Aug 05 05:19:23 [IKEv1]Group = A.A.A.A, IP = A.A.A.A, QM IsRekeyed old sa not found by addr
Aug 05 05:19:23 [IKEv1]Group = A.A.A.A, IP = A.A.A.A, Static Crypto Map check, checking map = comcastpublic_map, seq = 1...
Aug 05 05:19:23 [IKEv1]Group = A.A.A.A, IP = A.A.A.A, Static Crypto Map check, map = comcastpublic_map, seq = 1, ACL does not match proxy IDs src:B.B.B.B dst:Z.Z.Z.Z
Aug 05 05:19:23 [IKEv1]Group = A.A.A.A, IP = A.A.A.A, Static Crypto Map check, checking map = comcastpublic_map, seq = 2...
Aug 05 05:19:23 [IKEv1]Group = A.A.A.A, IP = A.A.A.A, Static Crypto Map check, map = comcastpublic_map, seq = 2, ACL does not match proxy IDs src:B.B.B.B dst:Z.Z.Z.Z
Aug 05 05:19:23 [IKEv1]Group = A.A.A.A, IP = A.A.A.A, Static Crypto Map check, checking map = comcastpublic_map, seq = 3...
Aug 05 05:19:23 [IKEv1]Group = A.A.A.A, IP = A.A.A.A, Static Crypto Map check, map = comcastpublic_map, seq = 3, ACL does not match proxy IDs src:B.B.B.B dst:Z.Z.Z.Z
Aug 05 05:19:23 [IKEv1]Group = A.A.A.A, IP = A.A.A.A, Static Crypto Map check, checking map = comcastpublic_map, seq = 4...
Aug 05 05:19:23 [IKEv1]Group = A.A.A.A, IP = A.A.A.A, Static Crypto Map check, map = comcastpublic_map, seq = 4, ACL does not match proxy IDs src:B.B.B.B dst:Z.Z.Z.Z
Aug 05 05:19:23 [IKEv1]Group = A.A.A.A, IP = A.A.A.A, Static Crypto Map check, checking map = comcastpublic_map, seq = 5...
Aug 05 05:19:23 [IKEv1]Group = A.A.A.A, IP = A.A.A.A, Static Crypto Map check, map = comcastpublic_map, seq = 5, ACL does not match proxy IDs src:B.B.B.B dst:Z.Z.Z.Z
Aug 05 05:19:23 [IKEv1]Group = A.A.A.A, IP = A.A.A.A, Skipping dynamic map SYSTEM_DEFAULT_CRYPTO_MAP sequence 65535: cannot match peerless map when peer found in previous map entry.
Aug 05 05:19:23 [IKEv1]Group = A.A.A.A, IP = A.A.A.A, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy B.B.B.B/255.255.255.0/6/0 local proxy Z.Z.Z.Z/255.255.255.255/6/22 on interface comcastpublic
Aug 05 05:19:23 [IKEv1 DEBUG]Group = A.A.A.A, IP = A.A.A.A, sending notify message
Aug 05 05:19:23 [IKEv1 DEBUG]Group = A.A.A.A, IP = A.A.A.A, constructing blank hash payload
Aug 05 05:19:23 [IKEv1 DEBUG]Group = A.A.A.A, IP = A.A.A.A, constructing qm hash payload
Aug 05 05:19:23 [IKEv1]IP = A.A.A.A, IKE_DECODE SENDING Message (msgid=d07c313e) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 216
Aug 05 05:19:23 [IKEv1]Group = A.A.A.A, IP = A.A.A.A, QM FSM error (P2 struct &0x00007fffa28c2920, mess id 0x5ef38480)!
Aug 05 05:19:23 [IKEv1 DEBUG]Group = A.A.A.A, IP = A.A.A.A, IKE QM Responder FSM error history (struct &0x00007fffa28c2920)  <state>, <event>:  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
Aug 05 05:19:23 [IKEv1 DEBUG]Group = A.A.A.A, IP = A.A.A.A, sending delete/delete with reason message
Aug 05 05:19:23 [IKEv1]Group = A.A.A.A, IP = A.A.A.A, Removing peer from correlator table failed, no match!
Aug 05 05:19:23 [IKEv1 DEBUG]Group = A.A.A.A, IP = A.A.A.A, IKE SA MM:f4ec0f2f rcv'd Terminate: state MM_ACTIVE  flags 0x00010042, refcnt 1, tuncnt 0
Aug 05 05:19:23 [IKEv1 DEBUG]Group = A.A.A.A, IP = A.A.A.A, IKE SA MM:f4ec0f2f terminating:  flags 0x01010002, refcnt 0, tuncnt 0
Aug 05 05:19:23 [IKEv1 DEBUG]Group = A.A.A.A, IP = A.A.A.A, sending delete/delete with reason message

Could anybody help with this problem?

Best Answer

ASA crypto map ACLs do not support protocol traffic matching (yeah, I know). The crypto map ACL should match on network, and then either use the global no sysopt connection permit-vpn to apply the interface ACL to tunneled traffic (not recommended) or use a vpn-filter in your tunnel group policy to restrict traffic by protocol.

Even if the ASA did allow the protocol-based crypto ACL, your ACL as written does not match the packets being received. Your ACL matches the remote proxy on port 22, and the logs indicate the local proxy is port 22.
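The mismatch the answer describes can be made concrete by modelling the ASA's Quick Mode check. The Python below is an added example, not code from the thread or from Cisco: it parses an ASA "Rejecting IPSec tunnel" line and a crypto-map ACL entry of the shape used in the question into (local, remote) traffic selectors and reports which fields fail to mirror. It uses the plain mirror rule (network, protocol and port on each side must be identical), which is a deliberate simplification of the ASA's real matching logic, and it substitutes constructed RFC 1918 / RFC 5737 addresses for the question's placeholders (B.B.B.B/24 becomes 192.168.200.0/24, Z.Z.Z.Z becomes 10.1.1.50, A.A.A.A becomes 203.0.113.10); the object names VPNPC and REMOTE are the ones from the posted ASA config. PEER_NETWORK_ONLY is the proxy pair assumed to be offered once the SRX proxy-identity no longer carries a service.

```python
"""Model ASA IKEv1 Quick Mode proxy-ID matching against a crypto-map ACL.

Added diagnostic example (not from the original thread). Simplified "mirror"
rule: the ASA-local selector must equal the peer's remote selector and vice
versa on network, protocol and port.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed stand-ins for the question's placeholders (assumptions):
#   Z.Z.Z.Z/32 -> 10.1.1.50/32       (ASA-side VPN PC, object VPNPC)
#   B.B.B.B/24 -> 192.168.200.0/24   (SRX LAN, object REMOTE)
OBJECTS = {
    "VPNPC": ipaddress.ip_network("10.1.1.50/32"),
    "REMOTE": ipaddress.ip_network("192.168.200.0/24"),
}
PROTO_NUM = {"ip": 0, "tcp": 6, "udp": 17}   # 0 = any protocol
PORT_NUM = {"ssh": 22}                        # 0 = any port


@dataclass(frozen=True)
class Selector:
    """One IPsec traffic selector: network, IP protocol (0 = any), port (0 = any)."""
    net: ipaddress.IPv4Network
    proto: int
    port: int

    def __str__(self):
        return f"{self.net}/{self.proto}/{self.port}"


# Shape: "... remote proxy A/M/P/PORT local proxy A/M/P/PORT on interface X"
REJECT_RE = re.compile(
    r"remote proxy (?P<raddr>[\d.]+)/(?P<rmask>[\d.]+)/(?P<rproto>\d+)/(?P<rport>\d+) "
    r"local proxy (?P<laddr>[\d.]+)/(?P<lmask>[\d.]+)/(?P<lproto>\d+)/(?P<lport>\d+)"
)
# Shape used in the question: "access-list N extended permit PROTO object S object D [eq PORT]"
ACL_RE = re.compile(
    r"access-list \S+ extended permit (?P<proto>\w+) object (?P<src>\S+) object (?P<dst>\S+)"
    r"(?: eq (?P<dport>\S+))?\s*$"
)


def parse_asa_reject(line):
    """Return (local, remote) selectors from an ASA 'Rejecting IPSec tunnel' log line."""
    m = REJECT_RE.search(line)
    if not m:
        raise ValueError("not an ASA proxy-ID rejection line")
    g = m.groupdict()
    local = Selector(ipaddress.ip_network(f"{g['laddr']}/{g['lmask']}", strict=False),
                     int(g["lproto"]), int(g["lport"]))
    remote = Selector(ipaddress.ip_network(f"{g['raddr']}/{g['rmask']}", strict=False),
                      int(g["rproto"]), int(g["rport"]))
    return local, remote


def parse_crypto_acl(line, objects=OBJECTS):
    """Return (local, remote) selectors for a crypto ACL line.

    On a crypto ACL the source is the ASA-local side and the destination the
    remote side; a trailing 'eq PORT' constrains the destination (remote) port only.
    """
    m = ACL_RE.search(line)
    if not m:
        raise ValueError("unsupported ACL syntax for this model")
    proto = PROTO_NUM[m["proto"]]
    dport = m["dport"]
    port = 0 if dport is None else (PORT_NUM.get(dport) or int(dport))
    return (Selector(objects[m["src"]], proto, 0),
            Selector(objects[m["dst"]], proto, port))


def mirrors(acl_pair, proxy_pair):
    """True when the ACL's (local, remote) selectors exactly mirror the received proxies."""
    return acl_pair == proxy_pair


def explain(acl_pair, proxy_pair):
    """List every field, per side, where the ACL and the received proxy IDs differ."""
    diffs = []
    for side, a, p in zip(("local", "remote"), acl_pair, proxy_pair):
        for field in ("net", "proto", "port"):
            av, pv = getattr(a, field), getattr(p, field)
            if av != pv:
                diffs.append(f"{side} {field}: ACL {av} vs received {pv}")
    return diffs


# Constructed copies of the question's log line and ACL entries with the stand-in addresses.
ASA_LOG = ("Aug 05 05:19:23 [IKEv1]Group = 203.0.113.10, IP = 203.0.113.10, "
           "Rejecting IPSec tunnel: no matching crypto map entry for remote proxy "
           "192.168.200.0/255.255.255.0/6/0 local proxy 10.1.1.50/255.255.255.255/6/22 "
           "on interface comcastpublic")
ACL_AS_WRITTEN = ("access-list comcastpublic_cryptomap_3 extended permit tcp "
                  "object VPNPC object REMOTE eq ssh")
ACL_NETWORK_ONLY = ("access-list comcastpublic_cryptomap_3 extended permit ip "
                    "object VPNPC object REMOTE")
# Assumed proxy pair offered by the SRX once its proxy-identity has no 'service' line.
PEER_NETWORK_ONLY = (Selector(OBJECTS["VPNPC"], 0, 0), Selector(OBJECTS["REMOTE"], 0, 0))


def main():
    received = parse_asa_reject(ASA_LOG)
    for label, acl in (("as written", ACL_AS_WRITTEN), ("network-only", ACL_NETWORK_ONLY)):
        pair = parse_crypto_acl(acl)
        print(f"ACL {label}: mirrors received proxies = {mirrors(pair, received)}")
        for d in explain(pair, received):
            print("   ", d)
    print("network-only ACL vs network-only peer offer:",
          mirrors(parse_crypto_acl(ACL_NETWORK_ONLY), PEER_NETWORK_ONLY))


if __name__ == "__main__":
    main()
```

Run stand-alone, the as-written ACL fails only on the two port fields, mirrored exactly as the answer says (ACL local port 0 vs received 22, ACL remote port 22 vs received 0). Under this strict model the network-only ACL still fails against the logged proxies because the SRX is still offering protocol 6 / port 22, and matches only once the peer offers network-only proxies; the protocol restriction then belongs in a vpn-filter, as the answer recommends, rather than in either side's proxy IDs.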