Vpn – Juniper to Cisco IPSec Policy Based VPN

Tags: ipsec, juniper, vpn

I'm trying to set up a Site-to-Site VPN between a Cisco device and a Juniper SSG device. I have the Juniper set up in L3 mode with routed interfaces. For some reason it is not getting past phase 1. I can ping the public IP of the other side fine. Here is one possible reason that phase 1 isn't getting established:

  **** pak processing end.
## 2014-06-25 01:58:36 : IKE<y.y.y.y> re-trans timer expired, msg retry (6) (0001/0)
## 2014-06-25 01:58:36 : IKE<y.y.y.y> Initiator sending IPv4 IP y.y.y.y/port 500
## 2014-06-25 01:58:36 : IKE<y.y.y.y> Send Phase 1 packet (len=160)
****** 22134.0: <Self/self> packet received [188]******
  ipid = 58582(e4d6), @03c2ada4
flow_self_vector2: send pack with current vid =0, enc_size:0
  handle raw/no_session packet.
  send no session packet
  flow_if_ip_send_fwd: switch vectors: packet src x.x.x.x, dst  y.y.y.y

**** jump to packet:x.x.x.x->y.y.y.y
  skipping pre-frag 
  no more encapping needed
  send out through normal path.
  flow_ip_send: e4d6:x.x.x.x->y.y.y.y,17 => ethernet0/9(188) flag 0x8000890, vlan 0
  no l2info for packet.
  no route for packet
  search route to (null, 0.0.0.0->y.y.y.y) in vr trust-vr for vsd-0/flag-2000/ifp-ethernet0/9
  [ Dest] 7.route y.y.y.y->x.x.x.gw, to ethernet0/9
  route to x.x.x.gw
  arp entry found for x.x.x.gw mac 00000c07ac00
  packet send out to 00000c07ac00 through ethernet0/9
  **** pak processing end.
****** 22136.0: <Self/self> packet received [44]******
  ipid = 58585(e4d9), @03bb8814
flow_self_vector2: send pack with current vid =0, enc_size:0
  handle raw/no_session packet.
  send no session packet
  flow_if_ip_send_fwd: switch vectors: packet src x.x.x.x, dst  y.y.y.y

**** jump to packet:x.x.x.x->y.y.y.y
  skipping pre-frag 
  going into tunnel 40000003.
  flow_encrypt: pipeline.
enqueue to IKE: timems 22128004, Q 1, saidx 1: spi:0 too soon
  packet dropped, SA inactive

x.x.x.x is the interface IP of the Juniper and y.y.y.y is the Cisco interface IP. x.x.x.gw is the gateway address that the default route on the device is pointing to.

Here is the output of the command get ike cookie:

SSG140-> get ike cookie

IKEv1 SA -- Active: 0, Dead: 0, Total 1

0001/0000, x.x.x.x:500->y.y.y.y:500, NONE/grp0/NULL/NULL, xchg(2) (vpn_gateway/grp-1/usr-1)
resent-tmr 39 lifetime 28800 lt-recv 0 nxt_rekey 28790 cert-expire 0
initiator, err cnt 2, send dir 0, cond 0x0
nat-traversal map not available
ike heartbeat              : disabled
ike heartbeat last rcv time: 0
ike heartbeat last snd time: 0
XAUTH status: 0
DPD seq local 0, peer 0

p2_tasks:

task_type = 0x3
p2 sa id = 0x3 (index 0x1)
app_sa_flags = 0x5000a0
p2 spi = 0x0


IKEv2 SA -- Active: 0, Dead: 0, Total 0

The Cisco TAC rep said that their device is sending packets fine but is not receiving any from the Juniper device. From the output above, it looks like the packets from the Juniper to the Cisco are being dropped.

Here is the Cisco config:

name c.c.c.c MAP_110_SIAS_PEER
crypto isakmp policy 110
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable OUTSIDE
tunnel-group c.c.c.c type ipsec-l2l
tunnel-group c.c.c.c ipsec-attributes
 pre-shared-key xxxxxxx
access-list MAP_110_TRU_SIAS extended permit ip 162.137.0.0 255.255.0.0 10.1.19.0 255.255.255.0
access-list MAP_110_TRU_SIAS extended permit ip 10.0.0.0 255.0.0.0 10.1.19.0 255.255.255.0
access-list MAP_110_TRU_SIAS extended permit ip 206.70.0.0 255.255.192.0 10.1.19.0 255.255.255.0
crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
crypto map MAP-OUTSIDE 110 set peer MAP_110_TRU_SIAS
crypto map MAP-OUTSIDE 110 match address MAP_110_TRU_SIAS
crypto map MAP-OUTSIDE 110 set transform-set AES-SHA
crypto map MAP-OUTSIDE 110 set security-association lifetime kilobytes 10000
crypto map MAP-OUTSIDE interface OUTSIDE
route outside 10.1.19.0 255.255.255.192 MAP_110_SIAS_PEER
route outside MAP_110_SIAS_PEER 255.255.255.255 d.d.d.d
access-list ACL-INSIDE-NONAT extended permit ip 10.0.0.0 255.0.0.0 10.1.19.0 255.255.255.0
access-list ACL-INSIDE-NONAT extended permit ip 206.70.0.0 255.255.192.0 10.1.19.0 255.255.255.0
access-list ACL-INSIDE-NONAT extended permit ip 162.137.0.0 255.255.0.0 10.1.19.0 255.255.255.0
nat (INSIDE) 0 access-list ACL-INSIDE-NONAT

Relevant Juniper config:

set ike gateway "vpn_gateway" address t.t.t.t Main outgoing-interface "ethernet0/9" preshare "xxxxxxxx" proposal "pre-g2-aes128-sha" "pre-g2-aes128-md5" "rsa-g2-aes128-sha" "dsa-g2-aes128-sha"

set vpn "vpn" gateway "vpn_gateway" no-replay tunnel idletime 0 proposal "g2-esp-aes128-sha" 

set policy id 8 from "Untrust" to "Trust"  "10.0.0.0/8" "10.1.19.0/24" "ANY" tunnel vpn "vpn" id 0x3 pair-policy 7 
set policy id 8
exit         
set policy id 7 from "Trust" to "Untrust"  "10.1.19.0/24" "10.0.0.0/8" "ANY" tunnel vpn "vpn" id 0x3 pair-policy 8 
set policy id 7

Can anyone help me out?
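The debug output in the question actually separates two things that are easy to conflate. The 188-byte packet (the 160-byte Phase 1 message plus 28 bytes of IP and UDP header) is routed normally, resolves the gateway's MAC and leaves ethernet0/9. The 44-byte packet is data that is steered into tunnel 40000003 and dropped with "SA inactive" because no SA exists yet, so that drop is a consequence of Phase 1 not completing, not its cause. The retry counter (6), "err cnt 2" and "Active: 0" in the cookie output together say the SSG never saw a reply, which points upstream of the SSG (a filter or NAT in the path) or at the peer. The Python script below is an added example, not code from the question or the answer, that pulls exactly those indicators out of this style of ScreenOS `debug flow` / `debug ike` and `get ike cookie` output so the same reading can be applied to a longer capture. The sample text is copied from the question; the wording it expects for a received Phase 1 packet (`IKE<peer> Recv ...`) is an assumption and should be adjusted to the firmware's actual message.

```python
import re
from typing import Dict, List

# Sample copied from the debug output in the question
# (x.x.x.x = SSG interface, y.y.y.y = Cisco peer; both are the poster's placeholders).
SAMPLE_DEBUG = """\
## 2014-06-25 01:58:36 : IKE<y.y.y.y> re-trans timer expired, msg retry (6) (0001/0)
## 2014-06-25 01:58:36 : IKE<y.y.y.y> Initiator sending IPv4 IP y.y.y.y/port 500
## 2014-06-25 01:58:36 : IKE<y.y.y.y> Send Phase 1 packet (len=160)
****** 22134.0: <Self/self> packet received [188]******
  flow_ip_send: e4d6:x.x.x.x->y.y.y.y,17 => ethernet0/9(188) flag 0x8000890, vlan 0
  arp entry found for x.x.x.gw mac 00000c07ac00
  packet send out to 00000c07ac00 through ethernet0/9
****** 22136.0: <Self/self> packet received [44]******
  going into tunnel 40000003.
enqueue to IKE: timems 22128004, Q 1, saidx 1: spi:0 too soon
  packet dropped, SA inactive
"""

# Sample copied from the 'get ike cookie' output in the question.
SAMPLE_COOKIE = """\
IKEv1 SA -- Active: 0, Dead: 0, Total 1
0001/0000, x.x.x.x:500->y.y.y.y:500, NONE/grp0/NULL/NULL, xchg(2) (vpn_gateway/grp-1/usr-1)
initiator, err cnt 2, send dir 0, cond 0x0
"""

RETRANS_RE = re.compile(r"IKE<[^>]+> re-trans timer expired, msg retry \((?P<n>\d+)\)")
SEND_P1_RE = re.compile(r"IKE<[^>]+> Send Phase 1 packet \(len=(?P<len>\d+)\)")
# ASSUMED wording for an inbound Phase 1 message; adjust to your firmware's debug text.
RECV_P1_RE = re.compile(r"IKE<[^>]+> Recv")
PKT_RE = re.compile(r"packet received \[(?P<size>\d+)\]")
WIRE_RE = re.compile(r"packet send out to (?P<mac>[0-9a-f]{12}) through (?P<ifp>\S+)")
DROP_RE = re.compile(r"packet dropped, SA inactive")
ACTIVE_RE = re.compile(r"IKEv1 SA -- Active: (?P<active>\d+), Dead: (?P<dead>\d+), Total (?P<total>\d+)")
SA_RE = re.compile(r"(?P<local>\S+):500->(?P<peer>\S+):500, (?P<algs>\S+), xchg\((?P<xchg>\d+)\)")
ERR_RE = re.compile(r"err cnt (?P<err>\d+)")
ROLE_RE = re.compile(r"^(initiator|responder),", re.M)


def analyze_ike(debug_text: str, cookie_text: str) -> Dict[str, object]:
    """Extract Phase 1 health indicators and turn them into named findings."""
    retries: List[int] = [int(m.group("n")) for m in RETRANS_RE.finditer(debug_text)]
    sent = len(SEND_P1_RE.findall(debug_text))
    received = len(RECV_P1_RE.findall(debug_text))
    egress = WIRE_RE.search(debug_text)
    data_drops = len(DROP_RE.findall(debug_text))

    active = ACTIVE_RE.search(cookie_text)
    sa = SA_RE.search(cookie_text)
    err = ERR_RE.search(cookie_text)
    role = ROLE_RE.search(cookie_text)

    result: Dict[str, object] = {
        "p1_sent": sent,
        "p1_received": received,
        "max_retry": max(retries, default=0),
        "packets_seen": [int(m.group("size")) for m in PKT_RE.finditer(debug_text)],
        "ike_egress": f"{egress.group('ifp')} -> {egress.group('mac')}" if egress else None,
        "data_drops_sa_inactive": data_drops,
        "active_sas": int(active.group("active")) if active else None,
        # NONE/grp0/NULL/NULL means no Phase 1 parameters have been agreed yet.
        "algs_agreed": bool(sa) and any(f not in ("NONE", "NULL", "grp0")
                                        for f in sa.group("algs").split("/")),
        "err_cnt": int(err.group("err")) if err else None,
        "role": role.group(1) if role else None,
    }

    findings: List[str] = []
    if sent and not received and result["max_retry"] > 0:
        findings.append("phase1_no_reply")          # we keep sending, nothing comes back
    if egress and not received:
        findings.append("ike_left_local_box")       # routing/ARP on the SSG are fine; look upstream or at the peer
    if data_drops and result["active_sas"] == 0:
        findings.append("data_drops_are_symptom")   # dropped because no SA exists, not a cause
    if result["active_sas"] == 0 and not result["algs_agreed"]:
        findings.append("no_p1_parameters_agreed")
    result["findings"] = findings
    return result


if __name__ == "__main__":
    for key, value in analyze_ike(SAMPLE_DEBUG, SAMPLE_COOKIE).items():
        print(f"{key:24} {value}")
```

Run it against a full `debug ike detail` capture rather than the excerpt to confirm that no inbound IKE line appears at all; if a reply does show up there, the problem moves from the path to the proposal or PSK checks.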

Best Answer

Have you created a tunnel interface on the SSG and set it in the Untrust zone?

e.g.:

set interface tunnel.1 zone Untrust
set interface tunnel.1 ip unnumbered interface ethernet0/9

IME if the P1 is not coming up:

  1. mismatched P1 protocols
  2. wrong password
  3. interface not set to listen for IKE
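Of the three causes listed in the answer, the first (mismatched Phase 1 proposals) can be checked mechanically against the two configs in the question. The Python script below is an added example, not the poster's or the answerer's code: it normalises the Cisco `crypto isakmp policy` block and the SSG gateway's proposal list into the same (authentication, encryption, hash, DH group) tuple and reports the overlap. On the configs as pasted, policy 110 (pre-share, AES which defaults to 128-bit on Cisco, SHA-1, group 2) matches the SSG's `pre-g2-aes128-sha` exactly, so a proposal mismatch is not what the text shows. It also flags crypto map references that do not resolve within the same config; on the Cisco config as pasted that applies to the peer name (`MAP_110_TRU_SIAS` is the access-list, the `name` entry is `MAP_110_SIAS_PEER`) and to the transform-set (`AES-SHA` is referenced, `ESP-AES128-SHA` is defined), which is worth confirming against the running config rather than assuming a copy-paste slip. The PSK (cause 2) cannot be compared from config text and is not checked; lifetimes are not compared either.

```python
import re
from typing import Dict, List, Tuple

# Cisco ASA lines as posted in the question (c.c.c.c and the object names are the poster's placeholders).
CISCO_CFG = """\
name c.c.c.c MAP_110_SIAS_PEER
crypto isakmp policy 110
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
access-list MAP_110_TRU_SIAS extended permit ip 10.0.0.0 255.0.0.0 10.1.19.0 255.255.255.0
crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
crypto map MAP-OUTSIDE 110 set peer MAP_110_TRU_SIAS
crypto map MAP-OUTSIDE 110 match address MAP_110_TRU_SIAS
crypto map MAP-OUTSIDE 110 set transform-set AES-SHA
"""

# ScreenOS gateway line as posted (t.t.t.t and the PSK are placeholders).
JUNIPER_GW = ('set ike gateway "vpn_gateway" address t.t.t.t Main outgoing-interface "ethernet0/9" '
              'preshare "xxxxxxxx" proposal "pre-g2-aes128-sha" "pre-g2-aes128-md5" '
              '"rsa-g2-aes128-sha" "dsa-g2-aes128-sha"')

# Normalised Phase 1 tuple: (authentication, encryption, hash, DH group)
Proposal = Tuple[str, str, str, str]

# 'encryption aes' with no key size is AES-128 on Cisco; the others map one to one.
CISCO_ENC = {"aes": "aes128", "aes-192": "aes192", "aes-256": "aes256", "3des": "3des", "des": "des"}
# Prefix of a ScreenOS predefined proposal name -> Cisco authentication keyword.
JUNIPER_AUTH = {"pre": "pre-share", "rsa": "rsa-sig", "dsa": "dsa-sig"}
IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_cisco_isakmp(cfg: str) -> Dict[int, Proposal]:
    """Collect each 'crypto isakmp policy N' block into a normalised tuple."""
    policies: Dict[int, Dict[str, str]] = {}
    cur = None
    for line in cfg.splitlines():
        line = line.rstrip()
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            cur = int(m.group(1))
            policies[cur] = {"auth": "", "enc": "", "hash": "", "group": ""}
            continue
        if cur is None or not line.startswith(" "):
            cur = None                      # an unindented line ends the policy block
            continue
        kw, _, val = line.strip().partition(" ")
        if kw == "authentication":
            policies[cur]["auth"] = val
        elif kw == "encryption":
            policies[cur]["enc"] = CISCO_ENC.get(val, val)
        elif kw == "hash":
            policies[cur]["hash"] = val
        elif kw == "group":
            policies[cur]["group"] = "g" + val
    return {n: (p["auth"], p["enc"], p["hash"], p["group"]) for n, p in policies.items()}


def parse_juniper_proposals(gw_line: str) -> List[Proposal]:
    """Turn the quoted names after 'proposal' (e.g. pre-g2-aes128-sha) into tuples."""
    _, _, tail = gw_line.partition(" proposal ")
    out: List[Proposal] = []
    for name in re.findall(r'"([^"]+)"', tail):
        auth, grp, enc, hsh = name.split("-")
        out.append((JUNIPER_AUTH[auth], enc, hsh, grp))
    return out


def phase1_matches(cfg: str, gw_line: str) -> List[Tuple[int, Proposal]]:
    """Cisco policies that have an exact counterpart in the SSG proposal list."""
    juniper = set(parse_juniper_proposals(gw_line))
    return [(n, p) for n, p in parse_cisco_isakmp(cfg).items() if p in juniper]


def dangling_refs(cfg: str) -> List[str]:
    """crypto map references that point at nothing defined in the same config."""
    names = set(re.findall(r"^name \S+ (\S+)", cfg, re.M))
    tsets = set(re.findall(r"^crypto ipsec transform-set (\S+)", cfg, re.M))
    acls = set(re.findall(r"^access-list (\S+)", cfg, re.M))
    problems: List[str] = []
    for m in re.finditer(r"^crypto map (\S+) (\d+) set peer (\S+)", cfg, re.M):
        peer = m.group(3)
        if not IP_RE.match(peer) and peer not in names:
            problems.append(f"map {m.group(1)} {m.group(2)}: peer {peer!r} is neither an IP nor a 'name' entry")
    for m in re.finditer(r"^crypto map (\S+) (\d+) set transform-set (\S+)", cfg, re.M):
        if m.group(3) not in tsets:
            problems.append(f"map {m.group(1)} {m.group(2)}: transform-set {m.group(3)!r} is not defined")
    for m in re.finditer(r"^crypto map (\S+) (\d+) match address (\S+)", cfg, re.M):
        if m.group(3) not in acls:
            problems.append(f"map {m.group(1)} {m.group(2)}: access-list {m.group(3)!r} is not defined")
    return problems


if __name__ == "__main__":
    for n, p in phase1_matches(CISCO_CFG, JUNIPER_GW):
        print(f"isakmp policy {n} overlaps SSG proposal {p}")
    for problem in dangling_refs(CISCO_CFG):
        print("check:", problem)
```

The tuple comparison is deliberately exact; a near miss (for instance `pre-g2-aes128-md5` against `hash sha`) is reported as no overlap, which is how IKEv1 itself treats it.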