Thursday, April 30, 2020

Juniper SRX to Cisco ASA VPN - No phase 2

Hi all,

I think I'm missing something silly here, but after setting up a site-to-site VPN between an SRX and an ASA, the Phase 1 IKE (v2) SA comes up fine, but Phase 2 never does, nor does it even seem like it's ever trying.

The story here is that the SRX has replaced a Draytek, so the ASA has stayed the same and I'm sure the config on that side is still fine.

Some details:

ASA local Subnet: 192.168.1.0/24

SRX local subnet: 192.168.2.0/24

Originally I thought the issue was that the default VLAN 0 on the SRX was set to 192.168.1.0/24 and was conflicting with the remote range on the ASA, but I've changed this to 192.168.100.0/24 and still no dice.

SRX Config:

## Last commit: 2020-04-30 17:32:19 UTC by root

version 12.1X44-D40.2;

system {

root-authentication {

encrypted-password "xx"; ## SECRET-DATA

}

name-server {

8.8.8.8;

8.8.4.4;

}

services {

ssh;

xnm-clear-text;

web-management {

http {

interface [ vlan.2 vlan.1 ];

}

https {

system-generated-certificate;

interface [ vlan.2 vlan.1 ];

}

}

dhcp {

name-server {

8.8.8.8;

8.8.4.4;

}

router {

192.168.1.1;

}

pool 192.168.1.0/24 {

address-range low 192.168.1.2 high 192.168.1.254;

}

propagate-settings fe-0/0/0.0;

}

}

syslog {

archive size 100k files 3;

user * {

any emergency;

}

file messages {

any critical;

authorization info;

}

file interactive-commands {

interactive-commands error;

}

file kmd-logs {

daemon info;

match KMD;

}

}

max-configurations-on-flash 5;

max-configuration-rollbacks 5;

license {

autoupdate {

url https://ae1.juniper.net/junos/key_retrieval;

}

}

}

interfaces {

fe-0/0/0 {

unit 0 {

family ethernet-switching {

port-mode access;

vlan {

members D1;

}

}

}

}

fe-0/0/1 {

unit 0 {

family ethernet-switching {

port-mode access;

vlan {

members D1;

}

}

}

}

fe-0/0/2 {

unit 0 {

family ethernet-switching {

port-mode access;

vlan {

members D1;

}

}

}

}

fe-0/0/3 {

unit 0 {

family ethernet-switching {

port-mode access;

vlan {

members Exchange;

}

}

}

}

fe-0/0/4 {

unit 0 {

family ethernet-switching {

port-mode access;

vlan {

members Exchange;

}

}

}

}

fe-0/0/5 {

unit 0 {

family ethernet-switching {

port-mode access;

vlan {

members Exchange;

}

}

}

}

fe-0/0/6 {

disable;

}

fe-0/0/7 {

unit 0 {

encapsulation ppp-over-ether;

}

}

pp0 {

unit 0 {

apply-macro BT;

ppp-options {

chap {

default-chap-secret "xx"; ## SECRET-DATA

local-name "xx@xx.com";

no-rfc2486;

passive;

}

pap {

local-name "xx@xx.com";

no-rfc2486;

local-password "xx"; ## SECRET-DATA

passive;

}

}

ppD1-options {

underlying-interface fe-0/0/7.0;

idle-timeout 0;

auto-reconnect 5;

client;

}

family inet {

address x.x.x.x/8;

}

}

}

st0 {

unit 0 {

enable;

family inet;

}

}

vlan {

unit 0 {

family inet {

address 192.168.100.254/24;

}

}

unit 1 {

family inet {

address 192.168.20.254/24;

}

}

unit 2 {

family inet {

address 192.168.2.254/24;

}

}

}

}

routing-options {

static {

route 0.0.0.0/0 {

qualified-next-hop 81.148.160.1 {

metric 1;

}

}

route 192.168.1.0/24 next-hop st0.0;

}

}

protocols {

stp {

disable;

}

}

security {

ike {

policy ike-policy- {

mode main;

proposal-set standard;

pre-shared-key ascii-text "xxxxxxxxx"; ## SECRET-DATA

}

gateway ike-gate- {

ike-policy ike-policy-;

address 94.229.76.114;

external-interface pp0.0;

version v2-only;

}

}

ipsec {

proposal main {

protocol esp;

authentication-algorithm hmac-sha-256-128;

encryption-algorithm aes-256-cbc;

}

policy ipsec-policy- {

perfect-forward-secrecy {

keys group2;

}

proposal-set standard;

}

vpn ipsecvpn {

bind-interface st0.0;

ike {

gateway ike-gate-;

ipsec-policy ipsec-policy-;

}

establish-tunnels immediately;

}

}

address-book {

global {

address D1-Cisco 192.168.20.253/32;

address D1-Server 192.168.20.250/32;

address D2-WebDav1 192.168.2.13/32;

}

Exchange-Network {

address Exchange-Network {

wildcard-address 192.168.2.0/24;

}

attach {

zone trust;

}

}

Exchange-SK {

address Exchange-SK {

wildcard-address 192.168.1.0/24;

}

attach {

zone vpn;

}

}

}

screen {

ids-option untrust-screen {

icmp {

ping-death;

}

ip {

source-route-option;

tear-drop;

}

tcp {

syn-flood {

alarm-threshold 1024;

attack-threshold 200;

source-threshold 1024;

destination-threshold 2048;

timeout 20;

}

land;

}

}

}

nat {

source {

rule-set trust-to-untrust {

from zone trust;

to zone untrust;

rule source-nat-rule {

match {

source-address 0.0.0.0/0;

}

then {

source-nat {

interface;

}

}

}

}

}

static {

rule-set Nat-Rules {

from zone untrust;

rule WebDav {

match {

destination-address x.x.x.x/32;

destination-port 8443;

}

then {

static-nat {

prefix {

192.168.2.13/32;

mapped-port 8443;

}

}

}

}

rule Cisco-VPN {

match {

destination-address x.x.x.x/32;

destination-port 8080;

}

then {

static-nat {

prefix {

192.168.20.253/32;

mapped-port 8080;

}

}

}

}

rule D1-HTTP {

match {

destination-address x.x.x.x/32;

destination-port 444;

}

then {

static-nat {

prefix {

192.168.20.250/32;

mapped-port 444;

}

}

}

}

rule D1-HTTP2 {

match {

destination-address x.x.x.x/32;

destination-port 4444;

}

then {

static-nat {

prefix {

192.168.20.250/32;

mapped-port 4444;

}

}

}

}

}

}

}

policies {

from-zone trust to-zone untrust {

policy trust-to-untrust {

match {

source-address any;

destination-address any;

application any;

}

then {

permit;

}

}

}

from-zone untrust to-zone trust {

policy Cisco-VPN {

match {

source-address any;

destination-address D1-Cisco;

application Cisco-VPN;

}

then {

permit;

count;

}

}

policy D1-Web1 {

match {

source-address any;

destination-address D1-Server;

application [ D1-Web2 D1-Web1 ];

}

then {

permit;

}

}

policy D2-WebDav1 {

match {

source-address any;

destination-address D2-WebDav1;

application D2-WebDav;

}

then {

permit;

}

}

}

from-zone trust to-zone vpn {

policy trust-vpn- {

match {

source-address Exchange-Network;

destination-address Exchange-SK;

application any;

}

then {

permit;

}

}

}

from-zone vpn to-zone trust {

policy vpn-trust- {

match {

source-address Exchange-SK;

destination-address Exchange-Network;

application any;

}

then {

permit;

}

}

}

}

zones {

security-zone trust {

host-inbound-traffic {

system-services {

all;

}

protocols {

all;

}

}

interfaces {

vlan.0;

fe-0/0/0.0;

fe-0/0/5.0;

fe-0/0/3.0;

fe-0/0/2.0;

vlan.2;

vlan.1;

fe-0/0/1.0;

fe-0/0/4.0;

}

}

security-zone untrust {

screen untrust-screen;

host-inbound-traffic {

system-services {

ike;

}

}

interfaces {

fe-0/0/7.0;

pp0.0;

}

}

security-zone vpn {

interfaces {

st0.0;

}

}

}

}

firewall {

family inet {

filter Block-Inter-Vlan {

term Block-Inter-Vlan {

from {

source-address {

192.168.20.0/24;

}

}

then {

discard;

}

}

}

}

}

applications {

application Cisco-VPN {

protocol tcp;

destination-port 8080;

}

application D1-Web1 {

protocol tcp;

destination-port 444;

}

application D1-Web2 {

protocol tcp;

destination-port 4444;

}

application D2-WebDav {

protocol tcp;

destination-port 8443;

}

}

vlans {

Exchange {

description Exchange;

vlan-id 20;

interface {

fe-0/0/4.0;

}

l3-interface vlan.2;

}

D1 {

description D1;

vlan-id 10;

l3-interface vlan.1;

}

vlan-trust {

vlan-id 3;

l3-interface vlan.0;

}

}

IKE Status:

root> show security ike security-associations

Index State Initiator cookie Responder cookie Mode Remote Address

164005 UP 0fb34fe6eef146cb 5823116028c5c6a5 IKEv2 x.x.x.x

IPSEC Status:

root> show security ipsec security-associations

Total active tunnels: 0

Stats on the web GUI for Phase 2 show 0 IPsec packets sent. I've tried pinging a remote address (192.168.1.4), but there is no reply and no Phase 2 coming up.

Any ideas? Thanks in advance!


