
Setup VPN cisco Juniper Netscreen

hurdit asked
10,891 Views
Last Modified: 2012-05-05
Hello,
I am using a Juniper NetScreen 20 to connect to a Cisco ASA with a VPN tunnel.
I am using a route-based VPN on my NetScreen and I am trying to connect to the configuration below.
My tunnel interface is set up as 10.2.300.224 255.255.255.224. When I try to connect to the remote Cisco gateway
I pass phase 1, and right after phase 2 I get the following message:
<*.*.*.*>Received notification message for DOI <1><18> <INVALID -ID-NOTIFICATION>. That message makes me think
that my proxy ID values are not matching. As you know, I only have one place to enter the remote network address on the Juniper.

How could I match the remote proxy ID information with the information below?

I see 192.168.3.XX and 172.16.2.XX


ACLs for interesting traffic:
access-list client-vpn-2-us permit tcp host 192.168.3.54 10.2.300.224 255.255.255.224 eq 1433
access-list client-vpn-2-us permit tcp host 192.168.3.56 10.2.300.224 255.255.255.224 eq 1433
access-list client-vpn-2-us permit tcp host 192.168.3.93 10.2.300.224 255.255.255.224 eq 1433
access-list client-vpn-2-us permit tcp host 192.168.3.175 10.2.300.224 255.255.255.224 eq 1433
access-list client-vpn-2-us permit tcp host 172.16.2.165 10.2.300.224 255.255.255.224 eq 1433
access-list client-vpn-2-us permit tcp host 192.168.3.56 10.2.300.224 255.255.255.224 eq 137
access-list client-vpn-2-us permit tcp host 192.168.3.56 10.2.300.224 255.255.255.224 eq 139
access-list client-vpn-2-us permit tcp host 192.168.3.56 10.2.300.224 255.255.255.224 eq 445
access-list client-vpn-2-us permit udp host 192.168.3.56 10.2.300.224 255.255.255.224 eq 137
access-list client-vpn-2-us permit udp host 192.168.3.56 10.2.300.224 255.255.255.224 eq 138
access-list client-vpn-2-us permit tcp host 192.168.3.57 10.2.300.224 255.255.255.224 eq 137
access-list client-vpn-2-us permit tcp host 192.168.3.57 10.2.300.224 255.255.255.224 eq 139
access-list client-vpn-2-us permit tcp host 192.168.3.57 10.2.300.224 255.255.255.224 eq 445
access-list client-vpn-2-us permit udp host 192.168.3.57 10.2.300.224 255.255.255.224 eq 137
access-list client-vpn-2-us permit udp host 192.168.3.57 10.2.300.224 255.255.255.224 eq 138
access-list client-vpn-2-us permit tcp host 192.168.3.93 10.2.300.224 255.255.255.224 eq 137
access-list client-vpn-2-us permit tcp host 192.168.3.93 10.2.300.224 255.255.255.224 eq 139
access-list client-vpn-2-us permit tcp host 192.168.3.93 10.2.300.224 255.255.255.224 eq 445
access-list client-vpn-2-us permit udp host 192.168.3.93 10.2.300.224 255.255.255.224 eq 137
access-list client-vpn-2-us permit udp host 192.168.3.93 10.2.300.224 255.255.255.224 eq 138
access-list client-vpn-2-us permit tcp host 192.168.3.175 10.2.300.224 255.255.255.224 eq 137
access-list client-vpn-2-us permit tcp host 192.168.3.175 10.2.300.224 255.255.255.224 eq 139
access-list client-vpn-2-us permit tcp host 192.168.3.175 10.2.300.224 255.255.255.224 eq 445
access-list client-vpn-2-us permit udp host 192.168.3.175 10.2.300.224 255.255.255.224 eq 137
access-list client-vpn-2-us permit udp host 192.168.3.175 10.2.300.224 255.255.255.224 eq 138
access-list client-vpn-2-us permit tcp host 172.16.2.165 10.2.300.224 255.255.255.224 eq 137
access-list client-vpn-2-us permit tcp host 172.16.2.165 10.2.300.224 255.255.255.224 eq 139
access-list client-vpn-2-us permit tcp host 172.16.2.165 10.2.300.224 255.255.255.224 eq 445
access-list client-vpn-2-us permit udp host 172.16.2.165 10.2.300.224 255.255.255.224 eq 137
access-list client-vpn-2-us permit udp host 172.16.2.165 10.2.300.224 255.255.255.224 eq 138
Crypto map etc.:
crypto ipsec transform-set client-strong esp-3des esp-sha-hmac
crypto map client-vpn 5 match address Client-vpn-2-US
crypto map client-vpn 5 set peer 28.9.111.129
crypto map client-vpn 5 set transform-set Client-strong
crypto map client-vpn interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800


Commented:
Hi there!
Your Cisco is set with peer ID 28.9.111.129,
but which one does your NetScreen expect?

Author

Commented:
My NetScreen's IP is 28.9.111.129 and my peer (the Cisco ASA IP) is 36.101.96.103.
I created a tunnel interface on the NetScreen, 10.2.300.224 255.255.255.224,
and I am expecting traffic from the 192.168.3.0/24 and 172.16.2.0/24 networks.
I have one place to enter the remote proxy ID, so what should I put in the remote proxy ID value, looking at our client's configuration? Thanks.

Commented:
Hi,
I understand; your idea is very clear: networks 192.168.3.0/24 and 172.16.2.0/24 are for phase 2 to negotiate.
The proxy ID should be left blank (at least it is not necessary for successful data tunneling).
I'm not familiar with NetScreen, but why do you need a special tunnel interface with a /27 network?
On both sides the peer IDs should be configured as the real IPs of the interfaces from/to which the tunnel is going to be created.

So the invalid ID notification should be a phase 1 failure.
Do you have anything in the Cisco logs?

Author

Commented:
Hello.
Thanks for all the help. After looking at the recommendation, we decided to simplify things by changing the network our traffic comes from to our local LAN, 192.168.9.0/24. Following the blog information, we set it up with an IP unnumbered interface on the Untrust zone. I also created the route to the tunnel.1 interface for traffic going to 192.168.3.0/24. Set up the proxy ID as local 192.168.9.0/24 to remote 0.0.0.0/0, service any. Created the policy following the blog from my local LAN to the IP 192.168.3.54, service SQL, and an incoming policy too. Same error. Also changed the remote proxy to the IP of the server, 192.168.3.54/32, with no luck. I do not have access to the ASA, but I could ask for some logs to see what they get on their side. Still getting the same phase 2 error. Any ideas? Thanks.

Commented:
Did you keep the proxy ID as 0.0.0.0/0 or 192.168.3.54/32?

Try getting the vpn setting logs from the ASA side and lets see where it is failing there.

Cheers,
Rajesh

Author

Commented:
This is what I get when I try the two proxy ID solutions. I am working on getting the ASA log files.

IKE<36.101.96.103> Phase 2: No policy exists for the proxy ID received: local ID (<192.168.9.0>/<255.255.255.0>, <0>, <0>) remote ID (<0.0.0.0>/<0.0.0.0>, <0>, <0>).

IKE<36.101.96.103> Phase 2: No policy exists for the proxy ID received: local ID (<192.168.9.0>/<255.255.255.0>, <0>, <0>) remote ID (<192.168.3.54>/<255.255.255.255>, <0>, <0>).

Author

Commented:
I got the debug error from the ASA and the crypto config:
crypto ipsec transform-set asme-strong esp-3des esp-sha-hmac
crypto map asme-vpn 5 set peer 28.9.111.129
crypto map asme-vpn 5 set transform-set asme-strong
crypto map asme-vpn interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800


tunnel-group 28.9.111.129 type ipsec-l2l
tunnel-group 28.9.111.129 ipsec-attributes

VPN log:

<163>%ASA-3-713122: IP = 28.9.111.129, Keep-alives configured on but peer does not support keep-alives (type = None)
<163>%ASA-3-713061: Group = 28.9.111.129, IP = 28.9.111.129, Rejecting IPSec tunnel: no matching crypto map entry
 for remote proxy 192.168.9.0/255.255.255.0/0/0 local proxy 192.168.3.54/255.255.255.255/0/0 on interface outside

Author

Commented:
The issue got resolved when the engineer on the remote site decided to ip host on the access list and group all the 192.168.3.0 network addresses into 192.168.3.0/24.

Commented:
Perfect. Glad you got it solved.

Cheers,
Rajesh
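The thread turns on one rule: the proxy IDs the NetScreen proposes in Phase 2 must mirror a crypto-map ACL entry on the ASA, including protocol and port, or the ASA logs %ASA-3-713061 and drops the SA. The following script is an added example, not code from the thread or from either vendor; it parses ACL lines in the style quoted above into proxy-ID tuples and checks a NetScreen proxy ID against them from the ASA's point of view. The ACL lines are constructed (the page's 10.2.300.224 is not a valid IPv4 address, so 10.2.3.224/27 stands in for it), and the exact-mirror matching is a model of the ASA behaviour seen in the log, not vendor code.

```python
import ipaddress

# Constructed sample in the style of the ASA crypto ACL quoted in the thread. The page's
# 10.2.300.224 is not a valid IPv4 address, so 10.2.3.224/27 stands in for it here.
SAMPLE_ACL = """
access-list client-vpn-2-us permit tcp host 192.168.3.54 10.2.3.224 255.255.255.224 eq 1433
access-list client-vpn-2-us permit udp host 192.168.3.56 10.2.3.224 255.255.255.224 eq 137
access-list client-vpn-2-us permit ip 192.168.3.0 255.255.255.0 192.168.9.0 255.255.255.0
"""

PROTO = {"ip": 0, "tcp": 6, "udp": 17}  # IP protocol numbers carried in the proxy ID


def _network(tok, i):
    """Parse one ACL address operand at tok[i] (host X, any, or addr mask)."""
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2


def parse_crypto_acl(text):
    """Each permit ACE becomes the proxy ID the ASA expects: (local, remote, proto, port)."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[2] != "permit":
            continue
        local, i = _network(tok, 4)
        remote, i = _network(tok, i)
        port = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else 0
        entries.append((local, remote, PROTO[tok[3]], port))
    return entries


def find_proxy_match(entries, ns_local, ns_remote, proto=0, port=0):
    """Check a NetScreen proxy ID from the ASA's side: the NetScreen's local ID is the
    ASA's remote proxy and vice versa. Modelled (assumption) as an exact mirror match,
    the rule behind the %ASA-3-713061 rejection quoted in the thread. Returns the
    matching ACE, or None when the ASA would reject the Phase 2 proposal."""
    wanted = (ipaddress.ip_network(ns_remote), ipaddress.ip_network(ns_local), proto, port)
    return next((ace for ace in entries if ace == wanted), None)


def rejection_message(ns_local, ns_remote, proto=0, port=0):
    """Render an ASA-style log line for a rejected proxy pair (format as quoted on the page)."""
    r, l = ipaddress.ip_network(ns_local), ipaddress.ip_network(ns_remote)
    return (f"Rejecting IPSec tunnel: no matching crypto map entry for remote proxy "
            f"{r.network_address}/{r.netmask}/{proto}/{port} local proxy "
            f"{l.network_address}/{l.netmask}/{proto}/{port} on interface outside")
```

The thread's failing proposal (local 192.168.9.0/24, remote 192.168.3.54/32, service any) misses every per-host `tcp ... eq 1433` entry on both address and protocol/port, while the summarised `ip 192.168.3.0/24 <-> 192.168.9.0/24` entry that resolved the case matches a service-any proxy ID exactly.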
