Solved

trouble shooting VPN between Juniper and Cisco ASA

Posted on 2014-04-22
Last Modified: 2014-05-27
Hello expert,
I am trying to build a VPN between a Juniper firewall and a Cisco ASA, but I am facing a problem with it. Could you help troubleshoot it? I will paste the configuration below.

Thanks
Question by:beardog1113
21 Comments
 

Author Comment

by:beardog1113
ID: 40014696
Juniper configuration:

set interface "tunnel.2" zone "Untrust"

set interface tunnel.2 ip unnumbered interface ethernet0/2

set address "Trust" "10.68.146.0/24" 10.68.146.0 255.255.255.0
set address "Trust" "10.68.176.0/21" 10.68.176.0 255.255.248.0
set address "Trust" "10.68.185.0/24" 10.68.185.0 255.255.255.0
set address "Untrust" "10.137.254.0/24" 10.137.254.0 255.255.255.0

set group address "Trust" "SHIDC3_Internal"
set group address "Trust" "SHIDC3_Internal" add "10.68.146.0/24"
set group address "Trust" "SHIDC3_Internal" add "10.68.176.0/21"
set group address "Trust" "SHIDC3_Internal" add "10.68.185.0/24"

set ike gateway "Digital Beijing Colo" address 119.90.35.2 Main outgoing-interface "ethernet0/2" preshare "Zs/TXRlvNOhj0EspatCuflRgBSn60LWDsQ==" sec-level compatible
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log

set vpn "Digital Beijing" gateway "Digital Beijing Colo" no-replay tunnel idletime 0 sec-level compatible
set vpn "Digital Beijing" monitor optimized
set vpn "Digital Beijing" id 0x2 bind interface tunnel.2

set vpn "Digital Beijing" proxy-id local-ip 0.0.0.0/0 remote-ip 0.0.0.0/0 "ANY"


set policy id 31 from "Trust" to "Untrust"  "SHIDC3_Internal" "Digital_Beijing_Internal" "ANY" permit
set policy id 31
exit
set policy id 32 from "Untrust" to "Trust"  "Digital_Beijing_Internal" "SHIDC3_Internal" "ANY" permit
set policy id 32
exit

set route 10.137.254.0/24 interface tunnel.1 gateway 203.148.32.65
 

Author Comment

by:beardog1113
ID: 40014699
ASA configuration:

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 119.90.35.2 255.255.255.224
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.137.254.3 255.255.255.0
!

object network obj-10.137.254.0
 subnet 10.137.254.0 255.255.255.0

object-group network SHIDC3_Internal
 network-object 10.68.176.0 255.255.248.0
 network-object 10.68.185.0 255.255.255.0
 network-object 10.68.146.0 255.255.255.0

access-list outside-acl extended permit icmp any any

access-list map11 extended permit ip object obj-10.137.254.0 object-group SHIDC3_Internal

nat (inside,any) source static obj-10.137.254.0 obj-10.137.254.0 destination static SHIDC3_Internal SHIDC3_Internal no-proxy-arp
!

access-group outside-acl in interface outside
route outside 0.0.0.0 0.0.0.0 119.90.35.1 1
route inside 10.0.0.0 255.0.0.0 10.137.254.1 1
route outside 10.68.146.0 255.255.255.0 119.90.35.1 1
route outside 10.68.176.0 255.255.248.0 119.90.35.1 1
route outside 10.68.185.0 255.255.255.0 119.90.35.1 1
route inside 172.16.0.0 255.240.0.0 10.137.254.1 1
route inside 192.168.0.0 255.255.0.0 10.137.254.1 1

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set CHINA1 esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec df-bit clear-df outside
crypto ipsec df-bit clear-df inside

crypto map outside-map 11 match address map11
crypto map outside-map 11 set pfs
crypto map outside-map 11 set peer 203.148.32.66
crypto map outside-map 11 set ikev1 transform-set CHINA1
crypto map outside-map 11 set security-association lifetime seconds 3600
crypto map outside-map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside-map interface outside
crypto isakmp nat-traversal 32
crypto ikev1 enable outside
crypto ikev1 enable inside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800

tunnel-group 203.148.32.66 type ipsec-l2l
tunnel-group 203.148.32.66 ipsec-attributes
 ikev1 pre-shared-key *****
 peer-id-validate nocheck

Expert Comment

by:Pete Long
ID: 40014776
Is phase 1 establishing? Can you see any debugs?

Troubleshooting Phase 1 Cisco Site to Site (L2L) VPN Tunnels

If that's up, check Phase 2

Troubleshooting Phase 2 Cisco Site to Site (L2L) VPN Tunnels

I've put the main Juniper to ASA VPN gotcha's here, (see step 3)
Cisco ASA to Juniper SRX Site to Site VPN



pl

Expert Comment

by:Sanga Collins
ID: 40014807
When I build a VPN to a non-Juniper device, I use a custom security level so that my phase 1 and phase 2 proposals match whatever is set up on the ASA side. This is the first thing you should fix.

The next step is setting up a policy-based VPN, since the ASA is using access lists. A policy-based VPN allows you to effectively set the proxy IDs (as the source and destination IPs in the policy).

I have had minimal success with route-based VPNs to non-Juniper devices.

Expert Comment

by:Qlemo
ID: 40014994
Pete,
that Juniper runs ScreenOS, not JunOS like the SRX, so the corresponding instructions are not that useful.

sanamc,
Route-based VPNs are more flexible, in particular with regard to setting up proxy IDs: you can set up more than one that way, which is not feasible with a policy-based VPN. However, a policy-based VPN is easier to set up and to manage.

beardog1113,
sangamc is correct about the security levels and the respective proposals. Always use the explicitly noted proposal(s) matching the settings on the other site, in both phases. One of many reasons is that those predefined security levels provide only a low level of security (3DES, DES, allowing MD5, ...), and you definitely should use AES and SHA-1 (better SHA-256).

Do you get any error info (like "No Proposal Chosen"), and did you try to initiate traffic from both sites? If I read your config correctly, you have set up PFS on the Cisco for P2, but nothing on the Juniper (DH group ...), and the proxy ID of "0/0 0/0 any" will not work, as it doesn't match the map11 networks.
 

Author Comment

by:beardog1113
ID: 40015100
hello  Qlemo
If I initiate a connection from the Cisco side, I get the following info on the ASA, but the destination is not reachable.

IKEv1 SAs:



  IKE Peer: 203.148.32.66
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

If I initiate a connection from the Juniper side, there is no P1 association on the ASA at all, and on the Juniper side it looks like this:

FW-> get sa
total configured sa: 1
HEX ID    Gateway         Port Algorithm     SPI      Life:sec kb Sta   PID vsys
00000002<     119.90.35.2  500 esp:3des/sha1 00000000 expir unlim I/I    -1 0
00000002>     119.90.35.2  500 esp:3des/sha1 00000000 expir unlim I/I    -1 0

For the PFS you mentioned, what is your suggestion? And how do I configure group 2 on the Juniper, or remove it from the ASA?

thanks

Expert Comment

by:Qlemo
ID: 40015144
To get the details of the failure, you need to enable debugging on either side (whichever you are more comfortable with should be chosen first).

I cannot see any setting specifying what PFS will use on the ASA, but I have almost no knowledge about that platform (or Cisco devices in general). I assume P2 PFS will just take over the setting of P1, and since nothing is set, PFS won't get used.

The ASA's IKEv1 SA is for P1, and is matched by get ike cookies on the Juniper. get sa displays P2 SAs.

If you can't perform debugging (ATM), try on the Juniper with a proxy ID matching one of the map11 networks on the ASA.
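To go with the point above that get sa shows the phase 2 SAs, here is an added example (not code from the thread): a small Python parser that reads get sa output and classifies each SA from its SPI and Sta columns. The inactive sample is the output posted above; the active sample is constructed for the example (SPIs and lifetimes invented). The state meanings are ScreenOS's: I/I inactive, A/- active without VPN monitor, A/U and A/D active with VPN monitor up or down. An SPI of 00000000 with state I/I, as in the thread, means phase 2 was never negotiated, so the next thing to look at is the proxy ID or proposal, not routing.

```python
"""Classify phase 2 SAs from ScreenOS 'get sa' output (added example)."""
import re
from typing import Dict, List

# 'get sa' output as pasted in the thread (used here as sample input).
SAMPLE_INACTIVE = """\
total configured sa: 1
HEX ID    Gateway         Port Algorithm     SPI      Life:sec kb Sta   PID vsys
00000002<     119.90.35.2  500 esp:3des/sha1 00000000 expir unlim I/I    -1 0
00000002>     119.90.35.2  500 esp:3des/sha1 00000000 expir unlim I/I    -1 0
"""

# Constructed sample of the same VPN once phase 2 is up and VPN monitor
# reports the peer reachable (SPIs and lifetimes are invented).
SAMPLE_ACTIVE = """\
total configured sa: 1
HEX ID    Gateway         Port Algorithm     SPI      Life:sec kb Sta   PID vsys
00000002<     119.90.35.2  500 esp:3des/sha1 0a1b2c3d  3412 unlim A/U    -1 0
00000002>     119.90.35.2  500 esp:3des/sha1 4e5f6071  3412 unlim A/U    -1 0
"""

# One SA row: hex id, direction (< inbound, > outbound), gateway, port,
# algorithm, SPI, lifetime in seconds, kb, state, policy id, vsys.
ROW = re.compile(
    r"^(?P<id>[0-9a-f]{8})(?P<dir>[<>])\s+(?P<gw>\S+)\s+(?P<port>\d+)\s+"
    r"(?P<alg>\S+)\s+(?P<spi>[0-9a-f]{8})\s+(?P<life>\S+)\s+(?P<kb>\S+)\s+"
    r"(?P<sta>\S+)\s+(?P<pid>-?\d+)\s+(?P<vsys>\d+)$"
)


def parse_get_sa(text: str) -> List[Dict[str, str]]:
    """Return one dict per SA row; header and summary lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def diagnose(text: str) -> Dict[str, str]:
    """Map each SA HEX ID to a status code derived from both directions."""
    by_id: Dict[str, List[Dict[str, str]]] = {}
    for row in parse_get_sa(text):
        by_id.setdefault(row["id"], []).append(row)

    status: Dict[str, str] = {}
    for sa_id, rows in by_id.items():
        if any(r["spi"] == "00000000" or r["sta"].startswith("I") for r in rows):
            # No SPI was ever agreed: phase 2 did not complete. Check
            # proxy IDs / proposals and 'get ike cookies' for phase 1.
            status[sa_id] = "NOT_ESTABLISHED"
        elif any(r["sta"] == "A/D" for r in rows):
            # SA negotiated, but VPN monitor cannot reach the peer.
            status[sa_id] = "ACTIVE_MONITOR_DOWN"
        elif len(rows) < 2:
            status[sa_id] = "ONE_DIRECTION_ONLY"
        else:
            status[sa_id] = "ACTIVE"
    return status


if __name__ == "__main__":
    for label, sample in (("thread", SAMPLE_INACTIVE), ("constructed", SAMPLE_ACTIVE)):
        print(label, diagnose(sample))
```

Paste the output of get sa (or get sa active) into SAMPLE_INACTIVE's place to run it against a live box; the row regex only needs the column layout shown above.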
 

Author Comment

by:beardog1113
ID: 40015235
hello
I have replaced the configuration with the following:
set vpn "Digital Beijing" proxy-id local-ip 10.68.185.0/24 remote-ip 10.137.254.0/24 "ANY"

Then P1 and P2 look normal on the Juniper firewall, but I still can't reach from the Cisco site to the Juniper side, or the reverse. Is there anything I missed?

thank you

Expert Comment

by:Qlemo
ID: 40015289
First we need to know whether the tunnel is up, and then we can see if routing is working. The next step is debugging.
 

Author Comment

by:beardog1113
ID: 40015387
hello
Now I can reach 10.68.185.x from 10.137.254.x.
Since I have another subnet on the Juniper site, 10.68.146.0/24, how can I make it reachable too?

thanks

Expert Comment

by:Qlemo
ID: 40015478
Just re-issue the set vpn ... proxy-id command for the other networks, which should result in (at least) three entries visible with get vpn "Digital Beijing" proxy-id:
set vpn "Digital Beijing" proxy-id local-ip 10.68.176.0/21 remote-ip 10.137.254.0/24 "ANY"
set vpn "Digital Beijing" proxy-id local-ip 10.68.146.0/24 remote-ip 10.137.254.0/24 "ANY"

 

Author Comment

by:beardog1113
ID: 40016548
Hello Qlemo,
I am using an SSG140, not sure whether something is different or not. A VPN entry with the same name can only have one "proxy-id"; the last input overwrites the previous one.
Maybe we should define another VPN?

thanks

Accepted Solution

by:
Qlemo earned 500 total points
ID: 40017109
You are using ScreenOS 6.3, hopefully? I can't remember exactly, but I think you can provide multiple proxy IDs only with 6.2 or 6.3.

You can try whether using address groups in the proxy IDs helps:
set vpn "Digital Beijing" proxy-id local-addr SHIDC3_Internal remote-addr Digital_Beijing_Internal any


If that doesn't work (e.g. because address groups are not yet allowed), you will have to create one IPsec setting per network:
unset vpn "Digital Beijing"

set vpn "Digital Beijing 176" gateway "Digital Beijing Colo" no-replay tunnel idletime 0 sec-level compatible
set vpn "Digital Beijing 176" monitor optimized
set vpn "Digital Beijing 176" bind interface tunnel.2
set vpn "Digital Beijing 176" proxy-id local-ip 10.68.176.0/21 remote-ip 10.137.254.0/24 any

set vpn "Digital Beijing 185" gateway "Digital Beijing Colo" no-replay tunnel idletime 0 sec-level compatible
set vpn "Digital Beijing 185" monitor optimized
set vpn "Digital Beijing 185" bind interface tunnel.2
set vpn "Digital Beijing 185" proxy-id local-ip 10.68.185.0/24 remote-ip 10.137.254.0/24 any

set vpn "Digital Beijing 146" gateway "Digital Beijing Colo" no-replay tunnel idletime 0 sec-level compatible
set vpn "Digital Beijing 146" monitor optimized
set vpn "Digital Beijing 146" bind interface tunnel.2
set vpn "Digital Beijing 146" proxy-id local-ip 10.68.146.0/24 remote-ip 10.137.254.0/24 any

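The two points that carry this thread (Qlemo's earlier remark that a 0/0 proxy ID cannot match the map11 networks, and the accepted answer's one-VPN-per-network layout) as an added Python example, not code from the thread or from either vendor. An ASA crypto-map ACL that references an object-group expands to one ACE per member network, and as an IKEv1 responder the ASA accepts a phase 2 proposal only when the peer's proxy IDs, with local and remote swapped to the ASA's point of view, equal one of those ACEs exactly; otherwise it logs "no matching crypto map entry". The checker below uses the address objects from the ASA configuration posted earlier and shows why 0/0 fails, why a /24 carved out of the 10.68.176.0/21 ACE also fails, and then emits one ScreenOS VPN object per ACE. Assumptions: the proposal name g2-esp-3des-sha is my choice of the predefined ScreenOS phase 2 proposal that matches transform-set CHINA1 with PFS group 2 (change it if the ASA side changes), and the VPN names follow the accepted answer's "Digital Beijing 176" pattern.

```python
"""ASA crypto-map ACE vs. ScreenOS proxy-ID matching (added example)."""
from ipaddress import IPv4Network, ip_network
from typing import Dict, List, Tuple

Pair = Tuple[IPv4Network, IPv4Network]  # (ASA-local network, ASA-remote network)

# Address objects copied from the ASA configuration posted in the thread.
ASA_OBJECTS: Dict[str, List[str]] = {
    "obj-10.137.254.0": ["10.137.254.0/24"],
    "SHIDC3_Internal": ["10.68.176.0/21", "10.68.185.0/24", "10.68.146.0/24"],
}


def expand_ace(src_obj: str, dst_obj: str,
               objects: Dict[str, List[str]] = ASA_OBJECTS) -> List[Pair]:
    """Expand 'permit ip object A object-group B' into one concrete ACE per
    member pair; the ASA negotiates each of these as its own phase 2 SA."""
    return [(ip_network(s), ip_network(d))
            for s in objects[src_obj] for d in objects[dst_obj]]


def proposal_seen_by_asa(juniper_local: str, juniper_remote: str) -> Pair:
    """A ScreenOS 'proxy-id local-ip L remote-ip R' reaches the ASA with the
    roles swapped: the ASA's local side is the Juniper's remote side."""
    return (ip_network(juniper_remote), ip_network(juniper_local))


def asa_accepts(proposal: Pair, aces: List[Pair]) -> bool:
    """IKEv1 crypto-map matching on the ASA is exact: 0.0.0.0/0 does not
    cover the ACEs, and a subnet inside an ACE does not match either."""
    return proposal in aces


def check_proxy_ids(candidates: List[Tuple[str, str]],
                    aces: List[Pair]) -> Dict[Tuple[str, str], bool]:
    """Evaluate several (local-ip, remote-ip) proxy IDs against the ACEs."""
    return {c: asa_accepts(proposal_seen_by_asa(*c), aces) for c in candidates}


def screenos_vpn_config(vpn_base: str, gateway: str, tunnel_if: str,
                        remote_net: str, local_nets: List[str],
                        proposal: str = "g2-esp-3des-sha") -> List[str]:
    """One ScreenOS VPN object per local network, each carrying a single
    proxy-ID that mirrors one ASA ACE.  'g2-esp-3des-sha' is assumed to be
    the predefined phase 2 proposal matching CHINA1 plus PFS group 2."""
    lines: List[str] = []
    for net in local_nets:
        third_octet = str(ip_network(net).network_address).split(".")[2]
        name = f'"{vpn_base} {third_octet}"'
        lines += [
            f'set vpn {name} gateway "{gateway}" no-replay tunnel idletime 0 '
            f'proposal "{proposal}"',
            f"set vpn {name} bind interface {tunnel_if}",
            f'set vpn {name} proxy-id local-ip {net} remote-ip {remote_net} "ANY"',
        ]
    return lines


if __name__ == "__main__":
    aces = expand_ace("obj-10.137.254.0", "SHIDC3_Internal")
    results = check_proxy_ids([
        ("0.0.0.0/0", "0.0.0.0/0"),             # original config
        ("10.68.185.0/24", "10.137.254.0/24"),  # first fix in the thread
        ("10.68.176.0/24", "10.137.254.0/24"),  # wrong mask for the /21 ACE
        ("10.68.176.0/21", "10.137.254.0/24"),
    ], aces)
    for (local, remote), ok in results.items():
        print(f"{'OK ' if ok else 'NO '} local-ip {local} remote-ip {remote}")
    print("\n".join(screenos_vpn_config(
        "Digital Beijing", "Digital Beijing Colo", "tunnel.2",
        "10.137.254.0/24", ASA_OBJECTS["SHIDC3_Internal"])))
```

The same exact-match rule is why the earlier suggestion of 10.68.176.0/24 would have failed against the ASA's /21 ACE: the mask must be copied, not just the network.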
 

Author Closing Comment

by:beardog1113
ID: 40017363
Thanks, perfect.

Expert Comment

by:Qlemo
ID: 40017616
Which way did you take to get it working? And which ScreenOS version? That will help other members searching for the solution.
 

Author Comment

by:beardog1113
ID: 40019130
hi Qlemo
Creating multiple VPNs, following your last comment.

thanks
 

Author Comment

by:beardog1113
ID: 40090526
hello Qlemo
Today I found an issue: if we use multiple VPNs on the Juniper, internal IPs behind it could access any IP behind the Juniper, but the reverse is not available.
Not sure what is happening, could you kindly continue to have a look?

thank you

Expert Comment

by:Qlemo
ID: 40091441
Go into the corresponding policies and tick the "Modify matching bidirectional VPN policy" checkbox. That should create the reverse-traffic policies, allowing communication to be initiated the other way round. You'll have to make sure those policies are positioned at the top (by moving each such newly created policy).
 

Author Comment

by:beardog1113
ID: 40092013
hello Qlemo
If I have only one VPN bound to this tunnel, everything works well.
If I create another VPN bound to the same tunnel, none of the Juniper-site hosts can ping ASA-site hosts, but ASA-site hosts can ping Juniper-site hosts.
For the policies, I have already put the ones related to the VPN at the top, both trust-to-untrust and untrust-to-trust. "Modify matching bidirectional VPN policy" can't be checked; if I select a VPN, the error message is "The action PERMIT cannot be associated with a VPN Tunnel".
So, any other ideas?

thank you

Expert Comment

by:Qlemo
ID: 40093649
You have set up different policies for egress and ingress traffic, obviously.

But hold on, you are using a route-based VPN with tunnel interfaces, and you won't be able to associate policies with VPN settings. All you can do is permit or deny/reject traffic, and you did that already (according to http:#a40014699) with two policies. That's fine that way.

Again, you would have to start debugging on the ASA and/or the Juniper to see what is going on when traffic originates from the Juniper side.
On the Juniper, this requires a telnet or serial connection. Are you ready to do that? The debugging commands in the CLI are:
clear dbuf
set ffilter src-ip «source IP of the Juniper network you use for the test» dst-ip «remote internal IP you ping»
debug flow basic
« ping from the above source IP to the remote internal IP »
undebug flow
get dbuf stream

That should tell you all about the routing and policies involved, including the tunnel interface chosen, if any.
clear dbuf
set sa-filter «remote gateway IP»
debug ike basic
« ping the remote internal IP »
undebug ike
get dbuf stream

will tell you everything about the VPN negotiation taking place.
 

Author Comment

by:beardog1113
ID: 40094581
Thank you, I will try to debug it.
Have a nice day.
