Solved

VPN between Cisco PIX 525 and Juniper SRX 100 Not Working

Posted on 2015-02-10
Medium Priority, 129 Views, Last Modified: 2015-02-17
Due to a recent merger, we're faced with setting up a site-to-site tunnel between a Cisco device and Juniper device. We get the tunnel up but it doesn't stay up reliably. It drops without apparent reason and it's been impossible thus far to determine the cause. The Cisco logs merely show a timeout and thus far, I've been unable to locate anything in the Juniper logs (still new to it so I haven't gotten far there yet). Thus I have little to go on. But while I'm searching (and pulling my hair out), I thought I'd run it by the experts to see if anyone had a similar problem just in case... Attached are the config files for review.

Thank you and perhaps you can save what's left of my hair.
ExpertsExchangePosting.txt
Question by:ejefferson213
3 Comments
 
LVL 3

Expert Comment

by:Matthew Borrusso
ID: 40602350
Check the timeout values for phase 1 and phase 2.
If you are not rekeying properly, it will cause you this type of grief. There is a value in the Juniper you can set which will allow a soft rekey, which basically allows the expired key to work for a short "float" period. This is where I would start.

It is odd on the PIX side that you set the SA timeout to the same value as the IKE. I did not see values specified in the Juniper. I may have missed it. Junos may be different, but the defaults in ScreenOS are 28800 and 3600 seconds respectively.

One last item: are your transform sets encrypting at the levels you want them to?
In Junos I believe that the predefined ones are (I had to pull the old book out for this one):
The predefined Phase 1 proposals that JUNOS Software provides are as follows:
- Standard: pre-g2-aes128-sha and pre-g2-3des-sha
- Compatible: pre-g2-3des-sha, pre-g2-3des-md5, pre-g2-des-sha, and pre-g2-des-md5
- Basic: pre-g1-des-sha and pre-g1-des-md5
The predefined Phase 2 proposals that JUNOS Software provides are as follows:
- Standard: g2-esp-3des-sha and g2-esp-aes128-sha
- Compatible: nopfs-esp-3des-sha, nopfs-esp-3des-md5, nopfs-esp-des-sha, and nopfs-esp-des-md5
- Basic: nopfs-esp-des-sha and nopfs-esp-des-md5

Last but not least, back to the timeouts: you also have a data limit defined for rekey (which is fine) but both sides should match.
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000

Good luck, but I believe this will put you in the right area!
Matt
 
LVL 3

Accepted Solution

by: Matthew Borrusso (earned 2000 total points)
ID: 40602352
Let me rephrase my first statement. I would start with looking at the timeout values. I would not worry about the soft key unless there is some odd timing issue going on past that (NTP usually clears that right up).
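As an added example (not from the thread, and not vendor tooling), a small Python check that pulls the phase 1 and phase 2 lifetimes out of a PIX config and a Junos set-style config and reports where the two sides differ, or where phase 1 equals phase 2 on the PIX, which is the point Matt raises above. The config excerpts, proposal names and regexes are constructed for the example.

```python
import re

# Constructed sample excerpts, not the configs attached to the question: the PIX
# sets its ISAKMP lifetime equal to its IPsec SA lifetime, the SRX keeps phase 2 at 3600 s.
PIX_CONFIG = """
isakmp policy 10 lifetime 28800
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
"""
SRX_CONFIG = """
set security ike proposal ike-prop lifetime-seconds 28800
set security ipsec proposal ipsec-prop lifetime-seconds 3600
set security ipsec proposal ipsec-prop lifetime-kilobytes 4608000
"""
# One regex per lifetime per platform; the capture group is the numeric value.
PATTERNS = {
    "pix": {
        "p1_seconds": r"isakmp policy \d+ lifetime (\d+)",
        "p2_seconds": r"security-association lifetime seconds (\d+)",
        "p2_kilobytes": r"security-association lifetime kilobytes (\d+)",
    },
    "srx": {
        "p1_seconds": r"security ike proposal \S+ lifetime-seconds (\d+)",
        "p2_seconds": r"security ipsec proposal \S+ lifetime-seconds (\d+)",
        "p2_kilobytes": r"security ipsec proposal \S+ lifetime-kilobytes (\d+)",
    },
}

def parse_lifetimes(platform, text):
    """Return {lifetime_name: value} for each lifetime found in the config text."""
    found = {}
    for name, pattern in PATTERNS[platform].items():
        m = re.search(pattern, text)
        if m:
            found[name] = int(m.group(1))
    return found

def compare_lifetimes(pix, srx):
    """List the lifetime problems a rekey-related tunnel drop would point at."""
    findings = []
    for name in ("p1_seconds", "p2_seconds", "p2_kilobytes"):
        a, b = pix.get(name), srx.get(name)
        if a is None or b is None:
            findings.append(f"{name}: not set explicitly on both sides (pix={a}, srx={b})")
        elif a != b:
            findings.append(f"{name}: mismatch (pix={a}, srx={b})")
    if "p1_seconds" in pix and pix["p1_seconds"] == pix.get("p2_seconds"):
        findings.append("pix: phase 1 and phase 2 lifetimes are equal, so both SAs expire together")
    return findings
```

A lifetime that is left at its platform default shows up as "not set explicitly", which is worth checking by hand since the defaults on the two vendors differ.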
 

Author Closing Comment

by:ejefferson213
ID: 40614192
I made the changes you requested but unfortunately, the tunnel is still unreliable. I'm presently working with the Juniper folks and a consultant in an attempt to fix this problem. Thank you for taking the time to offer advice and I'll just keep at it...
