Solved

VPN between Cisco PIX 525 and Juniper SRX 100 Not Working

Posted on 2015-02-10
3
122 Views
Last Modified: 2015-02-17
Due to a recent merger, we're faced with setting up a site-to-site tunnel between a Cisco device and Juniper device.  We get the tunnel up but it doesn't stay up reliably.  It drops without apparent reason and it's been impossible thus far to determine the cause.  The Cisco logs merely show a timeout and thus far, I've been unable to locate anything in the Juniper logs (still new to it so I haven't gotten far there yet).  Thus I have little to go on.  But while I'm searching (and pulling my hair out), I thought I'd run it by the experts to see if anyone had a similar problem just in case.....  Attached are the config files for review.  

Thank you and perhaps you can save what's left of my hair.
ExpertsExchangePosting.txt
0
Comment
Question by:ejefferson213
  • 2
3 Comments
 
LVL 3

Expert Comment

by:Matthew Borrusso
ID: 40602350
Check the time out values for phase1 and phase2.
If you are not rekeying properly, it will cause you this type of grief. There is a value in the Juniper you can set which will allow a soft-rekey, basically allows the expired key to work for a short "float" period. This is where I would start.

it is odd on the pix side that you set the sa timeout to the same value as the ike. I did not see values specified in the juniper. I may have missed it. Junos may be different, but the defaults in screenos are 28800 and 3600 seconds respectively.

One last item, your transform sets are encrypting at the levels you want them.
In junos I believe that the predefined are: (I had to pull the old book out for this one).
The predefined Phase 1 proposals that JUNOS Software provides are as follows:
■ Standard—pre-g2-aes128-sha and pre-g2-3des-sha
■ Compatible—pre-g2-3des-sha, pre-g2-3des-md5, pre-g2-des-sha, and
pre-g2-des-md5
■ Basic—pre-g1-des-sha and pre-g1-des-md5
The predefined Phase 2 proposals that JUNOS Software provides are as follows:
■ Standard—g2-esp-3des-sha and g2-esp-aes128-sha
■ Compatible—nopfs-esp-3des-sha, nopfs-esp-3des-md5, nopfs-esp-des-sha, and
nopfs-esp-des-md5
Phase 2 Proposals for IPsec VPNs ■ 363
Chapter 16: Internet Protocol Security
■ Basic—nopfs-esp-des-sha and nopfs-esp-des-md5

Last but not least, back to the timeouts, you also have a data limit defined for rekey (which is fine) but both sides should match.
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

Good luck, but I believe this will put you in the right area!
Matt
0
 
LVL 3

Accepted Solution

by:
Matthew Borrusso earned 500 total points
ID: 40602352
Let me re-phrase my first statement. I would start with looking at the timeout values.. I would not worry about the softkey unless there is some odd timing issue going on past that (NTP usually clears that right up).
0
 

Author Closing Comment

by:ejefferson213
ID: 40614192
I made the changes you requested but unfortunately, the tunnel is still unreliable.  I'm presently working with the Juniper folks and a consultant in an attempt to fix this problem.  Thank you for taking the time to offer advice and I'll just keep at it........
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Understanding FTPS File transfer is a common requirement in most Enterprises. While there are numerous ways to get a file from Point A to Point B over a network, perhaps the most common method still in use is FTP – File Transfer Protocol. FTP is …
SSL is a very common protocol used these days when browsing the web.  The purpose is to provide security to communication, but how does it do it?  There are several pieces at work that have to be setup before SSL will even work and it requires both …
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now