Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

VPN between Cisco PIX 525 and Juniper SRX 100 Not Working

Posted on 2015-02-10
3
124 Views
Last Modified: 2015-02-17
Due to a recent merger, we're faced with setting up a site-to-site tunnel between a Cisco device and Juniper device.  We get the tunnel up but it doesn't stay up reliably.  It drops without apparent reason and it's been impossible thus far to determine the cause.  The Cisco logs merely show a timeout and thus far, I've been unable to locate anything in the Juniper logs (still new to it so I haven't gotten far there yet).  Thus I have little to go on.  But while I'm searching (and pulling my hair out), I thought I'd run it by the experts to see if anyone had a similar problem just in case.....  Attached are the config files for review.  

Thank you and perhaps you can save what's left of my hair.
ExpertsExchangePosting.txt
0
Comment
Question by:ejefferson213
  • 2
3 Comments
 
LVL 3

Expert Comment

by:Matthew Borrusso
ID: 40602350
Check the time out values for phase1 and phase2.
If you are not rekeying properly, it will cause you this type of grief. There is a value in the Juniper you can set which will allow a soft-rekey, basically allows the expired key to work for a short "float" period. This is where I would start.

it is odd on the pix side that you set the sa timeout to the same value as the ike. I did not see values specified in the juniper. I may have missed it. Junos may be different, but the defaults in screenos are 28800 and 3600 seconds respectively.

One last item, your transform sets are encrypting at the levels you want them.
In junos I believe that the predefined are: (I had to pull the old book out for this one).
The predefined Phase 1 proposals that JUNOS Software provides are as follows:
■ Standard—pre-g2-aes128-sha and pre-g2-3des-sha
■ Compatible—pre-g2-3des-sha, pre-g2-3des-md5, pre-g2-des-sha, and
pre-g2-des-md5
■ Basic—pre-g1-des-sha and pre-g1-des-md5
The predefined Phase 2 proposals that JUNOS Software provides are as follows:
■ Standard—g2-esp-3des-sha and g2-esp-aes128-sha
■ Compatible—nopfs-esp-3des-sha, nopfs-esp-3des-md5, nopfs-esp-des-sha, and
nopfs-esp-des-md5
Phase 2 Proposals for IPsec VPNs ■ 363
Chapter 16: Internet Protocol Security
■ Basic—nopfs-esp-des-sha and nopfs-esp-des-md5

Last but not least, back to the timeouts, you also have a data limit defined for rekey (which is fine) but both sides should match.
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

Good luck, but I believe this will put you in the right area!
Matt
0
 
LVL 3

Accepted Solution

by:
Matthew Borrusso earned 500 total points
ID: 40602352
Let me re-phrase my first statement. I would start with looking at the timeout values.. I would not worry about the softkey unless there is some odd timing issue going on past that (NTP usually clears that right up).
0
 

Author Closing Comment

by:ejefferson213
ID: 40614192
I made the changes you requested but unfortunately, the tunnel is still unreliable.  I'm presently working with the Juniper folks and a consultant in an attempt to fix this problem.  Thank you for taking the time to offer advice and I'll just keep at it........
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
BGP cluster ID 1 67
Setting nameservers after res_init fails doing res_query 2 109
Macbook Sierra OS OpenVPN issue 13 110
OSPF Design NSSA 5 68
SSL is a very common protocol used these days when browsing the web.  The purpose is to provide security to communication, but how does it do it?  There are several pieces at work that have to be setup before SSL will even work and it requires both …
Creating an OSPF network that automatically (dynamically) reroutes network traffic over other connections to prevent network downtime.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

861 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question