Site-to-site VPN between Cisco ASA and Juniper SRX
I'm trying to create a route-based VPN connection between a Cisco ASA and a Juniper SRX, but I have a problem with the ACL and Proxy IDs. The Cisco ASA log states that
[IKEv1]Group = A.A.A.A, IP = A.A.A.A, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy B.B.B.B/255.255.255.0/6/0 local proxy Z.Z.Z.Z/255.255.255.255/6/22 on interface comcastpublic
I don't know how to get B.B.B.B/255.255.255.0/6/22, or where the problem is. The aim is to pass only SSH traffic through this VPN.
Notation:
A.A.A.A - Juniper public IP
B.B.B.B - Juniper private IP
Y.Y.Y.Y - Cisco public IP
Z.Z.Z.Z - Cisco private IP
Juniper SRX config:
interfaces {
    fe-0/0/0 {
        unit 0 {
            family inet {
                address A.A.A.A/26;
            }
        }
    }
    fe-0/0/7 {
        unit 0 {
            family inet {
                address B.B.B.1/24;
            }
        }
    }
    st0 {
        unit 0 {
            multipoint;
            family inet {
                next-hop-tunnel 10.10.10.1 ipsec-vpn ipsec-vpn-1-cfgr;
                next-hop-tunnel 10.10.10.3 ipsec-vpn ipsec-vpn-2-cfgr;
                address 10.10.10.2/24;
            }
        }
        unit 1 {
            point-to-point;
            family inet {
                next-hop-tunnel 10.10.10.4 ipsec-vpn ipsec-vpn-remote-cfgr;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop A.A.A.1;
        route B.B.1.0/24 next-hop 10.10.10.1;
        route B.B.3.0/24 next-hop 10.10.10.3;
        route Z.Z.Z.Z/32 next-hop st0.1;
    }
}
security {
    ike {
        traceoptions {
            file size 1m;
            flag ike;
            flag next-hop-tunnels;
            flag all;
        }
        proposal ike-proposal-cfgr {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 3600;
        }
        policy ike-policy-remote-cfgr {
            mode main;
            proposals ike-proposal-cfgr;
            pre-shared-key ascii-text "********";
        }
        gateway ike-gate-remote-cfgr {
            ike-policy ike-policy-remote-cfgr;
            address Y.Y.Y.Y;
            external-interface fe-0/0/0.0;
        }
    }
    ipsec {
        traceoptions {
            flag all;
        }
        proposal ipsec-proposal-remote-cfgr {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 86400;
            lifetime-kilobytes 28800;
        }
        policy ipsec-policy-remote-cfgr {
            proposals ipsec-proposal-remote-cfgr;
        }
        vpn ipsec-vpn-remote-cfgr {
            bind-interface st0.1;
            vpn-monitor {
                optimized;
            }
            ike {
                gateway ike-gate-remote-cfgr;
                proxy-identity {
                    local B.B.B.B/24;
                    remote Z.Z.Z.Z/32;
                    service junos-ssh;
                }
                ipsec-policy ipsec-policy-remote-cfgr;
            }
            establish-tunnels immediately;
        }
    }
    alg {
        traceoptions {
            file alg.log size 100000 files 2;
        }
        dns disable;
        msrpc disable;
        rsh disable;
        sql disable;
    }
    flow {
        tcp-mss {
            all-tcp {
                mss 1400;
            }
            ipsec-vpn {
                mss 1350;
            }
        }
        tcp-session {
            no-syn-check;
            no-syn-check-in-tunnel;
            no-sequence-check;
        }
    }
    policies {
        from-zone guest to-zone remote {
            policy local-to-spokes {
                match {
                    source-address net-cfgr_B-B-B-B--24;
                    destination-address net-cfgr_Z-Z-Z-Z--32;
                    application junos-ssh;
                }
                then {
                    permit;
                }
            }
        }
        from-zone remote to-zone guest {
            policy spokes-to-local {
                match {
                    source-address net-cfgr_Z-Z-Z-Z--32;
                    destination-address net-cfgr_B-B-B-B--24;
                    application junos-ssh;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone remote {
            address-book {
                address net-cfgr_Z-Z-Z-Z--32 Z.Z.Z.Z/32;
            }
            interfaces {
                st0.1;
            }
        }
        security-zone guest {
            address-book {
                address net-cfgr_B-B-B-B--24 B.B.B.B/24;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                fe-0/0/7.0;
            }
        }
    }
}
Cisco ASA config:
ASA Version 9.0(2)
!
interface GigabitEthernet0/0
 nameif comcastpublic
 ip address Y.Y.Y.Y
!
object network VPNPC
 host Z.Z.Z.Z
 description VPN PC S2S
object network REMOTE
 subnet B.B.B.B 255.255.255.0
access-list comcastpublic_access_in extended permit object SSH object VPNPC object REMOTE
access-list comcastpublic_cryptomap_3 extended permit tcp object VPNPC object REMOTE eq ssh
nat (private,comcastpublic) source static VPNPC VPNPC destination static REMOTE REMOTE no-proxy-arp route-lookup
nat (comcastpublic,private) source static any any destination static
!
nat (private,comcastpublic) after-auto source dynamic any interface dns
access-group comcastpublic_access_in in interface comcastpublic
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map comcastpublic_map 4 match address comcastpublic_cryptomap_3
crypto map comcastpublic_map 4 set peer A.A.A.A
crypto map comcastpublic_map 4 set ikev1 transform-set ESP-3DES-SHA
crypto map comcastpublic_map 4 set ikev2 ipsec-proposal 3DES
crypto map comcastpublic_map 4 set security-association lifetime seconds 86400
crypto map comcastpublic_map 4 set security-association lifetime kilobytes 28800
crypto map comcastpublic_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map comcastpublic_map interface comcastpublic
crypto ikev2 policy 2
 encryption 3des
 integrity sha
 group 2
 prf sha
 lifetime seconds 28800
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable comcastpublic
crypto ikev1 enable comcastpublic
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
crypto ikev1 policy 8
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 3600
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
group-policy GroupPolicy_A.A.A.A internal
group-policy GroupPolicy_A.A.A.A attributes
 vpn-tunnel-protocol ikev1 ikev2
tunnel-group A.A.A.A type ipsec-l2l
tunnel-group A.A.A.A general-attributes
 default-group-policy GroupPolicy_A.A.A.A
tunnel-group A.A.A.A ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
Cisco log:
Aug 05 05:19:23 [IKEv1]Group = A.A.A.A, IP = A.A.A.A, Received local Proxy Host data in ID Payload: Address Z.Z.Z.Z, Protocol 6, Port 22
Aug 05 05:19:23 [IKEv1]Group = A.A.A.A, IP = A.A.A.A, QM IsRekeyed old sa not found by addr
Aug 05 05:19:23 [IKEv1]Group = A.A.A.A, IP = A.A.A.A, Static Crypto Map check, checking map = comcastpublic_map, seq = 1...
Aug 05 05:19:23 [IKEv1]Group = A.A.A.A, IP = A.A.A.A, Static Crypto Map check, map = comcastpublic_map, seq = 1, ACL does not match proxy IDs src:B.B.B.B dst:Z.Z.Z.Z
Aug 05 05:19:23 [IKEv1]Group = A.A.A.A, IP = A.A.A.A, Static Crypto Map check, checking map = comcastpublic_map, seq = 2...
Aug 05 05:19:23 [IKEv1]Group = A.A.A.A, IP = A.A.A.A, Static Crypto Map check, map = comcastpublic_map, seq = 2, ACL does not match proxy IDs src:B.B.B.B dst:Z.Z.Z.Z
Aug 05 05:19:23 [IKEv1]Group = A.A.A.A, IP = A.A.A.A, Static Crypto Map check, checking map = comcastpublic_map, seq = 3...
Aug 05 05:19:23 [IKEv1]Group = A.A.A.A, IP = A.A.A.A, Static Crypto Map check, map = comcastpublic_map, seq = 3, ACL does not match proxy IDs src:B.B.B.B dst:Z.Z.Z.Z
Aug 05 05:19:23 [IKEv1]Group = A.A.A.A, IP = A.A.A.A, Static Crypto Map check, checking map = comcastpublic_map, seq = 4...
Aug 05 05:19:23 [IKEv1]Group = A.A.A.A, IP = A.A.A.A, Static Crypto Map check, map = comcastpublic_map, seq = 4, ACL does not match proxy IDs src:B.B.B.B dst:Z.Z.Z.Z
Aug 05 05:19:23 [IKEv1]Group = A.A.A.A, IP = A.A.A.A, Static Crypto Map check, checking map = comcastpublic_map, seq = 5...
Aug 05 05:19:23 [IKEv1]Group = A.A.A.A, IP = A.A.A.A, Static Crypto Map check, map = comcastpublic_map, seq = 5, ACL does not match proxy IDs src:B.B.B.B dst:Z.Z.Z.Z
Aug 05 05:19:23 [IKEv1]Group = A.A.A.A, IP = A.A.A.A, Skipping dynamic map SYSTEM_DEFAULT_CRYPTO_MAP sequence 65535: cannot match peerless map when peer found in previous map entry.
Aug 05 05:19:23 [IKEv1]Group = A.A.A.A, IP = A.A.A.A, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy B.B.B.B/255.255.255.0/6/0 local proxy Z.Z.Z.Z/255.255.255.255/6/22 on interface comcastpublic
Aug 05 05:19:23 [IKEv1 DEBUG]Group = A.A.A.A, IP = A.A.A.A, sending notify message
Aug 05 05:19:23 [IKEv1 DEBUG]Group = A.A.A.A, IP = A.A.A.A, constructing blank hash payload
Aug 05 05:19:23 [IKEv1 DEBUG]Group = A.A.A.A, IP = A.A.A.A, constructing qm hash payload
Aug 05 05:19:23 [IKEv1]IP = A.A.A.A, IKE_DECODE SENDING Message (msgid=d07c313e) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 216
Aug 05 05:19:23 [IKEv1]Group = A.A.A.A, IP = A.A.A.A, QM FSM error (P2 struct &0x00007fffa28c2920, mess id 0x5ef38480)!
Aug 05 05:19:23 [IKEv1 DEBUG]Group = A.A.A.A, IP = A.A.A.A, IKE QM Responder FSM error history (struct &0x00007fffa28c2920) <state>, <event>: QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
Aug 05 05:19:23 [IKEv1 DEBUG]Group = A.A.A.A, IP = A.A.A.A, sending delete/delete with reason message
Aug 05 05:19:23 [IKEv1]Group = A.A.A.A, IP = A.A.A.A, Removing peer from correlator table failed, no match!
Aug 05 05:19:23 [IKEv1 DEBUG]Group = A.A.A.A, IP = A.A.A.A, IKE SA MM:f4ec0f2f rcv'd Terminate: state MM_ACTIVE flags 0x00010042, refcnt 1, tuncnt 0
Aug 05 05:19:23 [IKEv1 DEBUG]Group = A.A.A.A, IP = A.A.A.A, IKE SA MM:f4ec0f2f terminating: flags 0x01010002, refcnt 0, tuncnt 0
Aug 05 05:19:23 [IKEv1 DEBUG]Group = A.A.A.A, IP = A.A.A.A, sending delete/delete with reason message
Could anybody help with this problem?
Yes, it is one of the possible solutions. But VPN is required by company management since it is more secure.
I don't see IKE allowed as host-inbound traffic into your zone. Maybe that helps.
ASA crypto map ACLs do not support protocol traffic matching (yeah, I know). The crypto map ACL should match on network, and then either use the global
no sysopt connection permit-vpn
to apply the interface ACL to tunneled traffic (not recommended) or use a vpn-filter in your tunnel group policy to restrict traffic by protocol. Even if the ASA did allow the protocol-based crypto ACL, your ACL as written does not match the packets being received. Your ACL matches the remote proxy on port 22, and the logs indicate the local proxy is port 22.
You're right about ACL correctness. Your solution should work. So there are 3 possible ones:
1) Yours.
2) Adding an ACL entry (I haven't tested it):
access-list comcastpublic_cryptomap_3 extended permit tcp object VPNPC eq ssh object REMOTE
3) The solution proposed on the Juniper Forum by aarseniev:
set applications application my-ssh source-port 22
set applications application my-ssh protocol tcp
delete security ipsec vpn ipsec-vpn-remote-cfgr ike proxy-identity service junos-ssh
set security ipsec vpn ipsec-vpn-remote-cfgr ike proxy-identity service my-ssh
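To make the mismatch in the log concrete, here is an added Python model of the crypto-map check the ASA walks through ("Static Crypto Map check ... ACL does not match proxy IDs"). It is example code written for this page, not code from the question, the answers, Cisco or Juniper. It assumes a simplified rule: an ACE matches only when its source equals the local proxy, its destination equals the remote proxy, and protocol and ports are equal field for field (port 0 and protocol 0 meaning "any", as in the IKE ID payload); it does not try to model any broader matching the real ASA might do. The IP addresses are constructed documentation-range stand-ins for Z.Z.Z.Z and B.B.B.B, and the three ACEs are the original one from the question, option 2 from the comment above, and a networks-only ACE of the kind the accepted answer recommends.

```python
"""Added example (not from the page): a simplified model of how an ASA compares the
proxy IDs of an IKEv1 Quick Mode proposal against its crypto-map ACL entries.
Assumption: comparison is exact on network, protocol and port on both sides."""
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import Dict, List, Optional

ANY_PROTO = 0   # IKE ID payload: protocol 0 means "any protocol"
ANY_PORT = 0    # IKE ID payload: port 0 means "any port"
TCP = 6         # IP protocol number for TCP


@dataclass(frozen=True)
class ProxyId:
    """One side of the proposal as the ASA logs it: network/protocol/port."""
    network: IPv4Network
    proto: int = ANY_PROTO
    port: int = ANY_PORT


@dataclass(frozen=True)
class CryptoAce:
    """A crypto-map ACL entry. Defaults model 'permit ip <src> <dst>'."""
    src: IPv4Network
    dst: IPv4Network
    proto: int = ANY_PROTO
    src_port: int = ANY_PORT
    dst_port: int = ANY_PORT


def mismatch_reasons(ace: CryptoAce, local: ProxyId, remote: ProxyId) -> List[str]:
    """Return why an ACE does not cover the proposal; an empty list means it matches.
    The ASA compares the ACE source against the *local* proxy and the ACE
    destination against the *remote* proxy, i.e. from its own point of view."""
    reasons = []
    if ace.src != local.network:
        reasons.append(f"source {ace.src} != local proxy {local.network}")
    if ace.dst != remote.network:
        reasons.append(f"destination {ace.dst} != remote proxy {remote.network}")
    if ace.proto != local.proto or ace.proto != remote.proto:
        reasons.append(f"protocol {ace.proto} != proxy protocol {local.proto}/{remote.proto}")
    if ace.src_port != local.port:
        reasons.append(f"source port {ace.src_port} != local proxy port {local.port}")
    if ace.dst_port != remote.port:
        reasons.append(f"destination port {ace.dst_port} != remote proxy port {remote.port}")
    return reasons


def ace_matches(ace: CryptoAce, local: ProxyId, remote: ProxyId) -> bool:
    return not mismatch_reasons(ace, local, remote)


def find_matching_seq(crypto_map: Dict[int, CryptoAce], local: ProxyId,
                      remote: ProxyId) -> Optional[int]:
    """Walk the static crypto map in sequence order, as the log's per-seq check does;
    return the first matching sequence number, or None (-> 'Rejecting IPSec tunnel')."""
    for seq in sorted(crypto_map):
        if ace_matches(crypto_map[seq], local, remote):
            return seq
    return None


# Constructed stand-ins for the page's placeholders (documentation ranges, not real hosts):
# Z.Z.Z.Z (Cisco-side VPN PC) -> 192.0.2.10, B.B.B.B/24 (Juniper LAN) -> 198.51.100.0/24.
VPNPC = IPv4Network("192.0.2.10/32")
REMOTE = IPv4Network("198.51.100.0/24")

# What the log shows the ASA received: local proxy Z/32 tcp port 22, remote proxy B/24
# tcp port 0. That is the SRX proxy-identity "local B/24, remote Z/32, service junos-ssh"
# (TCP, destination port 22) seen from the ASA's side, so the port lands on the local proxy.
LOCAL_PROXY = ProxyId(VPNPC, TCP, 22)
REMOTE_PROXY = ProxyId(REMOTE, TCP, ANY_PORT)

# The ACE in the question: permit tcp object VPNPC object REMOTE eq ssh (port 22 on REMOTE).
ORIGINAL_ACE = CryptoAce(VPNPC, REMOTE, TCP, dst_port=22)
# Option 2 from the comment: permit tcp object VPNPC eq ssh object REMOTE (port 22 on VPNPC).
MIRRORED_ACE = CryptoAce(VPNPC, REMOTE, TCP, src_port=22)
# Networks only, as the answer recommends (filter SSH with a vpn-filter instead).
NETWORK_ONLY_ACE = CryptoAce(VPNPC, REMOTE)

if __name__ == "__main__":
    for name, ace in [("original", ORIGINAL_ACE), ("mirrored", MIRRORED_ACE),
                      ("network-only", NETWORK_ONLY_ACE)]:
        print(f"{name}: {mismatch_reasons(ace, LOCAL_PROXY, REMOTE_PROXY) or 'match'}")
    print("first matching seq:",
          find_matching_seq({4: ORIGINAL_ACE, 5: MIRRORED_ACE}, LOCAL_PROXY, REMOTE_PROXY))
```

Running it shows the original ACE failing on both ports (it puts 22 on the REMOTE side while the proposal carries 22 on the local side), the mirrored ACE matching, and the networks-only ACE failing against a tcp/22 proposal under this exact-match model: for that ACE to match, the SRX proxy-identity would also have to drop the service, so that both ends negotiate networks only and SSH is restricted by policy on each side.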
user2317 8 years ago
Why not forward a port to the inside and forget about the VPN entirely? SSH is encrypted traffic so why to build a VPN just for that?