Site-to-site VPN between Cisco ASA and Juniper SRX

  • I'm trying to create a route-based VPN connection between a Cisco ASA and a Juniper SRX, but I have a problem with the ACL and Proxy IDs. The Cisco ASA log states that

    [IKEv1]Group = A.A.A.A, IP = A.A.A.A, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy B.B.B.B/255.255.255.0/6/0 local proxy Z.Z.Z.Z/255.255.255.255/6/22 on interface comcastpublic
    

    I don't know how to make it B.B.B.B/255.255.255.0/6/22, or where the problem is. The aim is to pass only SSH traffic through this VPN.

    Notation:

    A.A.A.A - Juniper public IP

    B.B.B.B - Juniper private IP

    Y.Y.Y.Y - Cisco public IP

    Z.Z.Z.Z - Cisco private IP

    Juniper SRX config:

    interfaces {
        fe-0/0/0 {
            unit 0 {
                family inet {
                    address A.A.A.A/26;
                }
            }
        }
        fe-0/0/7 {
            unit 0 {
                family inet {
                    address B.B.B.1/24;
                }
            }
        }
        st0 {
            unit 0 {
                multipoint;
                family inet {
                    next-hop-tunnel 10.10.10.1 ipsec-vpn ipsec-vpn-1-cfgr;
                    next-hop-tunnel 10.10.10.3 ipsec-vpn ipsec-vpn-2-cfgr;
                    address 10.10.10.2/24;
                }
            }
            unit 1 {
                point-to-point;
                family inet {
                    next-hop-tunnel 10.10.10.4 ipsec-vpn ipsec-vpn-remote-cfgr;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop A.A.A.1;
            route B.B.1.0/24 next-hop 10.10.10.1;
            route B.B.3.0/24 next-hop 10.10.10.3;
            route Z.Z.Z.Z/32 next-hop st0.1;
        }
    }
    security {
        ike {
            traceoptions {
                file size 1m;
                flag ike;
                flag next-hop-tunnels;
                flag all;
            }
            proposal ike-proposal-cfgr {
                authentication-method pre-shared-keys;
                dh-group group2;
                authentication-algorithm sha1;
                encryption-algorithm 3des-cbc;
                lifetime-seconds 3600;
            }
            policy ike-policy-remote-cfgr {
                mode main;
                proposals ike-proposal-cfgr;
                pre-shared-key ascii-text "********";
            }
            gateway ike-gate-remote-cfgr {
                ike-policy ike-policy-remote-cfgr;
                address Y.Y.Y.Y;
                external-interface fe-0/0/0.0;
            }
        }
        ipsec {
            traceoptions {
                flag all;
            }
            proposal ipsec-proposal-remote-cfgr {
                protocol esp;
                authentication-algorithm hmac-sha1-96;
                encryption-algorithm 3des-cbc;
                lifetime-seconds 86400;
                lifetime-kilobytes 28800;
            }
            policy ipsec-policy-remote-cfgr {
                proposals ipsec-proposal-remote-cfgr;
            }
            vpn ipsec-vpn-remote-cfgr {
                bind-interface st0.1;
                vpn-monitor {
                    optimized;
                }
                ike {
                    gateway ike-gate-remote-cfgr;
                    proxy-identity {
                        local B.B.B.B/24;
                        remote Z.Z.Z.Z/32;
                        service junos-ssh;
                    }
                    ipsec-policy ipsec-policy-remote-cfgr;
                }
                establish-tunnels immediately;
            }
        }
        alg {
            traceoptions {
                file alg.log size 100000 files 2;
            }
            dns disable;
            msrpc disable;
            rsh disable;
            sql disable;
        }
        flow {
            tcp-mss {
                all-tcp {
                    mss 1400;
                }
                ipsec-vpn {
                    mss 1350;
                }
            }
            tcp-session {
                no-syn-check;
                no-syn-check-in-tunnel;
                no-sequence-check;
            }
        }   
        policies {
            from-zone guest to-zone remote {
                policy local-to-spokes {
                    match {
                        source-address net-cfgr_B-B-B-B--24;
                        destination-address net-cfgr_Z-Z-Z-Z--32;
                        application junos-ssh;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone remote to-zone guest {
                policy spokes-to-local {
                    match {
                        source-address net-cfgr_Z-Z-Z-Z--32;
                        destination-address net-cfgr_B-B-B-B--24;
                        application junos-ssh;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone remote {
                address-book {
                    address net-cfgr_Z-Z-Z-Z--32 Z.Z.Z.Z/32;
                }
                interfaces {
                    st0.1;
                }
            }
            security-zone guest {
                address-book {
                    address net-cfgr_B-B-B-B--24 B.B.B.B/24;
                }
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    fe-0/0/7.0;
                }
            }
        }
    }
    

    Cisco ASA config:

    ASA Version 9.0(2) 
    !
    interface GigabitEthernet0/0
     nameif comcastpublic
      ip address Y.Y.Y.Y 
    !
    object network VPNPC
     host Z.Z.Z.Z
     description VPN PC S2S
    object network REMOTE
     subnet B.B.B.B 255.255.255.0
    
    access-list comcastpublic_access_in extended permit object SSH object VPNPC object REMOTE 
    
    access-list comcastpublic_cryptomap_3 extended permit tcp object VPNPC object REMOTE eq ssh 
    
    nat (private,comcastpublic) source static VPNPC VPNPC destination static REMOTE REMOTE no-proxy-arp route-lookup
    nat (comcastpublic,private) source static any any destination static 
    !
    nat (private,comcastpublic) after-auto source dynamic any interface dns
    access-group comcastpublic_access_in in interface comcastpublic
    
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac 
    
    crypto ipsec ikev2 ipsec-proposal 3DES
     protocol esp encryption 3des
     protocol esp integrity sha-1 md5
    
    crypto ipsec security-association pmtu-aging infinite
    
    crypto map comcastpublic_map 4 match address comcastpublic_cryptomap_3
    crypto map comcastpublic_map 4 set peer A.A.A.A 
    crypto map comcastpublic_map 4 set ikev1 transform-set ESP-3DES-SHA
    crypto map comcastpublic_map 4 set ikev2 ipsec-proposal 3DES
    crypto map comcastpublic_map 4 set security-association lifetime seconds 86400
    crypto map comcastpublic_map 4 set security-association lifetime kilobytes 28800
    crypto map comcastpublic_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map comcastpublic_map interface comcastpublic
    
    crypto ikev2 policy 2
     encryption 3des
     integrity sha
     group 2
     prf sha
     lifetime seconds 28800
    crypto ikev2 policy 30
     encryption 3des
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    
    crypto ikev2 enable comcastpublic
    crypto ikev1 enable comcastpublic
    
    crypto ikev1 policy 1
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 28800
    crypto ikev1 policy 8
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 3600
    crypto ikev1 policy 100
     authentication crack
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 110
     authentication rsa-sig
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 120
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    
    !
    group-policy GroupPolicy_A.A.A.A internal
    group-policy GroupPolicy_A.A.A.A attributes
     vpn-tunnel-protocol ikev1 ikev2 
    
    
    tunnel-group A.A.A.A type ipsec-l2l
    tunnel-group A.A.A.A general-attributes
     default-group-policy GroupPolicy_A.A.A.A
    tunnel-group A.A.A.A ipsec-attributes
     ikev1 pre-shared-key *****
     ikev2 remote-authentication pre-shared-key *****
     ikev2 local-authentication pre-shared-key *****
    

    Cisco log:

    Aug 05 05:19:23 [IKEv1]Group = A.A.A.A, IP = A.A.A.A, Received local Proxy Host data in ID Payload:  Address Z.Z.Z.Z, Protocol 6, Port 22
    Aug 05 05:19:23 [IKEv1]Group = A.A.A.A, IP = A.A.A.A, QM IsRekeyed old sa not found by addr
    Aug 05 05:19:23 [IKEv1]Group = A.A.A.A, IP = A.A.A.A, Static Crypto Map check, checking map = comcastpublic_map, seq = 1...
    Aug 05 05:19:23 [IKEv1]Group = A.A.A.A, IP = A.A.A.A, Static Crypto Map check, map = comcastpublic_map, seq = 1, ACL does not match proxy IDs src:B.B.B.B dst:Z.Z.Z.Z
    Aug 05 05:19:23 [IKEv1]Group = A.A.A.A, IP = A.A.A.A, Static Crypto Map check, checking map = comcastpublic_map, seq = 2...
    Aug 05 05:19:23 [IKEv1]Group = A.A.A.A, IP = A.A.A.A, Static Crypto Map check, map = comcastpublic_map, seq = 2, ACL does not match proxy IDs src:B.B.B.B dst:Z.Z.Z.Z
    Aug 05 05:19:23 [IKEv1]Group = A.A.A.A, IP = A.A.A.A, Static Crypto Map check, checking map = comcastpublic_map, seq = 3...
    Aug 05 05:19:23 [IKEv1]Group = A.A.A.A, IP = A.A.A.A, Static Crypto Map check, map = comcastpublic_map, seq = 3, ACL does not match proxy IDs src:B.B.B.B dst:Z.Z.Z.Z
    Aug 05 05:19:23 [IKEv1]Group = A.A.A.A, IP = A.A.A.A, Static Crypto Map check, checking map = comcastpublic_map, seq = 4...
    Aug 05 05:19:23 [IKEv1]Group = A.A.A.A, IP = A.A.A.A, Static Crypto Map check, map = comcastpublic_map, seq = 4, ACL does not match proxy IDs src:B.B.B.B dst:Z.Z.Z.Z
    Aug 05 05:19:23 [IKEv1]Group = A.A.A.A, IP = A.A.A.A, Static Crypto Map check, checking map = comcastpublic_map, seq = 5...
    Aug 05 05:19:23 [IKEv1]Group = A.A.A.A, IP = A.A.A.A, Static Crypto Map check, map = comcastpublic_map, seq = 5, ACL does not match proxy IDs src:B.B.B.B dst:Z.Z.Z.Z
    Aug 05 05:19:23 [IKEv1]Group = A.A.A.A, IP = A.A.A.A, Skipping dynamic map SYSTEM_DEFAULT_CRYPTO_MAP sequence 65535: cannot match peerless map when peer found in previous map entry.
    Aug 05 05:19:23 [IKEv1]Group = A.A.A.A, IP = A.A.A.A, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy B.B.B.B/255.255.255.0/6/0 local proxy Z.Z.Z.Z/255.255.255.255/6/22 on interface comcastpublic
    Aug 05 05:19:23 [IKEv1 DEBUG]Group = A.A.A.A, IP = A.A.A.A, sending notify message
    Aug 05 05:19:23 [IKEv1 DEBUG]Group = A.A.A.A, IP = A.A.A.A, constructing blank hash payload
    Aug 05 05:19:23 [IKEv1 DEBUG]Group = A.A.A.A, IP = A.A.A.A, constructing qm hash payload
    Aug 05 05:19:23 [IKEv1]IP = A.A.A.A, IKE_DECODE SENDING Message (msgid=d07c313e) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 216
    Aug 05 05:19:23 [IKEv1]Group = A.A.A.A, IP = A.A.A.A, QM FSM error (P2 struct &0x00007fffa28c2920, mess id 0x5ef38480)!
    Aug 05 05:19:23 [IKEv1 DEBUG]Group = A.A.A.A, IP = A.A.A.A, IKE QM Responder FSM error history (struct &0x00007fffa28c2920)  <state>, <event>:  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
    Aug 05 05:19:23 [IKEv1 DEBUG]Group = A.A.A.A, IP = A.A.A.A, sending delete/delete with reason message
    Aug 05 05:19:23 [IKEv1]Group = A.A.A.A, IP = A.A.A.A, Removing peer from correlator table failed, no match!
    Aug 05 05:19:23 [IKEv1 DEBUG]Group = A.A.A.A, IP = A.A.A.A, IKE SA MM:f4ec0f2f rcv'd Terminate: state MM_ACTIVE  flags 0x00010042, refcnt 1, tuncnt 0
    Aug 05 05:19:23 [IKEv1 DEBUG]Group = A.A.A.A, IP = A.A.A.A, IKE SA MM:f4ec0f2f terminating:  flags 0x01010002, refcnt 0, tuncnt 0
    Aug 05 05:19:23 [IKEv1 DEBUG]Group = A.A.A.A, IP = A.A.A.A, sending delete/delete with reason message
    

    Could anybody help with this problem?

    Why not forward a port to the inside and forget about the VPN entirely? SSH is encrypted traffic, so why build a VPN just for that?

    Yes, it is one of the possible solutions. But VPN is required by company management since it is more secure.

    I don't see ike allowed as host-inbound traffic into your zone. Maybe that helps.

  • Santino (Correct answer)

    8 years ago

    ASA crypto map ACLs do not support protocol traffic matching (yeah, I know). The crypto map ACL should match on network, and then either use the global no sysopt connection permit-vpn to apply the interface ACL to tunneled traffic (not recommended) or use a vpn-filter in your tunnel group policy to restrict traffic by protocol.

    Even if the ASA did allow the protocol-based crypto ACL, your ACL as written does not match the packets being received. Your ACL matches the remote proxy on port 22, and the logs indicate the local proxy is port 22.

    You're right about ACL correctness. Your solution should work. So there are 3 possible ones:

    1) Yours.

    2) Adding an ACL entry: access-list comcastpublic_cryptomap_3 extended permit tcp object VPNPC eq ssh object REMOTE. But I haven't tested it.

    3) The solution proposed on the Juniper Forum by aarseniev:

    set applications application my-ssh source-port 22
    set applications application my-ssh protocol tcp
    delete security ipsec vpn ipsec-vpn-remote-cfgr ike proxy-identity service junos-ssh
    set security ipsec vpn ipsec-vpn-remote-cfgr ike proxy-identity service my-ssh
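The mismatch Santino points out (the ACE puts port 22 on the remote side, while the log shows port 22 on the local proxy) can be checked mechanically. The following Python script is an added example written for this page, not Cisco code: it parses the ASA's rejection line and candidate crypto-map ACEs (the one posted, the comment's option 2, and the answer's network-only ACE) and reports which of them would match the peer's proxy IDs and why the others do not. It assumes the ASA treats a peer selector contained within an ACE as a match, resolves only the `object`, `host`, `any` and address/mask forms, and uses constructed RFC 5737 addresses in place of Z.Z.Z.Z, B.B.B.B/24 and A.A.A.A.

```python
"""Model of the ASA's crypto-map ACL vs IKEv1 proxy-ID check (added example).

Illustration written for this page, not Cisco's implementation. Assumptions
(not from the page): a peer selector contained within an ACE counts as a match,
and only the address forms below are resolved. Addresses are constructed
RFC 5737 values standing in for Z.Z.Z.Z (ASA-side host) and B.B.B.B/24 (SRX side).
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PROTO_NUM = {"ip": 0, "tcp": 6, "udp": 17}  # ACE keyword -> IP protocol number (0 = any)
PORT_NAMES = {"ssh": 22}                     # ASA port keyword used on the page


@dataclass(frozen=True)
class ProxyId:
    net: ipaddress.IPv4Network
    proto: int  # 0 = any
    port: int   # 0 = any


@dataclass(frozen=True)
class CryptoAce:
    proto: str
    src: ipaddress.IPv4Network  # ACE source = the ASA's local side
    src_port: int
    dst: ipaddress.IPv4Network  # ACE destination = the remote (peer) side
    dst_port: int


# The ASA prints each proxy as <addr>/<mask>/<protocol>/<port>.
REJECT_RE = re.compile(
    r"remote proxy ([\d.]+)/([\d.]+)/(\d+)/(\d+) local proxy ([\d.]+)/([\d.]+)/(\d+)/(\d+)"
)


def parse_reject_log(line: str) -> Tuple[ProxyId, ProxyId]:
    """Return (local, remote) proxy IDs from an ASA 'no matching crypto map entry' line."""
    m = REJECT_RE.search(line)
    if not m:
        raise ValueError("not an ASA 'no matching crypto map entry' line")
    raddr, rmask, rproto, rport, laddr, lmask, lproto, lport = m.groups()
    remote = ProxyId(ipaddress.IPv4Network((raddr, rmask), strict=False), int(rproto), int(rport))
    local = ProxyId(ipaddress.IPv4Network((laddr, lmask), strict=False), int(lproto), int(lport))
    return local, remote


def parse_ace(line: str, objects: Dict[str, ipaddress.IPv4Network]) -> CryptoAce:
    """Parse 'access-list NAME extended permit PROTO SRC [eq PORT] DST [eq PORT]'."""
    tok = line.split()
    i = tok.index("permit") + 1
    proto, i = tok[i], i + 1

    def addr(i: int) -> Tuple[ipaddress.IPv4Network, int]:
        if tok[i] == "object":  # 'object NAME' resolved through the object table
            return objects[tok[i + 1]], i + 2
        if tok[i] == "host":
            return ipaddress.IPv4Network(tok[i + 1] + "/32"), i + 2
        if tok[i] == "any":
            return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
        return ipaddress.IPv4Network((tok[i], tok[i + 1]), strict=False), i + 2  # 'ADDR MASK'

    def port(i: int) -> Tuple[int, int]:
        if i < len(tok) and tok[i] == "eq":
            name = tok[i + 1]
            return PORT_NAMES.get(name) or int(name), i + 2
        return 0, i  # no 'eq' clause: any port

    src, i = addr(i)
    src_port, i = port(i)
    dst, i = addr(i)
    dst_port, i = port(i)
    return CryptoAce(proto, src, src_port, dst, dst_port)


def mismatch_reason(ace: CryptoAce, local: ProxyId, remote: ProxyId) -> Optional[str]:
    """Return None if the ACE matches the proxy IDs, otherwise the first failing check.

    Orientation is the crux: the ACE source is compared with the ASA's LOCAL proxy
    and the ACE destination with the REMOTE proxy, ports included.
    """
    ace_proto = PROTO_NUM.get(ace.proto)
    if ace_proto is None:
        return f"unsupported ACE protocol {ace.proto}"
    if ace_proto and ace_proto != local.proto:
        return f"ACE protocol {ace.proto} vs proxy protocol {local.proto}"
    if not local.net.subnet_of(ace.src):
        return f"local proxy {local.net} not within ACE source {ace.src}"
    if not remote.net.subnet_of(ace.dst):
        return f"remote proxy {remote.net} not within ACE destination {ace.dst}"
    if ace.src_port and ace.src_port != local.port:
        return f"ACE source port {ace.src_port} vs local proxy port {local.port}"
    if ace.dst_port and ace.dst_port != remote.port:
        return f"ACE destination port {ace.dst_port} vs remote proxy port {remote.port}"
    return None


def evaluate_acl(acl_lines: List[str], objects: Dict[str, ipaddress.IPv4Network],
                 log_line: str) -> Dict[str, Optional[str]]:
    """Map each ACE line to its mismatch reason (None = this ACE would match)."""
    local, remote = parse_reject_log(log_line)
    return {line: mismatch_reason(parse_ace(line, objects), local, remote) for line in acl_lines}


# Constructed sample: Z.Z.Z.Z -> 192.0.2.10, B.B.B.B/24 -> 198.51.100.0/24, A.A.A.A -> 203.0.113.5
OBJECTS = {"VPNPC": ipaddress.IPv4Network("192.0.2.10/32"),
           "REMOTE": ipaddress.IPv4Network("198.51.100.0/24")}
LOG_LINE = ("[IKEv1]Group = 203.0.113.5, IP = 203.0.113.5, Rejecting IPSec tunnel: "
            "no matching crypto map entry for remote proxy 198.51.100.0/255.255.255.0/6/0 "
            "local proxy 192.0.2.10/255.255.255.255/6/22 on interface comcastpublic")
CANDIDATES = [
    # as posted: port 22 on the destination (remote) side
    "access-list comcastpublic_cryptomap_3 extended permit tcp object VPNPC object REMOTE eq ssh",
    # option 2 from the comment: port 22 on the source (local) side
    "access-list comcastpublic_cryptomap_3 extended permit tcp object VPNPC eq ssh object REMOTE",
    # the answer's recommendation: match on networks only, restrict the protocol elsewhere
    "access-list comcastpublic_cryptomap_3 extended permit ip object VPNPC object REMOTE",
]

if __name__ == "__main__":
    for line, reason in evaluate_acl(CANDIDATES, OBJECTS, LOG_LINE).items():
        print("MATCH    " if reason is None else f"NO MATCH ({reason})", line)
```

Running it shows the posted ACE rejected because its destination port (22) does not agree with the remote proxy port (0), while the source-port and network-only ACEs both match. A network-only ACE on its own admits all IP traffic between the two networks through the tunnel, which is why the answer pairs it with a vpn-filter in the group policy; the SRX side already limits the flow to junos-ssh in its security policies.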

License under CC-BY-SA with attribution
