There was a VPN issue to troubleshoot recently. It was between Juniper SRX and Cisco Router. It seems straightforward but it took quite a long time to troubleshoot because of communication. All steps listed here for my future reference.

Some other related posts:

Diagram

1. Enabled Debugging on Cisco IOS Router


vpn-R1#debug crypto ipsec
Crypto IPSEC debugging is on

vpn-R1#debug crypto isakmp
Crypto ISAKMP debugging is on

vpn-R1#debug crypto engine
Crypto Engine debugging is on

vpn-R1#terminal monitor



2. Debugging results
It shows invalidated proposal and ISAKMP deleted node with reason “QM rejected”


003345: Sep  5 10:49:31.279 EDT: ISAKMP (1060): received packet from 20.20.34.50 dport 500 sport 500 Global (R) QM_IDLE      
003346: Sep  5 10:49:31.279 EDT: ISAKMP: set new node 1450843075 to QM_IDLE      
003347: Sep  5 10:49:31.279 EDT: ISAKMP:(1060): processing HASH payload. message ID = 1450843075
003348: Sep  5 10:49:31.279 EDT: ISAKMP:(1060): processing SA payload. message ID = 1450843075
003349: Sep  5 10:49:31.279 EDT: ISAKMP:(1060):Checking IPSec proposal 1
003350: Sep  5 10:49:31.279 EDT: ISAKMP: transform 0, ESP_3DES
003351: Sep  5 10:49:31.279 EDT: ISAKMP:   attributes in transform:
003352: Sep  5 10:49:31.279 EDT: ISAKMP:      authenticator is HMAC-SHA
003353: Sep  5 10:49:31.279 EDT: ISAKMP:      group is 2
003354: Sep  5 10:49:31.279 EDT: ISAKMP:      SA life type in seconds
003355: Sep  5 10:49:31.279 EDT: ISAKMP:      SA life duration (VPI) of  0x0 0x0 0xE 0x10 
003356: Sep  5 10:49:31.279 EDT: ISAKMP:      encaps is 1 (Tunnel)
003357: Sep  5 10:49:31.279 EDT: ISAKMP:(1060):atts are acceptable.
003358: Sep  5 10:49:31.279 EDT: IPSEC(validate_proposal_request): proposal part #1
003359: Sep  5 10:49:31.279 EDT: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 200.153.121.58:0, remote= 20.20.34.50:0,
    local_proxy= 10.9.106.18/255.255.255.255/256/0,
    remote_proxy= 10.21.51.128/255.255.255.255/256/0,
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel), 
    lifedur= 0s and 0kb, 
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0


003361: Sep  5 10:49:31.279 EDT: Crypto mapdb : proxy_match
 src addr     : 10.9.106.18
 dst addr     : 10.21.51.128
 protocol     : 0
 src port     : 0
 dst port     : 0
.......
003369: Sep  5 10:49:31.283 EDT: map_db_find_best did not find matching map
003370: Sep  5 10:49:31.283 EDT: IPSEC(ipsec_process_proposal): proxy identities not supported
003371: Sep  5 10:49:31.283 EDT: ISAKMP:(1060): IPSec policy invalidated proposal with error 32
003372: Sep  5 10:49:31.283 EDT: ISAKMP:(1060): phase 2 SA policy not acceptable! (local 20.15.121.58 remote 20.20.34.50)
003373: Sep  5 10:49:31.283 EDT: ISAKMP: set new node -2087949406 to QM_IDLE      
003374: Sep  5 10:49:31.283 EDT: ISAKMP:(1060):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
 spi 739556696, message ID = 2207017890
003375: Sep  5 10:49:31.283 EDT: ISAKMP:(1060): sending packet to 20.20.34.50 my_port 500 peer_port 500 (R) QM_IDLE      
003376: Sep  5 10:49:31.283 EDT: ISAKMP:(1060):Sending an IKE IPv4 Packet.
003377: Sep  5 10:49:31.283 EDT: ISAKMP:(1060):purging node -2087949406
003378: Sep  5 10:49:31.283 EDT: ISAKMP:(1060):deleting node 1450843075 error TRUE reason "QM rejected"
003379: Sep  5 10:49:31.283 EDT: ISAKMP:(1060):Node 1450843075, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
vpn-router#
003380: Sep  5 10:49:31.283 EDT: ISAKMP:(1060):Old State = IKE_QM_READY  New State = IKE_QM_READY
003382: Sep  5 10:50:21.284 EDT: ISAKMP:(1060):purging node 1450843075



3. Checking configuration

Cisco Router’s crypto map


vpn-router#show crypto map 
 Interfaces using crypto map NiStTeSt1:

Crypto Map IPv4 "vpn" 20 ipsec-isakmp
 Description: VPN to C
 Peer = 20.20.34.50
 Extended IP access list C-VPN-List
     access-list C-VPN-List permit ip host 10.9.106.18 host 10.1.254.19
 Current peer: 20.20.34.50
 Security association lifetime: 4608000 kilobytes/3600 seconds
 Responder-Only (Y/N): N
 PFS (Y/N): Y
 DH group:  group2
 Mixed-mode : Disabled
 Transform sets={ 
  Conductor:  { esp-3des esp-sha-hmac  } , 
 }


Peer Juniper SRX 550 configuraiton:

set interfaces st0 unit 22 description Cisco-R
set security ike policy ike-policy-Cisco-R mode main
set security ike policy ike-policy-Cisco-R proposals ike-proposal-Padrao
set security ike policy ike-policy-Cisco-R pre-shared-key ascii-text "$APfTz0O"
set security ike gateway ike-gate-Cisco-R ike-policy ike-policy-Cisco-R
set security ike gateway ike-gate-Cisco-R address 20.15.121.58
set security ike gateway ike-gate-Cisco-R remote-identity inet 20.15.121.58
set security ike gateway ike-gate-Cisco-R external-interface reth0.0
set security ipsec vpn ipsec-vpn-Cisco-R bind-interface st0.22
set security ipsec vpn ipsec-vpn-Cisco-R ike gateway ike-gate-Cisco-R
set security ipsec vpn ipsec-vpn-Cisco-R ike proxy-identity local 10.21.51.128/32
set security ipsec vpn ipsec-vpn-Cisco-R ike proxy-identity remote 10.9.106.18/32
set security ipsec vpn ipsec-vpn-Cisco-R ike proxy-identity service any
set security ipsec vpn ipsec-vpn-Cisco-R ike ipsec-policy ipsec-policy-P
set security ipsec vpn ipsec-vpn-Cisco-R establish-tunnels immediately




set security ike proposal ike-proposal-P authentication-method pre-shared-keys
set security ike proposal ike-proposal-P dh-group group2
set security ike proposal ike-proposal-P authentication-algorithm sha1
set security ike proposal ike-proposal-P encryption-algorithm 3des-cbc
set security ike proposal ike-proposal-P lifetime-seconds 28800


set security ipsec policy ipsec-policy-P perfect-forward-secrecy keys group2
set security ipsec policy ipsec-policy-P proposals ipsec-proposal-Padrao
set security ipsec proposal ipsec-proposal-P protocol esp
set security ipsec proposal ipsec-proposal-P authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-proposal-P encryption-algorithm 3des-cbc
set security ipsec proposal ipsec-proposal-P lifetime-seconds 3600

Cisco IOS Router 1900 Configuration:



crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
lifetime 28800
!


crypto isakmp key 76tyYuty!2@ address 20.13.194.17
!crypto isakmp aggressive-mode disable

crypto ipsec transform-set C esp-3des esp-sha-hmac
mode tunnel


crypto map vpn 20 ipsec-isakmp
description VPN to C
set peer 20.20.34.50
set transform-set Conductor
set pfs group2
match address C-VPN-List


ip access-list extended C-VPN-List
permit ip host 10.9.106.18 host 10.1.254.19

interface GigabitEthernet0/0
ip address 20.15.121.58 255.255.255.248
duplex auto
speed auto
crypto map vpn



Solution:
It clearly shows access-list not matching on both end. Juniper SRX has a NAT from 10.1.254.19 to 10.21.51.128. Cisco router only knows their Internal IP 10.1.254.19. Once Cisco router changed access-list to match Juniper. Tunnel is up right away.

By Jon

Leave a Reply

Ads Blocker Image Powered by Code Help Pro

Ads Blocker Detected!!!

We have detected that you are using extensions to block ads. Please support us by disabling these ads blocker.

%d