ASA 8.2(1) to SRX 11.4R7.5 Site-to-Site IPSEC VPN Configuration


This is a summary of bringing up an IPSEC site-to-site VPN tunnel between a Cisco ASA firewall we’ll call EAST, running ASA 8.2(1), and a Juniper SRX 650 firewall we’ll call WEST, running Junos 11.4R7.5. Not the most elegant blog post in the world, but rather a summary along with the config files that worked in my case and have been stable for about a week now.

Notes

Juniper offers route-based IPSEC VPNs and policy-based IPSEC VPNs. After lots of reading: route-based offers a lot more flexibility, but can only be counted on to work with other Junos devices. Policy-based is similar to other firewalls’ IPSEC configurations and maximizes compatibility with non-Junos platforms. Policy-based configurations tend to be much longer because of the per-pair source/destination IP matching stanzas.

Juniper loves you very much and wants your VPN configurations to be easy. Therefore, they’ve provided this handy CLI configuration generator tool:

https://www.juniper.net/customers/support/configtools/vpnconfig.html

The policy-based VPN the Juniper page configures will not include…

  • Static routes that point the remote VPN subnets to the outside interface. If the default route covers it, that’s fine, but adding a static route to the outside might be necessary. If you’re not sure, add the statics.
  • NAT exemption statements, which are required if the zone you are going from (some internal zone, most likely) and the zone you are going to (probably the “untrust” Internet-facing interface) have a NAT policy that overloads to a pool or interface IP. You don’t want to NAT the VPN tunnel traffic.
  • TCP MSS adjustment. MSS is the “maximum segment size”, and it’s a value that’s advertised to the other side of a TCP conversation during the 3-way handshake process that nails up a socket. By default, MSS is 1460, but this is too large to accommodate the ultimate size of the packet once encapsulated inside of IPSEC. Juniper recommends 1350 MSS for IPSEC VPN traffic to avoid fragmentation. While fragmentation isn’t the end of the world, it can impact performance.
  • Any unusual requirements, like the IKE host identity modification I had to make in the steps below.

Getting this tunnel up the first time was painful, as evidenced by the mental scars I expect to be seeing a specialist about for a very long time. While the configuration on both the ASA and SRX was straightforward enough, the tunnel would not come up – not even past IKE (phase 1).

When the tunnel attempted to come up, errors on the SRX were logged like the following:

WEST kmd[1221]: IKE Phase-1 Failure: Invalid cookie recvd [spi=^L,=M- M-^@»¨M-^X, src_ip=<none>, dst_ip=206.207.208.209]

On the ASA, errors like the following were logged:

Oct 11 13:46:59 [IKEv1]: Group = 66.67.68.69, IP = 66.67.68.69, Removing peer from correlator table failed, no match!

Oct 11 13:47:09 [IKEv1]: Group = 66.67.68.69, IP = 66.67.68.69, QM FSM error (P2 struct &0x7406aeb0, mess id 0x5dd97e6b)!

After trying lots of things that didn’t help even a little bit (have I mentioned the mental scars?), the issue was tied to the EAST ASA identifying itself in the IKE exchange by hostname instead of by IP address. This is not the default behavior on modern ASAs, although it was the default on ancient PIX firewalls, which you can still find in museums. When configured to send the hostname, the FQDN the ASA presents is built from its configured hostname and domain name.

hostname FirewallName
domain-name CompanyDomain.com
crypto isakmp identity hostname

To accommodate this behavior, I updated the SRX to expect the FQDN as the IKE identity instead of the IP address.

set security ike gateway ike-gate-EASTWEST remote-identity hostname FirewallName.CompanyDomain.com

Configs

These configs cover EAST networks 10.111.111.0/24, 10.112.112.0/24 and 10.200.200.0/24 talking to WEST networks 10.248.248.0/16 & 10.249.249.0/16. The EAST firewall is 206.207.208.209, and the WEST firewall is 66.67.68.69.

EAST ASA

! Add static routes if needed. EAST firewall default route covered it in this case.
!
! COMP-WEST_* are ASA "name" aliases for the two WEST prefixes (the name statements are not shown here).
object-group network Encrypt_COMP-WEST
 description Networks to COMP's WEST facility
 network-object COMP-WEST_10.248.248.0-16 255.255.0.0
 network-object COMP-WEST_10.249.249.0-16 255.255.0.0
!
object-group network Encrypt_EAST
 description EAST networks
 network-object 10.111.111.0 255.255.255.0
 network-object 10.112.112.0 255.255.255.0
 network-object 10.200.200.0 255.255.255.0
!
access-list outside_3_cryptomap extended permit ip object-group Encrypt_EAST object-group Encrypt_COMP-WEST
!
access-list inside_nat0_outbound extended permit ip object-group Encrypt_EAST object-group Encrypt_COMP-WEST
!
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto map imap 3 match address outside_3_cryptomap
crypto map imap 3 set peer 66.67.68.69
crypto map imap 3 set transform-set ESP-AES-128-SHA
!
tunnel-group 66.67.68.69 type ipsec-l2l
tunnel-group 66.67.68.69 ipsec-attributes
 pre-shared-key MySecretKey

WEST SRX (Oh yeah, it’s way longer…)

set routing-options static route 10.111.111.0/24 next-hop 66.67.68.70
set routing-options static route 10.112.112.0/24 next-hop 66.67.68.70
set routing-options static route 10.200.200.0/24 next-hop 66.67.68.70
#
set security ike proposal ike-proposal-EASTWEST authentication-method pre-shared-keys
set security ike proposal ike-proposal-EASTWEST dh-group group2
set security ike proposal ike-proposal-EASTWEST authentication-algorithm sha1
set security ike proposal ike-proposal-EASTWEST encryption-algorithm aes-128-cbc
#
set security ike policy ike-policy-EASTWEST mode main
set security ike policy ike-policy-EASTWEST proposals ike-proposal-EASTWEST
set security ike policy ike-policy-EASTWEST pre-shared-key ascii-text MySecretKey
#
set security ike gateway ike-gate-EASTWEST ike-policy ike-policy-EASTWEST
set security ike gateway ike-gate-EASTWEST address 206.207.208.209
set security ike gateway ike-gate-EASTWEST remote-identity hostname FirewallName.CompanyDomain.com
set security ike gateway ike-gate-EASTWEST external-interface ge-0/0/0.0
#
set security ipsec proposal ipsec-proposal-EASTWEST protocol esp
set security ipsec proposal ipsec-proposal-EASTWEST authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-proposal-EASTWEST encryption-algorithm aes-128-cbc
#
set security ipsec policy ipsec-policy-EASTWEST proposals ipsec-proposal-EASTWEST
#
set security ipsec vpn ipsec-vpn-EASTWEST ike gateway ike-gate-EASTWEST
set security ipsec vpn ipsec-vpn-EASTWEST ike ipsec-policy ipsec-policy-EASTWEST
#
set security nat source rule-set TRUST-to-untrust from zone TRUST
set security nat source rule-set TRUST-to-untrust to zone untrust
set security nat source rule-set TRUST-to-untrust rule NONAT match source-address 10.248.248.0/16
set security nat source rule-set TRUST-to-untrust rule NONAT match source-address 10.249.249.0/16
set security nat source rule-set TRUST-to-untrust rule NONAT match destination-address 10.111.111.0/24
set security nat source rule-set TRUST-to-untrust rule NONAT match destination-address 10.112.112.0/24
set security nat source rule-set TRUST-to-untrust rule NONAT match destination-address 10.200.200.0/24
set security nat source rule-set TRUST-to-untrust rule NONAT then source-nat off
#
set security zones security-zone TRUST address-book address net-EASTWEST_10-248-248-0--16 10.248.248.0/16
set security zones security-zone TRUST address-book address net-EASTWEST_10-249-249-0--16 10.249.249.0/16
set security zones security-zone untrust address-book address net-EASTWEST_10-111-111-0--24 10.111.111.0/24
set security zones security-zone untrust address-book address net-EASTWEST_10-112-112-0--24 10.112.112.0/24
set security zones security-zone untrust address-book address net-EASTWEST_10-200-200-0--24 10.200.200.0/24
#

## Configure security policies for tunnel traffic in outbound direction
set security policies from-zone TRUST to-zone untrust policy vpnpolicy-TRUST-untrust-1EASTWEST match source-address net-EASTWEST_10-248-248-0--16
set security policies from-zone TRUST to-zone untrust policy vpnpolicy-TRUST-untrust-1EASTWEST match destination-address net-EASTWEST_10-111-111-0--24
set security policies from-zone TRUST to-zone untrust policy vpnpolicy-TRUST-untrust-1EASTWEST match application any
set security policies from-zone TRUST to-zone untrust policy vpnpolicy-TRUST-untrust-1EASTWEST then permit tunnel ipsec-vpn ipsec-vpn-EASTWEST
set security policies from-zone TRUST to-zone untrust policy vpnpolicy-TRUST-untrust-1EASTWEST then permit tunnel pair-policy vpnpolicy-untrust-TRUST-7EASTWEST

## Configure security policies for tunnel traffic in outbound direction
set security policies from-zone TRUST to-zone untrust policy vpnpolicy-TRUST-untrust-2EASTWEST match source-address net-EASTWEST_10-249-249-0--16
set security policies from-zone TRUST to-zone untrust policy vpnpolicy-TRUST-untrust-2EASTWEST match destination-address net-EASTWEST_10-111-111-0--24
set security policies from-zone TRUST to-zone untrust policy vpnpolicy-TRUST-untrust-2EASTWEST match application any
set security policies from-zone TRUST to-zone untrust policy vpnpolicy-TRUST-untrust-2EASTWEST then permit tunnel ipsec-vpn ipsec-vpn-EASTWEST
set security policies from-zone TRUST to-zone untrust policy vpnpolicy-TRUST-untrust-2EASTWEST then permit tunnel pair-policy vpnpolicy-untrust-TRUST-8EASTWEST

## Configure security policies for tunnel traffic in outbound direction
set security policies from-zone TRUST to-zone untrust policy vpnpolicy-TRUST-untrust-3EASTWEST match source-address net-EASTWEST_10-248-248-0--16
set security policies from-zone TRUST to-zone untrust policy vpnpolicy-TRUST-untrust-3EASTWEST match destination-address net-EASTWEST_10-112-112-0--24
set security policies from-zone TRUST to-zone untrust policy vpnpolicy-TRUST-untrust-3EASTWEST match application any
set security policies from-zone TRUST to-zone untrust policy vpnpolicy-TRUST-untrust-3EASTWEST then permit tunnel ipsec-vpn ipsec-vpn-EASTWEST
set security policies from-zone TRUST to-zone untrust policy vpnpolicy-TRUST-untrust-3EASTWEST then permit tunnel pair-policy vpnpolicy-untrust-TRUST-9EASTWEST

## Configure security policies for tunnel traffic in outbound direction
set security policies from-zone TRUST to-zone untrust policy vpnpolicy-TRUST-untrust-4EASTWEST match source-address net-EASTWEST_10-249-249-0--16
set security policies from-zone TRUST to-zone untrust policy vpnpolicy-TRUST-untrust-4EASTWEST match destination-address net-EASTWEST_10-112-112-0--24
set security policies from-zone TRUST to-zone untrust policy vpnpolicy-TRUST-untrust-4EASTWEST match application any
set security policies from-zone TRUST to-zone untrust policy vpnpolicy-TRUST-untrust-4EASTWEST then permit tunnel ipsec-vpn ipsec-vpn-EASTWEST
set security policies from-zone TRUST to-zone untrust policy vpnpolicy-TRUST-untrust-4EASTWEST then permit tunnel pair-policy vpnpolicy-untrust-TRUST-10EASTWEST

## Configure security policies for tunnel traffic in outbound direction
set security policies from-zone TRUST to-zone untrust policy vpnpolicy-TRUST-untrust-5EASTWEST match source-address net-EASTWEST_10-248-248-0--16
set security policies from-zone TRUST to-zone untrust policy vpnpolicy-TRUST-untrust-5EASTWEST match destination-address net-EASTWEST_10-200-200-0--24
set security policies from-zone TRUST to-zone untrust policy vpnpolicy-TRUST-untrust-5EASTWEST match application any
set security policies from-zone TRUST to-zone untrust policy vpnpolicy-TRUST-untrust-5EASTWEST then permit tunnel ipsec-vpn ipsec-vpn-EASTWEST
set security policies from-zone TRUST to-zone untrust policy vpnpolicy-TRUST-untrust-5EASTWEST then permit tunnel pair-policy vpnpolicy-untrust-TRUST-11EASTWEST

## Configure security policies for tunnel traffic in outbound direction
set security policies from-zone TRUST to-zone untrust policy vpnpolicy-TRUST-untrust-6EASTWEST match source-address net-EASTWEST_10-249-249-0--16
set security policies from-zone TRUST to-zone untrust policy vpnpolicy-TRUST-untrust-6EASTWEST match destination-address net-EASTWEST_10-200-200-0--24
set security policies from-zone TRUST to-zone untrust policy vpnpolicy-TRUST-untrust-6EASTWEST match application any
set security policies from-zone TRUST to-zone untrust policy vpnpolicy-TRUST-untrust-6EASTWEST then permit tunnel ipsec-vpn ipsec-vpn-EASTWEST
set security policies from-zone TRUST to-zone untrust policy vpnpolicy-TRUST-untrust-6EASTWEST then permit tunnel pair-policy vpnpolicy-untrust-TRUST-12EASTWEST

## Configure security policies for tunnel traffic in inbound direction
set security policies from-zone untrust to-zone TRUST policy vpnpolicy-untrust-TRUST-7EASTWEST match source-address net-EASTWEST_10-111-111-0--24
set security policies from-zone untrust to-zone TRUST policy vpnpolicy-untrust-TRUST-7EASTWEST match destination-address net-EASTWEST_10-248-248-0--16
set security policies from-zone untrust to-zone TRUST policy vpnpolicy-untrust-TRUST-7EASTWEST match application any
set security policies from-zone untrust to-zone TRUST policy vpnpolicy-untrust-TRUST-7EASTWEST then permit tunnel ipsec-vpn ipsec-vpn-EASTWEST
set security policies from-zone untrust to-zone TRUST policy vpnpolicy-untrust-TRUST-7EASTWEST then permit tunnel pair-policy vpnpolicy-TRUST-untrust-1EASTWEST

## Configure security policies for tunnel traffic in inbound direction
set security policies from-zone untrust to-zone TRUST policy vpnpolicy-untrust-TRUST-8EASTWEST match source-address net-EASTWEST_10-111-111-0--24
set security policies from-zone untrust to-zone TRUST policy vpnpolicy-untrust-TRUST-8EASTWEST match destination-address net-EASTWEST_10-249-249-0--16
set security policies from-zone untrust to-zone TRUST policy vpnpolicy-untrust-TRUST-8EASTWEST match application any
set security policies from-zone untrust to-zone TRUST policy vpnpolicy-untrust-TRUST-8EASTWEST then permit tunnel ipsec-vpn ipsec-vpn-EASTWEST
set security policies from-zone untrust to-zone TRUST policy vpnpolicy-untrust-TRUST-8EASTWEST then permit tunnel pair-policy vpnpolicy-TRUST-untrust-2EASTWEST

## Configure security policies for tunnel traffic in inbound direction
set security policies from-zone untrust to-zone TRUST policy vpnpolicy-untrust-TRUST-9EASTWEST match source-address net-EASTWEST_10-112-112-0--24
set security policies from-zone untrust to-zone TRUST policy vpnpolicy-untrust-TRUST-9EASTWEST match destination-address net-EASTWEST_10-248-248-0--16
set security policies from-zone untrust to-zone TRUST policy vpnpolicy-untrust-TRUST-9EASTWEST match application any
set security policies from-zone untrust to-zone TRUST policy vpnpolicy-untrust-TRUST-9EASTWEST then permit tunnel ipsec-vpn ipsec-vpn-EASTWEST
set security policies from-zone untrust to-zone TRUST policy vpnpolicy-untrust-TRUST-9EASTWEST then permit tunnel pair-policy vpnpolicy-TRUST-untrust-3EASTWEST

## Configure security policies for tunnel traffic in inbound direction
set security policies from-zone untrust to-zone TRUST policy vpnpolicy-untrust-TRUST-10EASTWEST match source-address net-EASTWEST_10-112-112-0--24
set security policies from-zone untrust to-zone TRUST policy vpnpolicy-untrust-TRUST-10EASTWEST match destination-address net-EASTWEST_10-249-249-0--16
set security policies from-zone untrust to-zone TRUST policy vpnpolicy-untrust-TRUST-10EASTWEST match application any
set security policies from-zone untrust to-zone TRUST policy vpnpolicy-untrust-TRUST-10EASTWEST then permit tunnel ipsec-vpn ipsec-vpn-EASTWEST
set security policies from-zone untrust to-zone TRUST policy vpnpolicy-untrust-TRUST-10EASTWEST then permit tunnel pair-policy vpnpolicy-TRUST-untrust-4EASTWEST

## Configure security policies for tunnel traffic in inbound direction
set security policies from-zone untrust to-zone TRUST policy vpnpolicy-untrust-TRUST-11EASTWEST match source-address net-EASTWEST_10-200-200-0--24
set security policies from-zone untrust to-zone TRUST policy vpnpolicy-untrust-TRUST-11EASTWEST match destination-address net-EASTWEST_10-248-248-0--16
set security policies from-zone untrust to-zone TRUST policy vpnpolicy-untrust-TRUST-11EASTWEST match application any
set security policies from-zone untrust to-zone TRUST policy vpnpolicy-untrust-TRUST-11EASTWEST then permit tunnel ipsec-vpn ipsec-vpn-EASTWEST
set security policies from-zone untrust to-zone TRUST policy vpnpolicy-untrust-TRUST-11EASTWEST then permit tunnel pair-policy vpnpolicy-TRUST-untrust-5EASTWEST

## Configure security policies for tunnel traffic in inbound direction
set security policies from-zone untrust to-zone TRUST policy vpnpolicy-untrust-TRUST-12EASTWEST match source-address net-EASTWEST_10-200-200-0--24
set security policies from-zone untrust to-zone TRUST policy vpnpolicy-untrust-TRUST-12EASTWEST match destination-address net-EASTWEST_10-249-249-0--16
set security policies from-zone untrust to-zone TRUST policy vpnpolicy-untrust-TRUST-12EASTWEST match application any
set security policies from-zone untrust to-zone TRUST policy vpnpolicy-untrust-TRUST-12EASTWEST then permit tunnel ipsec-vpn ipsec-vpn-EASTWEST
set security policies from-zone untrust to-zone TRUST policy vpnpolicy-untrust-TRUST-12EASTWEST then permit tunnel pair-policy vpnpolicy-TRUST-untrust-6EASTWEST
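The SRX side needs one tunnel policy per network pair per direction, which is why the config above has 12 of them for 3 x 2 networks, and a pair the SRX cannot match is a classic way to end up with the ASA's "QM FSM error" during quick mode. As an added example (not from the post or from either vendor), this Python check expands the ASA object-groups into the proxy-ID pairs the crypto ACL will propose and confirms an SRX "display set" config has a permit tunnel policy for each pair in both directions; it assumes the zone names TRUST and untrust from the post, and the SRX snippet inside it is constructed in the post's format with one inbound policy deliberately left out so the check has something to report.

```python
import ipaddress
import re

ADDR_RE = re.compile(r"set security zones security-zone \S+ address-book address (\S+) (\S+)$")
POL_RE = re.compile(r"set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
                    r"(?:match (source|destination)-address (\S+)|then permit tunnel ipsec-vpn (\S+))$")

def net(ip, mask=None):  # canonical CIDR from "10.248.248.0/16" or ASA-style ("10.111.111.0", "255.255.255.0")
    return str(ipaddress.ip_network(ip if mask is None else f"{ip}/{mask}", strict=False))

def asa_pairs(east_objects, west_objects):
    """Pairs that 'permit ip object-group Encrypt_EAST object-group Encrypt_COMP-WEST' expands to."""
    return {(net(*e), net(*w)) for e in east_objects for w in west_objects}

def srx_tunnel_pairs(conf, trust="TRUST", untrust="untrust"):
    book, pols = {}, {}
    for line in conf.splitlines():
        if m := ADDR_RE.match(line):
            book[m[1]] = net(m[2])
        elif m := POL_RE.match(line):
            pol = pols.setdefault((m[1], m[2], m[3]), {})
            pol[m[4] or "vpn"] = m[5] if m[4] else m[6]   # address-book name, or the VPN name
    outbound, inbound = set(), set()
    for (frm, to, _), pol in pols.items():
        if "vpn" not in pol:                 # ordinary permit/deny policy, not a tunnel policy
            continue
        src, dst = book[pol["source"]], book[pol["destination"]]
        if (frm, to) == (trust, untrust):    # WEST LAN -> EAST LAN, so EAST is the destination
            outbound.add((dst, src))
        elif (frm, to) == (untrust, trust):
            inbound.add((src, dst))
    return outbound, inbound

def missing_policies(expected, srx_conf):
    """Pairs the ASA will propose in quick mode that the SRX has no policy for, per direction."""
    outbound, inbound = srx_tunnel_pairs(srx_conf)
    return {"outbound": sorted(expected - outbound), "inbound": sorted(expected - inbound)}

# Constructed SRX snippet (post's format): the inbound policy for 10.112.112.0/24 -> 10.248.248.0/16 is missing
SRX_CONF = """\
set security zones security-zone TRUST address-book address net-W-248 10.248.248.0/16
set security zones security-zone untrust address-book address net-E-111 10.111.111.0/24
set security zones security-zone untrust address-book address net-E-112 10.112.112.0/24
set security policies from-zone TRUST to-zone untrust policy out-1 match source-address net-W-248
set security policies from-zone TRUST to-zone untrust policy out-1 match destination-address net-E-111
set security policies from-zone TRUST to-zone untrust policy out-1 then permit tunnel ipsec-vpn ipsec-vpn-EASTWEST
set security policies from-zone TRUST to-zone untrust policy out-2 match source-address net-W-248
set security policies from-zone TRUST to-zone untrust policy out-2 match destination-address net-E-112
set security policies from-zone TRUST to-zone untrust policy out-2 then permit tunnel ipsec-vpn ipsec-vpn-EASTWEST
set security policies from-zone untrust to-zone TRUST policy in-1 match source-address net-E-111
set security policies from-zone untrust to-zone TRUST policy in-1 match destination-address net-W-248
set security policies from-zone untrust to-zone TRUST policy in-1 then permit tunnel ipsec-vpn ipsec-vpn-EASTWEST
"""
EAST = [("10.111.111.0", "255.255.255.0"), ("10.112.112.0", "255.255.255.0")]  # subset of the post's EAST nets
WEST = [("10.248.248.0", "255.255.0.0")]
```

Running `missing_policies(asa_pairs(EAST, WEST), SRX_CONF)` reports the one inbound pair the snippet lacks; feed it the full 12-policy config above and both lists come back empty.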