Channel: SRX Services Gateway topics

VPN site to site Juniper-Cisco with 8 encryption domain


Hello,

 

I’m trying to configure a site-to-site VPN between a Juniper SRX 550 (my side) and a Cisco ASA 5555 (partner side). They imposed the configuration and I am trying to match it. I have no detail of the configuration on their side.

 

Phase 1 is OK. Phase 2 isn’t: Phase 2 Mismatch.
That’s clear, but I don’t know which parameter isn’t matching.

 

== Parameters ==

IKE/IPSEC Parameters

Support Key Exchanged for Subnets     : ON
IKE Encryption Method                 : AES256 SHA
IKE Diffie-Hellman Groups for Phase 1 : Group 2 (1024 bit)
IKE (Phase-1) Timeout                 : 1440 Min
IPSEC Encryption Method               : AES256 SHA
IPSEC (Phase-2) Timeout               : 3600 sec
PFS (Perfect Forward Secrecy)         : Disabled
Keepalive                             : Disabled
VPN Gateway                           : X.X.X.X

 

Here is what I don’t know how to configure.

 

1. Encryption domain

 

We agreed that the encryption domain (on my side?) is my public IP (y.y.y.y/32). They will accept in the tunnel only packets whose source IP is my public IP. So, I need to NAT inside the tunnel.

 

Question 1: How do I configure that?

 

2. They are using 8 encryption domains on the ASA

 

And on their side, they give me that:

VPN Encryption Domain 1 : 1.x.x.x/x
VPN Encryption Domain 2 : 2.x.x.x/x
VPN Encryption Domain 3 : 3.x.x.x/x
VPN Encryption Domain 4 : 4.x.x.x/x
VPN Encryption Domain 5 : 5.x.x.x/x
VPN Encryption Domain 6 : 6.x.x.x/x
VPN Encryption Domain 7 : 7.x.x.x/x
VPN Encryption Domain 8 : 8.x.x.x/x

 

Question 2: how do I match that?

A proxy-identity local and a proxy-identity remote in the same IPsec VPN configuration?

Or with:

ipsec vpn vpn-partnaire traffic-selector domaine1 local-ip
ipsec vpn vpn-partnaire traffic-selector domaine1 remote-ip

And do I need to declare multiple IPsec VPN configurations and many st0.X?

 

Here is my configuration:

#Conf interface + Zone
set interfaces st0 unit 6 family inet
set security zones security-zone Internet1 interfaces st0.6
set routing-instances PRODUCTION protocols ospf area 0.0.0.0 interface st0.6

#Conf Routing-instance + route
set routing-instances PRODUCTION interface st0.6

#Conf Phase 1
set security ike proposal Proposal-Ph1-partenaire1 authentication-method pre-shared-keys
set security ike proposal Proposal-Ph1-partenaire1 dh-group group2
set security ike proposal Proposal-Ph1-partenaire1 authentication-algorithm sha1
set security ike proposal Proposal-Ph1-partenaire1 encryption-algorithm aes-256-cbc
set security ike proposal Proposal-Ph1-partenaire1 lifetime-seconds 86400

set security ike policy IKE-Pha1-Policy-partenaire1 mode main
set security ike policy IKE-Pha1-Policy-partenaire1 proposals Proposal-Ph1-partenaire1
set security ike policy IKE-Pha1-Policy-partenaire1 pre-shared-key ascii-text "XXXXXXXXXXXXXXXXXXXXX"

set security ike gateway gw-partenaire1 ike-policy IKE-Pha1-Policy-partenaire1
set security ike gateway gw-partenaire1 address X.X.X.X
set security ike gateway gw-partenaire1 external-interface reth0.200

#Conf Phase 2
set security ipsec proposal Proposal-Ph2-partenaire1 protocol esp
set security ipsec proposal Proposal-Ph2-partenaire1 authentication-algorithm hmac-sha-256-128
set security ipsec proposal Proposal-Ph2-partenaire1 encryption-algorithm aes-256-cbc
set security ipsec proposal Proposal-Ph2-partenaire1 lifetime-seconds 3600

set security ipsec policy IPSEC-Pha2-policy-partenaire1 proposals Proposal-Ph2-partenaire1

set security ipsec vpn vpn-partenaire1-primaire bind-interface st0.6
set security ipsec vpn vpn-partenaire1-primaire ike gateway gw-partenaire1
set security ipsec vpn vpn-partenaire1-primaire ike ipsec-policy IPSEC-Pha2-policy-partenaire1
set security ipsec vpn vpn-partenaire1-primaire establish-tunnels on-traffic

#Rules
set security policies from-zone Trust to-zone Internet1 policy rule-3to1-666-partenaire1-test match source-address my-net
set security policies from-zone Trust to-zone Internet1 policy rule-3to1-666-partenaire1-test match destination-address partenaire1-net
set security policies from-zone Trust to-zone Internet1 policy rule-3to1-666-partenaire1-test match application any
set security policies from-zone Trust to-zone Internet1 policy rule-3to1-666-partenaire1-test then permit

Once it works, I will filter.

 

##### NAT Options #####
set security nat source pool src-nat-partenaire1 address mypublicIP
set security nat source rule-set trust-to-Internet1 from zone Trust
set security nat source rule-set trust-to-Internet1 to zone Internet1
set security nat source rule-set trust-to-Internet1 rule source-nat-rule-partenaire1 match source-address 0.0.0.0/0
set security nat source rule-set trust-to-Internet1 rule source-nat-rule-partenaire1 match destination-address 1.x.x.x/x
set security nat source rule-set trust-to-Internet1 rule source-nat-rule-partenaire1 match destination-address 2.x.x.x/x
set security nat source rule-set trust-to-Internet1 rule source-nat-rule-partenaire1 match destination-address 3.x.x.x/x
set security nat source rule-set trust-to-Internet1 rule source-nat-rule-partenaire1 match destination-address 4.x.x.x/x
set security nat source rule-set trust-to-Internet1 rule source-nat-rule-partenaire1 match destination-address 5.x.x.x/x
set security nat source rule-set trust-to-Internet1 rule source-nat-rule-partenaire1 match destination-address 6.x.x.x/x
set security nat source rule-set trust-to-Internet1 rule source-nat-rule-partenaire1 match destination-address 7.x.x.x/x
set security nat source rule-set trust-to-Internet1 rule source-nat-rule-partenaire1 match destination-address 8.x.x.x/x
set security nat source rule-set trust-to-Internet1 rule source-nat-rule-partenaire1 then source-nat pool src-nat-partenaire1

 

Thanks a lot.

Mickael.
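An added example, not part of Mickael's post, showing how the SRX side can carry the eight partner encryption domains over the single st0.6 interface with one traffic selector each, so that Phase 2 proposes the same proxy IDs as the ASA's eight crypto ACL entries instead of one st0 per domain. It keeps the Phase 2 authentication at hmac-sha1-96, because "SHA" on a Cisco parameter sheet normally means SHA-1 rather than the SHA-256 in the posted config; that reading, the y.y.y.y/32 local address and the 1.x.x.x/x prefixes are assumptions and placeholders carried over from the post, and the IKE gateway, routing instance and NAT rule-set from the post are left as they are.

```junos
## Added example (not from the original post). Placeholders: y.y.y.y/32 is the local
## public IP the partner expects; 1.x.x.x/x .. 8.x.x.x/x are their encryption domains.

## Phase 2: partner sheet says AES256 / SHA, 3600 s, no PFS. "SHA" is taken here to
## mean SHA-1 (hmac-sha1-96), the usual Cisco meaning; hmac-sha-256-128 is SHA-256.
set security ipsec proposal Proposal-Ph2-partenaire1 protocol esp
set security ipsec proposal Proposal-Ph2-partenaire1 encryption-algorithm aes-256-cbc
set security ipsec proposal Proposal-Ph2-partenaire1 authentication-algorithm hmac-sha1-96
set security ipsec proposal Proposal-Ph2-partenaire1 lifetime-seconds 3600
set security ipsec policy IPSEC-Pha2-policy-partenaire1 proposals Proposal-Ph2-partenaire1

## One route-based VPN on one st0 unit. Each traffic selector negotiates its own
## Phase 2 SA whose proxy IDs must equal one ASA ACL entry (local /32 <-> one domain).
## traffic-selector and proxy-identity cannot both be set on the same vpn.
set interfaces st0 unit 6 family inet
set security zones security-zone Internet1 interfaces st0.6
set security ipsec vpn vpn-partenaire1-primaire bind-interface st0.6
set security ipsec vpn vpn-partenaire1-primaire ike gateway gw-partenaire1
set security ipsec vpn vpn-partenaire1-primaire ike ipsec-policy IPSEC-Pha2-policy-partenaire1
set security ipsec vpn vpn-partenaire1-primaire establish-tunnels on-traffic
set security ipsec vpn vpn-partenaire1-primaire traffic-selector dom1 local-ip y.y.y.y/32
set security ipsec vpn vpn-partenaire1-primaire traffic-selector dom1 remote-ip 1.x.x.x/x
set security ipsec vpn vpn-partenaire1-primaire traffic-selector dom2 local-ip y.y.y.y/32
set security ipsec vpn vpn-partenaire1-primaire traffic-selector dom2 remote-ip 2.x.x.x/x
set security ipsec vpn vpn-partenaire1-primaire traffic-selector dom3 local-ip y.y.y.y/32
set security ipsec vpn vpn-partenaire1-primaire traffic-selector dom3 remote-ip 3.x.x.x/x
set security ipsec vpn vpn-partenaire1-primaire traffic-selector dom4 local-ip y.y.y.y/32
set security ipsec vpn vpn-partenaire1-primaire traffic-selector dom4 remote-ip 4.x.x.x/x
set security ipsec vpn vpn-partenaire1-primaire traffic-selector dom5 local-ip y.y.y.y/32
set security ipsec vpn vpn-partenaire1-primaire traffic-selector dom5 remote-ip 5.x.x.x/x
set security ipsec vpn vpn-partenaire1-primaire traffic-selector dom6 local-ip y.y.y.y/32
set security ipsec vpn vpn-partenaire1-primaire traffic-selector dom6 remote-ip 6.x.x.x/x
set security ipsec vpn vpn-partenaire1-primaire traffic-selector dom7 local-ip y.y.y.y/32
set security ipsec vpn vpn-partenaire1-primaire traffic-selector dom7 remote-ip 7.x.x.x/x
set security ipsec vpn vpn-partenaire1-primaire traffic-selector dom8 local-ip y.y.y.y/32
set security ipsec vpn vpn-partenaire1-primaire traffic-selector dom8 remote-ip 8.x.x.x/x
## Auto route insertion adds a route per remote-ip prefix toward st0.6, so no OSPF or
## static route across the tunnel is required for these eight destinations.

## The source NAT pool needs a prefix length so flows enter the tunnel from the /32.
set security nat source pool src-nat-partenaire1 address y.y.y.y/32

## After commit, verify in operational mode: one Phase 2 SA per traffic selector
## should be listed; a domain that never comes up points at the mismatched ACL entry.
## show security ipsec security-associations
```

With traffic selectors configured, the SRX rejects a Phase 2 whose proxy IDs do not match one of the eight selectors exactly, so the remote prefixes must be copied from the partner's sheet bit for bit (mask included).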
