[SASAG] VPN Between ASA 5505 and Juniper SSG 320m
Don R. Crawley
don at soundtraining.net
Mon Nov 2 17:53:11 PST 2009
From the error message, it looks like the tunnel-group info may be incorrect. I don't work with Juniper devices, but in the phase one negotiations on the Cisco ASA 5505, the tunnel-group identifies the peer's (the other firewall's) outside address.
Here are two examples:
asa(config-isakmp-policy)#tunnel-group 184.108.40.206 type ipsec-l2l
!(Where 220.127.116.11 represents your neighbor's outside interface address. On the neighbor, you would use this firewall's outside address. Also note: That's the lower case letter "l", not the number "1".)
asa(config)#tunnel-group 18.104.22.168 ipsec-attributes
!(Where 22.214.171.124 represents your neighbor's outside interface address.)
Don R. Crawley, Linux+, CCNA-certified
Accelerated training for IT professionals
"When you need the knowledge, but don't have the time"
E: don at soundtraining.net
"Make a commitment to kindness."
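As an added example (not part of the original message and not Cisco tooling): a Python check of the point made in the reply above, that on the ASA each site-to-site peer needs a tunnel-group named after that peer's outside address. The configuration text uses constructed documentation addresses, and the function name `audit_tunnel_groups` is hypothetical.

```python
import re

# Constructed sample ASA configuration (documentation addresses, not from the thread).
SAMPLE_CONFIG = """\
crypto map outside_map 10 set peer 198.51.100.20
crypto map outside_map 20 set peer 203.0.113.7
tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 ipsec-attributes
 pre-shared-key *
tunnel-group 203.0.113.70 type ipsec-l2l
tunnel-group 203.0.113.70 ipsec-attributes
 pre-shared-key *
"""

PEER_RE = re.compile(r"^crypto map \S+ \d+ set peer (.+)$")
GROUP_RE = re.compile(r"^tunnel-group (\S+) (type|ipsec-attributes)\s*(\S*)$")

def audit_tunnel_groups(config):
    """Return (address, problem) pairs for peers and tunnel-groups that do not line up."""
    peers, groups, current = set(), {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        peer, group = PEER_RE.match(line), GROUP_RE.match(line)
        if group:
            name, kind, arg = group.groups()
            entry = groups.setdefault(name, {"type": None, "psk": False})
            if kind == "type":
                entry["type"] = arg
            current = name if kind == "ipsec-attributes" else None
        elif current and raw.startswith(" "):
            # Indented lines belong to the ipsec-attributes sub-mode above.
            if "pre-shared-key" in line:
                groups[current]["psk"] = True
        else:
            current = None
            if peer:
                peers.update(peer.group(1).split())  # "set peer" may list several
    findings = []
    for addr in sorted(peers):
        entry = groups.get(addr)
        if entry is None:
            findings.append((addr, "no tunnel-group named after this peer"))
        elif entry["type"] != "ipsec-l2l":
            findings.append((addr, "tunnel-group is not type ipsec-l2l"))
        elif not entry["psk"]:
            findings.append((addr, "no pre-shared-key under ipsec-attributes"))
    # A tunnel-group with no matching peer is often a mistyped address.
    findings += [(n, "tunnel-group matches no crypto map peer") for n in sorted(set(groups) - peers)]
    return findings
```

Run against the constructed sample, it flags the peer whose tunnel-group address was mistyped by one digit, along with the orphaned tunnel-group that resulted.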
From: members-bounces at lists.sasag.org [mailto:members-bounces at lists.sasag.org] On Behalf Of Abinadi Rendon
Sent: Monday, November 02, 2009 4:09 PM
To: members at lists.sasag.org
Subject: [SASAG] VPN Between ASA 5505 and Juniper SSG 320m
I'm having trouble configuring a VPN between a Cisco ASA 5505 and a Juniper SSG 320m and I've tried everything I can think of to make it work. I've found a little bit of information online but I can't seem to solve my issue.
It's a simple configuration, from my local site at 126.96.36.199 to a remote location at 188.8.131.52. The internal addresses are 10.0.10.1 at 184.108.40.206 and 10.248.1.0 at 220.127.116.11. Are there any examples or instructions on how to get this to work? According to Juniper and other people it's not supported, but I also have read online that it does actually work but I'm not sure what I'm doing wrong with the configuration.
The error I keep getting when I apply the changes I find online is...
Rejected an IKE packet on ethernet0/1 from 18.104.22.168:500 to 22.214.171.124:500 with cookies 4363698c047f8779 and 0000000000000000 because an initial Phase 1 packet arrived from an unrecognized peer gateway.
I've verified that my pre-shared key is the same between the two devices and that they both have the same access list rules for the correct networks. I'm stuck right now just trying different settings and nothing seems to work.
Systems Administrator and Web Developer
Mobile: +1 (206) 801-0490
Email 1: abi at abirendon.com | Email 2: azuretek at gmail.com | Web: www.abirendon.com