[SASAG] VPN Between ASA 5505 and Juniper SSG 320m

Don R. Crawley don at soundtraining.net
Mon Nov 2 17:53:11 PST 2009


From the error message, it looks like the tunnel-group info may be incorrect. I don't work with Juniper devices, but in the phase one negotiations on the Cisco ASA 5505, the tunnel-group identifies the peer's (the other firewall's) outside address.

Here are two examples:
asa(config-isakmp-policy)#tunnel-group 12.1.2.3 type ipsec-l2l
!(Where 12.1.2.3 represents your neighbor's outside interface address.  On the neighbor, you would use this firewall's outside address.  Also note:  That's the lower case letter "l", not the number "1".)
asa(config)#tunnel-group 12.1.2.3 ipsec-attributes
!(Where 12.1.2.3 represents your neighbor's outside interface address.)

Good luck.

Don

Don R. Crawley, Linux+, CCNA-certified
soundtraining.net
Accelerated training for IT professionals
"When you need the knowledge, but don't have the time"
Web:  www.soundtraining.net
E:  don at soundtraining.net
V:  206.988.5858
"Make a commitment to kindness."

From: members-bounces at lists.sasag.org [mailto:members-bounces at lists.sasag.org] On Behalf Of Abinadi Rendon
Sent: Monday, November 02, 2009 4:09 PM
To: members at lists.sasag.org
Subject: [SASAG] VPN Between ASA 5505 and Juniper SSG 320m

I'm having trouble configuring a VPN between a Cisco ASA 5505 and a Juniper SSG 320m and I've tried everything I can think of to make it work. I've found a little bit of information online but I can't seem to solve my issue.

It's a simple configuration, from my local site at 1.1.1.1 to a remote location at 2.2.2.2. The internal addresses are 10.0.10.1 at 1.1.1.1 and 10.248.1.0 at 2.2.2.2. Are there any examples or instructions on how to get this to work? According to Juniper and other people it's not supported, but I also have read online that it does actually work but I'm not sure what I'm doing wrong with the configuration.

The error I keep getting when I apply the changes I find online is...

Rejected an IKE packet on ethernet0/1 from 1.1.1.1:500 to 2.2.2.2:500 with cookies 4363698c047f8779 and 0000000000000000 because an initial Phase 1 packet arrived from an unrecognized peer gateway.

I've verified that my pre-shared key is the same between the two devices and that they both have the same access list rules for the correct networks. I'm stuck right now just trying different settings and nothing seems to work.

thanks,

Abirendon.com
Abi Rendon
Systems Administrator and Web Developer

Mobile: +1 (206) 801-0490
Email 1: abi at abirendon.com | Email 2: azuretek at gmail.com | Web: www.abirendon.com
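
Added example, not part of the original thread or either poster's configuration: a small offline check of the point made in the reply, that each site-to-site tunnel-group on the ASA must be named for the peer's outside address. It assumes ASA 8.x-style running-config lines; the sample config is constructed from the addresses in the question, and the function name audit_l2l is hypothetical.

```python
import re

# Constructed sample of an ASA 8.x-style site-to-site config for the thread's
# topology (ASA outside 1.1.1.1, Juniper peer 2.2.2.2). The tunnel-group is
# deliberately named after the ASA's own address, the mistake being checked.
SAMPLE_BAD = """\
interface Vlan2
 nameif outside
 ip address 1.1.1.1 255.255.255.0
crypto map outside_map 1 match address vpn_acl
crypto map outside_map 1 set peer 2.2.2.2
crypto map outside_map interface outside
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key *
"""
SAMPLE_GOOD = SAMPLE_BAD.replace("tunnel-group 1.1.1.1", "tunnel-group 2.2.2.2")

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"

def audit_l2l(config):
    """Return a sorted list of findings; an empty list means every crypto map
    peer has a matching ipsec-l2l tunnel-group with ipsec-attributes."""
    peers, types, attrs = set(), {}, set()
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"crypto map \S+ \d+ set peer (.+)$", line):
            peers.update(re.findall(IP, m.group(1)))   # a map may list several peers
        elif m := re.match(rf"tunnel-group {IP} type (\S+)$", line):
            types[m.group(1)] = m.group(2)
        elif m := re.match(rf"tunnel-group {IP} ipsec-attributes$", line):
            attrs.add(m.group(1))
    findings = []
    for peer in peers:
        if peer not in types:
            findings.append(f"peer {peer}: no tunnel-group named for this address")
        elif types[peer] != "ipsec-l2l":
            findings.append(f"peer {peer}: tunnel-group type is {types[peer]}, not ipsec-l2l")
        if peer in types and peer not in attrs:
            findings.append(f"peer {peer}: tunnel-group has no ipsec-attributes section")
    for name in set(types) | attrs:
        if name not in peers:
            findings.append(f"tunnel-group {name}: address is not a crypto map peer")
    return sorted(findings)

if __name__ == "__main__":
    for label, cfg in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(label, audit_l2l(cfg) or "OK")
```

The check covers only the ASA side; the Juniper gateway definition has to name the ASA's outside address in the same way and is not parsed here.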
