[SASAG] VPN Between ASA 5505 and Juniper SSG 320m

Abinadi Rendon azuretek at gmail.com
Tue Nov 3 10:28:11 PST 2009


Yeah, I've set up probably a hundred VPN tunnels between Cisco equipment (ASA, PIX, and routers).

My VPN configuration on the ASA is as follows.

access-list outside_cryptomap_6 extended permit ip 10.0.10.1 255.255.255.0 10.248.1.0 255.255.255.0

crypto map outside_map 8 match address outside_cryptomap_6
crypto map outside_map 8 set peer 2.2.2.2
crypto map outside_map 8 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
  pre-shared-key *

And I'm pretty sure this is correct, as I've configured it this way in the past between Cisco devices, even on this ASA.

On the Juniper side I have...

set ike gateway "1.1.1.1" address 1.1.1.1 Main outgoing-interface "ethernet0/0" preshare "" proposal "pre-g2-3des-sha"
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60

set vpn "1.1.1.1" gateway "1.1.1.1" replay tunnel idletime 0 proposal "g2-esp-3des-sha"

set policy id 2 name "TestCiscoJuniperPolicy" from "Untrust" to "Trust" "10.0.10.0/24" "10.248.1.0/24" "ANY" tunnel vpn "1.1.1.1" id 0x9 pair-policy 1
set policy id 2
exit
set policy id 1 name "TestCiscoJuniperPolicy" from "Trust" to "Untrust" "10.248.1.0/24" "10.0.10.0/24" "ANY" tunnel vpn "1.1.1.1" id 0x9 pair-policy 2
set policy id 1
exit


There is also a method that involves creating a "tunnel" interface on the Juniper and just adding routes, as opposed to the policy method, but that doesn't seem to make a difference. In fact, I'm pretty sure it doesn't even get that far, so right now I'm stumped, because it's not making a difference no matter what the settings are.

thanks,


Abirendon.com
Abi Rendon
Systems Administrator and Web Developer

Mobile: +1 (206) 801-0490
Email 1: abi at abirendon.com | Email 2: azuretek at gmail.com | Web: www.abirendon.com

On Nov 2, 2009, at 5:53 PM, Don R. Crawley wrote:

> From the error message, it looks like the tunnel-group info may be  
> incorrect.  I don’t work with Juniper devices, but in the phase one  
> negotiations on the Cisco ASA 5505, the tunnel-group identifies the  
> peer’s (the other firewall’s) outside address.
>
> Here are two examples:
> asa(config-isakmp-policy)#tunnel-group 12.1.2.3 type ipsec-l2l
> !(Where 12.1.2.3 represents your neighbor’s outside interface  
> address.  On the neighbor, you would use this firewall’s outside  
> address.  Also note:  That’s the lower case letter “l”, not the  
> number “1”.)
> asa(config)#tunnel-group 12.1.2.3 ipsec-attributes
> !(Where 12.1.2.3 represents your neighbor’s outside interface  
> address.)
>
> Good luck.
>
> Don
>
> Don R. Crawley, Linux+, CCNA-certified
> soundtraining.net
> Accelerated training for IT professionals
> "When you need the knowledge, but don't have the time"
> Web:  www.soundtraining.net
> E:  don at soundtraining.net
> V:  206.988.5858
> "Make a commitment to kindness."
>
> From: members-bounces at lists.sasag.org [mailto:members- 
> bounces at lists.sasag.org] On Behalf Of Abinadi Rendon
> Sent: Monday, November 02, 2009 4:09 PM
> To: members at lists.sasag.org
> Subject: [SASAG] VPN Between ASA 5505 and Juniper SSG 320m
>
> I'm having trouble configuring a VPN between a Cisco ASA 5505 and a  
> Juniper SSG 320m and I've tried everything I can think of to make it  
> work. I've found a little bit of information online but I can't seem  
> to solve my issue.
>
> It's a simple configuration, from my local site at 1.1.1.1 to a  
> remote location at 2.2.2.2. The internal addresses are 10.0.10.1 at  
> 1.1.1.1 and 10.248.1.0 at 2.2.2.2. Are there any examples or  
> instructions on how to get this to work? According to Juniper and  
> other people it's not supported, but I also have read online that it  
> does actually work but I'm not sure what I'm doing wrong with the  
> configuration.
>
> The error I keep getting when I apply the changes I find online is...
>
> Rejected an IKE packet on ethernet0/1 from 1.1.1.1:500 to  
> 2.2.2.2:500 with cookies 4363698c047f8779 and 0000000000000000  
> because an initial Phase 1 packet arrived from an unrecognized peer  
> gateway.
>
> I've verified that my pre-shared key is the same between the two  
> devices  and that they both have the same access list rules for the  
> correct networks. I'm stuck right now just trying different settings  
> and nothing seems to work.
>
> thanks,
>
> Abirendon.com
> Abi Rendon
> Systems Administrator and Web Developer
>
> Mobile: +1 (206) 801-0490
> Email 1: abi at abirendon.com | Email 2: azuretek at gmail.com | Web: www.abirendon.com
>

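Added example (editor's addition, not part of the thread or of either vendor's tooling): a small Python checker that reads the ASA crypto-map stanza, the ScreenOS "set ike gateway" / "set vpn" / "set policy" lines and the rejection log line quoted above, all three embedded as constructed input re-joined onto single lines. It reports the things a reviewer would check first against the page's own data: the responder cookie in the log is all zeros, so ScreenOS is rejecting the ASA's first Main Mode message; the log shows the packet arriving on ethernet0/1 while the "set ike gateway" line binds the gateway to ethernet0/0; and the ScreenOS Phase 2 proposal g2-esp-3des-sha carries a PFS group, which the ASA crypto map would need a "set pfs" for (a Phase 2 setting, so not an explanation for a Phase 1 rejection, but worth lining up). Proxy-IDs and the 3DES/SHA transform set come out consistent. The regexes cover only the command forms quoted here; the "set pfs" default of group2 is ASA behaviour, not something the page states.

```python
import ipaddress
import re

# Constructed sample input: the fragments and log line from the thread, re-joined onto single lines.
ASA_CONFIG = """\
access-list outside_cryptomap_6 extended permit ip 10.0.10.1 255.255.255.0 10.248.1.0 255.255.255.0
crypto map outside_map 8 match address outside_cryptomap_6
crypto map outside_map 8 set peer 2.2.2.2
crypto map outside_map 8 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
tunnel-group 2.2.2.2 type ipsec-l2l
"""

SCREENOS_CONFIG = """\
set ike gateway "1.1.1.1" address 1.1.1.1 Main outgoing-interface "ethernet0/0" preshare "" proposal "pre-g2-3des-sha"
set vpn "1.1.1.1" gateway "1.1.1.1" replay tunnel idletime 0 proposal "g2-esp-3des-sha"
set policy id 2 name "TestCiscoJuniperPolicy" from "Untrust" to "Trust" "10.0.10.0/24" "10.248.1.0/24" "ANY" tunnel vpn "1.1.1.1" id 0x9 pair-policy 1
set policy id 1 name "TestCiscoJuniperPolicy" from "Trust" to "Untrust" "10.248.1.0/24" "10.0.10.0/24" "ANY" tunnel vpn "1.1.1.1" id 0x9 pair-policy 2
"""

LOG_LINE = ("Rejected an IKE packet on ethernet0/1 from 1.1.1.1:500 to 2.2.2.2:500 with "
            "cookies 4363698c047f8779 and 0000000000000000 because an initial Phase 1 "
            "packet arrived from an unrecognized peer gateway.")

LOG_RE = re.compile(r"Rejected an IKE packet on (\S+) from (\S+):\d+ to (\S+):\d+ "
                    r"with cookies ([0-9a-fA-F]+) and ([0-9a-fA-F]+)")


def parse_asa(text):
    """Pull peer, proxy-ID ACL, transform sets, PFS and tunnel-groups out of an ASA crypto-map stanza."""
    cfg = {"acls": {}, "transform_sets": [], "pfs": None, "tunnel_groups": set()}
    for line in text.splitlines():
        if m := re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)", line):
            # ASA ACLs take address + netmask; strict=False normalises 10.0.10.1/255.255.255.0 to 10.0.10.0/24
            cfg["acls"][m[1]] = (ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False),
                                 ipaddress.ip_network(f"{m[4]}/{m[5]}", strict=False))
        elif m := re.match(r"crypto map \S+ \d+ (match address|set peer|set transform-set|set pfs)\s*(.*)", line):
            key, val = m[1], m[2].strip()
            if key == "match address":
                cfg["acl"] = val
            elif key == "set peer":
                cfg["peer"] = val
            elif key == "set transform-set":
                cfg["transform_sets"] = val.split()
            else:
                cfg["pfs"] = val or "group2"  # assumption from ASA docs: bare 'set pfs' means group2
        elif m := re.match(r"tunnel-group (\S+) type ipsec-l2l", line):
            cfg["tunnel_groups"].add(m[1])
    cfg["local"], cfg["remote"] = cfg["acls"][cfg["acl"]]
    return cfg


def parse_screenos(text):
    """Pull the IKE gateway, Phase 2 proposal and outbound-policy proxy-IDs out of ScreenOS 'set' lines."""
    cfg = {}
    for line in text.splitlines():
        if m := re.match(r'set ike gateway "[^"]*" address (\S+) (\S+) outgoing-interface "([^"]+)" .*proposal "([^"]+)"', line):
            cfg.update(gateway_addr=m[1], mode=m[2], interface=m[3], ike_proposal=m[4])
        elif m := re.match(r'set vpn "[^"]*" gateway "[^"]*" .*proposal "([^"]+)"', line):
            cfg["ipsec_proposal"] = m[1]
        elif m := re.match(r'set policy id \d+ name "[^"]*" from "Trust" to "Untrust"\s+"(\S+)" "(\S+)" "\S+" tunnel vpn', line):
            # the outbound policy's source/destination are the proxy-IDs ScreenOS offers in Phase 2
            cfg["src"], cfg["dst"] = ipaddress.ip_network(m[1]), ipaddress.ip_network(m[2])
    return cfg


def parse_log(line):
    """Parse the ScreenOS rejection line; a zero responder cookie marks the initiator's first Phase 1 message."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {"interface": m[1], "src": m[2], "dst": m[3], "icookie": m[4], "rcookie": m[5],
            "initial_phase1": int(m[5], 16) == 0}


def check(asa, jnpr, log):
    """Return the mismatches between what the log shows and what each side is configured for."""
    findings = []
    if log["initial_phase1"]:
        findings.append("log: responder cookie is all zeros, so ScreenOS is rejecting the ASA's first Main Mode message")
    if log["interface"] != jnpr["interface"]:
        findings.append(f"interface: IKE arrived on {log['interface']} but the gateway is bound to {jnpr['interface']}")
    if log["src"] != jnpr["gateway_addr"]:
        findings.append(f"gateway: packet came from {log['src']} but the ScreenOS gateway address is {jnpr['gateway_addr']}")
    if log["dst"] != asa["peer"]:
        findings.append(f"peer: ASA 'set peer' is {asa['peer']} but the packet was sent to {log['dst']}")
    if asa["peer"] not in asa["tunnel_groups"]:
        findings.append(f"tunnel-group: no 'tunnel-group {asa['peer']} type ipsec-l2l' on the ASA")
    if (asa["local"], asa["remote"]) != (jnpr["dst"], jnpr["src"]):
        findings.append(f"proxy-id: ASA {asa['local']}->{asa['remote']} does not mirror ScreenOS {jnpr['src']}->{jnpr['dst']}")
    # ScreenOS predefined Phase 2 names are <pfs-group>-<esp-cipher-hash>, e.g. g2-esp-3des-sha
    group, _, algs = jnpr["ipsec_proposal"].partition("-")
    if algs.upper() not in asa["transform_sets"]:
        findings.append(f"phase2: no ASA transform set matches {algs}")
    if group.startswith("g") and asa["pfs"] is None:
        findings.append(f"pfs: {jnpr['ipsec_proposal']} implies PFS DH {group} but the ASA crypto map has no 'set pfs'")
    return findings


if __name__ == "__main__":
    for finding in check(parse_asa(ASA_CONFIG), parse_screenos(SCREENOS_CONFIG), parse_log(LOG_LINE)):
        print("-", finding)
```

Run as-is it prints three lines: the zero responder cookie, the ethernet0/1 vs ethernet0/0 interface mismatch, and the missing "set pfs". Swap in your own config and log text to re-run the same checks against a live pair of boxes.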