[SASAG] VPN Between ASA 5505 and Juniper SSG 320m

Don R. Crawley don at soundtraining.net
Tue Nov 3 13:02:01 PST 2009


Good move.  The most important thing in any site-to-site VPN is making sure that the configs on each end of the tunnel mirror each other.  Obviously, you have to make sure you're implementing an appropriate level of encryption, etc., but the most common problem I see, both in our workshops and in the field, is mismatched configs (encryption algorithms, key lengths, key lifetimes, etc.).  It can get especially difficult when you mix vendors, since one vendor might do the same technology differently from another (think of HDLC or RADIUS).

Don

Don R. Crawley, Linux+, CCNA-certified
soundtraining.net
Accelerated training for IT professionals
"When you need the knowledge, but don't have the time"
Web:  www.soundtraining.net
E:  don at soundtraining.net
V:  206.988.5858
"Make a commitment to kindness."
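As an added example that is not part of this thread, a small Python check in the spirit of the "mirror each other" point above and of the tunnel-group peer-address example quoted further down: it pulls the mirror-critical IKE/IPsec parameters out of an ASA crypto configuration and compares them with the values an admin would read off the Juniper side. The ASA snippet, the SSG-side dictionary, the addresses and the pre-shared key are all constructed for illustration; 12.1.2.3 is the same placeholder peer address the quoted tunnel-group example uses.

```python
import re

# Constructed ASA snippet (not from the thread); 12.1.2.3 stands in for the peer's outside address.
ASA_CONFIG = """
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 10 set peer 12.1.2.3
crypto map outside_map 10 set transform-set ESP-3DES-SHA
tunnel-group 12.1.2.3 type ipsec-l2l
tunnel-group 12.1.2.3 ipsec-attributes
 pre-shared-key example-psk
"""

# Constructed values as an admin would transcribe them from the SSG's IKE gateway and VPN proposal.
SSG_SIDE = {
    "outside": "12.1.2.3", "peer": "1.1.1.1",
    "ike_encryption": "3des", "ike_hash": "sha", "ike_group": "2", "ike_lifetime": "86400",
    "psk": "example-psk", "transform": {"esp-3des", "esp-sha-hmac"},
}

def parse_asa(text):
    """Extract the phase 1 / phase 2 parameters and peer address that must mirror the other end."""
    p = {"transform": set()}
    for line in (l.strip() for l in text.splitlines()):
        for key in ("encryption", "hash", "group", "lifetime"):  # isakmp policy sub-commands
            m = re.match(rf"{key} (\S+)$", line)
            if m:
                p["ike_" + key] = m.group(1)
        if m := re.match(r"tunnel-group (\S+) type ipsec-l2l", line):
            p["peer"] = m.group(1)           # peer's outside address, per the quoted tunnel-group example
        if m := re.match(r"pre-shared-key (\S+)", line):
            p["psk"] = m.group(1)
        if m := re.match(r"crypto ipsec transform-set \S+ (.+)", line):
            p["transform"] = set(m.group(1).split())
    return p

def check_mirror(asa, asa_outside, ssg):
    """Return the list of mismatches; an empty list means the two ends mirror each other."""
    problems = []
    if asa.get("peer") != ssg["outside"]:   # each side's peer must be the other side's outside address
        problems.append(f"ASA peer {asa.get('peer')} != SSG outside {ssg['outside']}")
    if ssg["peer"] != asa_outside:
        problems.append(f"SSG peer {ssg['peer']} != ASA outside {asa_outside}")
    for key in ("ike_encryption", "ike_hash", "ike_group", "ike_lifetime", "psk", "transform"):
        if asa.get(key) != ssg[key]:
            problems.append(f"{key}: ASA={asa.get(key)} SSG={ssg[key]}")
    return problems
```

A mismatch in any reported key (or a peer address that does not equal the other firewall's outside address) is exactly the kind of difference that leaves phase 1 failing with an "unrecognized peer gateway" style rejection.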

From: Abinadi Rendon [mailto:azuretek at gmail.com]
Sent: Tuesday, November 03, 2009 12:10 PM
To: Don R. Crawley
Cc: members at lists.sasag.org
Subject: Re: [SASAG] VPN Between ASA 5505 and Juniper SSG 320m

I think you were right with the tunnel-group information but on the Juniper side, I've posted an entry at my blog with the working configuration. Also it's possible that my transform-set was wrong. I changed it to ESP-3DES-SHA to match the Juniper so that could have also affected it, but it's hard to tell.

http://www.abirendon.com/index.php/2009/11/03/vpn-tunnel-between-cisco-asa-and-juniper-ssg-firewalls/


Abirendon.com
Abi Rendon
Systems Administrator and Web Developer

Mobile: +1 (206) 801-0490
Email 1: abi at abirendon.com | Email 2: azuretek at gmail.com | Web: www.abirendon.com

On Nov 2, 2009, at 5:53 PM, Don R. Crawley wrote:


From the error message, it looks like the tunnel-group info may be incorrect.  I don't work with Juniper devices, but in the phase one negotiations on the Cisco ASA 5505, the tunnel-group identifies the peer's (the other firewall's) outside address.

Here are two examples:
asa(config-isakmp-policy)#tunnel-group 12.1.2.3 type ipsec-l2l
!(Where 12.1.2.3 represents your neighbor's outside interface address.  On the neighbor, you would use this firewall's outside address.  Also note:  That's the lower case letter "l", not the number "1".)
asa(config)#tunnel-group 12.1.2.3 ipsec-attributes
!(Where 12.1.2.3 represents your neighbor's outside interface address.)


Good luck.

Don

Don R. Crawley, Linux+, CCNA-certified
soundtraining.net
Accelerated training for IT professionals
"When you need the knowledge, but don't have the time"
Web:  www.soundtraining.net
E:  don at soundtraining.net
V:  206.988.5858
"Make a commitment to kindness."

From: members-bounces at lists.sasag.org [mailto:members-bounces at lists.sasag.org] On Behalf Of Abinadi Rendon
Sent: Monday, November 02, 2009 4:09 PM
To: members at lists.sasag.org
Subject: [SASAG] VPN Between ASA 5505 and Juniper SSG 320m

I'm having trouble configuring a VPN between a Cisco ASA 5505 and a Juniper SSG 320m and I've tried everything I can think of to make it work. I've found a little bit of information online but I can't seem to solve my issue.

It's a simple configuration, from my local site at 1.1.1.1 to a remote location at 2.2.2.2. The internal addresses are 10.0.10.1 at 1.1.1.1 and 10.248.1.0 at 2.2.2.2. Are there any examples or instructions on how to get this to work? According to Juniper and other people it's not supported, but I also have read online that it does actually work but I'm not sure what I'm doing wrong with the configuration.

The error I keep getting when I apply the changes I find online is...

Rejected an IKE packet on ethernet0/1 from 1.1.1.1:500 to 2.2.2.2:500 with cookies 4363698c047f8779 and 0000000000000000 because an initial Phase 1 packet arrived from an unrecognized peer gateway.

I've verified that my pre-shared key is the same between the two devices and that they both have the same access list rules for the correct networks. I'm stuck right now just trying different settings and nothing seems to work.

thanks,

Abirendon.com
Abi Rendon
Systems Administrator and Web Developer

Mobile: +1 (206) 801-0490
Email 1: abi at abirendon.com | Email 2: azuretek at gmail.com | Web: www.abirendon.com

