[SASAG] VPN Between ASA 5505 and Juniper SSG 320m

Stuart Kendrick skendric at fhcrc.org
Wed Nov 4 06:33:27 PST 2009


Hi Abinadi,

"Rejected an IKE packet on ethernet0/1 from 1.1.1.1:500 to 2.2.2.2:500
with cookies 4363698c047f8779 and 0000000000000000 because an initial
Phase 1 packet arrived from an unrecognized peer gateway."

This sounds odd to me, particularly the 'unrecognized peer gateway' part.  Put a 
sniffer a wire, verify that IKE packets are arriving from the address you would 
expect them to be arriving from?


We manage a number of Cisco <==> Juniper VPNs (we manage the Cisco end; various 
folks at the UW MCIS manage the Juniper ends)

Here are snippets from the Juniper side of one such tunnel (details changed for 
obscurity purposes)


JUNIPER
set ike p2-proposal "test-p2-custom1" no-pfs esp aes128 sha-1 hour 8 kbyte 4194300
set ike gateway "test" address 140.107.1.206 Main outgoing-interface 
"ethernet1/1" preshare "encrypted string here" proposal "pre-g2-aes128-sha" 
"dsa-g2-aes128-sha" "rsa-g2-aes128-sha"
set ike gateway "test" cert peer-ca-hash another-encrypted-string
set ike respond-bad-spi 1
set ike soft-lifetime-buffer 90
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vpn "Test-Widgets" gateway "test" no-replay tunnel idletime 0 proposal 
"test-p2-custom1"
set vpn "Test-Widgets" id 1 bind interface tunnel.1
set vpn "Test-Widgets" proxy-id local-ip 10.1.2.0/24 remote-ip 10.10.1.0/24 "ANY"
set policy id 5 from "Untrust" to "Untrust"  "Any" "10.1.2.0/24" "SNMP" deny
set policy id 5
exit
set policy id 1 name "VPN-1" from "Trust" to "Untrust"  "Any" "Any" "ANY" permit
set policy id 1
exit
set policy id 2 name "VPN-2" from "Untrust" to "Trust"  "10.10.2.0/24" "Any" 
"ANY" permit
set policy id 2
exit
set policy id 3 from "Untrust" to "Trust"  "10.1.2.0/24" "Any" "ANY" permit
set policy id 3
exit
set policy id 4 name "localnet" from "Trust" to "Trust"  "192.168.2.0/24" 
"192.168.2.0/24" "ANY" permit
set policy id 4

Notice that various features are disabled, like anti-replay.  This on account of 
various bugs in the older version of ScreenOS running on this box ... we hope to 
upgrade sometime soon, to 6.3, which fixes most if not all of these issues.

hth,

--sk

> Message: 1
> Date: Mon, 2 Nov 2009 16:08:57 -0800
> From: Abinadi Rendon <azuretek at gmail.com>
> Subject: [SASAG] VPN Between ASA 5505 and Juniper SSG 320m
> To: members at lists.sasag.org
> Message-ID: <B28FB8A8-3AE9-4E42-9058-D24DA70753FE at gmail.com>
> Content-Type: text/plain; charset="us-ascii"; Format="flowed";
> 	DelSp="yes"
> 
> I'm having trouble configuring a VPN between a Cisco ASA 5505 and a  
> Juniper SSG 320m and I've tried everything I can think of to make it  
> work. I've found a little bit of information online but I can't seem  
> to solve my issue.



More information about the Members mailing list