[c-nsp] Cisco - Netscreen VPN

info at beprojects.com
Thu Oct 13 10:21:19 EDT 2005


I think you have mismatched lifetimes on the proposals.  Cisco's default 
lifetimes are 86400 for ISAKMP and 28800 for IPSec.  I believe NS's 
defaults are 28800 for ISAKMP and 3600 for IPSec.  If you change the 
Cisco lifetimes to match the NS, you will probably have better luck.

Here is the ISAKMP stuff:
crypto isakmp policy 10
lifetime 28800

I don't recall how to set the IPSec lifetime in IOS, but I believe it is 
under "crypto ipsec profile XX1".  Probably something like "set lifetime 
...".



Ryan O'Connell wrote:
> On 13/10/2005 14:09, info at beprojects.com wrote:
> 
>> What do you have for the config on both ends?  I've gotten it to work 
>> in the past (but I don't have copies of the configs).
>>  
>>
> 
> At the Cisco end:
> ! Cisco IOS Software, 7200 Software (C7200-JK9O3S-M), Version 12.4(3), RELEASE SOFTWARE (fc2)
> 
> crypto isakmp policy 10
> encr aes
> authentication pre-share
> group 2
> crypto isakmp key xxxxxxxxx address XXX.XX.XXX.132
> !
> crypto ipsec transform-set xx1 esp-aes esp-sha-hmac
> !
> crypto ipsec profile XX1
> set transform-set xx1
> !
> interface Tunnel0
> ip unnumbered FastEthernet1/0 (Fast1/0 is the inside NAT interface)
> ip mtu 1300
> tunnel source Loopback0
> tunnel destination XXX.XX.XXX.132
> tunnel mode ipsec ipv4
> tunnel protection ipsec profile XX1
> !
> interface Loopback0
> ip address XXX.XXX.XXX.163 255.255.255.255
> !
> ip route XXX.XX.XXX.88 255.255.255.248 Tunnel0
> 
> 
> And on the Netscreen:
> 
> !Software Version: 5.0.0r10b.0
> set interface "ethernet3" zone "Untrust"
> set interface "tunnel.1" zone "Trust"
> set interface ethernet3 ip XXX.XX.XXX.132/28
> set interface tunnel.1 ip unnumbered interface ethernet1
> set flow path-mtu
> set ike gateway "Xxxxxx" address XXX.XXX.XXX.163 Main outgoing-interface "ethernet3" preshare "XXXXXXXXX" proposal "pre-g2-aes128-sha"
> set ike respond-bad-spi 1
> set vpn "Xxxxxx" gateway "Xxxxxx" no-replay tunnel idletime 0 proposal "nopfs-esp-aes128-sha"
> set vpn "Xxxxxx" id 1 bind interface tunnel.1
> set route  192.168.1.0/24 interface tunnel.1
> 
> 
> 
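As an added example (not from the thread or either vendor), a small Python checker that normalizes an IOS isakmp policy plus transform-set and the predefined ScreenOS proposal names into the same fields and lists every parameter the two peers disagree on, which is how a mismatch like the lifetimes discussed above shows up before anyone stares at debug output. The config fragments are constructed stand-ins for the quoted ones, and the default lifetimes are the values stated in this post rather than values verified against vendor documentation.

```python
import re

# Constructed fragments modelled on the two configs quoted in the thread (placeholders, not the poster's text).
IOS_CFG = """crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto ipsec transform-set xx1 esp-aes esp-sha-hmac
"""
NS_CFG = """set ike gateway "Xxxxxx" address 192.0.2.163 Main outgoing-interface "ethernet3" preshare "X" proposal "pre-g2-aes128-sha"
set vpn "Xxxxxx" gateway "Xxxxxx" no-replay tunnel idletime 0 proposal "nopfs-esp-aes128-sha"
"""
# Default lifetimes (seconds) as stated in the post above; applied when a config sets none explicitly
IOS_DEFAULTS, NS_DEFAULTS = {"p1_life": 86400, "p2_life": 28800}, {"p1_life": 28800, "p2_life": 3600}

def _cipher(tok, bits):
    # IOS "aes" with no key size means AES-128 ("aes 256" is AES-256); other names pass through
    return tok + (bits or ("128" if tok == "aes" else ""))

def _first(pattern, cfg, default):
    m = re.search(pattern, cfg, re.M)
    return m.group(1) if m else default

def parse_ios(cfg):
    p = dict(IOS_DEFAULTS)
    m = re.search(r"^\s*encr\s+(\S+)(?:\s+(\d+))?", cfg, re.M)
    p["p1_encr"] = _cipher(m.group(1), m.group(2)) if m else "des"
    p["p1_hash"] = _first(r"^\s*hash\s+(\S+)", cfg, "sha")
    p["p1_group"] = int(_first(r"^\s*group\s+(\d+)", cfg, "1"))
    p["p1_auth"] = _first(r"^\s*authentication\s+(\S+)", cfg, "rsa-sig").split("-")[0]  # pre-share -> pre
    p["p1_life"] = int(_first(r"^\s*lifetime\s+(\d+)", cfg, p["p1_life"]))
    m = re.search(r"transform-set\s+\S+\s+esp-(\S+?)(?:\s+(\d+))?\s+esp-(\w+)-hmac", cfg)
    p["p2_encr"], p["p2_hash"] = _cipher(m.group(1), m.group(2)), m.group(3)
    p["p2_pfs"] = int(_first(r"^\s*set pfs\s+group(\d+)", cfg, "0"))
    p["p2_life"] = int(_first(r"security-association lifetime seconds\s+(\d+)", cfg, p["p2_life"]))
    return p

def parse_ns(cfg):
    """Decode the predefined ScreenOS proposal names: auth-gN-cipher-hash (P1), pfs-esp-cipher-hash (P2)."""
    p = dict(NS_DEFAULTS)
    auth, grp, enc, hsh = re.search(r'set ike gateway .*proposal "(\w+)-g(\d+)-(\w+)-(\w+)"', cfg).groups()
    p.update(p1_auth=auth, p1_group=int(grp), p1_encr=enc, p1_hash=hsh)
    pfs, enc, hsh = re.search(r'set vpn .*proposal "(\w+)-esp-(\w+)-(\w+)"', cfg).groups()
    p.update(p2_pfs=0 if pfs == "nopfs" else int(pfs[1:]), p2_encr=enc, p2_hash=hsh)
    return p

def mismatches(ios, ns):
    """Map each parameter the two peers disagree on to (ios_value, netscreen_value)."""
    return {k: (ios[k], ns[k]) for k in ios if k in ns and ios[k] != ns[k]}
```

With the quoted configs, `mismatches(parse_ios(IOS_CFG), parse_ns(NS_CFG))` reports only the two lifetimes; adding `lifetime 28800` to the isakmp policy and `crypto ipsec security-association lifetime seconds 3600` clears both.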

