[c-nsp] Cisco - Netscreen VPN

Luan Nguyen luan.nguyen at mci.com
Thu Oct 13 12:00:17 EDT 2005


Cisco default is 3600 for ipsec, which is the same as NS.  So yeah, try changing
the lifetime of isakmp to 28800.

Luan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of info at beprojects.com
Sent: Thursday, October 13, 2005 10:21 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cisco - Netscreen VPN

I think you have mismatched lifetimes on the proposals.  Cisco's default
lifetimes are 86400 for ISAKMP and 28800 for IPSec.  I believe NS's defaults
are 28800 for ISAKMP and 3600 for IPSec.  If you change the Cisco lifetimes
to match the NS, you will probably have better luck.

Here is the ISAKMP stuff:
crypto isakmp policy 10
lifetime 28800

I don't recall how to set the IPSec lifetime in IOS, but I believe it is
under "crypto ipsec profile XX1".  Probably something like "set lifetime
...".



Ryan O'Connell wrote:
> On 13/10/2005 14:09, info at beprojects.com wrote:
> 
>> What do you have for the config on both ends?  I've gotten it to work 
>> in the past (but I don't have copies of the configs).
>>  
>>
> 
> At the Cisco end:
> ! Cisco IOS Software, 7200 Software (C7200-JK9O3S-M), Version 12.4(3), 
> RELEASE SOFTWARE (fc2)
> 
> crypto isakmp policy 10
>  encr aes
>  authentication pre-share
>  group 2
> crypto isakmp key xxxxxxxxx address XXX.XX.XXX.132
> !
> crypto ipsec transform-set xx1 esp-aes esp-sha-hmac
> !
> crypto ipsec profile XX1
>  set transform-set xx1
> !
> interface Tunnel0
>  ip unnumbered FastEthernet1/0   (Fast1/0 is the inside NAT interface)
>  ip mtu 1300
>  tunnel source Loopback0
>  tunnel destination XXX.XX.XXX.132
>  tunnel mode ipsec ipv4
>  tunnel protection ipsec profile XX1
> !
> interface Loopback0
>  ip address XXX.XXX.XXX.163 255.255.255.255
> !
> ip route XXX.XX.XXX.88 255.255.255.248 Tunnel0
> 
> 
> And on the Netscreen:
> 
> !Software Version: 5.0.0r10b.0
> set interface "ethernet3" zone "Untrust"
> set interface "tunnel.1" zone "Trust"
> set interface ethernet3 ip XXX.XX.XXX.132/28
> set interface tunnel.1 ip unnumbered interface ethernet1
> set flow path-mtu
> set ike gateway "Xxxxxx" address XXX.XXX.XXX.163 Main outgoing-interface "ethernet3" preshare "XXXXXXXXX" proposal "pre-g2-aes128-sha"
> set ike respond-bad-spi 1
> set vpn "Xxxxxx" gateway "Xxxxxx" no-replay tunnel idletime 0 proposal "nopfs-esp-aes128-sha"
> set vpn "Xxxxxx" id 1 bind interface tunnel.1
> set route 192.168.1.0/24 interface tunnel.1
> 
> 
> 
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
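The lifetime mismatch this thread circles around, as an added example that is not from any of the posters: it reads the Cisco IOS and ScreenOS snippets quoted above, decodes the ScreenOS predefined proposal names into their attributes, fills values the snippets leave unset with the defaults the thread states (plus the IOS policy defaults for hash, group and auth), and reports every Phase 1/2 attribute on which the two peers disagree. The `grab`/`parse_ios`/`parse_ns`/`mismatches` names and the embedded config strings are this example's own.

```python
import re
# Lifetimes the thread states as defaults (IOS 86400/3600 s, ScreenOS 28800/3600 s).
IOS_LIFETIMES = {"p1_lifetime": 86400, "p2_lifetime": 3600}
NS_LIFETIMES = {"p1_lifetime": 28800, "p2_lifetime": 3600}
# Both snippets are copied from the quoted configs (addresses masked as posted).
IOS_CFG = """crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto ipsec transform-set xx1 esp-aes esp-sha-hmac
"""
NS_CFG = """set ike gateway "Xxxxxx" address XXX.XXX.XXX.163 Main outgoing-interface "ethernet3" preshare "XXXXXXXXX" proposal "pre-g2-aes128-sha"
set vpn "Xxxxxx" gateway "Xxxxxx" no-replay tunnel idletime 0 proposal "nopfs-esp-aes128-sha"
"""

def parse_ios(cfg):
    """Read the isakmp policy and transform-set, normalised to ScreenOS names."""
    def grab(pat, default):
        m = re.search(pat, cfg, re.M)
        return m.group(1).strip() if m else default
    # Values an IOS policy leaves unset take the IOS defaults: des, sha, group 1, rsa-sig.
    encr = grab(r"^\s*encr (.+)$", "des").replace(" ", "")   # "aes" alone means aes128
    p2_encr = p2_hash = ""
    for t in grab(r"^crypto ipsec transform-set \S+ (.+)$", "").split():
        if t.endswith("-hmac"): p2_hash = t.split("-")[1]    # esp-sha-hmac -> sha
        elif t.isdigit(): p2_encr += t                       # "esp-aes 256" -> aes256
        elif t.startswith("esp-"): p2_encr = t[4:]           # esp-aes -> aes
    return {
        "p1_auth": grab(r"^\s*authentication (\S+)", "rsa-sig").replace("pre-share", "pre"),
        "p1_group": grab(r"^\s*group (\d+)", "1"),
        "p1_encr": "aes128" if encr == "aes" else encr,
        "p1_hash": grab(r"^\s*hash (\S+)", "sha"),
        "p1_lifetime": int(grab(r"^\s*lifetime (\d+)", IOS_LIFETIMES["p1_lifetime"])),
        "p2_encr": "aes128" if p2_encr == "aes" else p2_encr,
        "p2_hash": p2_hash,
        # Phase 2 lifetime is configured under the ipsec profile, not the isakmp policy.
        "p2_lifetime": int(grab(r"^\s*set security-association lifetime seconds (\d+)", IOS_LIFETIMES["p2_lifetime"])),
    }

def parse_ns(cfg):
    """Decode ScreenOS predefined proposal names, e.g. pre-g2-aes128-sha."""
    p1 = re.search(r'^set ike gateway .*proposal "([^"]+)"', cfg, re.M).group(1)
    p2 = re.search(r'^set vpn .*proposal "([^"]+)"', cfg, re.M).group(1)
    auth, group, encr, hsh = p1.split("-")            # pre, g2, aes128, sha
    _pfs, _proto, encr2, hsh2 = p2.split("-")         # nopfs, esp, aes128, sha
    return {"p1_auth": auth, "p1_group": group[1:], "p1_encr": encr, "p1_hash": hsh,
            "p2_encr": encr2, "p2_hash": hsh2, **NS_LIFETIMES}

def mismatches(ios, ns):
    # Attributes on which the two peers' proposals disagree.
    return [f"{k}: ios={ios[k]} ns={ns[k]}" for k in sorted(ns) if ios.get(k) != ns[k]]
```

On the quoted configs the only disagreement reported is the Phase 1 lifetime (86400 versus 28800); adding `lifetime 28800` to the IOS policy, as suggested above, empties the list.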