[c-nsp] ASA to Netscreen VPN?
Jim McBurnett
jim at tgasolutions.com
Mon Jun 25 23:21:48 EDT 2007
And make sure the ACLs are in the same order....
Jim
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of BAXTER, Adam
Sent: Monday, June 25, 2007 6:33 PM
To: ChrisSerafin
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] ASA to Netscreen VPN?
Hi,
I have done an IOS to Netscreen, it required a bit of playing around
But looking at the error your getting it's the phase 2 section that is
failing.
I'd make sure that all time lifes are the same on both ASA and NS to
start with.
Adam.
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of ChrisSerafin
Sent: Tuesday, 26 June 2007 6:23 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] ASA to Netscreen VPN?
I'm trying to set up a L2L VPN with a Cisco ASA 5510 and a Juniper
Netscreen Firewall. I can't find any recent
documentation regarding this setup. I'm receiving some error messages
from the ASDM which are below:
4 Jun 25 2007 14:32:54 713903 Group = 2.2.155.253,
IP = 2.2.155.253, Freeing
previously allocated memory for authorization-dn-attributes
3 Jun 25 2007 14:32:54 713119 Group = 2.2.155.253,
IP = 2.2.155.253, PHASE 1
COMPLETED
3 Jun 25 2007 14:32:54 713122 IP = 2.2.155.253,
Keep-alives configured on but
peer does not support keep-alives (type = None)
5 Jun 25 2007 14:32:54 713904 Group = 2.2.155.253,
IP = 2.2.155.253, All IPSec SA
proposals found unacceptable!
3 Jun 25 2007 14:32:54 713902 Group = 2.2.155.253,
IP = 2.2.155.253, QM FSM error
(P2 struct &0x4274390, mess id 0x10055b4)!
3 Jun 25 2007 14:32:54 713902 Group = 2.2.155.253,
IP = 2.2.155.253, Removing
peer from correlator table failed, no match!
The VPN config is provided below. Anything stand out? or anyone else get
this to work? Any comments welcome.
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address 1.1.131.196 255.255.255.192 standby 1.1.131.197
!
interface Ethernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 10.254.0.253 255.255.255.0 standby 10.254.0.254
!
interface Ethernet0/3
description LAN/STATE Failover Interface
!
interface Management0/0
speed 100
duplex full
nameif management
security-level 100
ip address 10.1.254.1 255.255.255.0 standby 10.1.254.2
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network Inside-Nets
network-object 10.254.0.0 255.255.255.0
network-object 192.168.1.0 255.255.255.0
network-object 10.1.254.0 255.255.255.0
network-object 192.168.2.0 255.255.255.0
object-group service Management-Access-Group tcp
description Management Access Service Group
port-object eq ssh
port-object eq telnet
access-list management_access_in extended permit icmp any any
access-list management_access_in extended permit ip any any
access-list management_access_in extended permit tcp any any
access-list inside_access_in extended permit icmp any any log debugging
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp object-group
Corp-Office-Networks any
access-list outside_access_in remark Allow xxxx MSSP SNMP Monitoring
access-list outside_access_in extended permit udp 205.234.155.0
255.255.255.0 interface outside eq snmp
access-list outside_access_in remark Allow xxxx MSSP SNMP Monitoring
access-list outside_access_in extended permit udp 205.234.155.0
255.255.255.0 interface outside eq snmptrap
access-list outside_access_in remark Allow ICMP from xxxx
access-list outside_access_in extended permit icmp 205.234.155.0
255.255.255.0 interface outside
access-list outside_access_in remark xxxx MSSP VPN Ztunnel
access-list outside_access_in extended permit ip host 205.234.155.253
interface outside
access-list outside_access_in remark SSH Access for xxxx Office
access-list outside_access_in extended permit ip host 206.81.53.50
interface outside
access-list outside_20_cryptomap extended permit ip 10.1.254.0
255.255.255.0 172.25.101.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group
Inside-Nets 172.25.101.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.254.0
255.255.255.0 172.25.101.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group management_access_in in interface management
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 2.2.155.253
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group 2.2.155.253 type ipsec-l2l
tunnel-group 2.2.155.253 ipsec-attributes
pre-shared-key *
Thanks for anything,
Chris Serafin
Security Engineer
chris at chrisserafin.com
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
------------------------------------------------------------------------
-----------
This e-mail is sent by Suncorp-Metway Limited ABN 66 010 831 722 or one
of its related entities "Suncorp".
Suncorp may be contacted at Level 18, 36 Wickham Terrace, Brisbane or on
13 11 55 or at suncorp.com.au.
The content of this e-mail is the view of the sender or stated author
and does not necessarily reflect the view of Suncorp. The content,
including attachments, is a confidential communication between Suncorp
and the intended recipient. If you are not the intended recipient, any
use, interference with, disclosure or copying of this e-mail, including
attachments, is unauthorised and expressly prohibited. If you have
received this e-mail in error please contact the sender immediately and
delete the e-mail and any attachments from your system.
If this e-mail constitutes a commercial message of a type that you no
longer wish to receive please reply to this e-mail by typing Unsubscribe
in the subject line.
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
More information about the cisco-nsp
mailing list