[c-nsp] ASA to Netscreen VPN?

Jim McBurnett jim at tgasolutions.com
Mon Jun 25 23:21:48 EDT 2007


And make sure the ACLs are in the same order....
Jim


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of BAXTER, Adam
Sent: Monday, June 25, 2007 6:33 PM
To: ChrisSerafin
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] ASA to Netscreen VPN?

Hi,

I have done an IOS to Netscreen, it required a bit of playing around

But looking at the error your getting it's the phase 2 section that is
failing.

I'd make sure that all time lifes are the same on both ASA and NS to
start with.

Adam.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of ChrisSerafin
Sent: Tuesday, 26 June 2007 6:23 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] ASA to Netscreen VPN?

I'm trying to set up a L2L VPN with a Cisco ASA 5510 and a Juniper 
Netscreen Firewall.  I can't find any recent

documentation regarding this setup. I'm receiving some error messages 
from the ASDM which are below:

4    Jun 25 2007    14:32:54    713903             Group = 2.2.155.253, 
IP = 2.2.155.253, Freeing

previously allocated memory for authorization-dn-attributes
3    Jun 25 2007    14:32:54    713119             Group = 2.2.155.253, 
IP = 2.2.155.253, PHASE 1

COMPLETED
3    Jun 25 2007    14:32:54    713122             IP = 2.2.155.253, 
Keep-alives configured on but

peer does not support keep-alives (type = None)
5    Jun 25 2007    14:32:54    713904             Group = 2.2.155.253, 
IP = 2.2.155.253, All IPSec SA

proposals found unacceptable!
3    Jun 25 2007    14:32:54    713902             Group = 2.2.155.253, 
IP = 2.2.155.253, QM FSM error

(P2 struct &0x4274390, mess id 0x10055b4)!
3    Jun 25 2007    14:32:54    713902             Group = 2.2.155.253, 
IP = 2.2.155.253, Removing

peer from correlator table failed, no match!

The VPN config is provided below. Anything stand out? or anyone else get

this to work? Any comments welcome.




interface Ethernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 1.1.131.196 255.255.255.192 standby 1.1.131.197
!
interface Ethernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.254.0.253 255.255.255.0 standby 10.254.0.254
!
interface Ethernet0/3
 description LAN/STATE Failover Interface
!
interface Management0/0
 speed 100
 duplex full
 nameif management
 security-level 100
 ip address 10.1.254.1 255.255.255.0 standby 10.1.254.2
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network Inside-Nets
 network-object 10.254.0.0 255.255.255.0
 network-object 192.168.1.0 255.255.255.0
 network-object 10.1.254.0 255.255.255.0
 network-object 192.168.2.0 255.255.255.0
object-group service Management-Access-Group tcp
 description Management Access Service Group
 port-object eq ssh
 port-object eq telnet
access-list management_access_in extended permit icmp any any
access-list management_access_in extended permit ip any any
access-list management_access_in extended permit tcp any any
access-list inside_access_in extended permit icmp any any log debugging
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp object-group 
Corp-Office-Networks any
access-list outside_access_in remark Allow xxxx MSSP SNMP Monitoring
access-list outside_access_in extended permit udp 205.234.155.0 
255.255.255.0 interface outside eq snmp
access-list outside_access_in remark Allow xxxx MSSP SNMP Monitoring
access-list outside_access_in extended permit udp 205.234.155.0 
255.255.255.0 interface outside eq snmptrap
access-list outside_access_in remark Allow  ICMP from xxxx
access-list outside_access_in extended permit icmp 205.234.155.0 
255.255.255.0 interface outside
access-list outside_access_in remark xxxx MSSP VPN Ztunnel
access-list outside_access_in extended permit ip host 205.234.155.253 
interface outside
access-list outside_access_in remark SSH Access for xxxx Office
access-list outside_access_in extended permit ip host 206.81.53.50 
interface outside
access-list outside_20_cryptomap extended permit ip 10.1.254.0 
255.255.255.0 172.25.101.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group 
Inside-Nets 172.25.101.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.254.0 
255.255.255.0 172.25.101.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group management_access_in in interface management
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 2.2.155.253
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
tunnel-group 2.2.155.253 type ipsec-l2l
tunnel-group 2.2.155.253 ipsec-attributes
 pre-shared-key *


Thanks for anything,

Chris Serafin
Security Engineer
chris at chrisserafin.com
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

------------------------------------------------------------------------
-----------
This e-mail is sent by Suncorp-Metway Limited ABN 66 010 831 722 or one
of its related entities "Suncorp". 

Suncorp may be contacted at Level 18, 36 Wickham Terrace, Brisbane or on
13 11 55  or at suncorp.com.au.

The content of this e-mail is the view of the sender or stated author
and does not necessarily reflect the view of Suncorp. The content,
including attachments, is a confidential communication between Suncorp
and the intended recipient. If you are not the intended recipient, any
use, interference with, disclosure or copying of this e-mail, including
attachments, is unauthorised and expressly prohibited. If you have
received this e-mail in error please contact the sender immediately and
delete the e-mail and any attachments from your system.

If this e-mail constitutes a commercial message of a type that you no
longer wish to receive please reply to this e-mail by typing Unsubscribe
in the subject line.


_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


More information about the cisco-nsp mailing list