[j-nsp] Help with vpn srx - asa
Asad Raza
asadgardezi at gmail.com
Mon Mar 5 07:28:14 EST 2012
Hi Marco,
I see that you are using a custom proposal in phase-1 but using compatible
in phase-2; that could be the problem. You need to define an exact proposal in
phase-2 as well. Could you confirm if the proposal mismatch is in phase-1 (IKE)
or phase-2 (IPsec), to be more specific?
regards,
Asad
On Mon, Mar 5, 2012 at 4:57 PM, bizza <bizzam at gmail.com> wrote:
> Hi,
> I have some problems configuring a VPN between an SRX and a Cisco ASA.
> This is my configuration:
>
> ike {
>     proposal trans-vpn {
>         authentication-method pre-shared-keys;
>         dh-group group5;
>         authentication-algorithm sha-256;
>         encryption-algorithm aes-256-cbc;
>         lifetime-seconds 86400;
>     }
>     policy ike_pol_vpn2remote {
>         mode main;
>         proposals trans-vpn;
>         pre-shared-key ascii-text "1234567899"; ## SECRET-DATA
>     }
>     gateway gw_vpn2remote {
>         ike-policy ike_pol_vpn2remote;
>         address X.Y.W.Z;
>         local-identity inet A.B.C.D;
>         external-interface fe-0/0/7.0;
>         version v1-only;
>     }
> }
> ipsec {
>     policy ipsec_pol_vpn2remote {
>         proposal-set compatible;
>     }
>     vpn vpn2remote {
>         bind-interface st0.0;
>         ike {
>             gateway gw_vpn2remote;
>             ipsec-policy ipsec_pol_vpn2remote;
>         }
>         establish-tunnels immediately;
>     }
> }
>
> And on the ASA side the remote IT tech said that the configuration is the
> same: encryption, hash, lifetime, group, etc.
>
> In /var/log/kmd I found:
> Mar 5 12:51:27 IKEv1 Error : Timeout
> Mar 5 12:52:06 IKEv1 Error : No proposal chosen
> Mar 5 12:52:27 IKEv1 Error : Timeout
> Mar 5 12:52:41 IKEv1 Error : No proposal chosen
> Mar 5 12:53:13 IKEv1 Error : No proposal chosen
> Mar 5 12:53:27 IKEv1 Error : Timeout
> Mar 5 12:53:47 IKEv1 Error : No proposal chosen
> Mar 5 12:54:27 IKEv1 Error : Timeout
> Mar 5 12:54:30 IKEv1 Error : No proposal chosen
> Mar 5 12:55:08 IKEv1 Error : No proposal chosen
>
>
> Any hints?
>
> Regards
> Marco
> --
> bizza
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
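The explicit phase-2 definition that Asad's reply calls for, written out as an added example (this is not configuration from the thread, and the ASA side's real transform set is not shown anywhere in it; the proposal name, the 3600-second SA lifetime and the PFS group are assumptions chosen to mirror the phase-1 proposal in Marco's post):

```junos
## Added example, not from the thread. Replaces "proposal-set compatible"
## with an explicit phase-2 (IPsec) proposal that mirrors the phase-1
## settings: ESP, AES-256-CBC, SHA-256, DH group 5 for PFS.
## Proposal name, lifetime and PFS group are assumptions; every value
## must match the ASA transform set and crypto map, not just look similar.
security {
    ipsec {
        proposal ipsec_prop_vpn2remote {
            protocol esp;
            authentication-algorithm hmac-sha-256-128;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 3600;
        }
        policy ipsec_pol_vpn2remote {
            ## PFS group is negotiated in phase-2 and must match the ASA
            ## "set pfs" value on its crypto map (assumed group5 here).
            perfect-forward-secrecy {
                keys group5;
            }
            proposals ipsec_prop_vpn2remote;
        }
    }
}
```

Delete the existing proposal-set compatible statement from the policy before committing; a policy carries either a predefined set or explicit proposals, not both. The predefined compatible set only offers DES/3DES with MD5/SHA-1, so if the ASA transform set really is AES-256 with SHA-256 it can never match, which is exactly what "No proposal chosen" in /var/log/kmd reports. To tell a phase-1 failure from a phase-2 one, run show security ike security-associations: if the IKE SA reaches state UP, phase-1 is fine and the mismatch is in the IPsec proposal; if it never comes up, compare the IKE proposal (cipher, hash, DH group, lifetime) and the pre-shared key and peer identity first. For the exact attribute the peer rejected, enable set security ike traceoptions flag all with a file name and read that file with show log.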