[j-nsp] Help with vpn srx - asa
Ben Dale
bdale at comlinx.com.au
Mon Mar 5 07:54:46 EST 2012
On 05/03/2012, at 9:57 PM, bizza wrote:
> gateway gw_vpn2remote {
>     ike-policy ike_pol_vpn2remote;
>     address X.Y.W.Z;
>     local-identity inet A.B.C.D;
>     external-interface fe-0/0/7.0;
>     version v1-only;
> }
In your IKE gateway configuration above, you have configured the local-identity - this particular knob is only used for authentication when you are using aggressive mode (which you are not).
I suspect what you really wanted to configure was the proxy-id, which ASAs tend to be VERY picky about.
You'll need:

    set security ipsec vpn vpn2remote ike proxy-identity local A.B.C.D/E
    set security ipsec vpn vpn2remote ike proxy-identity remote F.G.H.I/J
    set security ipsec vpn vpn2remote ike proxy-identity service any

where F.G.H.I/J is the subnet on the remote side.
Ben
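
One way to check the proxy-id point from the reply above before bringing the tunnel up, as an added example that is not part of the original message: the script compares the SRX proxy-identity statements with the ASA crypto ACL and reports whether they are exact mirror images. The subnets, the ACL name VPN2SRX and the function names are constructed for illustration, and only ACL entries of the form `permit ip <net> <mask> <net> <mask>` are parsed.

```python
import ipaddress
import re

# Constructed sample input: subnets and the ASA ACL name are made up for illustration.
SRX_CONFIG = """\
set security ipsec vpn vpn2remote ike proxy-identity local 10.10.1.0/24
set security ipsec vpn vpn2remote ike proxy-identity remote 192.168.50.0/24
set security ipsec vpn vpn2remote ike proxy-identity service any
"""
ASA_ACL_MIRRORED = ("access-list VPN2SRX extended permit ip "
                    "192.168.50.0 255.255.255.0 10.10.1.0 255.255.255.0\n")
ASA_ACL_WIDER = ("access-list VPN2SRX extended permit ip "
                 "192.168.0.0 255.255.0.0 10.10.1.0 255.255.255.0\n")

def srx_proxy_ids(config, vpn):
    """Return (local, remote) networks for the VPN, or None if either is missing."""
    pat = re.compile(r"set security ipsec vpn (\S+) ike proxy-identity (local|remote) (\S+)")
    found = {side: ipaddress.ip_network(net)
             for name, side, net in pat.findall(config) if name == vpn}
    if "local" in found and "remote" in found:
        return found["local"], found["remote"]
    return None

def asa_acl_pairs(config, acl):
    """Return (source, destination) networks for each 'permit ip' entry of the ACL."""
    pat = re.compile(rf"access-list {re.escape(acl)} extended permit ip (\S+) (\S+) (\S+) (\S+)")
    return [(ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}"))
            for s, sm, d, dm in pat.findall(config)]

def proxy_id_problems(srx_config, vpn, asa_config, acl):
    """List mismatches between SRX proxy-identity and the ASA crypto ACL (empty = OK)."""
    ids = srx_proxy_ids(srx_config, vpn)
    if ids is None:
        return [f"{vpn}: proxy-identity local and remote are not both set"]
    local, remote = ids
    pairs = asa_acl_pairs(asa_config, acl)
    if not pairs:
        return [f"{acl}: no 'permit ip <net> <mask> <net> <mask>' entry found"]
    # The ACL source is the subnet behind the ASA, which is the SRX's "remote",
    # so the pair must appear swapped and exactly equal; a wider subnet fails.
    if (remote, local) in pairs:
        return []
    seen = ", ".join(f"{s} -> {d}" for s, d in pairs)
    return [f"{vpn}: ASA must offer {remote} -> {local}, ACL {acl} has {seen}"]

if __name__ == "__main__":
    for label, asa in (("mirrored", ASA_ACL_MIRRORED), ("wider", ASA_ACL_WIDER)):
        print(label, proxy_id_problems(SRX_CONFIG, "vpn2remote", asa, "VPN2SRX") or "OK")
```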