[j-nsp] Help with vpn srx - asa

Ben Dale bdale at comlinx.com.au
Mon Mar 5 07:54:46 EST 2012


On 05/03/2012, at 9:57 PM, bizza wrote:
>        gateway gw_vpn2remote {
>            ike-policy ike_pol_vpn2remote;
>            address X.Y.W.Z;
>            local-identity inet A.B.C.D;
>            external-interface fe-0/0/7.0;
>            version v1-only;
>        }

In your IKE gateway configuration above, you have configured the local-identity - this particular knob is only used for authentication when you are using aggressive mode (which you are not).  

I suspect what you really wanted to configure was the proxy-id which ASAs tend to be VERY picky about.

You'll need:

set security ipsec vpn vpn2remote ike proxy-identity local A.B.C.D/E
set security ipsec vpn vpn2remote ike proxy-identity remote F.G.H.I/J
set security ipsec vpn vpn2remote ike proxy-identity service any

where F.G.H.I/J is the subnet on the remote side.

Ben
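
The following is an added example, not part of the original post: a small check that the SRX proxy-identity is the exact mirror of the ASA crypto ACL, since the ASA's local subnet is the SRX's remote and vice versa. The addresses, the ACL name VPN2SRX and the ASA line are constructed assumptions, and only the "permit ip <net> <mask> <net> <mask>" ACL form is handled.

```python
import ipaddress
import re

# Constructed sample input (addresses are not from the post).
SRX_CONFIG = """\
set security ipsec vpn vpn2remote ike proxy-identity local 10.1.0.0/24
set security ipsec vpn vpn2remote ike proxy-identity remote 10.2.0.0/24
set security ipsec vpn vpn2remote ike proxy-identity service any
"""
# Hypothetical ACL name; on the ASA the source is its own (local) subnet.
ASA_ACL = "access-list VPN2SRX extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0"


def srx_proxy_ids(config, vpn):
    """Return {'local': net, 'remote': net} parsed from Junos set commands."""
    pat = re.compile(
        r"^set security ipsec vpn (\S+) ike proxy-identity (local|remote) (\S+)$", re.M)
    return {side: ipaddress.ip_network(prefix, strict=False)
            for name, side, prefix in pat.findall(config) if name == vpn}


def asa_acl_nets(line):
    """Return (source, destination) networks from one ASA access-list entry."""
    m = re.match(r"access-list \S+ extended permit ip (\S+) (\S+) (\S+) (\S+)$", line.strip())
    if not m:
        raise ValueError("only the 'permit ip <net> <mask> <net> <mask>' form is handled")
    src = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
    dst = ipaddress.ip_network(f"{m[3]}/{m[4]}", strict=False)
    return src, dst


def proxy_id_mismatches(config, vpn, acl_line):
    """List the ways the SRX proxy-id fails to mirror the ASA crypto ACL."""
    ids = srx_proxy_ids(config, vpn)
    src, dst = asa_acl_nets(acl_line)
    problems = []
    # SRX local must equal the ASA destination, SRX remote the ASA source.
    for side, peer_net, role in (("local", dst, "destination"), ("remote", src, "source")):
        if side not in ids:
            problems.append(f"proxy-identity {side} is not configured")
        elif ids[side] != peer_net:
            problems.append(f"proxy-identity {side} {ids[side]} != ASA ACL {role} {peer_net}")
    return problems


if __name__ == "__main__":
    print(proxy_id_mismatches(SRX_CONFIG, "vpn2remote", ASA_ACL) or "proxy-ids mirror the ASA ACL")
```

A prefix-length difference (a /24 on one side, a /16 on the other) is reported as a mismatch, because the comparison is on the exact network, not on overlap.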





