[j-nsp] Help with vpn srx - asa
bizza
bizzam at gmail.com
Mon Mar 5 07:55:57 EST 2012
On Mon, Mar 5, 2012 at 1:28 PM, Asad Raza <asadgardezi at gmail.com> wrote:
> Hi Marco,
>
> I see that you are using a custom proposal in phase-1 but using compatible
> in phase-2, that could be the problem. You need to define the exact proposal in
> phase-2 as well. Could you confirm if the proposal mismatch is in phase-1 (ike)
> or phase-2 (ipsec) to be more specific?
I've just changed my configuration as follows:
security {
    ike {
        proposal ike-p1 {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 86400;
        }
        policy ike_pol_lan2remote {
            mode main;
            proposals ike-p1;
            pre-shared-key ascii-text "blablabla"; ## SECRET-DATA
        }
        gateway gw_lan2remote {
            ike-policy ike_pol_lan2remote;
            address x.y.w.z;
            external-interface fe-0/0/7.0;
            version v1-only;
        }
    }
    ipsec {
        proposal ipsec-p2 {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 86400;
            lifetime-kilobytes 1048576;
        }
        policy ipsec_pol_lan2remote {
            proposals ipsec-p2;
        }
        vpn lan2remote {
            bind-interface st0.0;
            ike {
                gateway gw_lan2remote;
                ipsec-policy ipsec_pol_lan2remote;
            }
            establish-tunnels immediately;
        }
    }
}
And I'm waiting for the people on the other side to change the ASA
configuration, which will be something like this:
crypto isakmp policy 5
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ipsec-p2 esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 1048576
crypto map foo 5 match address MYACL
crypto map foo 5 set pfs
crypto map foo 5 set peer x.y.w.z
crypto map foo 5 set transform-set ipsec-p2
crypto map foo interface outside
Do you think this will be enough?
Regards
Marco
--
bizza
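Added example, not part of the thread or of either vendor's tooling: a Python script that parses the SRX ike/ipsec stanzas and the planned ASA lines from this message (copied here as constructed samples), maps the ASA keywords onto the names Junos uses, and lists every phase-1 and phase-2 parameter that differs between the two sides. The function names are mine; the one device-behaviour assumption built in is that a bare `set pfs` on the ASA means PFS group2, its default. Run over the two configs above it reports that the ASA crypto map sets PFS while the SRX ipsec policy has no `perfect-forward-secrecy` statement, and that the phase-2 lifetimes differ (86400 vs 28800 seconds).

```python
# Constructed sample: the SRX ike/ipsec proposal and policy stanzas from this message.
SRX_CONFIG = """
ike {
    proposal ike-p1 {
        dh-group group2;
        authentication-algorithm sha1;
        encryption-algorithm aes-128-cbc;
        lifetime-seconds 86400;
    }
}
ipsec {
    proposal ipsec-p2 {
        authentication-algorithm hmac-sha1-96;
        encryption-algorithm aes-128-cbc;
        lifetime-seconds 86400;
        lifetime-kilobytes 1048576;
    }
    policy ipsec_pol_lan2remote {
        proposals ipsec-p2;
    }
}
"""
# Constructed sample: the planned ASA config from this message, indented as the ASA prints it.
ASA_CONFIG = """
crypto isakmp policy 5
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ipsec-p2 esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 1048576
crypto map foo 5 set pfs
crypto map foo 5 set transform-set ipsec-p2
"""
# ASA keywords mapped onto the names Junos uses, so both sides compare in one vocabulary.
ISAKMP = {"encryption": ("enc", {"aes": "aes-128-cbc", "aes-256": "aes-256-cbc", "3des": "3des-cbc"}.get),
          "hash": ("auth", {"sha": "sha1", "md5": "md5"}.get),
          "group": ("dh", "group{}".format), "lifetime": ("lifetime", int)}
ESP = {"esp-aes": ("enc", "aes-128-cbc"), "esp-aes-256": ("enc", "aes-256-cbc"), "esp-3des": ("enc", "3des-cbc"),
       "esp-sha-hmac": ("auth", "hmac-sha1-96"), "esp-md5-hmac": ("auth", "hmac-md5-96")}

def parse_junos(text):
    """Turn Junos brace syntax into nested dicts; 'key value;' leaves become {key: value}."""
    stack = [{}]
    for line in text.splitlines():
        line = line.split("##")[0].strip()  # drop '## SECRET-DATA' style annotations
        if line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line == "}":
            stack.pop()
        elif line.endswith(";"):
            key, _, value = line[:-1].partition(" ")
            stack[-1][key] = value
    return stack[0]

def normalize_srx(text, ike_proposal, ipsec_policy):
    """Collect what each phase negotiates; PFS lives in the ipsec policy, not the proposal."""
    cfg = parse_junos(text)
    p1 = cfg["ike"]["proposal " + ike_proposal]
    pol = cfg["ipsec"]["policy " + ipsec_policy]
    p2 = cfg["ipsec"]["proposal " + pol["proposals"]]
    return {"phase1": {"dh": p1["dh-group"], "auth": p1["authentication-algorithm"],
                       "enc": p1["encryption-algorithm"], "lifetime": int(p1["lifetime-seconds"])},
            "phase2": {"enc": p2["encryption-algorithm"], "auth": p2["authentication-algorithm"],
                       "lifetime": int(p2["lifetime-seconds"]), "kilobytes": int(p2.get("lifetime-kilobytes", 0)),
                       # 'perfect-forward-secrecy { keys groupN; }' in the policy, or None when absent
                       "pfs": pol.get("perfect-forward-secrecy", {}).get("keys")}}

def normalize_asa(text, crypto_map, seq):
    """Collect the isakmp policy (assumes a single one) and the named crypto-map entry's settings."""
    p1, p2, tsets, chosen = {}, {"pfs": None, "kilobytes": 0}, {}, None
    for raw in text.splitlines():
        t = raw.split()
        if raw.startswith(" ") and t and t[0] in ISAKMP:  # sub-command of 'crypto isakmp policy'
            field, convert = ISAKMP[t[0]]
            p1[field] = convert(t[1])
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            tsets[t[3]] = t[4:]
        elif t[:4] == ["crypto", "ipsec", "security-association", "lifetime"]:
            p2["lifetime" if t[4] == "seconds" else "kilobytes"] = int(t[5])
        elif t[:5] == ["crypto", "map", crypto_map, seq, "set"] and t[5] == "pfs":
            p2["pfs"] = t[6] if len(t) > 6 else "group2"  # a bare 'set pfs' means group2 on the ASA
        elif t[:5] == ["crypto", "map", crypto_map, seq, "set"] and t[5] == "transform-set":
            chosen = t[6]
    p2.update(dict(ESP[alg] for alg in tsets[chosen]))  # e.g. esp-aes esp-sha-hmac -> enc, auth
    return {"phase1": p1, "phase2": p2}

def find_mismatches(srx, asa):
    """List (severity, phase, field, srx_value, asa_value) for every parameter that differs.
    Lifetimes are normally negotiated down to the shorter value, so they only warn; a differing
    algorithm, DH group or PFS setting leaves the peers without a common proposal for that phase."""
    issues = []
    for phase in ("phase1", "phase2"):
        for field in sorted(set(srx[phase]) | set(asa[phase])):
            a, b = srx[phase].get(field), asa[phase].get(field)
            if a != b:
                sev = "warning" if field in ("lifetime", "kilobytes") else "error"
                issues.append((sev, phase, field, a, b))
    return issues

if __name__ == "__main__":
    for issue in find_mismatches(normalize_srx(SRX_CONFIG, "ike-p1", "ipsec_pol_lan2remote"),
                                 normalize_asa(ASA_CONFIG, "foo", "5")):
        print("%s: %s %s: SRX=%s ASA=%s" % issue)
```

The `error` line is the one to act on before the other side commits their change: either add `perfect-forward-secrecy { keys group2; }` to the SRX ipsec policy or drop `set pfs` from the ASA crypto map, so the phase-2 proposals match in both directions. On a real box the input would be `show configuration security` output, in which case the stanzas sit under `security {` and `parse_junos(...)["security"]` is the starting point.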