[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

<Need Help - Cisco ASA 8.4.1 to Juniper SSG-550 6.2.0r1.0VPN Configuration>



Hello All,

                I have been working for two days trying to get an ASA to setup a VPN tunnel to a SSG-550.  I have the VPN tunnel Setup and ready to go on the ASA.  I ran a Debug crypto IPSec 200 and crypto ikve1 200.  I do the command ping PRIVATE <ip address> and I get in the console


Sending 5, 100-byte ICMP Echos to 10.1.4.81, timeout is 2 seconds:
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=10.20.1.2, sport=29733, daddr=10.1.4.81, dport=29733
IPSEC(crypto_map_check)-5: Checking crypto map CARIBOU-VPN-1 10: skipping incomplete map.  No peer, access-list or transform-set specified.
IPSEC(crypto_map_check)-1: Error: No crypto map matched.

>From my understanding this is caused by the crypto map not being able to establish a tunnel to the Juniper.

On my Juniper configuration I have built the Gateway and set the Phase 1 Proposal to "pre-g2-3des-md5" followed by "pre-g2-3des-sha"

For the VPN configuration I use the predefined gateway configuration.

Under the advanced button, I use the predefined of "compatible" and the Phase 2 Proposal "nopfs-esp-3des" followed by "nopfs-esp-3des"
The proxy id is the local IP / Network block and the remote IP network block is the destination IP block.  The only part that has me wondering, because the Juniper has multiple zones, i.e. a DMZ, Trust, and Untrust.  Each Zone has its own IP block that is assigned to it.  I have entered a policy into one of the zones, i.e. Untrust to Trust, input source block, destination block, specified it is a tunnel, set for bi-directional entry and that should be it.

Any help in this as always will be greatly appreciated.  Thank you.



Thank You,

MAR

CONFIDENTIALITY NOTICE: This message is intended only for the individual or entity to which it is addressed and may contain information that is confidential or exempt from disclosure under applicable law. If you are not the intended recipient, you have received this communication in error. In such case, please notify us immediately by reply e-mail and immediately delete this message and its attachments. Any use, dissemination, redistribution or reproduction of this communication is strictly prohibited. Unless the message explicitly states otherwise, no e-mail correspondence claims to be a contractual offer or acceptance. LST Financial has instructed its employees not to send libelous or inappropriate statements and disclaims responsibility for such. Subject to applicable law, LST Financial may monitor, review and retain e-communications traveling through its networks/systems. By messaging with LST Financial you consent to the foregoing.