And make sure the ACLs are in the same order....

Jim
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of BAXTER, Adam
Sent: Monday, June 25, 2007 6:33 PM
To: ChrisSerafin
Cc: [email protected]
Subject: Re: [c-nsp] ASA to Netscreen VPN?

Hi,

I have done an IOS to Netscreen; it required a bit of playing around. But looking at the error you're getting, it's the phase 2 section that is failing. I'd make sure that all lifetimes are the same on both ASA and NS to start with.

Adam.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of ChrisSerafin
Sent: Tuesday, 26 June 2007 6:23 AM
To: [email protected]
Subject: [c-nsp] ASA to Netscreen VPN?

I'm trying to set up an L2L VPN with a Cisco ASA 5510 and a Juniper Netscreen firewall. I can't find any recent documentation regarding this setup. I'm receiving some error messages from the ASDM, which are below:

4 Jun 25 2007 14:32:54 713903 Group = 2.2.155.253, IP = 2.2.155.253, Freeing previously allocated memory for authorization-dn-attributes
3 Jun 25 2007 14:32:54 713119 Group = 2.2.155.253, IP = 2.2.155.253, PHASE 1 COMPLETED
3 Jun 25 2007 14:32:54 713122 IP = 2.2.155.253, Keep-alives configured on but peer does not support keep-alives (type = None)
5 Jun 25 2007 14:32:54 713904 Group = 2.2.155.253, IP = 2.2.155.253, All IPSec SA proposals found unacceptable!
3 Jun 25 2007 14:32:54 713902 Group = 2.2.155.253, IP = 2.2.155.253, QM FSM error (P2 struct &0x4274390, mess id 0x10055b4)!
3 Jun 25 2007 14:32:54 713902 Group = 2.2.155.253, IP = 2.2.155.253, Removing peer from correlator table failed, no match!

The VPN config is provided below. Does anything stand out? Or has anyone else got this to work? Any comments welcome.

interface Ethernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 1.1.131.196 255.255.255.192 standby 1.1.131.197
!
interface Ethernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.254.0.253 255.255.255.0 standby 10.254.0.254
!
interface Ethernet0/3
 description LAN/STATE Failover Interface
!
interface Management0/0
 speed 100
 duplex full
 nameif management
 security-level 100
 ip address 10.1.254.1 255.255.255.0 standby 10.1.254.2
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network Inside-Nets
 network-object 10.254.0.0 255.255.255.0
 network-object 192.168.1.0 255.255.255.0
 network-object 10.1.254.0 255.255.255.0
 network-object 192.168.2.0 255.255.255.0
object-group service Management-Access-Group tcp
 description Management Access Service Group
 port-object eq ssh
 port-object eq telnet
access-list management_access_in extended permit icmp any any
access-list management_access_in extended permit ip any any
access-list management_access_in extended permit tcp any any
access-list inside_access_in extended permit icmp any any log debugging
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp object-group Corp-Office-Networks any
access-list outside_access_in remark Allow xxxx MSSP SNMP Monitoring
access-list outside_access_in extended permit udp 205.234.155.0 255.255.255.0 interface outside eq snmp
access-list outside_access_in remark Allow xxxx MSSP SNMP Monitoring
access-list outside_access_in extended permit udp 205.234.155.0 255.255.255.0 interface outside eq snmptrap
access-list outside_access_in remark Allow ICMP from xxxx
access-list outside_access_in extended permit icmp 205.234.155.0 255.255.255.0 interface outside
access-list outside_access_in remark xxxx MSSP VPN Ztunnel
access-list outside_access_in extended permit ip host 205.234.155.253 interface outside
access-list outside_access_in remark SSH Access for xxxx Office
access-list outside_access_in extended permit ip host 206.81.53.50 interface outside
access-list outside_20_cryptomap extended permit ip 10.1.254.0 255.255.255.0 172.25.101.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group Inside-Nets 172.25.101.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.254.0 255.255.255.0 172.25.101.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group management_access_in in interface management
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 2.2.155.253
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group 2.2.155.253 type ipsec-l2l
tunnel-group 2.2.155.253 ipsec-attributes
 pre-shared-key *

Thanks for anything,

Chris Serafin
Security Engineer
[EMAIL PROTECTED]
_______________________________________________
cisco-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

-----------------------------------------------------------------------------------
This e-mail is sent by Suncorp-Metway Limited ABN 66 010 831 722 or one of its related entities "Suncorp". Suncorp may be contacted at Level 18, 36 Wickham Terrace, Brisbane or on 13 11 55 or at suncorp.com.au. The content of this e-mail is the view of the sender or stated author and does not necessarily reflect the view of Suncorp. The content, including attachments, is a confidential communication between Suncorp and the intended recipient. If you are not the intended recipient, any use, interference with, disclosure or copying of this e-mail, including attachments, is unauthorised and expressly prohibited. If you have received this e-mail in error please contact the sender immediately and delete the e-mail and any attachments from your system. If this e-mail constitutes a commercial message of a type that you no longer wish to receive please reply to this e-mail by typing Unsubscribe in the subject line.
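The two replies above boil down to "line up phase 2 on both boxes": the ASA logs "All IPSec SA proposals found unacceptable!" when nothing the peer offers in quick mode matches its crypto map entry, and the things that have to agree are the ESP transform, PFS, the SA lifetime (Adam's point) and the proxy IDs, which the Netscreen takes from its proxy-id statement and the ASA from the crypto ACL in the same src/dst order (Jim's point). The script below is an added example, not code from the thread, from Cisco or from Juniper. It normalizes both sides into the same (pfs, encryption, authentication, lifetime) tuples plus a selector set and reports what differs. The ASA fragment is excerpted from Chris's posted config; the ScreenOS fragment is constructed (the thread never shows the Netscreen side), using the `set ike p2-proposal` / `set vpn ... proposal` / `set vpn ... proxy-id` syntax as I remember it, so treat that syntax as an assumption. Also assumed: the ASA's default IPsec SA lifetime of 28800 s applies because the config sets none, a bare `set pfs` means group2, and ScreenOS defaults a p2 proposal to 3600 s.

```python
import ipaddress
import re
# ASA side: excerpt of the crypto configuration Chris posted in the thread.
ASA_CONFIG = """\
access-list outside_20_cryptomap extended permit ip 10.1.254.0 255.255.255.0 172.25.101.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 2.2.155.253
crypto map outside_map 20 set transform-set ESP-3DES-MD5
"""
# Netscreen side: CONSTRUCTED for this example (not from the thread); PFS, lifetime and proxy-ID deliberately differ.
SCREENOS_CONFIG = """\
set ike p2-proposal "nopfs-esp-3des-md5" no-pfs esp 3des md5 second 3600
set vpn "to-asa" gateway "asa-gw" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-md5"
set vpn "to-asa" proxy-id local-ip 172.25.101.0/24 remote-ip 10.254.0.0/24 "ANY"
"""
ASA_DEFAULT_LIFETIME = 28800  # assumed ASA default IPsec SA lifetime (the config sets no override)
NS_DEFAULT_LIFETIME = 3600    # assumed ScreenOS default p2 lifetime
ASA_ALG = {"esp-des": "des", "esp-3des": "3des", "esp-md5-hmac": "md5", "esp-sha-hmac": "sha1"}
NS_ALG = {"des": "des", "3des": "3des", "md5": "md5", "sha-1": "sha1", "sha": "sha1"}
PREDEF = re.compile(r"^(g\d|nopfs)-esp-(\w+)-(\w+)$")  # ScreenOS predefined p2 proposal names

def _acl_endpoint(tokens):
    """Consume one ACE address spec (any | host A | A MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    if tokens[0] == "object-group":
        raise ValueError("object-group ACEs are not expanded; use plain networks in the crypto ACL")
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_asa(cfg, peer):
    """Phase 2 settings of the crypto map entry whose `set peer` is `peer`."""
    tsets, acls, maps, lifetime = {}, {}, {}, ASA_DEFAULT_LIFETIME
    for line in cfg.splitlines():
        t = line.split()
        if t[:3] == ["crypto", "ipsec", "transform-set"]:
            tsets[t[3]] = (ASA_ALG[t[4]], ASA_ALG[t[5]])
        elif t[:5] == ["crypto", "ipsec", "security-association", "lifetime", "seconds"]:
            lifetime = int(t[5])
        elif t[:1] == ["access-list"] and t[2:5] == ["extended", "permit", "ip"]:
            src, rest = _acl_endpoint(t[5:])
            acls.setdefault(t[1], []).append((src, _acl_endpoint(rest)[0]))
        elif t[:2] == ["crypto", "map"] and t[3].isdigit():
            # the keyword after `set`/`match` becomes the key: address, peer, transform-set, pfs
            maps.setdefault((t[2], t[3]), {})[t[5]] = t[6:]
    for e in maps.values():
        if e.get("peer") == [peer]:
            pfs = (e["pfs"] or ["group2"])[0] if "pfs" in e else None  # bare `set pfs` = group2
            return {"proposals": {(pfs, enc, auth, lifetime)
                                  for enc, auth in (tsets[n] for n in e["transform-set"])},
                    "selectors": set(acls.get(e.get("address", [None])[0], []))}
    raise ValueError(f"no crypto map entry with peer {peer}")

def _ns_proposal(name, defined):
    """Resolve a ScreenOS p2 proposal: explicitly defined, else one of the predefined names."""
    if name in defined:
        return defined[name]
    m = PREDEF.match(name)
    if not m:
        raise ValueError(f"unknown ScreenOS p2 proposal {name}")
    pfs = None if m.group(1) == "nopfs" else "group" + m.group(1)[1:]
    return (pfs, NS_ALG[m.group(2)], NS_ALG[m.group(3)], NS_DEFAULT_LIFETIME)

def parse_screenos(cfg, vpn_name):
    """Phase 2 settings of the named ScreenOS VPN; proxy-ID kept as (local, remote)."""
    defined, names, selectors = {}, [], set()
    for line in cfg.splitlines():
        t = line.replace('"', "").split()
        if t[:3] == ["set", "ike", "p2-proposal"]:
            secs = int(t[t.index("second") + 1]) if "second" in t else NS_DEFAULT_LIFETIME
            defined[t[3]] = (None if t[4] == "no-pfs" else t[4], NS_ALG[t[6]], NS_ALG[t[7]], secs)
        elif t[:3] == ["set", "vpn", vpn_name] and "proposal" in t:
            names = t[t.index("proposal") + 1:]
        elif t[:3] == ["set", "vpn", vpn_name] and "proxy-id" in t:
            selectors.add((ipaddress.ip_network(t[t.index("local-ip") + 1]),
                           ipaddress.ip_network(t[t.index("remote-ip") + 1])))
    return {"proposals": {_ns_proposal(n, defined) for n in names}, "selectors": selectors}

def compare_phase2(asa_cfg, peer, ns_cfg, vpn_name):
    """Return the phase 2 differences to reconcile; an empty list means the sides agree."""
    asa, ns = parse_asa(asa_cfg, peer), parse_screenos(ns_cfg, vpn_name)
    findings = []
    if not asa["proposals"] & ns["proposals"]:  # no (pfs, enc, auth, lifetime) tuple in common
        for i, field in enumerate(("pfs", "encryption", "authentication", "lifetime")):
            a, n = {p[i] for p in asa["proposals"]}, {p[i] for p in ns["proposals"]}
            if not a & n:
                findings.append(f"{field}: ASA {sorted(map(str, a))} vs Netscreen {sorted(map(str, n))}")
    # The Netscreen proxy-ID is local/remote from its side; mirror it into the ASA's src -> dst order.
    mirrored = {(remote, local) for local, remote in ns["selectors"]}
    for sel in sorted(asa["selectors"] ^ mirrored, key=str):
        side = "ASA only" if sel in asa["selectors"] else "Netscreen only"
        findings.append(f"selector {sel[0]} -> {sel[1]}: {side}")
    return findings

if __name__ == "__main__":
    print(*compare_phase2(ASA_CONFIG, "2.2.155.253", SCREENOS_CONFIG, "to-asa"), sep="\n")
```

Run as-is it reports the four deliberate differences in the constructed Netscreen fragment (PFS group2 vs none, lifetime 28800 vs 3600, and the two proxy-ID selectors that do not mirror each other); once the Netscreen side is changed to group2, 28800 s and remote-ip 10.1.254.0/24 the list is empty. The selector check is the mechanical form of "same order": the ASA's crypto ACL source/destination must be the Netscreen's remote/local, and an entry present on only one side is reported with the side that has it.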
