Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
597
Views
0
Helpful
1
Replies

Dynamic VPN From Juniper SSG5 Uses DefaultRAGroup

tomytek0709
Level 1
Level 1

‎07-24-2014 08:36 AM

I am trying to set up a VPN to an ASA5540 with a static IP address from a Juniper SSG5 with a dynamic IP address.  I have tested the configuration from an ASA to ASA and it works fine.  When I try to connect with the Juniper SSG5 it does not work.  I did a debug crypto ikev1 and it shows the SSG5 defaulting to the DefaultRAGroup.  It's supposed to use the DefaultL2LGroup.  Does anyone have an idea of what could be the problem.  I will post the configuration shortly.  I appreciate the help.

Labels:
0 Helpful
1 Reply 1

tomytek0709
Level 1
Level 1

‎07-24-2014 10:06 AM

Below is the config of the ASA.  This works fine from another ASA, but does not from the Juniper SSG5.

interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 10.1.1.2 255.255.255.252 
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface GigabitEthernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
access-list vpn extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 10.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set 3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map EXTERNAL 5 match address vpn
crypto dynamic-map DYNAMIC-MAP 5 set ikev1 transform-set 3DES-SHA
crypto map EXTERNAL 5 ipsec-isakmp dynamic DYNAMIC-MAP
crypto map EXTERNAL interface outside
crypto ikev1 enable outside
crypto ikev1 policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key *****

0 Helpful
Customers Also Viewed These Support Documents