IPSec L2L tunnel problem

tvaris
Level 1

Hi,

I'm trying to build a tunnel between our ASA 5510 and the service provider's Juniper Netscreen.

The IKE phase 1 tunnel works fine, but the IPsec phase 2 tunnel doesn't. Based on logs on both sides, it seems that the problem is in the proxy-id configurations, so the protected networks don't match. I have tried to do everything I understand on the ASA, but can't get it to work. Could someone help me with what else could be the problem? Are there any known issues between ASA and Netscreen? The SP points at me and says that I have to configure the proxy-ids correctly.

The SP said that they have configured the following networks in the Netscreen proxy-id (route based):

local

x.x.x.206/32

x.x.x.169/32

x.x.x.187/32

remote

z.z.z.0/24

I attach my ASA configuration related to the tunnel. Below you can see the log messages from the ASA and the Netscreen.

Thanks in Advance,

~Teemu~

ASA log -->

asa5510# Mar 24 10:57:58 [IKEv1]: Group = Netscreen_IP, IP = Netscreen_IP, QM FSM error (P2 struct &0xd8cfcf80, mess id 0x50bcdd6b)!

Mar 24 10:57:58 [IKEv1]: Group = Netscreen_IP, IP = Netscreen_IP, construct_ipsec_delete(): !

Mar 24 10:57:58 [IKEv1]: Group = Netscreen_IP, IP = Netscreen_IP, Removing peer from correlator table failed, no match!

Netscreen log-->

IKE ASA_IP Phase 2: No policy exists for the proxy ID received: local ID (ASA_IP/255.255.255.255, 0, 0) remote ID (ASA_IP/255.255.255.255, 0, 0)

11 Replies

JamesLuther
Level 3

Hi,

The error relates to the information you have in your ACL OUTSIDE_1_cryptomap; I think you have these the wrong way round.

You have configured

Local Encryption domain: z.z.z.0/24

Remote Encryption domain: host1, host2, host3

So perhaps it should be

access-list OUTSIDE_1_cryptomap extended permit ip object-group VPN_hostgroup z.z.z.0 255.255.255.0

Also be aware that Juniper is very fussy about these settings so you need to ensure that your ISP has EXACTLY the same subnets/masks configured.

Regards

Thanks James for the fast reply.

I changed the access-list as you suggested, but the result is still the same. And as far as I understand, it should be as it was first. First I must define the local network(s) and then the remote network(s) in the access-list?

So, problem still occurs, any help/ideas?

~Teemu~

What if you were to rem out the following

crypto map OUTSIDE_map 1 set nat-t-disable. What happens?


Instead

crypto map OUTSIDE_map 1, which will apply the crypto-map to the outside interface.

What I meant in my earlier comment was to rem out just the following

crypto map OUTSIDE_map 1 match address OUTSIDE_1_cryptomap

crypto map OUTSIDE_map 1 set pfs

crypto map OUTSIDE_map 1 set connection-type originate-only

crypto map OUTSIDE_map 1 set peer remote_IP

crypto map OUTSIDE_map 1 set transform-set ESP-3DES-SHA

crypto map OUTSIDE_map 1 set nat-t-disable    <-- rem this section out

crypto map OUTSIDE_map 1

Disregard earlier comments, I was assuming it was a different issue, sorry for the inconvenience.

Hello,

Can you post a working config for route-based VPNs (ASA --- Juniper) for reference?

I am also in the same kind of situation.

Thank you,

Dwarakanath

Hi Teemu,

If you think your ACL is good then you need to verify with your ISP that they have configured EXACTLY the same on their side. Juniper is quite particular so if you have configured 192.168.1.206 and they have configured 192.168.1.0/24 then it will not work.

The error you're getting relates to the negotiation of the network IDs between the two VPN peers. If you read the error carefully and look at the Cisco ACL and the Juniper ACL then you will see where the problem is.

Regards
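The check James describes (the ASA's crypto ACL must be the exact mirror image of the peer's proxy-IDs, same network and same mask, not merely an overlapping subnet) can be done mechanically. The script below is an added example and is not from this thread or from Cisco or Juniper: it expands an ASA crypto ACL into the (local, remote) proxy-ID pairs the ASA will propose, one per object-group member as the ASA does, parses ScreenOS `set vpn ... proxy-id local-ip ... remote-ip ...` lines, and reports each ASA entry that has no exact mirrored counterpart, distinguishing a mask mismatch (overlapping but not identical, as in the 192.168.1.206 vs 192.168.1.0/24 case above) from a selector the peer does not cover at all. The two configurations are constructed sample input using documentation address ranges; the ScreenOS line format and the `VPN_hostgroup` / `SP-to-ASA` names are assumptions of the example.

```python
"""Compare ASA crypto-map ACL selectors with NetScreen proxy-IDs.

The ASA proposes one Phase 2 proxy-ID pair per (expanded) crypto ACL entry:
local = ACE source, remote = ACE destination.  The NetScreen accepts the
proposal only if one of its proxy-IDs is the exact mirror image (its local ==
our remote, its remote == our local, same network address AND same mask).
"""
import ipaddress
import re

# Constructed sample input (RFC 5737 documentation ranges), not taken from the thread.
# The third NetScreen line deliberately carries a /24 where the ASA uses a /32 host.
SAMPLE_ASA = """
object-group network VPN_hostgroup
 network-object host 198.51.100.206
 network-object host 198.51.100.169
 network-object host 198.51.100.187
access-list OUTSIDE_1_cryptomap extended permit ip 192.0.2.0 255.255.255.0 object-group VPN_hostgroup
"""

SAMPLE_NETSCREEN = """
set vpn SP-to-ASA proxy-id local-ip 198.51.100.206/32 remote-ip 192.0.2.0/24 "ANY"
set vpn SP-to-ASA proxy-id local-ip 198.51.100.169/32 remote-ip 192.0.2.0/24 "ANY"
set vpn SP-to-ASA proxy-id local-ip 198.51.100.0/24 remote-ip 192.0.2.0/24 "ANY"
"""

# Assumed ScreenOS syntax: set vpn <name> proxy-id local-ip <a/m> remote-ip <a/m> <service>
NS_PROXY_ID = re.compile(r"^set vpn \S+ proxy-id local-ip (\S+) remote-ip (\S+)", re.M)


def _asa_spec(tokens, groups):
    """Consume one ASA address spec; return ([networks], remaining tokens)."""
    if tokens[0] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], tokens[1:]
    if tokens[0] == "host":
        return [ipaddress.ip_network(tokens[1])], tokens[2:]
    if tokens[0] == "object-group":
        return list(groups[tokens[1]]), tokens[2:]
    net = ipaddress.ip_network((tokens[0], tokens[1]), strict=False)  # address + dotted mask
    return [net], tokens[2:]


def parse_asa(config):
    """Return the (local, remote) proxy-ID pairs an ASA derives from its crypto ACL.

    Object-groups must be defined before the ACL that uses them (running-config order).
    """
    groups, pairs, current = {}, [], None
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:2] == ["object-group", "network"]:
            current = groups.setdefault(t[2], [])
        elif t[0] == "network-object" and current is not None:
            current.extend(_asa_spec(t[1:], groups)[0])
        elif t[0] == "access-list" and "permit" in t:
            current = None
            i = t.index("permit")
            if t[i + 1] != "ip":  # tcp/udp ACEs add port selectors; out of scope here
                raise ValueError("only 'permit ip' crypto ACEs are handled: " + line)
            srcs, rest = _asa_spec(t[i + 2:], groups)
            dsts, _ = _asa_spec(rest, groups)
            pairs.extend((s, d) for s in srcs for d in dsts)  # one pair per group member
        else:
            current = None
    return pairs


def parse_netscreen(config):
    """Return (local, remote) pairs from ScreenOS 'set vpn ... proxy-id' lines."""
    return [(ipaddress.ip_network(l, strict=False), ipaddress.ip_network(r, strict=False))
            for l, r in NS_PROXY_ID.findall(config)]


def _explain(want_local, want_remote, ns_pairs):
    """Say why no exact mirror exists: overlapping-but-different mask, or nothing at all."""
    for ns_local, ns_remote in ns_pairs:
        if ns_local.overlaps(want_local) and ns_remote.overlaps(want_remote):
            return ("mask mismatch: NetScreen has local %s remote %s; the selectors overlap "
                    "but must be identical (same network and mask)" % (ns_local, ns_remote))
    return "no NetScreen proxy-id covers this pair"


def compare(asa_pairs, ns_pairs):
    """Each ASA (local, remote) must exist on the NetScreen as (remote, local), exactly."""
    ns_set = set(ns_pairs)
    matched, asa_only = [], []
    for local, remote in asa_pairs:
        if (remote, local) in ns_set:
            matched.append((local, remote))
        else:
            asa_only.append((local, remote, _explain(remote, local, ns_pairs)))
    asa_mirrors = {(r, l) for l, r in asa_pairs}
    ns_only = [p for p in ns_pairs if p not in asa_mirrors]
    return {"matched": matched, "asa_only": asa_only, "ns_only": ns_only}


def check_sample():
    return compare(parse_asa(SAMPLE_ASA), parse_netscreen(SAMPLE_NETSCREEN))


if __name__ == "__main__":
    result = check_sample()
    for local, remote in result["matched"]:
        print("OK        ASA %s -> %s" % (local, remote))
    for local, remote, why in result["asa_only"]:
        print("ASA ONLY  %s -> %s: %s" % (local, remote, why))
    for ns_local, ns_remote in result["ns_only"]:
        print("NS ONLY   local %s remote %s has no mirrored ASA ACE" % (ns_local, ns_remote))
```

Run against the two real configurations (yours and the one the SP pastes back), and every line that is not "OK" is a proxy-ID the peer will reject with exactly the "No policy exists for the proxy ID received" error shown in the first post. The comparison is on network address and prefix length, so a /32 host never matches a /24 even though the host lies inside it.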

Hi Teemu,

Try running "debug crypto isakmp" too; that should give you a good idea of what is really happening.

Regards

I have the exact same problem. Some more detailed logs on the Juniper show:

## 2009-04-21 16:39:49 : rcv_local_addr = 10.20.1.0, rcv_local_mask = 255.255.255.0, p_rcv_local_real = 10.20.1.0

## 2009-04-21 16:39:49 : rcv_remote_addr = 65.1.1.1, rcv_remote_mask = 255.255.255.248, p_rcv_remote_real = 65.1.1.1

## 2009-04-21 16:39:49 : ike_p2_id->local_ip = 65.1.1.1, cfg_local_mask = 255.255.255.248, p_cfg_local_real = 65.1.1.1

## 2009-04-21 16:39:49 : ike_p2_id->remote_ip = 10.20.1.0, cfg_remote_mask = 255.255.255.0, p_cfg_remote_real = 10.20.1.0

## 2009-04-21 16:39:49 : IKE<65.1.1.1> local address NOT matched.

I've spent a lot of time troubleshooting this one and haven't gotten anywhere...unfortunately it doesn't look like there are any working ASA to Juniper configs when using policy-based VPN on the Juniper side.

Got it working with route-based VPNs... we found that policy-based VPNs don't work if you are trying to pass multiple subnets across the VPN.

access-list VPN extended permit ip 172.16.10.0 255.255.255.0 10.20.1.0 255.255.255.0
access-list VPN2 extended permit ip 172.17.10.0 255.255.255.0 10.20.1.0 255.255.255.0

crypto ipsec transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000

crypto map NS-map 10 match address VPN
crypto map NS-map 10 set pfs
crypto map NS-map 10 set peer 10.20.20.1
crypto map NS-map 10 set transform-set AES256-SHA
crypto map NS-map 10 set security-association lifetime seconds 3600
crypto map NS-map 20 match address VPN2
crypto map NS-map 20 set pfs
crypto map NS-map 20 set peer 10.20.20.1
crypto map NS-map 20 set transform-set AES256-SHA
crypto map NS-map 20 set security-association lifetime seconds 3600
crypto map NS-map interface inside

crypto isakmp identity address
crypto isakmp enable inside
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
no crypto isakmp nat-traversal

Just follow the vanilla route-based VPN instructions in any Juniper documentation.

Hope this helps...