02-17-2016 07:48 PM - edited 02-21-2020 08:41 PM
I have an Internet IPsec connection between a Cisco router and a Juniper NetScreen SSG. The tunnel is up and working, but the ping is not getting through.
The Cisco side configuration:
#sho running-config
Building configuration...
Current configuration : 3588 bytes
!
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
!
redundancy
!
!
!
ip ssh version 2
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key 12345678 address X.Y.Z.129
!
!
crypto ipsec transform-set Unionpay esp-3des esp-sha-hmac
mode tunnel
!
!
crypto map UnionPay 1 ipsec-isakmp
set peer X.Y.Z.129
set transform-set Unionpay
match address UPI-Test-Prod
!
interface Loopback0
ip address 185.6.1.161 255.255.255.255
ip nat outside
ip virtual-reassembly in
!
interface Loopback1
no ip address
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description ITCL-2-UPI-WAN-Telnet
ip address A.B.C.138 255.255.255.248
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map UnionPay
!
!
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 203.184.81.84 255.255.255.255 A.B.C.137
ip route X.Y.Z.129 255.255.255.255 A.B.C.137
!
ip access-list extended UPI-Test-Prod
permit ip host 185.6.1.161 host 203.184.81.84
!
control-plane
!
!
scheduler allocate 20000 1000
!
end
===============================================================
NetScreen configuration:
set address "VPN" "ITC_HOSTt1_185.6.1.161" 185.6.1.161 255.255.255.255
set address "VPN" "ITC_SFTPt1_185.22.1.161" 185.22.1.161 255.255.255.255
set ike gateway "ITC_gateway" address A.B.C.138 Main outgoing-interface "ethernet0/1" preshare "12345678" proposal "pre-g2-3des-sha"
set vpn "ITC_VPN" gateway "ITC_gateway" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-sha"
set vpn "ITC_VPN" id 0x282 bind interface tunnel.49
set vpn "ITC_VPN" proxy-id local-addr "Trust" "UPI4_HOSTt2_203.184.81.84" remote-addr "VPN" "ITC_HOSTt1_185.6.1.161" "ANY"
set policy id 90709 from "VPN" to "Trust" "ITC_HOSTt1_185.6.1.161" "UPI4_HOSTt2_203.184.81.84" "ANY" permit log
set policy id 90712 from "Trust" to "VPN" "UPI4_HOSTt2_203.184.81.84" "ITC_HOSTt1_185.6.1.161" "ANY" permit log
+++++++++++++++++++++++++++++++++++++++++++++++++++++
set route 185.6.1.160/28 interface tunnel.49
set route 185.6.1.160/28 interface null metric 100
==============================================================================
Ping from the SSG side (203.184.81.84) to the Cisco side (185.6.1.161): we cannot see it.
Cisco:
local ident (addr/mask/prot/port): (185.6.1.161/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (203.184.81.84/255.255.255.255/0/0)
current_peer X.Y.Z.129 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: A.B.C.138, remote crypto endpt.: X.Y.Z.129
plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x7B0DF604(2064512516)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x681D640D(1746756621)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2031, flow_id: Onboard VPN:31, sibling_flags 80000040, crypto map: UnionPay
sa timing: remaining key lifetime (k/sec): (4263028/3523)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
On NetScreen:
[attached image: New Bitmap Image (3)]
======================================
Ping from Cisco to NetScreen:
We can see the echo reply getting back into the tunnel.
=========================================
The problem is: none of the above pings is working. It looks to me like the ping is being blocked by the Cisco router, but the Cisco configuration does not have any ACL or policy route. Can anyone help me with this?
PS. I have tried "no ip virtual-reassembly in" and "no ip nat outside", and even a default route pointing at the Cisco WAN interface. It is still not working; it looks like it is being routed to Null or not decrypted on the Cisco router side.
02-17-2016 09:39 PM
Did you do the ping from your loopback interface?
ping 203.184.81.84 source 185.6.1.161
02-18-2016 12:18 AM
We are doing the ping as
ping 203.184.81.84 source Loopback0
and
ping 203.184.81.84 source 185.6.1.161
and the Juniper firewall, in the Trust-to-VPN policy, can see the echo reply getting back into the tunnel.
02-18-2016 12:47 AM
The problem I have is with this from your output:
#pkts encaps: 0
This means your end is not encrypting and encapsulating any packets to be sent.
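The counter pattern in `show crypto ipsec sa` tells you which direction is losing traffic before you touch any config. The following triage script is an added example, not part of this thread: it parses the SA output quoted above (reproduced here as a constructed sample), classifies the encaps/decaps pattern, and checks that the Cisco crypto ACL identities mirror the ScreenOS proxy-id. The ScreenOS "Trust" address-book line for 203.184.81.84 was not posted in the thread, so the one below is assumed; only the "VPN" entry is from the original config.

```python
"""Triage `show crypto ipsec sa` counters and cross-check the ScreenOS proxy-id.

Added example, not from the thread.  The SA text is a constructed sample taken
from the output quoted above; the "Trust" address-book line is an assumption
(only the "VPN" side of the ScreenOS address book was posted).
"""
import re
from ipaddress import ip_network

# Constructed sample: the relevant lines of the Cisco `show crypto ipsec sa` output.
SHOW_SA = """\
local ident (addr/mask/prot/port): (185.6.1.161/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (203.184.81.84/255.255.255.255/0/0)
current_peer X.Y.Z.129 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors 0, #recv errors 0
Status: ACTIVE(ACTIVE)
"""

# ScreenOS fragment: the "VPN" address and proxy-id lines are from the thread,
# the "Trust" address-book line is assumed for the example.
SCREENOS_CFG = """\
set address "VPN" "ITC_HOSTt1_185.6.1.161" 185.6.1.161 255.255.255.255
set address "Trust" "UPI4_HOSTt2_203.184.81.84" 203.184.81.84 255.255.255.255
set vpn "ITC_VPN" proxy-id local-addr "Trust" "UPI4_HOSTt2_203.184.81.84" remote-addr "VPN" "ITC_HOSTt1_185.6.1.161" "ANY"
"""

IDENT_RE = re.compile(r'^(local|remote) ident [^:]*: \(([\d.]+)/([\d.]+)/(\d+)/(\d+)\)', re.M)
COUNTER_RE = re.compile(r'#pkts (encaps|decaps|encrypt|decrypt): (\d+)')
ERR_RE = re.compile(r'#(send|recv) errors (\d+)')
ADDR_RE = re.compile(r'^set address "[^"]+" "([^"]+)" ([\d.]+) ([\d.]+)', re.M)
PROXY_RE = re.compile(r'proxy-id local-addr "[^"]+" "([^"]+)" remote-addr "[^"]+" "([^"]+)"')


def parse_sa(text):
    """Return local/remote identities as ip_network objects plus counters, errors and status."""
    sa = {"counters": {}, "errors": {}}
    for side, addr, mask, _proto, _port in IDENT_RE.findall(text):
        sa[side] = ip_network(f"{addr}/{mask}", strict=False)
    for name, val in COUNTER_RE.findall(text):
        sa["counters"][name] = int(val)
    for name, val in ERR_RE.findall(text):
        sa["errors"][name] = int(val)
    m = re.search(r"Status: (\w+)", text)
    sa["status"] = m.group(1) if m else "UNKNOWN"
    return sa


def diagnose(sa):
    """Map the encaps/decaps pattern to where traffic is being lost."""
    enc = sa["counters"].get("encaps", 0)
    dec = sa["counters"].get("decaps", 0)
    if sa["errors"].get("recv", 0) or sa["errors"].get("send", 0):
        return "sa-errors"           # decrypt/verify or send failures: transform or replay mismatch
    if enc == 0 and dec == 0:
        return "no-traffic-matched"  # nothing entered the tunnel either way: route, ACL, source, or path to peer
    if enc > 0 and dec == 0:
        return "no-return-traffic"   # we encrypt, the peer never answers: remote policy/route or path loss
    if enc == 0 and dec > 0:
        return "no-reply-sent"       # peer traffic arrives but our reply never hits the crypto ACL
    return "ok"


def screenos_proxy_id(cfg):
    """Resolve the proxy-id address-book names to (local, remote) networks."""
    book = {name: ip_network(f"{a}/{m}", strict=False) for name, a, m in ADDR_RE.findall(cfg)}
    local_name, remote_name = PROXY_RE.search(cfg).groups()
    return book[local_name], book[remote_name]


def proxy_ids_mirror(sa, cfg):
    """Phase 2 only negotiates when each side's local selector equals the other's remote."""
    ns_local, ns_remote = screenos_proxy_id(cfg)
    return sa["local"] == ns_remote and sa["remote"] == ns_local


if __name__ == "__main__":
    sa = parse_sa(SHOW_SA)
    print(sa["local"], "<->", sa["remote"], sa["status"])
    print("proxy-ids mirror:", proxy_ids_mirror(sa, SCREENOS_CFG))
    print("diagnosis:", diagnose(sa))
```

Run against the output quoted in the thread this reports the proxy-ids as mirrored and the diagnosis as "no-traffic-matched": the SA is ACTIVE and the selectors agree, so the problem is not a phase-2 mismatch but traffic never reaching the crypto map in either direction, which is consistent with the loss between peer addresses found later.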
02-24-2016 11:53 PM
Thanks for your effort. I found the problem. The ping from the Juniper peer IP to the Cisco peer IP had heavy packet loss, about 40%. Once we contacted the ISP to fix that, all pings worked. It was an Internet quality problem. Thank you.