
IPsec tunnel between Cisco router and NetScreen SSG, Cisco side can send traffic but cannot receive

yang yang
Level 1

I have an Internet IPsec connection between a Cisco router and a Juniper NetScreen SSG. The tunnel is up and working, but the ping is not getting through.

The Cisco side configuration:

#sho running-config
Building configuration...

Current configuration : 3588 bytes
!

!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption

ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
!
redundancy
!
!
!
ip ssh version 2
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key 12345678 address X.Y.Z.129

!
!
crypto ipsec transform-set Unionpay esp-3des esp-sha-hmac
 mode tunnel
!

!
crypto map UnionPay 1 ipsec-isakmp
 set peer X.Y.Z.129
 set transform-set Unionpay
 match address UPI-Test-Prod
!
interface Loopback0
 ip address 185.6.1.161 255.255.255.255
 ip nat outside
 ip virtual-reassembly in
!
interface Loopback1
 no ip address
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description ITCL-2-UPI-WAN-Telnet
 ip address A.B.C.138 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map UnionPay
!
!
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!

ip route 203.184.81.84 255.255.255.255 A.B.C.137
ip route X.Y.Z.129 255.255.255.255 A.B.C.137
!
ip access-list extended UPI-Test-Prod
 permit ip host 185.6.1.161 host 203.184.81.84

!
control-plane
!

!
scheduler allocate 20000 1000
!
end

===============================================================

NetScreen configuration:

set address "VPN" "ITC_HOSTt1_185.6.1.161" 185.6.1.161 255.255.255.255
set address "VPN" "ITC_SFTPt1_185.22.1.161" 185.22.1.161 255.255.255.255
set ike gateway "ITC_gateway" address A.B.C.138 Main outgoing-interface "ethernet0/1" preshare "12345678" proposal "pre-g2-3des-sha"
set vpn "ITC_VPN" gateway "ITC_gateway" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-sha"
set vpn "ITC_VPN" id 0x282 bind interface tunnel.49

set vpn "ITC_VPN" proxy-id local-addr "Trust" "UPI4_HOSTt2_203.184.81.84" remote-addr "VPN" "ITC_HOSTt1_185.6.1.161" "ANY"

set policy id 90709 from "VPN" to "Trust"  "ITC_HOSTt1_185.6.1.161" "UPI4_HOSTt2_203.184.81.84" "ANY" permit log

set policy id 90712 from "Trust" to "VPN"  "UPI4_HOSTt2_203.184.81.84" "ITC_HOSTt1_185.6.1.161" "ANY" permit log

+++++++++++++++++++++++++++++++++++++++++++++++++++++
set route 185.6.1.160/28 interface tunnel.49
set route 185.6.1.160/28 interface null metric 100
==============================================================================

Ping from the SSG side, 203.184.81.84, to the Cisco 185.6.1.161 side; we cannot see it:

Cisco:

 local  ident (addr/mask/prot/port): (185.6.1.161/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (203.184.81.84/255.255.255.255/0/0)
   current_peer X.Y.Z.129 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: A.B.C.138, remote crypto endpt.: X.Y.Z.129
     plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x7B0DF604(2064512516)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x681D640D(1746756621)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2031, flow_id: Onboard VPN:31, sibling_flags 80000040, crypto map: UnionPay
        sa timing: remaining key lifetime (k/sec): (4263028/3523)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

NetScreen:

[screenshot omitted: New Bitmap Image (3)]

======================================

Ping from Cisco to NetScreen:

We can see the echo reply getting back to the tunnel.

=========================================

The problem is, none of the above pings is working. It looks to me like the ping has been blocked by the Cisco router, but the Cisco configuration does not have any ACL or policy route. Can anyone help me with this?

PS. I have tried "no ip virtual-reassembly in" and "no ip nat outside", and even used a default route pointing to the Cisco WAN interface. Still not working; it looks like it is being routed to Null or not decrypted on the Cisco router side.
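
The first thing to verify with two configs like the ones posted above is that the Cisco crypto ACL and the NetScreen proxy-ID are exact mirrors of each other (Cisco source = NetScreen remote, Cisco destination = NetScreen local, same service). The SA output's local/remote ident lines show what was actually negotiated. The script below is an added example, not code from the original post or from Cisco/Juniper; it parses both snippets and reports any selector that has no mirror. The "Trust" zone address object for 203.184.81.84 is an assumption: the proxy-id refers to it, but its definition is not shown in the post.

```python
import ipaddress
import shlex

# Constructed sample, copied from the Cisco configuration posted above.
CISCO_ACL = """
ip access-list extended UPI-Test-Prod
 permit ip host 185.6.1.161 host 203.184.81.84
"""

# Constructed sample from the NetScreen configuration posted above. The "Trust"
# address object is an assumption: the proxy-id references it but the post does
# not show its definition. Address objects must precede the proxy-id line.
NETSCREEN_CFG = """
set address "VPN" "ITC_HOSTt1_185.6.1.161" 185.6.1.161 255.255.255.255
set address "VPN" "ITC_SFTPt1_185.22.1.161" 185.22.1.161 255.255.255.255
set address "Trust" "UPI4_HOSTt2_203.184.81.84" 203.184.81.84 255.255.255.255
set vpn "ITC_VPN" proxy-id local-addr "Trust" "UPI4_HOSTt2_203.184.81.84" remote-addr "VPN" "ITC_HOSTt1_185.6.1.161" "ANY"
"""


def _cisco_endpoint(tokens, i):
    """Parse one ACL endpoint starting at tokens[i]; return (network, next_index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # "address wildcard" form: the wildcard is the bitwise inverse of the netmask
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    netmask = ipaddress.ip_address((~wildcard) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tokens[i]}/{netmask}", strict=False), i + 2


def cisco_crypto_acl(text):
    """Return (proto, src_net, dst_net) for every permit entry of the crypto ACL."""
    entries = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "permit":
            continue
        src, i = _cisco_endpoint(t, 2)
        dst, _ = _cisco_endpoint(t, i)
        entries.append((t[1], src, dst))
    return entries


def netscreen_proxy_ids(text):
    """Return (service, local_net, remote_net) for every proxy-id in a ScreenOS config."""
    addrs, ids = {}, []
    for line in text.splitlines():
        t = shlex.split(line)
        if t[:2] == ["set", "address"] and len(t) >= 6:
            # set address <zone> <name> <ip> <netmask>
            addrs[(t[2], t[3])] = ipaddress.ip_network(f"{t[4]}/{t[5]}", strict=False)
        elif t[:2] == ["set", "vpn"] and "proxy-id" in t:
            # ... proxy-id local-addr <zone> <name> remote-addr <zone> <name> <service>
            p = t.index("proxy-id")
            ids.append((t[p + 7], addrs[(t[p + 2], t[p + 3])], addrs[(t[p + 5], t[p + 6])]))
    return ids


def check_mirror(cisco_text, netscreen_text):
    """Every Cisco selector must be the mirror of a NetScreen proxy-id and vice versa.
    IOS "ip" corresponds to ScreenOS "ANY"; other services are compared by name only.
    Returns a list of findings; an empty list means the selectors mirror cleanly."""
    findings = []
    cisco = cisco_crypto_acl(cisco_text)
    ns = netscreen_proxy_ids(netscreen_text)
    mirrored = {(svc, remote, local) for svc, local, remote in ns}
    for proto, src, dst in cisco:
        svc = "ANY" if proto == "ip" else proto
        if (svc, src, dst) not in mirrored:
            findings.append(f"no NetScreen proxy-id mirrors Cisco selector {proto} {src} -> {dst}")
    for svc, local, remote in ns:
        proto = "ip" if svc == "ANY" else svc
        if not any(p == proto and s == remote and d == local for p, s, d in cisco):
            findings.append(f"no Cisco ACL entry mirrors NetScreen proxy-id {svc} {local} <- {remote}")
    return findings


if __name__ == "__main__":
    for finding in check_mirror(CISCO_ACL, NETSCREEN_CFG) or ["selectors mirror cleanly"]:
        print(finding)
```

For the configs in this thread the check comes back clean, which agrees with the local/remote ident lines in the SA output; a mismatch here (for example a /28 on one side and a /32 on the other) would show up as a phase-2 failure or a one-way tunnel rather than as the symptom reported above.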

4 Replies

Philip D'Ath
VIP Alumni

Did you do the ping from your loopback interface?

ping 203.184.81.84 source 185.6.1.161

We are doing the ping

ping 203.184.81.84 source Loopback0

and

ping 203.184.81.84 source 185.6.1.161

and the Juniper firewall, over the policy Trust to VPN, can see the echo reply get back to the tunnel.

The problem I have is with this from your output:

#pkts encaps: 0

This means your end is not encrypting and encapsulating any packets to be sent.
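
The reasoning in the reply above (encaps 0 means this end never selected a packet for encryption) generalizes to a small per-direction diagnosis of `show crypto ipsec sa`. The script below is an added example, not code from the original post or from Cisco; it parses the counters and SA state of one crypto-map entry and classifies the tunnel. Because the counters are cumulative, it can take a snapshot from before the test ping and judge only the new traffic. The sample text is the output posted above, with the `current outbound spi` line used as the outbound-SA indicator since the outbound section is not shown in the post.

```python
import re

# Constructed sample: the "show crypto ipsec sa" excerpt posted above.
SHOW_SA = """\
   local  ident (addr/mask/prot/port): (185.6.1.161/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (203.184.81.84/255.255.255.255/0/0)
   current_peer X.Y.Z.129 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0

     current outbound spi: 0x7B0DF604(2064512516)

     inbound esp sas:
      spi: 0x681D640D(1746756621)
        transform: esp-3des esp-sha-hmac ,
        Status: ACTIVE(ACTIVE)
"""

COUNTER_RE = re.compile(r"#pkts (encaps|encrypt|digest|decaps|decrypt|verify): (\d+)")
ERROR_RE = re.compile(r"#send errors (\d+), #recv errors (\d+)")
IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([^)]+)\)")
OUT_SPI_RE = re.compile(r"current outbound spi: (0x[0-9A-Fa-f]+)")


def parse_show_sa(text):
    """Pull selectors, counters, error counts and SA presence out of one crypto-map entry."""
    sa = {"ident": {}, "counters": {}, "send_errors": 0, "recv_errors": 0,
          "inbound_sa": None, "outbound_sa": None, "inbound_status": None}
    section = None
    for line in text.splitlines():
        m = IDENT_RE.search(line)
        if m:
            sa["ident"][m.group(1)] = m.group(2)
        for name, value in COUNTER_RE.findall(line):
            sa["counters"][name] = int(value)
        m = ERROR_RE.search(line)
        if m:
            sa["send_errors"], sa["recv_errors"] = int(m.group(1)), int(m.group(2))
        m = OUT_SPI_RE.search(line)
        if m and m.group(1) != "0x0":  # IOS prints 0x0 when no outbound SA exists
            sa["outbound_sa"] = m.group(1)
        stripped = line.strip()
        if stripped == "inbound esp sas:":
            section = "inbound"
        elif stripped == "outbound esp sas:":
            section = "outbound"
        elif section == "inbound" and stripped.startswith("spi:"):
            sa["inbound_sa"] = stripped.split()[1].split("(")[0]
        elif section == "inbound" and "Status:" in stripped:
            sa["inbound_status"] = stripped.split("Status:")[1].strip()
    return sa


def diagnose(after, before=None):
    """Classify the tunnel from the counters; pass a pre-test snapshot as `before`
    so that only traffic generated by the test is judged. Returns (code, explanation)."""
    def delta(name):
        old = before["counters"].get(name, 0) if before else 0
        return after["counters"].get(name, 0) - old

    if after["inbound_sa"] is None or after["outbound_sa"] is None:
        return ("no-sa", "phase 2 is not up in both directions: check that the crypto ACL "
                         "mirrors the peer's proxy-ID and that the transform sets agree")
    encaps, decaps = delta("encaps"), delta("decaps")
    if encaps == 0 and decaps == 0:
        return ("no-traffic", "nothing was selected for encryption and nothing arrived from the "
                              "peer: source the test from the local ident, make sure the route to "
                              "the remote ident leaves via the crypto-map interface, and check "
                              "reachability and packet loss between the two peer addresses")
    if encaps > 0 and decaps == 0:
        return ("outbound-only", "this end encrypts but nothing comes back: the peer's policy, the "
                                 "peer's return route, or loss on the path between the peers")
    if encaps == 0:
        return ("inbound-only", "the peer's traffic is decrypted but the replies never match the "
                                "crypto ACL: local routing, NAT before encryption, or a selector mismatch")
    if delta("decaps") != delta("decrypt") or delta("verify") != delta("decaps") or after["recv_errors"]:
        return ("inbound-errors", "packets arrive but fail decryption or integrity checks: "
                                  "replay, transform or key mismatch")
    return ("bidirectional", "traffic is encrypted and decrypted in both directions")


if __name__ == "__main__":
    code, why = diagnose(parse_show_sa(SHOW_SA))
    print(f"{code}: {why}")
```

For the output in this thread the verdict is "no-traffic": both counters are zero, so the router neither matched a packet to the crypto ACL nor received an ESP packet from the peer. That is the combination to expect when the path between the two public peer addresses is losing packets, which is what the poster later found.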

Thanks for your effort. I found the problem. The ping from the Juniper peer IP to the Cisco peer IP had heavy packet loss, about 40%. Once we contacted the ISP to fix that, all pings worked. It is an Internet quality problem. Thank you.
