L2L VPN between a Juniper and Cisco ASA 5515x

man3mar3n
Level 1

Hi,

I have a problem connecting a Juniper firewall and our Cisco 5515x firewall.

I was given a snapshot of the Juniper firewall config and asked to match it. Below is the Juniper firewall config.

set interface tunnel.2 ip unnumbered interface ethernet0/0

set ike gateway "TEST1" address DEST_IP Main outgoing-interface "ethernet0/1" preshare "PRESHARE-KEY" proposal "pre-g2-3des-sha" "pre-g2-3des-md5"

set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60

set vpn "TEST1" gateway "TEST1" no-replay tunnel idletime 0 proposal "g2-esp-3des-md5-1800"
set vpn "TEST1" monitor optimized
set vpn "TEST1" id 0xc bind interface tunnel.2

Below is my Cisco config.

crypto ipsec ikev1 transform-set TSET-TEST esp-3des esp-sha-hmac
crypto map CMAP-TEST 30 match address ACL-CMAP-TEST
crypto map CMAP-TEST 30 set pfs
crypto map CMAP-TEST 30 set peer SOURCE_IP
crypto map CMAP-TEST 30 set ikev1 transform-set TSET-TEST

crypto map CMAP-TEST interface outside

crypto ikev1 enable outside

crypto ikev1 policy 20
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400


crypto ikev1 policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 1800


crypto ikev1 policy 40
authentication pre-share
encryption aes
hash sha
group 2
lifetime 43200

tunnel-group SOURCE_IP type ipsec-l2l
tunnel-group SOURCE_IP ipsec-attributes
ikev1 pre-shared-key PRESHARE-KEY

The config does not work. I ran debug on ikev1 and got the following error:

[IKEv1]Group = DEST-IP, IP = DEST-IP, Session is being torn down. Reason: crypto map policy not found

Please share some ideas on this problem.
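As an added example (not code from this thread or from either vendor), a short Python checker that decodes the ScreenOS proposal names in the Juniper config above and compares them with the posted ASA ikev1 policies and transform set. It compares cipher suites only; agreement of the crypto ACL / proxy IDs, which the replies discuss, is a separate check. The token list in the regex and the reading of the trailing "-1800" as a lifetime in seconds are assumptions.

```python
import re

# Transcribed from the thread: ScreenOS proposal names, ASA ikev1 policies (ids
# are the ASA's own policy numbers) and the ASA transform set / pfs setting.
JUNIPER_IKE_PROPOSALS = ["pre-g2-3des-sha", "pre-g2-3des-md5"]
JUNIPER_IPSEC_PROPOSAL = "g2-esp-3des-md5-1800"
ASA_IKEV1_POLICIES = [
    {"id": 20, "enc": "3des", "hash": "sha", "group": 1},
    {"id": 30, "enc": "3des", "hash": "md5", "group": 2},
    {"id": 40, "enc": "aes", "hash": "sha", "group": 2},
]
# "crypto map ... set pfs" with no group keyword selects DH group 2 on the ASA.
ASA_IPSEC = {"enc": "3des", "hash": "sha", "pfs": 2}

# ScreenOS proposal names are built from fixed tokens: pre-g2-3des-sha is
# preshared auth, DH group 2, 3DES, SHA-1; g2-esp-3des-md5 is PFS group 2, ESP,
# 3DES, MD5. A trailing number is assumed to be a lifetime in seconds.
PROPOSAL_RE = re.compile(
    r"^(?:(?P<auth>pre|rsa|dsa)-)?(?P<dh>g\d+|nopfs)(?:-(?P<proto>esp|ah))?"
    r"-(?P<enc>[a-z0-9]+)-(?P<hash>sha256|sha|md5|null)(?:-(?P<life>\d+))?$")

def decode_proposal(name):
    """Split a ScreenOS proposal name into its negotiated parameters."""
    m = PROPOSAL_RE.match(name)
    if not m:
        raise ValueError("unrecognised ScreenOS proposal name: %s" % name)
    dh = m.group("dh")
    return {"auth": m.group("auth"), "proto": m.group("proto"),
            "group": None if dh == "nopfs" else int(dh[1:]),
            "enc": m.group("enc"), "hash": m.group("hash"),
            "lifetime": int(m.group("life")) if m.group("life") else None}

def phase1_matching_policies(juniper_names, asa_policies):
    """ASA ikev1 policy ids whose enc/hash/DH group equal a Juniper Phase 1
    proposal. IKEv1 negotiates the lifetime downward, so it is not compared."""
    wanted = {(p["enc"], p["hash"], p["group"])
              for p in map(decode_proposal, juniper_names)}
    return [pol["id"] for pol in asa_policies
            if (pol["enc"], pol["hash"], pol["group"]) in wanted]

def phase2_mismatches(juniper_name, asa_ipsec):
    """Phase 2 parameters on which the two sides disagree (empty means agree)."""
    j = decode_proposal(juniper_name)
    checks = [("enc", j["enc"], asa_ipsec["enc"]),
              ("hash", j["hash"], asa_ipsec["hash"]),
              ("pfs", j["group"], asa_ipsec["pfs"])]
    return ["%s: juniper %s vs asa %s" % c for c in checks if c[1] != c[2]]

if __name__ == "__main__":
    print("Phase 1 usable ASA policies:",
          phase1_matching_policies(JUNIPER_IKE_PROPOSALS, ASA_IKEV1_POLICIES))
    print("Phase 2 mismatches:", phase2_mismatches(JUNIPER_IPSEC_PROPOSAL, ASA_IPSEC))
```

Run against the posted configs it reports policy 30 as the only Phase 1 match and a hash mismatch (MD5 on the Juniper side, SHA on the ASA transform set) for Phase 2.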

3 Replies

Dinesh Moudgil
Cisco Employee

Hi,

Can you please confirm if the "ACL-CMAP-TEST" access-list is matching on both sides?
I have seen such issues come up if the encryption domain / crypto access-lists are not matching on either end.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Hi,

This is my ACL


object network OBJ-NET-CUSTR
subnet 192.168.0.0 255.255.255.0

object network OBJ-NET-CUSTL
subnet 10.100.0.0 255.255.0.0

access-list ACL-CMAP-TEST extended permit ip object OBJ-NET-CUSTL object OBJ-NET-CUSTR
access-list ACL-CMAP-TEST extended permit ip object OBJ-NET-CUSTR object OBJ-NET-CUSTL

This is the customer's ACL

set policy id 10 from "Untrust" to "TESTSIDE" "10.100.0.0/16" "192.168.0.0/24" "ANY" permit log
set policy id 10
exit
set policy id 11 from "TESTSIDE" to "Untrust" "192.168.0.0/24" "10.100.0.0/16" "ANY" permit log
set policy id 11

It looks good to me.

Hi,

First of all, we do not require a bi-directional ACL.

We just need an ACL with the local subnet as source and the remote subnet as destination.

Crypto ACLs are bi-directional.

Also, are you using NO-NAT for this traffic?

Regards,

Aditya

Please rate helpful posts.