08-31-2008 09:37 PM
I want to configure the ASA IOS version 8.0 to connect to a Juniper Netscreen with the configuration below, using an L2L VPN.
Peer IP address 78.93.0.7
Host IP address 213.184.187.200
Pre-shared key: ciscoVPN
Phase 1: preg2-3des-md5
Phase 2: nopfs-esp-3des-md5
Thanks in advance.
09-01-2008 09:02 AM
09-01-2008 08:38 PM
I tried this example, but the problem is that the other party says no connection hits are coming in, and I cannot monitor the ASA to check whether the connection is up or not.
09-02-2008 02:24 AM
Which end do you have access to?
09-02-2008 02:31 AM
ASA end
09-02-2008 02:37 AM
1) Check your "interesting traffic" ACLs for hits.
2) Make sure you have the local-to-remote IP subnets in your "no-nat" ACL.
Issue the commands below:
term mon
debug crypto isakmp 20
debug crypto ipsec 20
Then try to initiate the VPN connection from your side and see what the debug tells you.
HTH
09-02-2008 02:45 AM
That was the output:
Sep 02 14:03:39 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Sep 02 14:03:39 [IKEv1]: IP = 78.93.0.6, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Sep 02 14:03:42 [IKEv1]: IP = 78.93.0.6, IKE_DECODE RESENDING Message (msgid=0)with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 152
Sep 02 14:03:42 [IKEv1]: IP = 78.93.0.6, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 64
Sep 02 14:03:42 [IKEv1]: IP = 78.93.0.6, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 64
Sep 02 14:03:42 [IKEv1]: IP = 78.93.0.6, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
Sep 02 14:03:42 [IKEv1]: IP = 78.93.0.6, Information Exchange processing failed
Sep 02 14:03:45 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Sep 02 14:03:45 [IKEv1]: IP = 78.93.0.6, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
09-02-2008 02:51 AM
OK - you need to check your Phase 1 IKE config with the remote end; you are not negotiating Phase 1.
Phase 1: preg2-3des-md5:
1) Authentication - PreSharedKey
2) Encryption - 3DES
3) Hash - MD5
Make sure this is the same at both ends.
HTH
09-02-2008 02:58 AM
These are my configurations. The other side is accepting connections from other parties, so I think it is something in my configuration.
Maybe I am missing something.
access-list nonat permit ip 172.19.134.9 255.255.255.255 213.184.187.178 255.255.255.255
nat (inside) 0 access-list nonat
sysopt connection permit-ipsec
isakmp enable outside
Phase I.
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp key knowledge address 78.93.0.6 netmask 255.255.255.255
isakmp policy 10 lifetime 14400
Phase II.
crypto ipsec transform-set jnet_trans esp-3des esp-md5-hmac
crypto map jnet_map 10 set peer 78.93.0.6
crypto map jnet_map 10 set transform-set jnet_trans
crypto map jnet_map 10 match address nonat
crypto map jnet_map 10 ipsec-isakmp
crypto map jnet_map interface outside
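As an added diagnostic (my own script, not from this thread or from Cisco), this Python reads ASA IKEv1 debug lines like those pasted above plus the `isakmp policy` lines from the posted config, flags the unencrypted NO_PROPOSAL_CHOSEN rejection that marks a Phase 1 failure, and compares the local policy against the parameters the Netscreen side advertised (preg2-3des-md5). The sample debug and config text is constructed from the thread, and the expected remote parameters are an assumption taken from the original post.

```python
import re

# Constructed fixture: ASA IKEv1 debug lines in the same shape as the thread's paste.
DEBUG_LINES = """\
Sep 02 14:03:42 [IKEv1]: IP = 78.93.0.6, IKE_DECODE RESENDING Message (msgid=0)with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 152
Sep 02 14:03:42 [IKEv1]: IP = 78.93.0.6, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 64
Sep 02 14:03:42 [IKEv1]: IP = 78.93.0.6, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
Sep 02 14:03:42 [IKEv1]: IP = 78.93.0.6, Information Exchange processing failed
"""

# Constructed fixture: the poster's Phase 1 policy lines.
ASA_CONFIG = """\
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 14400
"""

# Assumed remote proposal, decoded from the Netscreen label "preg2-3des-md5".
REMOTE_PHASE1 = {"authentication": "pre-share", "encryption": "3des",
                 "hash": "md5", "group": "2"}

# An un-encrypted notify arrives before any keys exist, i.e. during main mode.
NOTIFY_RE = re.compile(
    r"IP = (?P<peer>[\d.]+), Received an un-encrypted (?P<notify>[A-Z_]+) notify")

def phase1_failures(debug_text):
    """(peer, notify) pairs; NO_PROPOSAL_CHOSEN here means every Phase 1 proposal was rejected."""
    return [(m.group("peer"), m.group("notify")) for m in NOTIFY_RE.finditer(debug_text)]

def parse_isakmp_policies(config_text):
    """Collect `isakmp policy <n> <attr> <value>` lines into {n: {attr: value}}."""
    policies = {}
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[:2] == ["isakmp", "policy"]:
            policies.setdefault(parts[2], {})[parts[3]] = parts[4]
    return policies

def mismatches(local, remote):
    """Attributes where the local policy differs from, or lacks, the remote value."""
    return {k: (local.get(k), v) for k, v in remote.items() if local.get(k) != v}

def diagnose(debug_text, config_text, remote):
    """One line per finding: the rejection seen, then each policy's match status."""
    fails = phase1_failures(debug_text)
    if not fails:
        return "no un-encrypted notify seen; Phase 1 was not rejected at the proposal stage"
    report = [f"peer {p} sent {n}" for p, n in fails]
    for num, attrs in parse_isakmp_policies(config_text).items():
        diff = mismatches(attrs, remote)
        # Matching transforms plus a rejection points at identity type or PSK instead.
        report.append(f"policy {num}: " + (f"mismatch {diff}" if diff else
                      "transforms match; check ISAKMP identity type and PSK"))
    return "\n".join(report)
```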
09-02-2008 03:08 AM
Add "crypto isakmp identity address"
And double check with the remote end on the phase 1 settings & psk
09-02-2008 03:46 AM
Just add "crypto isakmp identity auto"
09-02-2008 03:52 AM
Thanks Andrew, I really appreciate it.
09-02-2008 03:54 AM
np - glad to help.
09-08-2008 08:17 PM
Andrew,
I am facing another problem with the VPN. How can I make the other side ping my host, or access a service on a certain port?
09-08-2008 10:30 PM
Make the other side ping your host?? You tell them to ping your host?
You can apply an access-list that covers the source traffic from the remote end to your local side and apply it to the inside interface on the "outbound" flow; you can base this on src IP, dest IP, src TCP/UDP port and dst TCP/UDP port.
HTH