Peer Address

Network Pro

Hi all,

I am setting up a LAN-to-LAN VPN between a Cisco ASA 5520 and a Juniper device. It's my first time setting this up. What will be the peer address of my device that I need to give to the other person? Is this the outside address of my device?

Also, with the setup I have made I am getting the following error message:

IKE Peer: 81.45.22.222
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_WAIT_MSG5

Could you please let me know what the above means? Also, I was getting Type: user instead of L2L; what does this mean as well?

Thanks



jonathanaxford

Hi,

You will need to inform the other person of your external IP address so they can use this in their config; you should have the IP details of the other end so you can use this in your own config.

It looks like MM_WAIT_MSG5 indicates that the device is checking the hashes of the PSKs you are using. Make sure that the PSK is the same at each end.

Cheers

Jonathan
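To make the state in the question easier to read in practice, here is an added example (not code from the thread or from Cisco) that parses the IKEv1 SA summary an ASA prints for `show crypto isakmp sa` and flags phase-1 negotiations stuck in a wait state. The sample output is constructed to match the block the poster quoted, and the state-to-cause hints are the usual troubleshooting reading of the ASA main-mode states, an assumption rather than text from the thread.

```python
"""Parse the IKEv1 SA summary a Cisco ASA prints for `show crypto isakmp sa`
and flag phase-1 negotiations stuck in a main-mode wait state.

Added example, not from the thread.  SAMPLE_OUTPUT is constructed to match the
block quoted in the question; the state-to-cause hints are the usual reading
of the ASA main-mode states and are assumptions, not text from the thread.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: entry 1 is the poster's stuck responder, entry 2 a
# remote-access peer that finished aggressive mode.
SAMPLE_OUTPUT = """\
   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 81.45.22.222
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_WAIT_MSG5
2   IKE Peer: 198.51.100.7
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
"""

PEER_RE = re.compile(r"^\s*\d+\s+IKE Peer:\s*(\S+)")
FIELD_RE = re.compile(r"(\w+)\s*:\s*(\S+)")

# MM_WAIT_MSGn means "waiting for message n of the six-message main-mode
# exchange"; a state that never advances is the clue.  Assumed troubleshooting
# reading, not ASA documentation.
STATE_HINTS: Dict[str, str] = {
    "MM_WAIT_MSG2": "initiator sent its proposal and got no answer: peer unreachable, "
                    "ISAKMP not enabled on the peer interface, or no matching phase-1 policy",
    "MM_WAIT_MSG3": "responder answered the proposal and is waiting for the initiator's key exchange",
    "MM_WAIT_MSG4": "initiator sent its key exchange and is waiting for the responder's",
    "MM_WAIT_MSG5": "responder is waiting for the initiator's authenticated identity; "
                    "if it never leaves this state the pre-shared key usually differs at the two ends",
    "MM_WAIT_MSG6": "initiator is waiting for the responder's authenticated identity; "
                    "persistent: pre-shared key or ISAKMP identity mismatch",
    "MM_ACTIVE": "phase 1 complete",
    "AM_ACTIVE": "phase 1 complete (aggressive mode)",
}


@dataclass
class IkeSa:
    peer: str
    sa_type: str   # L2L = site-to-site tunnel-group, user = remote-access
    role: str
    state: str
    rekey: str


def parse_isakmp_sa(text: str) -> List[IkeSa]:
    """Return one IkeSa per 'IKE Peer' block in the command output."""
    blocks: List[Dict[str, str]] = []
    current = None
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if m:
            current = {"peer": m.group(1)}
            blocks.append(current)
        elif current is not None:
            # "Type    : L2L   Role    : responder" -> two key/value pairs
            for key, value in FIELD_RE.findall(line):
                current[key.lower()] = value
    return [IkeSa(b["peer"], b.get("type", "?"), b.get("role", "?"),
                  b.get("state", "?"), b.get("rekey", "?")) for b in blocks]


def is_stuck(sa: IkeSa) -> bool:
    """True for any state still waiting on a phase-1 message."""
    return "_WAIT_" in sa.state


def stuck_sas(sas: List[IkeSa]) -> List[IkeSa]:
    return [sa for sa in sas if is_stuck(sa)]


def explain(sa: IkeSa, expect_l2l: bool = True) -> str:
    """Human-readable reading of one SA entry for the on-call engineer."""
    notes = [f"{sa.peer}: {sa.state} as {sa.role}: "
             + STATE_HINTS.get(sa.state, "unrecognised state")]
    if expect_l2l and sa.sa_type.lower() == "user":
        # Assumed common cause: no L2L tunnel-group matches the peer address,
        # so the ASA treated the connection as a remote-access (user) client.
        notes.append("Type is 'user' for what should be a site-to-site peer: "
                     "check that an L2L tunnel-group exists for this peer address")
    return "; ".join(notes)


if __name__ == "__main__":
    for sa in parse_isakmp_sa(SAMPLE_OUTPUT):
        print(explain(sa))
```

Run it against the real command output pasted into SAMPLE_OUTPUT; `stuck_sas` gives the peers to chase, and `explain` says which end of the exchange is being waited on, which is what decides whether to look at reachability, the phase-1 policy, or the pre-shared key.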

So just to confirm, this is NOT the outside address of my firewall... this is the IP address set to me by the ISP? Right?

Thanks

I am on a LAN and so is the other company. We both are on the same LAN but just two different entities.

My outside IP is 172.22.1.2 and my default gateway is 172.22.1.1.

Similarly, his outside address is 172.22.2.2 and default gateway is 172.22.2.1.

So just to confirm, my peer address will be 172.22.1.1 (and NOT 172.22.1.2), right?

And his peer address will be 172.22.2.1 (and NOT 172.22.2.2), right?

Thanks

Hi there,

So, you are both on the same LAN, with a router separating you? I am assuming that you have full IP connectivity between each device then?

The peer IP address is the IP address of the device that the VPNs will terminate at.

So, if your Cisco ASA has the IP address 172.22.1.2, the Juniper will use this as the peer address. You will need to use the IP address 172.22.2.2 as the peer address at your end, as that will point all VPN traffic at the Juniper device.

This will work as long as you have IP connectivity between the devices.

Cisco ASA(172.22.1.2) >>>>>>>>>(ROUTER)<<<<<<<<<<<

Hope this helps

Jonathan

Thanks for the clear explanation.

Just have one more query. This is a different scenario so that I can understand the peer address concept. Say these sites were on the internet (broadband sites) and I were to connect a LAN-to-LAN tunnel; what would be the peer address here?

Cisco ASA(172.22.1.2) >>>>>>>>>(ROUTER- 82.23.222.1)<<<<<<<<<<<<<<<(Router - 82.34.123.1)>>>>>><<<

So if I were to do a whatsmyip on both these sites, these will display 82.23.222.1 and 82.34.123.1 respectively. So what would be the peer address here?

Thanks


Hi,

This is a little more complicated as we would need to introduce NAT into the equation. Essentially, your peer address is ALWAYS the IP address of the remote device with which you are forming an IPsec tunnel.

So, when the devices you are using are hidden behind an internet router, you will need to use NAT to translate the public IP address of the routers into the private IP address of the VPN device.

In your example, the peer IPs would be the public IP address of the router (as this is a routable IP address on the internet), but you would need to NAT the connection through to the VPN device.

There are issues with NAT and VPN, but the NAT-T feature does address these; the following document may shed some more light for you:

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftipsnat.html

Hope this helps,

Jonathan
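The NAT-T feature mentioned above works because the IKE peers can tell, during phase 1, that a NAT has rewritten their addresses. As an added example (not from the thread, and not Cisco's code), the following walks through the NAT discovery step of RFC 3947 for both topologies in the thread: the two devices routed directly on the LAN, and each device behind its own internet router from the poster's diagram. The ISAKMP cookies, the assumption that the routers leave UDP port 500 unchanged, and the choice of SHA-1 as the negotiated hash are constructed for the demonstration.

```python
"""How IKE NAT-Traversal (RFC 3947) discovers a NAT in the path, worked
through for the two topologies in the thread.

Added example, not from the thread or from Cisco.  The ISAKMP cookies, the
assumption that the routers keep UDP port 500 unchanged, and the use of
SHA-1 as the negotiated hash are constructed for the demonstration.

Each side sends NAT-D payloads carrying HASH(CKY-I | CKY-R | IP | Port) for
the addresses it believes are on the packet: first the remote (destination)
address, then its own (source) address.  The receiver recomputes both hashes
from the addresses it actually observes; a mismatch proves a NAT rewrote
that address somewhere in the path, and the peers move IKE and ESP into
UDP 4500 so the NAT can carry them.
"""
import hashlib
import ipaddress
import struct
from typing import Dict, Tuple

# (src_ip, src_port, dst_ip, dst_port) as one side sees a packet.
View = Tuple[str, int, str, int]

# Constructed 8-byte ISAKMP cookies for the demonstration.
CKY_I = bytes.fromhex("0102030405060708")
CKY_R = bytes.fromhex("a1a2a3a4a5a6a7a8")


def nat_d(cky_i: bytes, cky_r: bytes, ip: str, port: int, algo: str = "sha1") -> bytes:
    """NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port), IP and port in network byte order."""
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(algo, data).digest()


def build_nat_d_payloads(cky_i: bytes, cky_r: bytes, sender: View) -> Tuple[bytes, bytes]:
    """What the sender puts on the wire: hash of the destination, then hash of its own source."""
    src_ip, src_port, dst_ip, dst_port = sender
    return nat_d(cky_i, cky_r, dst_ip, dst_port), nat_d(cky_i, cky_r, src_ip, src_port)


def detect_nat(cky_i: bytes, cky_r: bytes, sender: View, receiver: View) -> Dict[str, bool]:
    """Receiver-side check of the sender's NAT-D payloads against the observed addresses."""
    remote_hash, local_hash = build_nat_d_payloads(cky_i, cky_r, sender)
    seen_src_ip, seen_src_port, seen_dst_ip, seen_dst_port = receiver
    # The sender hashed the address it was sending to; the receiver hashes its own address.
    receiver_behind_nat = remote_hash != nat_d(cky_i, cky_r, seen_dst_ip, seen_dst_port)
    # The sender hashed its own address; the receiver hashes the source it observed.
    sender_behind_nat = local_hash != nat_d(cky_i, cky_r, seen_src_ip, seen_src_port)
    return {
        "sender_behind_nat": sender_behind_nat,
        "receiver_behind_nat": receiver_behind_nat,
        "use_udp_4500": sender_behind_nat or receiver_behind_nat,
    }


def scenario_same_lan() -> Dict[str, bool]:
    """First topology in the thread: ASA 172.22.1.2 and Juniper 172.22.2.2 routed directly."""
    asa_sends = ("172.22.1.2", 500, "172.22.2.2", 500)
    juniper_sees = ("172.22.1.2", 500, "172.22.2.2", 500)
    return detect_nat(CKY_I, CKY_R, asa_sends, juniper_sees)


def scenario_internet() -> Dict[str, bool]:
    """Second topology: each VPN device sits behind its own internet router.

    The ASA's peer address is the Juniper's router, 82.34.123.1, which is
    assumed to forward UDP 500 to 172.22.2.2; the ASA's own traffic is assumed
    to leave through 82.23.222.1.  Addresses come from the poster's diagram."""
    asa_sends = ("172.22.1.2", 500, "82.34.123.1", 500)
    juniper_sees = ("82.23.222.1", 500, "172.22.2.2", 500)
    return detect_nat(CKY_I, CKY_R, asa_sends, juniper_sees)


if __name__ == "__main__":
    print("same LAN :", scenario_same_lan())
    print("internet :", scenario_internet())
```

In the same-LAN case both hashes match and the peers stay on UDP 500 with plain ESP; in the internet case both mismatch, which is exactly why the peer address has to be the router's public IP and why the router must pass UDP 500 and 4500 through to the VPN device.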

Thanks for your help !!
