05-12-2015 01:13 AM
Hi to all,
We are trying to establish an S2S VPN between a Juniper and a Cisco ASA.
The tunnel is up (phase 1 and phase 2 are OK) but the ping is not working.
Topology:
ISP-->Cisco Router--->ASA-->LAN
ISP-->Juniper-->Lan
Do you have any idea?
Phase 1:
IKE Peer: 217.17.2.168
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
Phase 2:
access-list outside_1_cryptomap extended permit ip 10.21.41.0 255.255.255.0 172.26.3.0 255.255.255.0
local ident (addr/mask/prot/port): (10.21.41.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.26.3.0/255.255.255.0/0/0)
current_peer: 217.17.2.168
#pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 9, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 213.207.13.8/0, remote crypto endpt.: 217.17.2.168/0
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: AB1E5340
current inbound spi : 675A50E9
inbound esp sas:
spi: 0x675A50E9 (1733972201)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 123334656, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3563519/2011)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0xAB1E5340 (2870891328)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 123334656, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3563518/2011)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
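Added example (not part of the original post): a small parser for the counter lines of the ASA "show crypto ipsec sa" output quoted above, classifying the SA as idle, bidirectional, or one-way. The sample text is copied from the post; the label names are my own.

```python
import re

# Constructed sample: the relevant lines from the "show crypto ipsec sa" output above.
SAMPLE_SA = """\
local ident (addr/mask/prot/port): (10.21.41.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.26.3.0/255.255.255.0/0/0)
current_peer: 217.17.2.168
#pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors: 0, #recv errors: 0
"""

# Matches "#pkts encaps: 9", "#recv errors: 0", etc.
COUNTER_RE = re.compile(
    r"#(pkts (?:encaps|decaps|encrypt|decrypt|digest|verify)|send errors|recv errors):\s*(\d+)"
)
IDENT_RE = re.compile(r"^(local|remote) ident .*?:\s*\((\S+?)\)", re.M)


def parse_sa(text):
    """Return a dict of counters plus the proxy identities and peer address."""
    sa = {name: int(value) for name, value in COUNTER_RE.findall(text)}
    for side, ident in IDENT_RE.findall(text):
        sa[side + " ident"] = ident
    peer = re.search(r"current_peer:\s*(\S+)", text)
    if peer:
        sa["peer"] = peer.group(1)
    return sa


def classify(sa):
    """Classify traffic direction from the encaps/decaps counters.

    'one-way-outbound' is the classic symptom in the post: the ASA is
    encrypting packets but never decrypts any, so the reply path (remote
    policy/proxy-ID, routing, or a NAT rule on either side) is the place to look.
    """
    enc = sa.get("pkts encaps", 0)
    dec = sa.get("pkts decaps", 0)
    if sa.get("recv errors", 0) or sa.get("send errors", 0):
        return "errors"
    if enc == 0 and dec == 0:
        return "idle"
    if enc > 0 and dec == 0:
        return "one-way-outbound"
    if enc == 0 and dec > 0:
        return "one-way-inbound"
    return "bidirectional"


if __name__ == "__main__":
    parsed = parse_sa(SAMPLE_SA)
    print(parsed["peer"], parsed["local ident"], "->", parsed["remote ident"], classify(parsed))
```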
05-12-2015 01:29 AM
Hi,
Could you post the ASA's and the Juniper's sanitized configs and the equivalent show crypto command output from the Juniper FW?
05-12-2015 02:29 AM
Hi, from the Cisco ASA:
tunnel-group 217.17.2.168 type ipsec-l2l
tunnel-group 217.17.2.168 general-attributes
!
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 217.17.2.168
crypto map outside_map 1 set transform-set S2S_VPN_Bahrain
crypto map outside_map 1 set security-association lifetime seconds 3600
crypto map outside_map 1 set security-association lifetime kilobytes 4194303
crypto map outside_map 1 set nat-t-disable
!
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
!
crypto ipsec transform-set S2S_VPN_Bahrain esp-aes-256 esp-sha-hmac
!
access-list outside_1_cryptomap extended permit ip 10.21.41.0 255.255.255.0 172.26.3.0 255.255.255.0
!
access-list inside_access_in extended permit ip any any