Site to site vpn

malbalhaj
Beginner

Dears,

I have a main SRX firewall, and all sites are connected to it.

There is a new site with a Cisco ASA 5505 firewall.

I've done the SRX-side configuration and the basic configuration for the Cisco. I tried to create the tunnel with IPsec,

with no luck. Can anybody help me?


Richard Burts
Hall of Fame Guru

You have not given us any detail to work with. Can you provide the crypto parameters that you are using? Even better - can you provide the config for the Cisco side?

Since you posted in a Cisco forum most of us will prefer to focus on troubleshooting from the Cisco side. As a start can you enable debug for ISAKMP, attempt to bring up the tunnel, and post all debug output?

HTH

Rick

Dear Richard,

My main problem is that I am trying to migrate the current PIX to an ASA 5505 v9.0. Please see below:

crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto ipsec transform-set mynet-aes esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map mynet 50 ipsec-isakmp    x
crypto map mynet 50 match address vpn-amman
crypto map mynet 50 set pfs group2
crypto map mynet 50 set peer 212.118.13.230
crypto map mynet 50 set transform-set strong
crypto map mynet 50 set security-association lifetime seconds 28800 kilobytes 4608000
crypto map mynet interface outside
isakmp enable outside
isakmp key ******** address 11.11.11.11 netmask 255.255.255.255 no-xauth no-config-mode    x
isakmp identity address
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption 3des
isakmp policy 5 hash sha
isakmp policy 5 group 2
isakmp policy 5 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800

I am facing the problem with the commands below (marked with x above):

isakmp key ******** address 11.11.11.11 netmask 255.255.255.255 no-xauth no-config-mode

crypto map mynet 50 ipsec-isakmp

I also tried to enable the command below:

debug crypto condition error isakmp

The result:

show crypto debug-condition
Crypto conditional debug is turned ON
IKE debug context unmatched flag:  OFF
IPSec debug context unmatched flag:  OFF
IKE debug context error flag:  ON
IPSec debug context error flag:  OFF
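The two lines the poster flags are PIX 6.x / pre-8.4 ASA syntax. On ASA 8.4 and later (including the 9.0 image mentioned above) the ISAKMP commands are keyed on `ikev1`, a static crypto map entry has no standalone `ipsec-isakmp` line, and the pre-shared key lives in a `tunnel-group` named after the peer address. The block below is an added example written for this page, not configuration from either poster; it re-expresses the posted crypto map in ASA 9.0 syntax. It assumes the crypto ACL `vpn-amman` already exists, uses the `212.118.13.230` peer from the posted `set peer` line (note that the posted `isakmp key` line names a different address, `11.11.11.11`; whichever address is the real SRX peer must appear both in `set peer` and as the tunnel-group name), and uses a placeholder pre-shared key.

```cisco
! IKEv1 (ISAKMP) phase 1: ASA 8.4+ syntax replaces "isakmp enable" / "isakmp policy"
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
crypto isakmp identity address
!
! Phase 2 proposal: "crypto ipsec transform-set" becomes "crypto ipsec ikev1 transform-set"
crypto ipsec ikev1 transform-set mynet-aes esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
!
! Static crypto map entry: there is no standalone "ipsec-isakmp" line on the ASA;
! the entry is defined by its match/peer/transform-set statements.
! vpn-amman is the crypto ACL from the posted config (assumed to already exist
! and to mirror the proxy-IDs configured on the SRX).
crypto map mynet 50 match address vpn-amman
crypto map mynet 50 set pfs group2
crypto map mynet 50 set peer 212.118.13.230
crypto map mynet 50 set ikev1 transform-set mynet-aes
crypto map mynet 50 set security-association lifetime seconds 28800 kilobytes 4608000
crypto map mynet interface outside
!
! The pre-shared key moves from "isakmp key ... address ..." into a tunnel-group
! named after the peer IP. The name must equal the "set peer" address exactly,
! otherwise phase 1 fails with no matching tunnel-group for the peer.
! PLACEHOLDER-PSK is a placeholder; replace it with the key shared with the SRX.
tunnel-group 212.118.13.230 type ipsec-l2l
tunnel-group 212.118.13.230 ipsec-attributes
 ikev1 pre-shared-key PLACEHOLDER-PSK
!
! Verification after sending interesting traffic across the tunnel:
!   show crypto ikev1 sa
!   show crypto ipsec sa
```

Only the pieces shown in the post are converted here; a working site-to-site tunnel on the ASA also needs the VPN traffic exempted from NAT, which is not part of the posted configuration and is not shown above.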

Thank you for the additional information. The crypto parameters seem reasonable. Can we assume that they do match what is configured at the head end?

I would expect to see a tunnel group configured for the peer but it is not shown here. Is it that you have it in the config but did not post it or is it not in the config?

When I have used conditional debug for crypto, it has been to identify a particular peer for which I want to see debug output. That raises the question of whether this ASA has multiple VPN peers or only the single peer with which we are testing. Unless the environment is complicated, instead of

debug crypto condition error isakmp

I would suggest just doing

debug crypto ikev1

HTH

Rick