01-21-2011 08:11 AM
im stuck in either my config is wrong or something with proposal becuase if proposal is wrong
why run show security ike security-associations showing empty no status it must show status down thats why im asking did i make anything wrong
for sure i will do pair-policy thanks for your input
01-21-2011 08:19 AM
i also heard that ike life-time value of juniper must be less than Cisco is it right because other peer configuring 86400
ipsec-lifetime 3600 seconds what should i configure at my end kinldy suggest if this is tha case
01-21-2011 09:53 AM
Your lifetime should be equal or lesser for the negotiation of the tunnel to succeed.
I have a IPSEC tunnel between a SRX and a ASA 5505 (very similar to a PIX) and I have the following settings:
IKE/ISAKMP lifetime 86400 (default for Cisco)
IPSEC SA lifetime 28800 (default for Cisco)
IKE lifetime 28800
IPSEC SA lifetime 3600
Tunnel works just fine and I see the that Cisco device accepted my lower lifetime values during the negotiation because my lifetime are counting down from 28800 and 3600 respectively on both devices (SRX and ASA).
To know for sure what part of the negotiation is failing you will need to implement the trace options oultine in the PDF I referenced and then review the log file.