01-21-2011 08:11 AM
I'm stuck: either my config is wrong or it is something with the proposal, because if the proposal is wrong,
why does running show security ike security-associations show empty, with no status? It must show status down. That's why I'm asking: did I do anything wrong?
For sure I will do pair-policy. Thanks for your input.
01-21-2011 08:19 AM
I also heard that the IKE lifetime value on the Juniper must be less than on the Cisco. Is that right? Because the other peer is configuring 86400,
ipsec-lifetime 3600 seconds. What should I configure at my end? Kindly suggest if this is the case.
01-21-2011 09:53 AM
Your lifetime should be equal or lesser for the negotiation of the tunnel to succeed.
I have an IPSEC tunnel between an SRX and an ASA 5505 (very similar to a PIX) and I have the following settings:
Cisco ASA:
IKE/ISAKMP lifetime 86400 (default for Cisco)
IPSEC SA lifetime 28800 (default for Cisco)
SRX:
IKE lifetime 28800
IPSEC SA lifetime 3600
Tunnel works just fine and I see that the Cisco device accepted my lower lifetime values during the negotiation because my lifetimes are counting down from 28800 and 3600 respectively on both devices (SRX and ASA).
To know for sure what part of the negotiation is failing you will need to implement the trace options outlined in the PDF I referenced and then review the log file.
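
Added example, not part of the original posts: the SRX-side lifetimes quoted in the reply above, written as Junos set commands together with IKE trace logging. The proposal names IKE-PROP and IPSEC-PROP and the log file name ike-trace are hypothetical placeholders; substitute the names used in your own configuration.

```junos
# Added example. IKE-PROP, IPSEC-PROP and ike-trace are hypothetical names.

# Phase 1 (IKE) lifetime on the SRX, at or below the peer's 86400 seconds
set security ike proposal IKE-PROP lifetime-seconds 28800

# Phase 2 (IPsec SA) lifetime on the SRX, at or below the peer's 28800 seconds
set security ipsec proposal IPSEC-PROP lifetime-seconds 3600

# Write IKE negotiation messages to a dedicated log file
set security ike traceoptions file ike-trace
set security ike traceoptions flag all

# After commit, from operational mode:
#   show security ike security-associations
#   show security ipsec security-associations
#   show log ike-trace
```

Once the failing phase has been identified, remove the tracing with `delete security ike traceoptions` so the log does not keep growing.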