SRX Services Gateway
Contributor
ssuet
Posts: 101
Registered: ‎09-21-2010
0

Re: Policy based VPN SRX and PIX

I'm stuck: either my config is wrong or it is something with the proposal, because if the proposal is wrong, why is running show security ike security-associations showing empty, with no status? It must show status down. That's why I'm asking: did I do anything wrong?

For sure I will do pair-policy. Thanks for your input.

 

 

Contributor
ssuet
Posts: 101
Registered: ‎09-21-2010
0

Re: Policy based VPN SRX and PIX

I also heard that the IKE lifetime value on the Juniper must be less than on the Cisco. Is that right? Because the other peer is configuring 86400, ipsec-lifetime 3600 seconds. What should I configure at my end? Kindly suggest if this is the case.

Visitor
norgetek
Posts: 7
Registered: ‎12-07-2010
0

Re: Policy based VPN SRX and PIX

 

Your lifetime should be equal or lesser for the negotiation of the tunnel to succeed.

 

I have an IPSEC tunnel between an SRX and an ASA 5505 (very similar to a PIX) and I have the following settings:

 

Cisco ASA:

IKE/ISAKMP lifetime 86400 (default for Cisco)

IPSEC SA lifetime 28800 (default for Cisco)

 

SRX:

IKE lifetime 28800

IPSEC SA lifetime 3600

 

The tunnel works just fine and I see that the Cisco device accepted my lower lifetime values during the negotiation, because my lifetimes are counting down from 28800 and 3600 respectively on both devices (SRX and ASA).

 

To know for sure what part of the negotiation is failing you will need to implement the trace options outlined in the PDF I referenced and then review the log file.
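
Added example, not part of the original thread and not taken from the PDF mentioned in the reply above: one way to set the SRX-side lifetimes quoted in that reply and to enable IKE tracing, in Junos set-style configuration. The proposal names (IKE-PROP-EXAMPLE, IPSEC-PROP-EXAMPLE) and the trace file name are hypothetical placeholders; substitute the names already used in your own configuration.

```junos
# Configuration mode. Proposal and file names below are hypothetical.

# Phase 1 (IKE) lifetime on the SRX, value taken from the reply above
set security ike proposal IKE-PROP-EXAMPLE lifetime-seconds 28800

# Phase 2 (IPsec SA) lifetime on the SRX, value taken from the reply above
set security ipsec proposal IPSEC-PROP-EXAMPLE lifetime-seconds 3600

# Write IKE negotiation traces to a dedicated log file
set security ike traceoptions file ike-trace-example
set security ike traceoptions flag all

commit

# Operational mode: check both phases, then read the trace
run show security ike security-associations
run show security ipsec security-associations
run show log ike-trace-example
```

Remove the traceoptions statements once the failing phase has been identified, since flag all logs every IKE event.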

 

 

 
