SRX Services Gateway
Contributor
ssuet
Posts: 101
Registered: ‎09-21-2010

VPN ISSUE

To all

There is one weird problem I am facing: when the remote-end ASA initiates the VPN, my VPN establishes, but if I try to initiate the VPN, it doesn't.

What would be the reason? Can anyone tell me? It's a site-to-site VPN.

Thanks

Contributor
pkcpkc
Posts: 89
Registered: ‎11-10-2010

Re: VPN ISSUE

You should enable IKE trace and also check on the ASA what the error messages related to this VPN tunnel are. Can you post the output of "show security ike security-associations" and "show security ipsec security-associations" when the tunnel is established and when the tunnel doesn't come up? Can you also post your ASA VPN config and SRX VPN config?
Distinguished Expert
keithr
Posts: 979
Registered: ‎09-10-2009

Re: VPN ISSUE

This is because Cisco ASAs are less tolerant of mismatched proxy IDs than Juniper boxes are.

Juniper boxes will accept a proxy ID that is a match, or a superset of a match.  Cisco boxes will only accept an exact match.

So, if you have a proxy ID on your Juniper side of 192.168.1.0/24 and the Cisco side is 192.168.1.5/32, then if the Cisco side initiates that tunnel your Juniper will accept that and build the SA. If the Juniper tries to initiate, the Cisco will deny it because it's not an exact match.

You need to make sure your proxy IDs are carefully set on both ends. Cisco devices build their proxy IDs using their ACL entries, so, for policy-based VPN on your Juniper, that means building a separate policy (or pair of policies, for bi-directional VPNs) to exactly match each line of the ACL entries on the ASA side.

-kr


---
If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated.
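The proxy ID matching behaviour described in the reply above, modelled as an added example (not code from the thread or from either vendor). The addresses, the "superset" and "exact" matching rules, and the peer names are constructed assumptions; the point is to show why the tunnel comes up in one direction only and why a mirrored /32 policy on the SRX fixes it.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable

Net = ipaddress.IPv4Network


def exact_match(configured: Net, proposed: Net) -> bool:
    """Cisco ASA rule as described in the post: the proposal must equal the ACL entry."""
    return configured == proposed


def superset_match(configured: Net, proposed: Net) -> bool:
    """Juniper rule as described in the post: accept an exact match or any proposal
    that fits inside (is a subnet of) the configured proxy ID."""
    return proposed.subnet_of(configured)


@dataclass
class Peer:
    name: str
    local: Net                          # this peer's protected network (local proxy ID)
    remote: Net                         # network it expects behind the other peer
    matcher: Callable[[Net, Net], bool]  # how this peer judges a proposal

    def accepts(self, proposed_local: Net, proposed_remote: Net) -> bool:
        # The initiator's "local" is this responder's "remote" and vice versa.
        return (self.matcher(self.remote, proposed_local)
                and self.matcher(self.local, proposed_remote))


def phase2_comes_up(initiator: Peer, responder: Peer) -> bool:
    """One IPsec phase 2 negotiation: the initiator proposes its own proxy IDs
    and the responder applies its matching rule to them."""
    return responder.accepts(initiator.local, initiator.remote)


# Constructed topology: SRX LAN 192.168.1.0/24, ASA LAN 10.0.0.0/24, but the
# ASA's crypto ACL only names the single host 192.168.1.5/32 on the SRX side.
SRX = Peer("SRX", Net("192.168.1.0/24"), Net("10.0.0.0/24"), superset_match)
ASA = Peer("ASA", Net("10.0.0.0/24"), Net("192.168.1.5/32"), exact_match)

# The fix from the post: an SRX policy whose proxy ID mirrors the ACL line exactly.
SRX_FIXED = Peer("SRX", Net("192.168.1.5/32"), Net("10.0.0.0/24"), superset_match)

if __name__ == "__main__":
    print("ASA initiates:", phase2_comes_up(ASA, SRX))              # True
    print("SRX initiates:", phase2_comes_up(SRX, ASA))              # False
    print("SRX initiates (fixed):", phase2_comes_up(SRX_FIXED, ASA))  # True
```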