Hello.
I'm trying to build a route-based VPN between a Juniper ScreenOS firewall and a Cisco ASA.
On Juniper side I used scenario 2 from http://kb.juniper.net/InfoCenter/index?page=content&id=KB4147
In my case the Juniper (ScreenOS) side of the VPN is configured as follows. Note that the pre-shared key is shown in clear text (change it before reusing this configuration anywhere) and that `no-replay` turns off ESP anti-replay checking for this VPN:
set ike gateway "To-Cisco" address 10.0.0.4 Main outgoing-interface "ethernet0/0" preshare "netscreen" proposal "pre-g2-des-sha"
set vpn "To-Cisco-VPN" gateway "To-Cisco" no-replay tunnel idletime 0 proposal "nopfs-esp-des-sha"
set interface "tunnel.1" zone "Trust"
set interface tunnel.1 ip unnumbered interface ethernet0/0
set vpn "To-Cisco-VPN" bind interface tunnel.1
set vpn "To-Cisco-VPN" proxy-id local-ip 192.168.11.0/24 remote-ip 192.168.10.0/24 "ANY"
set route 192.168.10.0/24 interface tunnel.1
On the Cisco side I used the wizard. The tunnel comes up, but from a computer behind the Cisco I can only reach the Juniper itself. Note that the Juniper's address 10.0.0.3 is not covered by the crypto ACL `outside_1_cryptomap` (192.168.10.0/24 <-> 192.168.11.0/24), so that ping matches the `nat (inside) 1` PAT rule and is sent in the clear; it does not test the tunnel at all. If I ping an address behind the Juniper (192.168.11.34), the Cisco logs:
IPSEC: Received an ESP packet (SPI= 0x439DA50C, sequence number= 0x4) from juniper (user= 10.0.0.3) to this-Cisco. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as 192.168.10.1, its source as juniper, and its protocol as 1. The SA specifies its local proxy as inside_network/255.255.255.0/0/0 and its remote_proxy as juniper_network/255.255.255.0/0/0.
What this log shows is an ICMP packet that arrived correctly through the tunnel but whose inner source is 10.0.0.3 (the Juniper's own ethernet0/0 address) rather than something in 192.168.11.0/24, so the ASA drops it at the proxy-ID check. Since tunnel.1 is `ip unnumbered interface ethernet0/0`, anything the Juniper itself originates into the tunnel — for example an ICMP error because it has no route or policy for 192.168.11.34 — carries 10.0.0.3 as its source. The inner destination is 192.168.10.1, the ASA's inside interface, which suggests the original ping came from the ASA itself rather than from a host. The Trust interface holding 192.168.11.0/24 is not in the excerpt above, so the first things to verify are that the Juniper really has that subnet and a matching route/policy, and whether tunnel.1 should be unnumbered on that Trust interface instead of on ethernet0/0.
The Cisco side was configured with the wizard; its running configuration (ASA 7.2(4)) is:
Saved
:
! Cisco ASA 7.2(4) running-config as posted.
ASA Version 7.2(4)
!
hostname pixfirewall
domain-name test.com
! NOTE(review): the enable password and the login password carry the identical
! hash string, so presumably one password opens both login and privileged mode.
enable password w/sdDXZ8Zen0X1KN encrypted
passwd w/sdDXZ8Zen0X1KN encrypted
names
! Object names used throughout: inside_network / juniper_network are the two
! VPN subnets (the proxy IDs); juniper / this-Cisco are the two IKE peers.
name 192.168.10.0 inside_network
name 192.168.11.0 juniper_network
name 10.0.0.3 juniper
name 10.0.0.4 this-Cisco
!
! inside: 192.168.10.1/24. This is the VPN-local subnet (inside_network) and
! 192.168.10.1 is the address the logged inner packet was addressed to.
interface Vlan1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
ospf cost 10
!
! outside: this-Cisco = 10.0.0.4, the IKE peer address the Juniper points at.
interface Vlan2
nameif outside
security-level 0
ip address this-Cisco 255.255.255.0
ospf cost 10
!
! Ethernet0/0 is the only port explicitly placed in the outside VLAN;
! Ethernet0/1-0/7 have no explicit configuration here.
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name test.com
! outside_in is applied inbound on the outside interface (access-group further
! down). It permits ICMP from any source and TCP/3389 (RDP) from any source to
! the outside interface address, which the static entry forwards to
! 192.168.10.10.
! NOTE(review): this exposes RDP to every host on the outside; restrict the
! source addresses if that is not intended.
access-list outside_in extended permit icmp any any
access-list outside_in extended permit tcp any interface outside eq 3389
! Crypto ACL = proxy IDs for the site-to-site tunnel: 192.168.10.0/24 <->
! 192.168.11.0/24. The Juniper's proxy-id must be the mirror image of this;
! a decapsulated packet whose addresses fall outside it fails the SA policy
! check and is dropped.
access-list outside_1_cryptomap extended permit ip inside_network 255.255.255.0 juniper_network 255.255.255.0
! NAT exemption for the same address pair so tunnel traffic is not PAT'd.
access-list inside_nat0_outbound extended permit ip inside_network 255.255.255.0 juniper_network 255.255.255.0
pager lines 24
logging enable
logging list ip level debugging class ip
logging asdm-buffer-size 512
logging buffered ip
logging asdm informational
! NOTE(review): logs are shipped to an FTP server, i.e. credentials and log
! data travel in clear text; the FTP password is masked in this paste.
logging ftp-server 192.168.1.101 1 asa ****
mtu inside 1500
mtu outside 1500
! Single-address pool inside the inside subnet; it is not referenced anywhere
! else in this config and looks like a leftover of a remote-access setup.
ip local pool p_c 192.168.10.5
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
! Outbound PAT to the outside interface address for everything that is not
! exempted by inside_nat0_outbound. A ping from inside to 10.0.0.3 matches
! this rule rather than the crypto ACL, so it leaves in the clear and does not
! exercise the tunnel.
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
! Port-forward of RDP from the outside interface address to 192.168.10.10;
! reachable from any source because of outside_in above.
static (inside,outside) tcp interface 3389 192.168.10.10 3389 netmask 255.255.255.255
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
! SSH and enable authentication against the local user database.
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
! NOTE(review): ASDM/HTTPS management is allowed from every inside address.
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
! Phase 2 transform sets. NOTE(review): DES and MD5 variants are defined here
! and offered first on the active map below; prefer the AES/SHA sets on both
! peers once the tunnel passes traffic.
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
! NOTE(review): ESP anti-replay is disabled globally. This mirrors the
! Juniper's "no-replay" setting but removes replay protection for every SA on
! this box, not just this tunnel.
crypto ipsec security-association replay disable
! "l2tp", "secure" and "outside_map" are not bound to any interface (only
! outside_map0 is, below), so these entries are inactive leftovers.
! "outside_map" is also the only place PFS is set, and it has no match address.
crypto dynamic-map l2tp 8 set security-association lifetime seconds 28800
crypto map secure 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer juniper
crypto map outside_map 1 set transform-set ESP-3DES-SHA ESP-DES-SHA ESP-3DES-MD5 ESP-AES-128-SHA ESP-DES-MD5 ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5
! Active site-to-site map: peer 10.0.0.3, proxy IDs from outside_1_cryptomap,
! no PFS (consistent with the Juniper's nopfs-esp-des-sha proposal). The
! transform-set list is the preference order offered to the peer.
crypto map outside_map0 1 match address outside_1_cryptomap
crypto map outside_map0 1 set peer juniper
crypto map outside_map0 1 set transform-set ESP-3DES-SHA ESP-DES-SHA ESP-DES-MD5 ESP-3DES-MD5
crypto map outside_map0 interface outside
crypto isakmp enable outside
! Phase 1: policy 3 (3DES/SHA/DH group 2) is preferred; policy 10
! (DES/SHA/DH group 2) is the one the Juniper's pre-g2-des-sha proposal
! matches. Both use pre-shared-key authentication.
crypto isakmp policy 3
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
! NOTE(review): telnet (clear-text management) is enabled from 192.168.0.0/23
! on the inside interface. SSH is allowed from any inside address, which makes
! the /23 SSH entry redundant.
telnet 192.168.0.0 255.255.254.0 inside
telnet timeout 5
ssh 192.168.0.0 255.255.254.0 inside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 50
console timeout 0
management-access inside
! Default group policy. These look like the system/wizard defaults for
! remote-access (IPSec, L2TP-over-IPSec, WebVPN) sessions; nothing here
! defines the site-to-site tunnel's proxy IDs or transform sets.
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
! pfs here is a group-policy attribute; the site-to-site map's PFS setting is
! the one on the crypto map.
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
smartcard-removal-disconnect enable
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
! Local users. "admin" is stored nt-encrypted and limited to l2tp-ipsec, which
! looks like a leftover of a remote-access setup; "infocell" is the
! privilege-15 administrative account used for SSH/enable (aaa ... LOCAL).
username admin password Fhz/CER3/llqXbgYdEmKJA== nt-encrypted
username admin attributes
vpn-tunnel-protocol l2tp-ipsec
username infocell password 0E0pnyutmsBk.CZH encrypted privilege 15
! PPP settings for the default remote-access group; not used by the l2l tunnel.
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
no authentication ms-chap-v1
authentication ms-chap-v2
! Site-to-site tunnel-group keyed on the Juniper's peer address. The PSK is
! masked here but must be identical to the "preshare" value on the Juniper
! gateway; rotate it, since that value was posted in clear text.
tunnel-group 10.0.0.3 type ipsec-l2l
tunnel-group 10.0.0.3 ipsec-attributes
pre-shared-key *
!
! Default application-inspection policy as generated by the ASA; it is not
! specific to the VPN.
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
! Checksum written by the ASA at save time; it is not meaningful for a
! hand-edited paste.
Cryptochecksum:db9ed7c51f828bd21baa742d836d3b9d
: end
What did I do wrong?