02-11-2010 05:51 PM
I've configured an SSG140 to form a VPN tunnel to a Cisco ASA. It appears as if the tunnel comes up:
IKE 220.127.116.11 Phase 2 msg ID 47974d9c: Completed negotiations with SPI 4e088288, tunnel ID 2, and lifetime 3600 seconds/4608000 KB.
I cannot ping through the tunnel to hosts on the other side in either direction. It looks like I have all the routing and policies in place to support this. The ASA on the remote side sees the pings in both directions and is passing them through as expected.
I've attached the config file. Any advice would be appreciated.
02-12-2010 04:05 PM
From the configuration, I'm guessing you are setting up a policy-based VPN.
In that case, when you create the policy you need to select "tunnel" as the action and then the Phase 2 name to attach the policy to. Then you check the box to have matching policies so they are a valid pair. This binds the policy to your VPN connection.
The config would look like this:
set policy id 1 name "FromUs" from "Trust" to "Untrust" "Trust_LAN" "TheirLAN" "ANY" tunnel vpn "Connection" id 0x20 policy-pair 2
set policy id 1
set policy id 2 name "FromThem" from "Untrust" to "Trust" "TheirLAN" "Trust_LAN" "ANY" tunnel vpn "Connection" id 0x21 policy-pair 1
set policy id 2
Senior IP Engineer - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
JNCIA-Junos JNCIS-SEC JNCIP-SEC JNCSP-SEC
JNCDA JNCDS-DC JNCDS-SEC
ACE PanOS 6 ACE PanOS 7
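As an added example (not code from either poster), here is a small Python checker that parses ScreenOS "set policy" lines in the format shown in the reply above and reports tunnel policies that are missing a policy-pair, whose pair does not point back, that use a different VPN, or whose pair is not the zone/address mirror; the sample config is constructed, and the line format assumed is exactly the one quoted in the reply.

```python
import re

# Constructed sample ScreenOS policy lines (not from a real device); the first four
# follow the pattern in the reply above, the fifth is deliberately missing policy-pair.
SAMPLE_CONFIG = """\
set policy id 1 name "FromUs" from "Trust" to "Untrust" "Trust_LAN" "TheirLAN" "ANY" tunnel vpn "Connection" id 0x20 policy-pair 2
set policy id 1
set policy id 2 name "FromThem" from "Untrust" to "Trust" "TheirLAN" "Trust_LAN" "ANY" tunnel vpn "Connection" id 0x21 policy-pair 1
set policy id 2
set policy id 3 name "Broken" from "Trust" to "Untrust" "Trust_LAN" "TheirLAN" "ANY" tunnel vpn "Connection" id 0x22
"""

# Matches only the first line of a tunnel policy; the trailing 'id 0x..' and 'policy-pair' are optional.
POLICY_RE = re.compile(
    r'^set policy id (?P<id>\d+) name "(?P<name>[^"]*)" from "(?P<from>[^"]*)" to "(?P<to>[^"]*)" '
    r'"(?P<src>[^"]*)" "(?P<dst>[^"]*)" "(?P<svc>[^"]*)" tunnel vpn "(?P<vpn>[^"]*)"'
    r'(?: id 0x[0-9a-fA-F]+)?(?: policy-pair (?P<pair>\d+))?'
)

def parse_tunnel_policies(config):
    """Map policy id -> fields for every tunnel policy in a ScreenOS config dump."""
    policies = {}
    for line in config.splitlines():
        m = POLICY_RE.match(line.strip())
        if m:
            policies[int(m.group("id"))] = m.groupdict()
    return policies

def check_policy_pairs(config):
    """Return a list of problems; an empty list means every tunnel policy is correctly paired."""
    pols = parse_tunnel_policies(config)
    problems = []
    for pid, p in pols.items():
        if p["pair"] is None:
            problems.append(f"policy {pid}: tunnel policy has no policy-pair")
            continue
        peer = pols.get(int(p["pair"]))
        if peer is None:
            problems.append(f"policy {pid}: policy-pair {p['pair']} is not a tunnel policy")
            continue
        if peer["pair"] is None or int(peer["pair"]) != pid:
            problems.append(f"policy {pid}: peer {p['pair']} does not pair back to it")
        if peer["vpn"] != p["vpn"]:
            problems.append(f"policy {pid}: peer {p['pair']} uses a different VPN ({peer['vpn']})")
        # The pair must be the exact mirror: zones and address books swapped.
        if (peer["from"], peer["to"], peer["src"], peer["dst"]) != (p["to"], p["from"], p["dst"], p["src"]):
            problems.append(f"policy {pid}: peer {p['pair']} is not the zone/address mirror")
    return problems
```

Run check_policy_pairs on the output of "get config" to list the policies that will silently drop tunnel traffic; an empty list means the pairs are consistent.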