ScreenOS

  • 1.  VPN SSG320 and Cisco 2800 router

    Posted 09-02-2011 16:18

     

    I have a problem establishing the VPN between a Cisco 2800 router and an SSG 320M.

    Can someone help me please? The configuration follows.

     

     encr 3des
     authentication pre-share
     group 2
     lifetime 28800
    crypto isakmp key password address 83.206.43.38
    !
    crypto ipsec transform-set aes-sha esp-aes esp-md5-hmac
    !
    crypto map ipsec-remoteoffice 11 ipsec-isakmp
     set peer 83.206.43.38
     set transform-set aes-sha
     set pfs group2
     match address 101

    access-list 101 permit ip 172.16.0.0 0.0.0.255 192.168.0.0 0.0.1.255

    interface f 1/0
     description outside_interface
     crypto map ipsec-remoteoffice

    Juniper Site :


    set address "Trust" "local" 192.168.0.0 255.255.254.0
    set address "Untrust" "remote" 172.16.0.0 255.255.255.0

    set ike p2-proposal "cisco" group2 esp aes128 md5 second 3600
    set ike gateway "Mountain View" address 217.126.54.74 Main outgoing-interface "ethernet0/0" preshare "password" proposal "pre-g2-3des-sha"
    set vpn "Moco-MV" gateway "Mountain View" replay tunnel idletime 0 proposal "cisco"
    set vpn "Moco-MV" proxy-id local-ip 192.168.0.0/23 remote-ip 172.16.0.0/24 "ANY"

    set policy id 9 from "Untrust" to "Trust"  "remote" "local" "ANY" tunnel vpn "Moco-MV" id 1 pair-policy 8 log
    set policy id 8 from "Trust" to "Untrust"  "local" "remote" "ANY" tunnel vpn "Moco-MV" id 1 pair-policy 9 log



  • 2.  RE: VPN SSG320 and Cisco 2800 router

    Posted 09-03-2011 05:52

    I would double-check that the encryption packages match.  I don't really know Cisco, but it looks like you are using md5 for phase 1 on the Cisco side and 3des on the Juniper.

     

    Also we don't see what the parameters are in the custom phase 2 crypto package "cisco" on the Juniper.  Make sure they match those on the Cisco side.  It looks like you have pfs enabled there so be sure that is in the Juniper package.

     

    Usually troubleshooting VPN connections is easier from the error logs and the status of the tunnel.  Check out kb9221, which walks through the potential issues and what to look for on the Juniper side.

     

    http://kb.juniper.net/kb/documents/public/resolution_path/J_visio_kb9221.htm
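The mismatch check suggested above (phase 1 and phase 2 parameters, PFS, and the proxy-ID mirroring the Cisco ACL from the first post) can be automated rather than eyeballed. The script below is an added example, not code from the thread or from Juniper or Cisco. The embedded configs are constructed from the two posted fragments: the Cisco `crypto isakmp policy 10` header is assumed because the post does not show it, the isakmp `hash` is left at the IOS default (sha) because none was posted, and the table of ScreenOS predefined phase-1 proposals is a subset with the ScreenOS default lifetime of 28800 s. Anything not in the thread (the helper names, the `no-pfs` handling, the default lifetimes) is this example's own assumption.

```python
"""Cross-check IKE phase 1 / IPsec phase 2 settings between a Cisco IOS crypto
config and a ScreenOS (SSG) config.  Added example; both sample configs are
constructed from the forum thread (see the lead-in for what is assumed)."""
import ipaddress
import shlex

# Constructed Cisco side. The policy header is assumed; 'hash' is not shown in
# the post, so the IOS default (sha) applies.
CISCO_CFG = """\
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key password address 83.206.43.38
crypto ipsec transform-set aes-sha esp-aes esp-md5-hmac
crypto map ipsec-remoteoffice 11 ipsec-isakmp
 set peer 83.206.43.38
 set transform-set aes-sha
 set pfs group2
 match address 101
access-list 101 permit ip 172.16.0.0 0.0.0.255 192.168.0.0 0.0.1.255
"""

# Constructed ScreenOS side (the lines relevant to the proposals and proxy-id).
SCREENOS_CFG = """\
set ike p2-proposal "cisco" group2 esp aes128 md5 second 3600
set ike gateway "Mountain View" address 217.126.54.74 Main outgoing-interface "ethernet0/0" preshare "password" proposal "pre-g2-3des-sha"
set vpn "Moco-MV" gateway "Mountain View" replay tunnel idletime 0 proposal "cisco"
set vpn "Moco-MV" proxy-id local-ip 192.168.0.0/23 remote-ip 172.16.0.0/24 "ANY"
"""

# Subset of ScreenOS predefined phase-1 proposals; lifetime assumed to be the
# ScreenOS default of 28800 s.
PREDEFINED_P1 = {
    "pre-g2-3des-sha": dict(auth="pre-share", group="2", encr="3des", hash="sha", lifetime="28800"),
    "pre-g2-3des-md5": dict(auth="pre-share", group="2", encr="3des", hash="md5", lifetime="28800"),
    "pre-g2-aes128-sha": dict(auth="pre-share", group="2", encr="aes128", hash="sha", lifetime="28800"),
}


def _after(tokens, key, default=None):
    """Token following `key` in a tokenised config line, or `default`."""
    return tokens[tokens.index(key) + 1] if key in tokens else default


def parse_cisco(cfg):
    """Return (phase1, phase2, acl) with IOS defaults filled in where unset."""
    p1 = dict(auth=None, group=None, encr=None, hash="sha", lifetime="86400")
    p2 = dict(encr=None, hash=None, pfs="none", lifetime="3600")
    acl, section = None, None
    for line in cfg.splitlines():
        t = line.split()
        if not t:
            continue
        if line.startswith("crypto isakmp policy"):
            section = "p1"
        elif line.startswith("crypto map"):
            section = "map"
        elif line.startswith("crypto ipsec transform-set"):
            algs = t[3:]
            for i, a in enumerate(algs):
                if a.endswith("-hmac"):            # esp-md5-hmac -> md5
                    p2["hash"] = a[4:-5]
                elif a == "esp-aes":               # 'esp-aes' or 'esp-aes 256'
                    bits = algs[i + 1] if i + 1 < len(algs) and algs[i + 1].isdigit() else "128"
                    p2["encr"] = "aes" + bits
                elif a in ("esp-3des", "esp-des"):
                    p2["encr"] = a[4:]
        elif line.startswith("crypto ipsec security-association lifetime seconds"):
            p2["lifetime"] = t[-1]
        elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            # ipaddress accepts Cisco wildcard masks as hostmasks
            acl = (ipaddress.ip_network(f"{t[4]}/{t[5]}"), ipaddress.ip_network(f"{t[6]}/{t[7]}"))
        elif section == "p1" and line.startswith(" "):
            if t[0].startswith("encr"):
                p1["encr"] = ("aes" + (t[2] if len(t) > 2 else "128")) if t[1] == "aes" else t[1]
            elif t[0] in ("hash", "group", "lifetime"):
                p1[t[0]] = t[1]
            elif t[0] == "authentication":
                p1["auth"] = t[1]
        elif section == "map" and t[:2] == ["set", "pfs"]:
            p2["pfs"] = t[2].replace("group", "")
    return p1, p2, acl


def parse_screenos(cfg):
    """Return (phase1, phase2, proxy_id) for the single VPN in the config."""
    p1s, p2s, gw_prop, vpn_prop, proxy = dict(PREDEFINED_P1), {}, {}, {}, None
    for line in cfg.splitlines():
        t = shlex.split(line)
        if t[:3] == ["set", "ike", "p1-proposal"]:   # NAME preshare groupN esp ENC HASH second N
            p1s[t[3]] = dict(auth="pre-share" if t[4] == "preshare" else t[4],
                             group=t[5].replace("group", ""), encr=t[7], hash=t[8],
                             lifetime=_after(t, "second", "28800"))
        elif t[:3] == ["set", "ike", "p2-proposal"]:  # NAME groupN|no-pfs esp ENC HASH second N
            p2s[t[3]] = dict(pfs="none" if t[4] == "no-pfs" else t[4].replace("group", ""),
                             encr=t[6], hash=t[7], lifetime=_after(t, "second", "3600"))
        elif t[:3] == ["set", "ike", "gateway"]:
            gw_prop[t[3]] = _after(t, "proposal")
        elif t[:2] == ["set", "vpn"] and "gateway" in t:
            vpn_prop[t[2]] = (_after(t, "gateway"), _after(t, "proposal"))
        elif t[:2] == ["set", "vpn"] and "proxy-id" in t:
            proxy = (ipaddress.ip_network(_after(t, "local-ip")),
                     ipaddress.ip_network(_after(t, "remote-ip")))
    gw, p2name = next(iter(vpn_prop.values()))
    return p1s[gw_prop[gw]], p2s[p2name], proxy


def check_configs(cisco_cfg, screenos_cfg):
    """List of human-readable mismatches; an empty list means both sides agree."""
    c_p1, c_p2, c_acl = parse_cisco(cisco_cfg)
    s_p1, s_p2, s_proxy = parse_screenos(screenos_cfg)
    issues = []
    for key in ("auth", "group", "encr", "hash", "lifetime"):
        if c_p1[key] != s_p1[key]:
            issues.append(f"phase1 {key}: cisco={c_p1[key]} screenos={s_p1[key]}")
    for key in ("pfs", "encr", "hash", "lifetime"):
        if c_p2[key] != s_p2[key]:
            issues.append(f"phase2 {key}: cisco={c_p2[key]} screenos={s_p2[key]}")
    # The Cisco ACL (src -> dst) must be the mirror image of the ScreenOS proxy-id (local, remote).
    if c_acl is None or s_proxy is None or c_acl != (s_proxy[1], s_proxy[0]):
        issues.append(f"proxy-id: cisco acl={c_acl} screenos proxy-id={s_proxy}")
    return issues


if __name__ == "__main__":
    for issue in check_configs(CISCO_CFG, SCREENOS_CFG) or ["no mismatches found"]:
        print(issue)
```

Run against the constructed pair above, the checker reports no mismatch: phase 1 is pre-share/group 2/3des/sha/28800 on both sides, phase 2 is aes128/md5/PFS group 2/3600 on both, and the ACL mirrors the proxy-ID. Flip one side (for example `esp-md5-hmac` to `esp-sha-hmac` on the Cisco, or add `hash md5` to the isakmp policy) and the offending parameter is named, which is the kind of finding to carry into the `get sa` / kb9221 steps rather than guessing from the logs.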



  • 3.  RE: VPN SSG320 and Cisco 2800 router

    Posted 09-03-2011 06:24

    Thank you for the answer, but I tried changing the MD5 and 3DES and it's always the same. I would like to know what we can use to bring up a VPN on a classic ADSL line, a Livebox for example; see this schema. Thanks in advance.

    Attachment(s)



  • 4.  RE: VPN SSG320 and Cisco 2800 router
    Best Answer

    Posted 09-04-2011 06:56

    If there is nothing obviously mismatched in the configurations, you will need to follow this troubleshooting process to narrow down the issue.

     

    Please open kb9221 for the decision tree.

     

    http://kb.juniper.net/kb/documents/public/resolution_path/J_visio_kb9221.htm

     

    Then start by testing "Tunnel SA Active?" using the "get sa" command as described in kb6134, linked from the decision box.  Based on the output there, you follow down to the next step in the decision tree, and so on, until the problem is isolated.