JuniperForum.com
July 29, 2010, 07:56:07 PM
Author Topic: IPSEC VPN from a Juniper M20 to a Cisco ASA  (Read 1054 times)
caomhinmaye77
« on: October 09, 2009, 08:46:19 AM »

Hi, has anyone ever successfully established an IPSEC VPN tunnel from an M20 router to a Cisco ASA device? There seems to be some issue with the access list on the ASA; I'm just wondering how I set up the access list equivalent on the Juniper. I currently have:

[edit services ipsec-vpn rule Corp_CRH-ipsec]
maye_k@G19-RE1# show
term term1 {
    from {
        source-address {
            10.99.99.0/24;
        }
        destination-address {
            10.20.20.0/24;
        }
    }
    then {
        syslog;
        remote-gateway 159.134.95.215;
        dynamic {
            ike-policy ikepolicy_corp_CRH-ipsec;
            ipsec-policy ipsec-policy_corp_CRH-ipsec;
        }
        clear-dont-fragment-bit;
        tunnel-mtu 1500;
    }
}
match-direction input;
signal15
« Reply #1 on: October 09, 2009, 10:08:17 AM »

What does the cisco side look like?
caomhinmaye77
« Reply #2 on: October 12, 2009, 02:53:06 AM »

Hi there, I haven't got the full config, but their relevant access lists are:

name 213.191.235.242 O2_APN_FW
name 10.99.99.0 O2_APN_Subnet
!

access-list inside_nat0_outbound extended permit ip ERP_Subnet 255.255.255.0 O2_APN_Subnet 255.255.255.0
!

access-list CRYPTO_O2_APNVPN extended permit ip ERP_Subnet 255.255.255.0 O2_APN_Subnet 255.255.255.0
access-list FILTER_O2_APNVPN extended permit tcp O2_APN_Subnet 255.255.255.0 host crhctrak eq www
access-list FILTER_O2_APNVPN extended permit tcp O2_APN_Subnet 255.255.255.0 host crhctx01 eq www
!

route outside O2_APN_Subnet 255.255.255.0 159.134.95.209 1
!
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

!

crypto map outside_map0 99 match address CRYPTO_O2_APNVPN
crypto map outside_map0 99 set peer O2_APN_FW
crypto map outside_map0 99 set transform-set ESP-3DES-
crypto map outside_map0 99 set security-association lifetime seconds 64800
crypto map outside_map0 99 set security-association lifetime kilobytes 4608000

!

tunnel-group 213.191.235.242 type ipsec-l2l
tunnel-group 213.191.235.242 general-attributes
 default-group-policy GrpPolicy_O2APN
tunnel-group 213.191.235.242 ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck
!
group-policy GrpPolicy_O2APN internal
group-policy GrpPolicy_O2APN attributes
 vpn-tunnel-protocol IPSec


cheers,
caomhinmaye77
« Reply #3 on: October 13, 2009, 09:23:43 AM »

Oct 13 15:13:18 asafw01 %ASA-5-713119: Group = 213.191.235.242, IP = 213.191.235.242, PHASE 1 COMPLETED
Oct 13 15:13:18 asafw01 %ASA-7-713121: IP = 213.191.235.242, Keep-alive type for this connection: None
Oct 13 15:13:18 asafw01 %ASA-7-715080: Group = 213.191.235.242, IP = 213.191.235.242, Starting P1 rekey timer: 48600 seconds.
Oct 13 15:13:18 asafw01 %ASA-7-714003: IP = 213.191.235.242, IKE Responder starting QM: msg id = e8d13989
Oct 13 15:13:18 asafw01 %ASA-7-713236: IP = 213.191.235.242, IKE_DECODE RECEIVED Message (msgid=e8d13989) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NONE (0) total length : 332
Oct 13 15:13:18 asafw01 %ASA-7-715047: Group = 213.191.235.242, IP = 213.191.235.242, processing hash payload
Oct 13 15:13:18 asafw01 %ASA-7-715047: Group = 213.191.235.242, IP = 213.191.235.242, processing SA payload
Oct 13 15:13:18 asafw01 %ASA-7-715047: Group = 213.191.235.242, IP = 213.191.235.242, processing nonce payload
Oct 13 15:13:18 asafw01 %ASA-7-715047: Group = 213.191.235.242, IP = 213.191.235.242, processing ke payload
Oct 13 15:13:18 asafw01 %ASA-7-713906: Group = 213.191.235.242, IP = 213.191.235.242, processing ISA_KE for PFS in phase 2
Oct 13 15:13:18 asafw01 %ASA-7-715047: Group = 213.191.235.242, IP = 213.191.235.242, processing ID payload
Oct 13 15:13:18 asafw01 %ASA-7-714011: Group = 213.191.235.242, IP = 213.191.235.242, ID_IPV4_ADDR_SUBNET ID received--10.99.99.0--255.255.255.0
Oct 13 15:13:18 asafw01 %ASA-7-713035: Group = 213.191.235.242, IP = 213.191.235.242, Received remote IP Proxy Subnet data in ID Payload:   Address 10.99.99.0, Mask 255.255.255.0, Protocol 0, Port 0
Oct 13 15:13:18 asafw01 %ASA-7-715047: Group = 213.191.235.242, IP = 213.191.235.242, processing ID payload
Oct 13 15:13:18 asafw01 %ASA-7-714011: Group = 213.191.235.242, IP = 213.191.235.242, ID_IPV4_ADDR_SUBNET ID received--10.20.20.0--255.255.255.0
Oct 13 15:13:18 asafw01 %ASA-7-713034: Group = 213.191.235.242, IP = 213.191.235.242, Received local IP Proxy Subnet data in ID Payload:   Address 10.20.20.0, Mask 255.255.255.0, Protocol 0, Port 0
Oct 13 15:13:18 asafw01 %ASA-7-713906: Group = 213.191.235.242, IP = 213.191.235.242, QM IsRekeyed old sa not found by addr
Oct 13 15:13:18 asafw01 %ASA-7-713221: Group = 213.191.235.242, IP = 213.191.235.242, Static Crypto Map check, checking map = outside_map0, seq = 99...
Oct 13 15:13:18 asafw01 %ASA-7-713225: Group = 213.191.235.242, IP = 213.191.235.242, Static Crypto Map check, map outside_map0, seq = 99 is a successful match
Oct 13 15:13:18 asafw01 %ASA-7-713066: Group = 213.191.235.242, IP = 213.191.235.242, IKE Remote Peer configured for crypto map: outside_map0
Oct 13 15:13:18 asafw01 %ASA-7-715047: Group = 213.191.235.242, IP = 213.191.235.242, processing IPSec SA payload
Oct 13 15:13:18 asafw01 %ASA-5-713904: Group = 213.191.235.242, IP = 213.191.235.242, All IPSec SA proposals found unacceptable!
Oct 13 15:13:18 asafw01 %ASA-7-713906: Group = 213.191.235.242, IP = 213.191.235.242, sending notify message
Oct 13 15:13:18 asafw01 %ASA-7-715046: Group = 213.191.235.242, IP = 213.191.235.242, constructing blank hash payload
Oct 13 15:13:18 asafw01 %ASA-7-713906: Group = 213.191.235.242, IP = 213.191.235.242, constructing ipsec notify payload for msg id e8d13989
Oct 13 15:13:18 asafw01 %ASA-3-713902: Group = 213.191.235.242, IP = 213.191.235.242, QM FSM error (P2 struct &0xcd712450, mess id 0xe8d13989)!
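The debug output in the last post already pins the failure down: Phase 1 completed, both proxy IDs (10.99.99.0/24 and 10.20.20.0/24) were received and matched crypto map outside_map0 seq 99, and then the ASA rejected every ESP proposal (713904, followed by the QM FSM error). That leaves the Phase 2 parameters themselves: the transform set bound to seq 99, PFS (the peer sent a KE payload in Quick Mode), and SA lifetimes. The script below is an added example, not code from the thread or from either vendor: it reduces ASA IKE debug lines to those facts, and it maps Junos `services ipsec-vpn ipsec proposal` algorithm names onto ASA transform-set keywords so the two sides can be compared mechanically. The log lines and transform sets are copied from the posts above; the Junos proposal used in the `__main__` block is an assumption, because the thread never shows the actual ipsec-policy/proposal on the M20.

```python
"""Triage an ASA IKEv1 debug log and check Junos <-> ASA ESP proposal compatibility."""
import re

# Log lines copied from the ASA debug output posted above (IKEv1, ASA as responder).
ASA_LOG = """\
Oct 13 15:13:18 asafw01 %ASA-5-713119: Group = 213.191.235.242, IP = 213.191.235.242, PHASE 1 COMPLETED
Oct 13 15:13:18 asafw01 %ASA-7-713906: Group = 213.191.235.242, IP = 213.191.235.242, processing ISA_KE for PFS in phase 2
Oct 13 15:13:18 asafw01 %ASA-7-713035: Group = 213.191.235.242, IP = 213.191.235.242, Received remote IP Proxy Subnet data in ID Payload:   Address 10.99.99.0, Mask 255.255.255.0, Protocol 0, Port 0
Oct 13 15:13:18 asafw01 %ASA-7-713034: Group = 213.191.235.242, IP = 213.191.235.242, Received local IP Proxy Subnet data in ID Payload:   Address 10.20.20.0, Mask 255.255.255.0, Protocol 0, Port 0
Oct 13 15:13:18 asafw01 %ASA-7-713225: Group = 213.191.235.242, IP = 213.191.235.242, Static Crypto Map check, map outside_map0, seq = 99 is a successful match
Oct 13 15:13:18 asafw01 %ASA-5-713904: Group = 213.191.235.242, IP = 213.191.235.242, All IPSec SA proposals found unacceptable!
Oct 13 15:13:18 asafw01 %ASA-3-713902: Group = 213.191.235.242, IP = 213.191.235.242, QM FSM error (P2 struct &0xcd712450, mess id 0xe8d13989)!
"""

# Transform sets copied from the ASA config posted above.
ASA_CONFIG = """\
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
"""

MSG_RE = re.compile(r"%ASA-\d-(\d{6}): (.*)$")
PROXY_RE = re.compile(r"Received (remote|local) IP Proxy Subnet data in ID Payload:\s+Address (\S+), Mask (\S+),")
MAP_RE = re.compile(r"map (\S+), seq = (\d+) is a successful match")
TRANSFORM_RE = re.compile(r"^crypto ipsec transform-set (\S+) (\S+) (\S+)\s*$", re.M)

# Junos (services ipsec-vpn ipsec proposal) algorithm names -> ASA transform-set keywords.
JUNOS_TO_ASA_ENC = {"des-cbc": "esp-des", "3des-cbc": "esp-3des", "aes-128-cbc": "esp-aes",
                    "aes-192-cbc": "esp-aes-192", "aes-256-cbc": "esp-aes-256"}
JUNOS_TO_ASA_AUTH = {"hmac-md5-96": "esp-md5-hmac", "hmac-sha1-96": "esp-sha-hmac"}


def triage_asa_log(text):
    """Reduce an ASA IKE debug log to the facts that decide where a tunnel failed."""
    r = {"phase1": False, "pfs_proposed": False, "proxy": {},
         "crypto_map_match": None, "phase2_error": None}
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        msgid, body = m.groups()
        if msgid == "713119":                      # PHASE 1 COMPLETED
            r["phase1"] = True
        elif msgid in ("713034", "713035"):        # proxy IDs (local/remote) sent by the peer
            p = PROXY_RE.search(body)
            if p:
                r["proxy"][p.group(1)] = p.group(2) + "/" + p.group(3)
        elif msgid == "713225":                    # a crypto map ACL matched the proxy IDs
            mm = MAP_RE.search(body)
            if mm:
                r["crypto_map_match"] = (mm.group(1), int(mm.group(2)))
        elif msgid == "713904":                    # no acceptable ESP proposal
            r["phase2_error"] = "proposal_mismatch"
        elif "ISA_KE for PFS" in body:             # peer sent a KE payload in Quick Mode
            r["pfs_proposed"] = True
    return r


def diagnose(r):
    """Turn triage facts into the next thing to compare on the two peers."""
    if not r["phase1"]:
        return "Phase 1 did not complete: compare IKE policy (encryption, hash, DH group, PSK, lifetime)."
    if r["crypto_map_match"] is None:
        return "Phase 2 proxy IDs %s matched no crypto-map ACL." % r["proxy"]
    if r["phase2_error"] == "proposal_mismatch":
        name, seq = r["crypto_map_match"]
        checks = ["transform set(s) bound to crypto map %s seq %d" % (name, seq), "SA lifetimes"]
        if r["pfs_proposed"]:
            checks.append("PFS group (peer proposed PFS)")
        return "Phase 1 up and proxy IDs accepted; ESP proposal rejected. Compare: " + "; ".join(checks) + "."
    return "No Phase 2 failure recorded."


def parse_transform_sets(config):
    """Map ASA transform-set name -> (encryption keyword, authentication keyword)."""
    return {name: (enc, auth) for name, enc, auth in TRANSFORM_RE.findall(config)}


def matching_transform_sets(junos_proposal, transform_sets):
    """Return the ASA transform-set names equivalent to a Junos ESP proposal."""
    want = (JUNOS_TO_ASA_ENC[junos_proposal["encryption-algorithm"]],
            JUNOS_TO_ASA_AUTH[junos_proposal["authentication-algorithm"]])
    return sorted(n for n, algs in transform_sets.items() if algs == want)


if __name__ == "__main__":
    facts = triage_asa_log(ASA_LOG)
    print(diagnose(facts))
    # Hypothetical Junos proposal: the thread does not show the M20's actual ipsec proposal.
    proposal = {"protocol": "esp", "encryption-algorithm": "3des-cbc",
                "authentication-algorithm": "hmac-md5-96"}
    print("ASA transform sets matching the Junos proposal:",
          matching_transform_sets(proposal, parse_transform_sets(ASA_CONFIG)))
```

The name mapping only covers what both platforms spell differently for IKEv1 ESP; a match on algorithms is necessary but not sufficient, since the ASA crypto map entry binds specific transform sets (the one referenced on seq 99 is cut off in the post), and a PFS group or lifetime that only one side proposes still produces the same 713904 message.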