asa to netscreen with dynamic IP

Unanswered Question
Sep 25th, 2007

Hi, has anyone set up an L2L VPN to a NetScreen 5XP which uses a dynamic address? We are using one with a dynamic crypto map configured on the PIX and aggressive mode on the NetScreen. The PIX is trying to authenticate the NetScreen against the defaultRAGroup, not the group set up for this connection. I have seen a similar problem posted here but with no solution other than getting the client to use a static IP. Here are the relevant config bits. Thanks in advance.

tunnel-group netscreen type ipsec-l2l
tunnel-group netscreen ipsec-attributes
 pre-shared-key *
crypto dynamic-map L2LDYN-MAP 10 match address IPSEC-netscreen
crypto dynamic-map L2LDYN-MAP 10 set pfs
crypto dynamic-map L2LDYN-MAP 10 set transform-set DYN-SET
crypto dynamic-map L2LDYN-MAP 10 set security-association lifetime seconds 3600
crypto ipsec transform-set DYN-SET esp-3des esp-sha-hmac
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 3600
