L2L VPN

welaish77
Level 1

I want to configure the ASA IOS Version 8.0 to connect to a Juniper Netscreen with the configuration below using an L2L VPN.

Peer IP address 78.93.0.7

Host IP address 213.184.187.200

Pre-shared key: ciscoVPN

Phase 1: preg2-3des-md5

Phase 2: nopfs-esp-3des-md5

Thanks in advance.

Accepted Solution

Add "crypto isakmp identity address"

And double check with the remote end on the phase 1 settings & psk


31 Replies

I tried this example, but the problem is that the other party says no connection hits are coming, and I cannot monitor the ASA to check whether the connection is up or not.

Which end do you have access to?

ASA end

1) Check your "interesting traffic" ACLs for hits.

2) Make sure you have the local-to-remote IP subnets in your "no-nat" ACL.

Issue the commands below:

term mon

debug crypto isakmp 20

debug crypto ipsec 20

Then try to initiate the VPN connection from your side and see what the debug tells you.

HTH>

That was the output:

Sep 02 14:03:39 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Sep 02 14:03:39 [IKEv1]: IP = 78.93.0.6, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Sep 02 14:03:42 [IKEv1]: IP = 78.93.0.6, IKE_DECODE RESENDING Message (msgid=0)with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 152
Sep 02 14:03:42 [IKEv1]: IP = 78.93.0.6, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 64
Sep 02 14:03:42 [IKEv1]: IP = 78.93.0.6, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 64
Sep 02 14:03:42 [IKEv1]: IP = 78.93.0.6, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
Sep 02 14:03:42 [IKEv1]: IP = 78.93.0.6, Information Exchange processing failed
Sep 02 14:03:45 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Sep 02 14:03:45 [IKEv1]: IP = 78.93.0.6, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

OK - you need to check your phase 1 IKE config with the remote end; you are not negotiating phase 1.

Phase 1: preg2-3des-md5:

1) Authentication - PreSharedKey

2) Encryption - 3DES

3) Hash - MD5

Make sure this is the same at both ends.

HTH>
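The debug output posted above shows the ASA resending its phase 1 proposal and then receiving an unencrypted NO_PROPOSAL_CHOSEN notify, which is what Andrew's "you are not negotiating phase 1" diagnosis rests on. The Python script below is added to this thread as an illustration; it is not code from any post or from Cisco. It parses lines in that IKEv1 debug format and reports, per peer IP, whether the negotiation is failing in phase 1 or phase 2. The sample lines are constructed from the output above; the PHASE 1 COMPLETED and PHASE 2 COMPLETED markers are assumed ASA success messages and do not appear in the thread.

```python
import re
from collections import defaultdict

# Constructed sample: modelled on the ASA 8.0 IKEv1 debug lines posted in this thread.
SAMPLE_DEBUG = """\
Sep 02 14:03:39 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Sep 02 14:03:39 [IKEv1]: IP = 78.93.0.6, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Sep 02 14:03:42 [IKEv1]: IP = 78.93.0.6, IKE_DECODE RESENDING Message (msgid=0)with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 152
Sep 02 14:03:42 [IKEv1]: IP = 78.93.0.6, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 64
Sep 02 14:03:42 [IKEv1]: IP = 78.93.0.6, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
Sep 02 14:03:42 [IKEv1]: IP = 78.93.0.6, Information Exchange processing failed
"""

# One debug line: timestamp, [source], optional "IP = a.b.c.d, ", then the message text.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \[(?P<src>[^\]]+)\]: '
    r'(?:IP = (?P<peer>\d+(?:\.\d+){3}), )?(?P<msg>.*)$'
)

# Message fragments that drive the verdict.  NO_PROPOSAL_CHOSEN, KEY-ACQUIRE and
# RESENDING appear in the thread; the two COMPLETED strings are assumed ASA
# success messages and are not taken from the page.
MARKERS = {
    'no_proposal_chosen': 'NO_PROPOSAL_CHOSEN',
    'queued_acquire': 'Queuing KEY-ACQUIRE',
    'resend': 'IKE_DECODE RESENDING',
    'phase1_ok': 'PHASE 1 COMPLETED',
    'phase2_ok': 'PHASE 2 COMPLETED',
}


def parse_debug(text):
    """Return one dict (ts, src, peer, msg) per line that matches the debug format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def triage(text):
    """Count the marker messages per peer IP and derive a verdict for each peer."""
    counts = defaultdict(lambda: {k: 0 for k in MARKERS})
    for ev in parse_debug(text):
        if not ev['peer']:
            continue                      # the local 'Pitcher' lines carry no peer IP
        for key, needle in MARKERS.items():
            if needle in ev['msg']:
                counts[ev['peer']][key] += 1
    report = {}
    for peer, c in counts.items():
        if c['phase2_ok']:
            verdict = 'tunnel up'
        elif c['phase1_ok']:
            verdict = ('phase 2 not established: compare transform set (ESP cipher/HMAC), '
                       'PFS and crypto ACL with the remote end')
        elif c['no_proposal_chosen']:
            # An unencrypted NO_PROPOSAL_CHOSEN arrives before any ISAKMP SA exists,
            # so the peer rejected the phase 1 proposal itself.
            verdict = ('phase 1 proposal rejected: compare ISAKMP policy (auth, encryption, '
                       'hash, DH group), pre-shared key and identity type with the remote end')
        elif c['resend']:
            verdict = 'no usable reply from peer: check reachability and that the peer has an entry for this IP'
        else:
            verdict = 'inconclusive'
        report[peer] = dict(c, verdict=verdict)
    return report


if __name__ == '__main__':
    for peer, r in triage(SAMPLE_DEBUG).items():
        print(peer, r['verdict'])
```

Run it on the captured `debug crypto isakmp` output and it prints one verdict per peer; for the sample it reports the phase 1 rejection. The point of the ordering in `triage` is that a PHASE 2 COMPLETED line outranks everything, a PHASE 1 COMPLETED line moves the suspicion to the IPsec transform set, and an unencrypted NO_PROPOSAL_CHOSEN with no completed phase 1 points at the ISAKMP policy, PSK or identity.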

These are my configurations. The other side is accepting connections from other parties, so I think it is something in my configuration.

Maybe I am missing something.

access-list nonat permit ip 172.19.134.9 255.255.255.255 213.184.187.178 255.255.255.255
nat (inside) 0 access-list nonat
sysopt connection permit-ipsec
isakmp enable outside

Phase I.

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp key knowledge address 78.93.0.6 netmask 255.255.255.255
isakmp policy 10 lifetime 14400

Phase II.

crypto ipsec transform-set jnet_trans esp-3des esp-md5-hmac
crypto map jnet_map 10 set peer 78.93.0.6
crypto map jnet_map 10 set transform-set jnet_trans
crypto map jnet_map 10 match address nonat
crypto map jnet_map 10 ipsec-isakmp
crypto map jnet_map interface outside


Just add "crypto isakmp identity auto"
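The configuration posted above was checked by eye against the Juniper side's parameters (peer address, preg2-3des-md5, nopfs-esp-3des-md5), and the accepted answer added an explicit ISAKMP identity. The Python checker below is added here as an illustration and is not code from any post or from Cisco. It parses the ISAKMP policy, pre-shared key, transform set and crypto map lines out of ASA-style configuration text, translates the two parameter strings into ASA keywords, and lists every mismatch, including a missing `crypto isakmp identity` line. The sample configuration is constructed from the lines posted in the thread; the mapping of the Juniper-style strings to ASA keywords is my reading of them, and the checker treats `isakmp ...` and `crypto isakmp ...` forms alike.

```python
import re

# Constructed sample: the configuration lines posted in this thread, in order, without
# the "Phase I." / "Phase II." labels.
SAMPLE_CONFIG = """\
access-list nonat permit ip 172.19.134.9 255.255.255.255 213.184.187.178 255.255.255.255
nat (inside) 0 access-list nonat
sysopt connection permit-ipsec
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp key knowledge address 78.93.0.6 netmask 255.255.255.255
isakmp policy 10 lifetime 14400
crypto ipsec transform-set jnet_trans esp-3des esp-md5-hmac
crypto map jnet_map 10 set peer 78.93.0.6
crypto map jnet_map 10 set transform-set jnet_trans
crypto map jnet_map 10 match address nonat
crypto map jnet_map 10 ipsec-isakmp
crypto map jnet_map interface outside
"""


def parse_phase1_spec(spec):
    """'preg2-3des-md5' -> ASA isakmp policy keywords: pre-shared key, DH group 2, 3DES, MD5 (assumed mapping)."""
    m = re.fullmatch(r'preg(\d+)-(\w+)-(\w+)', spec)
    if not m:
        raise ValueError(f'unsupported phase 1 spec {spec!r}')
    group, enc, hsh = m.groups()
    return {'authentication': 'pre-share', 'group': group, 'encryption': enc, 'hash': hsh}


def parse_phase2_spec(spec):
    """'nopfs-esp-3des-md5' -> expected transform-set tokens and whether PFS is required (assumed mapping)."""
    m = re.fullmatch(r'(nopfs|pfs(?:g\d+)?)-esp-(\w+)-(\w+)', spec)
    if not m:
        raise ValueError(f'unsupported phase 2 spec {spec!r}')
    pfs, enc, hsh = m.groups()
    return {'pfs': pfs != 'nopfs', 'transform': [f'esp-{enc}', f'esp-{hsh}-hmac']}


def parse_asa(text):
    """Collect the ISAKMP/IPsec objects from ASA config text into one dict."""
    cfg = {'policies': {}, 'keys': {}, 'identity': None, 'transform_sets': {},
           'crypto_maps': {}, 'map_interfaces': {}, 'acls': {}}
    for line in text.splitlines():
        t = line.split()
        if t[:2] == ['crypto', 'isakmp']:
            t = t[1:]                       # normalise 'crypto isakmp ...' to the legacy 'isakmp ...' form
        if not t:
            continue
        if t[:2] == ['isakmp', 'policy']:   # isakmp policy <seq> <attribute> <value>
            cfg['policies'].setdefault(t[2], {})[t[3]] = t[4]
        elif t[:2] == ['isakmp', 'key']:    # isakmp key <psk> address <peer> netmask <mask>
            cfg['keys'][t[4]] = t[2]
        elif t[:2] == ['isakmp', 'identity']:
            cfg['identity'] = t[2]
        elif t[:3] == ['crypto', 'ipsec', 'transform-set']:
            cfg['transform_sets'][t[3]] = t[4:]
        elif t[:2] == ['crypto', 'map'] and t[3] == 'interface':
            cfg['map_interfaces'][t[2]] = t[4]
        elif t[:2] == ['crypto', 'map']:    # crypto map <name> <seq> ...
            entry = cfg['crypto_maps'].setdefault((t[2], t[3]), {})
            if t[4] == 'set':               # set peer X | set transform-set Y | set pfs [groupN]
                entry[t[5]] = t[6] if len(t) > 6 else True
            elif t[4] == 'match':           # match address <acl>
                entry['match'] = t[6]
            else:                           # ipsec-isakmp / ipsec-manual
                entry['type'] = t[4]
        elif t[0] == 'access-list':
            cfg['acls'].setdefault(t[1], []).append(t[2:])
    return cfg


def check(cfg, peer_ip, phase1, phase2):
    """Return a list of findings; an empty list means the config agrees with the stated parameters."""
    findings = []
    want1 = parse_phase1_spec(phase1)
    if not any(all(p.get(k) == v for k, v in want1.items()) for p in cfg['policies'].values()):
        findings.append(f'no isakmp policy matches phase 1 {phase1} (need {want1})')
    if peer_ip not in cfg['keys']:
        findings.append(f'no isakmp key bound to peer {peer_ip}')
    if cfg['identity'] is None:
        findings.append("isakmp identity not set explicitly; the accepted answer adds 'crypto isakmp identity address'")
    want2 = parse_phase2_spec(phase2)
    entries = [(name, e) for name, e in cfg['crypto_maps'].items() if e.get('peer') == peer_ip]
    if not entries:
        findings.append(f'no crypto map entry sets peer {peer_ip}')
    for (map_name, seq), e in entries:
        where = f'crypto map {map_name} {seq}'
        ts = cfg['transform_sets'].get(e.get('transform-set'), [])
        if ts != want2['transform']:
            findings.append(f'{where}: transform-set {ts} does not match phase 2 {phase2} (need {want2["transform"]})')
        if bool(e.get('pfs')) != want2['pfs']:
            findings.append(f'{where}: PFS setting does not match phase 2 {phase2}')
        if e.get('match') not in cfg['acls']:
            findings.append(f'{where}: match address refers to an undefined ACL {e.get("match")!r}')
        if map_name not in cfg['map_interfaces']:
            findings.append(f'{where}: crypto map {map_name} is not applied to any interface')
    return findings


if __name__ == '__main__':
    for f in check(parse_asa(SAMPLE_CONFIG), '78.93.0.6', 'preg2-3des-md5', 'nopfs-esp-3des-md5'):
        print('FINDING:', f)
```

On the posted configuration the only finding is the missing identity line; appending `crypto isakmp identity address` clears it. The checker deliberately compares the whole ISAKMP policy (authentication, encryption, hash and DH group together) against the remote end's phase 1 string, since a single differing attribute is enough to produce the NO_PROPOSAL_CHOSEN seen in the debug output.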

Thanks Andrew, I really appreciate it.

np - glad to help.

Andrew,

I am facing another problem with the VPN. How can I make the other side ping my host, or access a service on a certain port?

Make the other side ping your host?? You tell them to ping your host?

You can apply an access-list that matches the source traffic from the remote end to your local side and apply it to the inside interface in the "outbound" direction; you can base this on src IP, dest IP, src TCP/UDP port and dst TCP/UDP port.

HTH>
