L2L VPN with PIX525 and Juniper

Unanswered Question
Jan 7th, 2009

Hi,

My PIX525 firewall is configured for a site-to-site (S2S) VPN with a Juniper firewall at the other end (three other S2S VPNs are already configured on it).

The problem I'm now facing is that although the tunnel comes up, no traffic can pass end to end.

When I ran sh crypto ipsec sa I saw the following:

pixfirewall(config)# sh crypto ipsec sa

interface: outside

    Crypto map tag: dyngroup, seq num: 30, local addr: 212.77.203.226

      local ident (addr/mask/prot/port): (FIX_CLNT_TST1/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (192.168.36.2/255.255.255.255/0/0)
      current_peer: 86.51.9.254

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 247, #pkts decrypt: 247, #pkts verify: 247
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 228

Can anyone advise me why I'm not able to ping/access the LAN on the other side (the Juniper firewall side)? I also want to make sure there's nothing wrong on my side (my configuration).

Thanks in advance.

For ready reference I have attached the VPN configuration from my PIX firewall.

Ivan Martinon Fri, 01/09/2009 - 11:46

Hi, as you can see in the show crypto output:

Crypto map tag: dyngroup,

the matched crypto map is a dynamic map, which I assume from the name. The uploaded configuration shows that this should be using a static crypto map rather than this dynamic one.

What happens here is that the SA offer the Juniper sends does not match what the PIX has configured: in your configuration you have the match address using TCP ports (which is not supported by Cisco), but the SA created is using port 0:

local ident (addr/mask/prot/port): (FIX_CLNT_TST1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (192.168.36.2/255.255.255.255/0/0)

which means that the offer is made with protocol IP (0) rather than TCP (6).

You need to change the match address on your PIX to match IP rather than TCP.

pemasirid Wed, 01/14/2009 - 13:10

Hi Imartino,

Many thanks for your reply, and apologies for the delay in responding.

Yes, the 'sh crypto ipsec sa' output still shows the Crypto map tag as dyngroup, which is configured for remote-access VPN.

I changed the static crypto map name to outside_map with seq 10, but it still shows the Crypto map tag as dyngroup with its seq no. (30).

I have changed the ACL to IP level rather than TCP, but there was no luck. However, the customer doesn't want to allow IP level and only wants to allow access to the particular ports (4444 and 4445).

I can see only the local ident side, #pkts decaps: 52, #pkts decrypt: 52, #pkts verify: 52 (one side), with some error packets.

Please suggest a solution to resolve this issue. The sh crypto ipsec sa output is attached.

Thanks in advance.

balint.pal Thu, 01/15/2009 - 03:12

Hi,

Is your FIX_CLNT_TST1 server in the nonat ACL already?

Use "sh xlate" for more info.
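The two checks raised in this thread (Ivan Martinon's point that the crypto ACL must match IP, not TCP ports, and balint.pal's question about the nonat ACL) as one PIX 7.x configuration fragment. This is an added example, not the poster's attached configuration: the host address behind the name FIX_CLNT_TST1, the transform set, the ACL names and the sequence number of the dynamic entry are assumptions; the peer 86.51.9.254, the host 192.168.36.2, outside_map seq 10 and dyngroup seq 30 come from the thread.

```cisco
! Added example; placeholder address for the name used in the thread.
name 10.0.0.10 FIX_CLNT_TST1

! BEFORE: crypto ACL keyed on TCP ports 4444/4445. The Juniper proposes proxy IDs
! of host/host, protocol 0, port 0, so this entry never matches and the SA falls
! through to the dynamic map "dyngroup" (seq 30), as the show output reveals.
access-list outside_cryptomap_10 extended permit tcp host FIX_CLNT_TST1 host 192.168.36.2 eq 4444
access-list outside_cryptomap_10 extended permit tcp host FIX_CLNT_TST1 host 192.168.36.2 eq 4445

! AFTER: match on IP so both peers agree on the proxy IDs
! (FIX_CLNT_TST1/32 <-> 192.168.36.2/32, protocol 0, port 0).
no access-list outside_cryptomap_10 extended permit tcp host FIX_CLNT_TST1 host 192.168.36.2 eq 4444
no access-list outside_cryptomap_10 extended permit tcp host FIX_CLNT_TST1 host 192.168.36.2 eq 4445
access-list outside_cryptomap_10 extended permit ip host FIX_CLNT_TST1 host 192.168.36.2

! NAT exemption for the tunnel traffic (the nonat check). Without it the inside
! source is translated before the crypto ACL is evaluated and never matches.
access-list nonat extended permit ip host FIX_CLNT_TST1 host 192.168.36.2
nat (inside) 0 access-list nonat

! Static entry for this peer; it must sit at a lower sequence than the dynamic
! entry so it is evaluated first. Transform set name is an assumption.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 86.51.9.254
crypto map outside_map 10 set transform-set ESP-3DES-SHA

! Remote-access (dynamic) entry; the 65535 sequence is an assumption.
crypto dynamic-map dyngroup 30 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic dyngroup
crypto map outside_map interface outside
```

After clearing the SA (clear crypto ipsec sa peer 86.51.9.254) and sending traffic from the host, show crypto ipsec sa should report "Crypto map tag: outside_map, seq num: 10" with the encaps counter rising alongside decaps; show xlate should show no translation for FIX_CLNT_TST1 toward 192.168.36.2. If the customer truly needs only ports 4444/4445, that restriction belongs in a vpn-filter or interface access list rather than in the crypto ACL, because the proxy IDs have to be identical on both peers (an added suggestion, not something stated in the thread).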
