VPN between 6500 Sup720 with SPA accelerated card and NetScreen.

geraldjacksontx
Level 1

I have at least 20 other VPNs to Cisco IOS routers and ASAs with similar configuration, but this connection from my side gets the following.

When I initiate the connection, debug crypto shows:

peer does not accept paranoid keepalive.

and it deletes the connection after Phase 1.

When the NetScreen initiates the connection, it gets to Phase 2 and QM_IDLE.

I am working with the other end to try to get a debug when he tries to connect.

When I have seen this in the past, I just added crypto isakmp keepalive 30.

The NetScreen setup is:

External interface 3.3.3.14
VPN Peer 4.4.4.34
ESP-3DES-MD5
Encryption 3DES
Hash MD5
Group 2
2.2.2.145 Remote Server
3.3.3.184 Internal server
Preshared Key XXXX

Cisco configuration is a 6500 Sup720 with SPA-IPSEC-2G, version 12.2(18)SXF17a:

crypto isakmp key XXXX address 3.3.3.14
crypto ipsec transform-set 3des esp-3des esp-md5-hmac
 mode transport
crypto isakmp policy 10
 encryption 3des
 hash md5
 authentication pre-share
crypto map IPSecTunnel 80 ipsec-isakmp
 description VPN_NetScreen
 set peer 3.3.3.14
 set transform-set 3des
 match address CryptoMap_NetScreen
ip access-list extended CryptoMap_NetScreen
 permit ip host 2.2.2.145 host 3.3.3.184
 permit udp host 4.4.4.34 eq isakmp 3.3.3.14


Yudong Wu
Level 7

You might need to remove "Permit udp host 4.4.4.34 eq isakmp 3.3.3.14" from CAT6500 side.

Please provide the debug output if you would like us to troubleshoot it.

I found the problem on my side anyway.

You need to set pfs group2 if you are using group 2 DH.

At least with NetScreen; I have customers with ASAs where it works without it.
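As an added example (not the poster's or Cisco's own configuration), here is the IOS side with the fix from the last reply applied: set pfs group2 in the crypto map to match the NetScreen's Group 2 setting, the ISAKMP permit dropped from the crypto ACL as the first reply suggests, and the show commands used to confirm it. It assumes the NetScreen phase 1 proposal also uses DH group 2; addresses and names are the ones from the thread.

```cisco
! Phase 1: must match the NetScreen proposal (3DES / MD5 / pre-shared).
! Assumption: the NetScreen phase 1 proposal also uses DH group 2. IOS
! defaults to group 1 when "group" is omitted, so state it explicitly.
crypto isakmp policy 10
 encryption 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key XXXX address 3.3.3.14
! Liveness check the poster mentions for earlier cases of this symptom.
crypto isakmp keepalive 30
!
! Phase 2 transform set (ESP-3DES-MD5 on the NetScreen side). Tunnel mode
! is the IOS default and is used here because the protected hosts
! (2.2.2.145 and 3.3.3.184) are not the IKE peers themselves.
crypto ipsec transform-set 3des esp-3des esp-md5-hmac
!
! Crypto ACL: only the host pair to be protected. The "permit udp ... eq
! isakmp" entry from the original post does not belong here; IKE runs
! between the peers directly and is never carried inside the IPsec SA.
ip access-list extended CryptoMap_NetScreen
 permit ip host 2.2.2.145 host 3.3.3.184
!
crypto map IPSecTunnel 80 ipsec-isakmp
 description VPN_NetScreen
 set peer 3.3.3.14
 set transform-set 3des
 ! The fix: NetScreen phase 2 uses PFS with group 2, so IOS must propose
 ! it too, otherwise Quick Mode is rejected after a successful Phase 1.
 set pfs group2
 match address CryptoMap_NetScreen
!
! Verification after the change:
! show crypto isakmp sa
!   -> peer 3.3.3.14 in state QM_IDLE
! show crypto ipsec sa peer 3.3.3.14
!   -> "PFS (Y/N): Y, DH group: group2" and increasing #pkts encaps/decaps
```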