Cisco Support Community
Community Member

IPSEC L2L to netscreen peer IP problem

How do I solve for a vendor/customer that insists I include the IPSEC peer IP within the crypto ACL?

A NetScreen user has asked me to build a crypto ACL that includes the peer IP address. If I use a mask structure in the ACL to exclude the peer from the crypto domain, it works and I get good SAs. If the tunnel is initiated from the NetScreen, and my PIX 7 is the responder, then the SA range includes the peer IP address and returning traffic fails.

Any suggestions? Thanks in advance.

4 REPLIES
Silver

Re: IPSEC L2L to netscreen peer IP problem

The peer IP address should be a routable public IP address, and there is no need for the peer IP address to be in the range of source and destination IP addresses, so try using the SA range without the peer IP address.

Community Member

Re: IPSEC L2L to netscreen peer IP problem

Besides the obvious "peer IP cannot be included in the crypto domain" issue, the remote CHECKPOINT needed to be in "host" mode. If it is in "network" mode then it would send a supernetted mask in the originating SA that included the peer IP. That big mask would break the VPN and prevent my PIX from talking to the peer IP.

This would happen regardless of my crypto ACLs. Weird!

Thanks.

Re: IPSEC L2L to netscreen peer IP problem

Netscreen is not Checkpoint

Re: IPSEC L2L to netscreen peer IP problem

Ask the NetScreen user not to include the peer IP address in the crypto ACL.
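An added check for the situation in this thread, not code from any of the posts or from Cisco: it flags crypto ACL entries whose remote range contains the IKE peer, and splits the remote network into the tightest set of subnets that leave the peer out, which is the mask-structure workaround the original poster described. All addresses, the ACL name L2L and the PIX 7 style access-list rendering are constructed for illustration.

```python
# Added example (not from the thread): sanity-check crypto ACL / proxy-ID
# entries against the IKE peer address and, where the remote protected
# range would swallow the peer, split it into the tightest set of subnets
# that exclude the peer /32. Addresses are constructed documentation values.
import ipaddress


def entries_covering_peer(crypto_acl, peer_ip):
    """Return the (local, remote) entries whose remote network contains peer_ip."""
    peer = ipaddress.ip_address(peer_ip)
    return [(loc, rem) for loc, rem in crypto_acl
            if peer in ipaddress.ip_network(rem)]


def exclude_peer(remote_net, peer_ip):
    """Split remote_net into subnets that together cover it minus the peer /32.

    Returns remote_net unchanged (as a one-element list) when the peer lies
    outside it; raises if the "network" is nothing but the peer itself.
    """
    net = ipaddress.ip_network(remote_net)
    peer = ipaddress.ip_network(f"{peer_ip}/{net.max_prefixlen}")
    if not peer.subnet_of(net):
        return [net]
    if peer == net:
        raise ValueError("crypto domain is only the peer address; nothing to protect")
    # address_exclude yields the subnets of net that do not overlap the peer
    return sorted(net.address_exclude(peer))


def acl_lines(local_net, subnets, name="L2L"):
    """Render PIX 7 style extended ACL lines (netmask syntax) for the split."""
    loc = ipaddress.ip_network(local_net)
    return [f"access-list {name} extended permit ip "
            f"{loc.network_address} {loc.netmask} "
            f"{s.network_address} {s.netmask}" for s in subnets]
```

Excluding one host from a /24 costs eight ACL lines (one per prefix length between /24 and /32), so the split is a workaround, not a substitute for keeping the peer out of the crypto domain in the first place.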
