Cisco Support Community
New Member

VPN between 3845 and Netscreen 208

Hi

I'm trying to create a VPN tunnel between my 3845 and the customer's Netscreen 208 firewall.

My side

------------------------------

Hardware: Cisco3845

IOS: 12.4(8a)

Configuration:

crypto isakmp policy 30
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
!
crypto isakmp key xxx address <IP Remote Peer>
crypto isakmp keepalive 20
crypto ipsec transform-set MEDIUM_SEC esp-3des esp-sha-hmac
!
crypto map PUBLIC-MAP 60 ipsec-isakmp
 description xxxx
 set peer 2a.b.c.d
 set transform-set MEDIUM_SEC
 set pfs group2
 match address xxx

------------------------------

Customer side:

Hardware: Netscreen 208

Phase 1: pre-g2-3des-sha1-3600

Phase 2: g2-3des-sha1-3600

------------------------------

What's the problem?

3 REPLIES
Cisco Employee

Re: VPN between 3845 and Netscreen 208

Hi,

Check the Access-List for the crypto map to make sure they are mirror images of each other.

For example:

If you have a local network of 10.1.1.0 255.255.255.0 and a remote network of 192.168.1.0 255.255.255.0, then the configuration on the local router should be:

access-list xxx permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255

And on the Sonic Firewall, the access-list should be mirrored:

access-list xxx permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255

Also, I see that you have configured the ISAKMP and IPsec lifetimes to one hour. Is this a requirement? If not, I would set a higher value for ISAKMP, for example 28800 secs = 8 hours.

If possible, please do post the isakmp and ipsec debugs when you try to bring up the tunnel.

Let me know if it helps.

Regards,

Arul
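The mirror-image check described in the reply above, as an added example that is not part of the original thread. It parses Cisco IOS extended-ACL lines (wildcard masks, `host`, `any`), reports where two entries fail to mirror, and generates the line the far end should carry. The sample ACL lines and the access-list number 101 are constructed assumptions (the thread shows the number as "xxx"); a non-contiguous wildcard such as 255.255.255.0, the classic subnet-mask-typed-as-wildcard slip, is rejected explicitly.

```python
"""Check that two Cisco-style crypto ACL entries are mirror images.

Added example, not part of the original thread. The ACL lines below are
constructed samples; access-list number 101 is an assumption.
"""
import ipaddress

# Constructed sample input: the local router's crypto ACL entry and the entry
# the remote side is expected to carry (its mirror image).
LOCAL_ACL = "access-list 101 permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255"
REMOTE_ACL = "access-list 101 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255"


def _parse_endpoint(tokens, i):
    """Parse one ACL endpoint (any | host A | A WILDCARD) at tokens[i].

    Returns (ip_network, index_of_next_token). A wildcard mask is the inverse
    of a subnet mask (0.0.0.255 == /24); a non-contiguous wildcard such as
    255.255.255.0 (a subnet mask typed by mistake) is rejected.
    """
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr = ipaddress.ip_address(tok)
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    # A valid wildcard is a run of low-order ones, so w+1 must be a power of two.
    if (wildcard + 1) & wildcard:
        raise ValueError(
            f"{tokens[i + 1]} is not a contiguous wildcard mask "
            "(did you type a subnet mask instead?)"
        )
    prefixlen = 32 - wildcard.bit_length()
    # strict=False normalises an address with host bits set, as IOS does.
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False), i + 2


def parse_acl_line(line):
    """Parse 'access-list N permit|deny PROTO SRC [WC] DST [WC]' into a dict."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list":
        raise ValueError(f"not an extended ACL line: {line!r}")
    number, action, proto = tokens[1], tokens[2], tokens[3]
    src, i = _parse_endpoint(tokens, 4)
    dst, _ = _parse_endpoint(tokens, i)
    return {"number": number, "action": action, "proto": proto,
            "src": src, "dst": dst}


def check_mirror(local_line, remote_line):
    """Return a list of problems; an empty list means the entries mirror.

    IOS wants the remote proxy identities to be the exact mirror of the local
    ones: a narrower or wider remote entry still fails phase 2 negotiation.
    """
    local = parse_acl_line(local_line)
    remote = parse_acl_line(remote_line)
    problems = []
    if local["action"] != "permit" or remote["action"] != "permit":
        problems.append("crypto ACL entries must be 'permit' lines")
    if local["proto"] != remote["proto"]:
        problems.append(f"protocol differs: {local['proto']} vs {remote['proto']}")
    if local["src"] != remote["dst"]:
        problems.append(
            f"local source {local['src']} != remote destination {remote['dst']}")
    if local["dst"] != remote["src"]:
        problems.append(
            f"local destination {local['dst']} != remote source {remote['src']}")
    return problems


def mirror_line(local_line):
    """Generate the ACL line the remote side should carry for local_line."""
    e = parse_acl_line(local_line)

    def fmt(net):
        if net.prefixlen == 0:
            return "any"
        if net.prefixlen == 32:
            return f"host {net.network_address}"
        return f"{net.network_address} {net.hostmask}"

    return (f"access-list {e['number']} {e['action']} {e['proto']} "
            f"{fmt(e['dst'])} {fmt(e['src'])}")


if __name__ == "__main__":
    print(mirror_line(LOCAL_ACL))
    print(check_mirror(LOCAL_ACL, REMOTE_ACL) or "mirrored OK")
```

Run `check_mirror` with the far end's entry pasted in; any non-empty result is a phase 2 proxy-identity mismatch to fix before looking anywhere else.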

New Member

Re: VPN between 3845 and Netscreen 208

Hi,

The ACL is correct. Here's the debug file. The first part is when the customer pings, and the second is when I ping the remote host.

In the log file I see that phase 1 completes but phase 2 does not. I have multiple crypto maps with different sequence numbers on the same HSRP interface.

Any idea?

Thanks, Beat

Cisco Employee

Re: VPN between 3845 and Netscreen 208

DEBUGS:

Oct 5 10:56:00.913: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address ++++ IP MY PEER +++++
Oct 5 10:56:00.913: ISAKMP:(0:402:HW:2): IPSec policy invalidated proposal
Oct 5 10:56:00.913: ISAKMP:(0:402:HW:2): phase 2 SA policy not acceptable! (local ++++ IP MY PEER +++++ remote ++++ IP REMOTE PEER +++++)

Looking at the above debugs, the router is complaining about the crypto local address. Are you sourcing the crypto configuration from the outgoing physical interface or a loopback address?

Can you check the configuration to make sure that the peer addresses are configured correctly?

Regards,

Arul
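The two ways of pinning the crypto local address that the reply above asks about, shown as an added IOS configuration example that is not from the original thread. The interface names, the HSRP group name VPN-HSRP and the 203.0.113.0/24 addresses are placeholders I assumed; the one fixed point is that the address the remote Netscreen is told to peer with must be the same address the router treats as its local crypto address, otherwise IPsec reports "no IPSEC cryptomap exists for local address" exactly as in the debug.

```text
! Added example, not from the thread; interface names, group name and
! addresses are assumptions.

! Variant A: map applied to the physical interface, no HSRP. The router's
! local crypto address is the interface address, so the remote side must
! peer with 203.0.113.1.
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map PUBLIC-MAP

! Variant B: the crypto map tracks the HSRP virtual address. The remote side
! must peer with the VIP (203.0.113.10), not with either router's own
! interface address, and the pre-shared key entry on the far end must
! reference the VIP as well.
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 standby 1 ip 203.0.113.10
 standby 1 name VPN-HSRP
 crypto map PUBLIC-MAP redundancy VPN-HSRP
```

With several sequence numbers under one crypto map on one interface, all of them inherit the same local address, so a single mismatch between that address and the address the far end peers with breaks every tunnel on the map, not just one.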
