Cisco Support Community
New Member

VPN between 3845 and Netscreen 208


I'm trying to create a VPN tunnel with my 3845 and the customer Netscreen208 firewall.

My side


Hardware: Cisco3845

IOS: 12.4.(8a)


crypto isakmp policy 30
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key xxx address <IP Remote Peer>
crypto isakmp keepalive 20
crypto ipsec transform-set MEDIUM_SEC esp-3des esp-sha-hmac
crypto map PUBLIC-MAP 60 ipsec-isakmp
 description xxxx
 set peer 2a.b.c.d
 set transform-set MEDIUM_SEC
 set pfs group2
 match address xxx


Customer side:

Hardware: Netscreen 208




What's the problem?

Cisco Employee

Re: VPN between 3845 and Netscreen 208


Check the Access-List for the crypto map to make sure they are mirror images of each other.

For example:

If you have a local network of and a remote network of Then the configuration on the local router should be

Access-list xxx permit ip

And on the Sonic Firewall, the access-list should be mirrored.

Access-list xxx permit ip

Also, I see that you have configured an ISAKMP and IPSEC Lifetime to one hour. Is this a requirement? If not, I would set a higher value for ISAKMP. For example: 28800 secs = 8 hours.

If possible, please do post the isakmp and ipsec debugs when you try to bring up the tunnel.

Let me know if it helps.



New Member

Re: VPN between 3845 and Netscreen 208


The ACL is correct. Here's the debug file. The first part is when the customer makes a ping and the second is when I ping the remote host.

In the log file I see that Phase 1 is complete, but Phase 2 is not. I have multiple crypto maps with different sequence numbers on the same HSRP interface.

Any idea?

thanks beat

Cisco Employee

Re: VPN between 3845 and Netscreen 208


Oct 5 10:56:00.913: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address ++++ IP MY PEER +++++

Oct 5 10:56:00.913: ISAKMP:(0:402:HW:2): IPSec policy invalidated proposal

Oct 5 10:56:00.913: ISAKMP:(0:402:HW:2): phase 2 SA policy not acceptable! (local ++++ IP MY PEER +++++ remote ++++ IP REMOTE PEER +++++)

Looking at the above debugs, the router is complaining about the crypto local address. Are you sourcing the crypto configuration from the outgoing physical interface or a loopback address?

Can you check the configuration to make sure that the peer addresses are configured correctly?
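The two debug messages quoted above both point at the crypto local address. As an added example (not from this thread and not Cisco's code), the following Python parses those lines and checks the flagged address against a constructed model of the router's interfaces, which turns the "physical interface or loopback" question into a repeatable check. The addresses, interface names and the HSRP layout are assumptions made for the example.

```python
import re

# Constructed sample of the IOS crypto debug lines quoted in the reply above; the
# addresses are documentation-range values invented for this example.
SAMPLE_DEBUG = """\
Oct 5 10:56:00.913: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address 203.0.113.10
Oct 5 10:56:00.913: ISAKMP:(0:402:HW:2): IPSec policy invalidated proposal
Oct 5 10:56:00.913: ISAKMP:(0:402:HW:2): phase 2 SA policy not acceptable! (local 203.0.113.10 remote 198.51.100.5)
"""

# Constructed model of the router (as read from 'show run' / 'show standby'): the crypto map
# is on the physical interface, while the customer peers with the HSRP virtual IP.
SAMPLE_INTERFACES = {
    "GigabitEthernet0/0": {"addresses": ["203.0.113.11"], "hsrp_vip": "203.0.113.10",
                           "crypto_map": "PUBLIC-MAP", "redundancy": False},
    "Loopback0": {"addresses": ["192.0.2.1"], "hsrp_vip": None, "crypto_map": None, "redundancy": False},
}

NO_MAP_RE = re.compile(r"no IPSEC cryptomap exists for local address (\S+)")
REJECT_RE = re.compile(r"phase 2 SA policy not acceptable! \(local (\S+) remote (\S+)\)")

def parse_phase2_failures(debug_text):
    """Return (local addresses IOS found no crypto map for, [(local, remote)] rejected pairs)."""
    no_map, rejected = set(), []
    for line in debug_text.splitlines():
        if m := NO_MAP_RE.search(line):
            no_map.add(m.group(1))
        if m := REJECT_RE.search(line):
            rejected.append((m.group(1), m.group(2)))
    return no_map, rejected

def diagnose(no_map, interfaces):
    """Explain, per flagged local address, why the router has no crypto map for it."""
    findings = {}
    for addr in sorted(no_map):
        owner = next((n for n, i in interfaces.items() if addr in i["addresses"]), None)
        vip_owner = next((n for n, i in interfaces.items() if i["hsrp_vip"] == addr), None)
        if owner and not interfaces[owner]["crypto_map"]:
            findings[addr] = f"{owner} owns {addr} but has no crypto map applied"
        elif owner:
            findings[addr] = f"{owner} owns {addr} and carries {interfaces[owner]['crypto_map']}; compare with the running config"
        elif vip_owner and not interfaces[vip_owner]["redundancy"]:
            findings[addr] = (f"{addr} is the HSRP virtual IP on {vip_owner}; bind the map to the standby "
                              "group (IOS 'crypto map <name> redundancy <group>') so IPsec uses it as local address")
        else:
            findings[addr] = f"{addr} is on no interface of this router; check 'set peer' on the Netscreen"
    return findings
```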


