Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
640
Views
0
Helpful
3
Replies

VPN between 3845 and Netscreen 208

beatdaenzer
Level 1
Level 1

‎10-04-2006 03:37 AM

Hi

I'm trying to create a VPN tunnel with my 3845 and the customer Netscreen208 firewall.

My side

------------------------------

Hardware: Cisco3845

IOS: 12.4.(8a)

Configuration:

crypto isakmp policy 30

encr 3des

authentication pre-share

group 2

lifetime 3600

!

crypto isakmp key xxx address <IP Remote Peer>

crypto isakmp keepalive 20

crypto ipsec transform-set MEDIUM_SEC esp-3des esp-sha-hmac

!

crypto map PUBLIC-MAP 60 ipsec-isakmp

description xxxx

set peer 2a.b.c.d

set transform-set MEDIUM_SEC

set pfs group2

match address xxx

------------------------------

Customer side:

Hardware: Netscreen 208

Phase1:pre-g2-3des-sha1-3600

Phase2:g2-3des-sha1-3600

------------------------------

What's the problem ?

Labels:
0 Helpful
3 Replies 3

ajagadee
Cisco Employee
Cisco Employee

‎10-04-2006 10:28 AM

Hi,

Check the Access-List for the crypto map to make sure they are mirror images of each other.

For example:

If you have a local network of 10.1.1.0 255.255.255.0 and a remote network of 192.168.1.0 255.255.255.0. Then the configuration on the local router should be

Access-list xxx permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255

And on the Sonic Firewall, the access-list should be mirrored.

Access-list xxx permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255

Also, I see that you have configured an ISAKMP and IPSEC Lifetime to one hour. Is this a requirement. If not, I would set a higher value for ISAKMP. For example: 28800 secs = 8 hours.

If possible, please do post the isakmp and ipsec debugs when you try to bring up the tunnel.

Let me know if it helps.

Regards,

Arul

0 Helpful

beatdaenzer
Level 1
Level 1
In response to ajagadee

‎10-05-2006 03:05 AM

Hi,

The ACL is correct. Here's the debug file. First part is when the customer makes a ping and the second is, when I ping the remote host.

In the log file I see, that Phase 1 is complete, but phase 2 not. I have multiple crypto-maps with different sequenze numbers one the same HSRP-Interface.

Any idea?

thanks beat

Preview file
56 KB
0 Helpful

ajagadee
Cisco Employee
Cisco Employee
In response to beatdaenzer

‎10-06-2006 07:22 AM

DEBUGS:

Oct 5 10:56:00.913: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address ++++ IP MY PEER +++++

Oct 5 10:56:00.913: ISAKMP:(0:402:HW:2): IPSec policy invalidated proposal

Oct 5 10:56:00.913: ISAKMP:(0:402:HW:2): phase 2 SA policy not acceptable! (local ++++ IP MY PEER +++++ remote ++++ IP REMOTE PEER +++++)

Looking at the above debugs, the router is complaining about the crypto local address. Are you sourcing the crypto configuration from the Outgoing physical Interface or a Loopback Address.

Can you check the configuration to make sure that peer address are configured correctly.

Regards,

Arul

0 Helpful
Customers Also Viewed These Support Documents