Problems with ipsec between Cisco ASA 5505 and Juniper ssg5

Posted by Oskar Kjellin on Server Fault
Published on 2012-03-24T16:39:42Z

I am trying to set up an ipsec tunnel between our ASA 5505 and a Juniper ssg5. The tunnel is up and running, but I cannot get any data through it.

The local network I am on is 172.16.1.0 and the remote is 192.168.70.0. But I cannot ping anything on their network. I receive a "Phase 2 OK" when I set up the ipsec.

I think this is the part of the config that is applicable. It seems like the data is not routed through the tunnel, but I am not sure...

object network our-network
 subnet 172.16.1.0 255.255.255.0
object network their-network
 subnet 192.168.70.0 255.255.255.0
access-list outside_cryptomap extended permit ip object our-network object their-network 
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs 
crypto map outside_map 1 set peer THEIR_IP
crypto map outside_map 1 set ikev1 phase1-mode aggressive 
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-MD5
crypto map outside_map 1 set ikev2 pre-shared-key *****
crypto map outside_map 1 set reverse-route
crypto map outside_map interface outside

webvpn
group-policy GroupPolicy_THEIR_IP internal
group-policy GroupPolicy_THEIR_IP attributes
 vpn-filter value outside_cryptomap
 ipv6-vpn-filter none
 vpn-tunnel-protocol ikev1 
tunnel-group THEIR_IP type ipsec-l2l
tunnel-group THEIR_IP general-attributes
 default-group-policy GroupPolicy_THEIR_IP
tunnel-group THEIR_IP ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****

© Server Fault or respective owner
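
A consistency check over the configuration posted above, as an added example that is not part of the original post: it flags a crypto map that references a transform-set the excerpt never defines, and an ACL used both as the crypto map match ACL and as a vpn-filter. The function name `lint_asa_l2l` is hypothetical, and the input is the relevant subset of the posted lines.

```python
import re

# Relevant lines copied from the configuration in the post above.
POSTED_CONFIG = """\
access-list outside_cryptomap extended permit ip object our-network object their-network
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-MD5
group-policy GroupPolicy_THEIR_IP attributes
 vpn-filter value outside_cryptomap
"""

def lint_asa_l2l(config: str) -> list[str]:
    """Return cross-reference findings for an ASA LAN-to-LAN config excerpt."""
    defined_sets = set()   # transform-set names that are defined
    used_sets = {}         # transform-set name -> crypto map entry using it
    crypto_acls = {}       # ACL name -> crypto map entry matching on it
    filter_acls = set()    # ACL names applied as vpn-filter
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"crypto ipsec (?:ikev1 )?transform-set (\S+) \S+", line):
            defined_sets.add(m.group(1))
        elif m := re.match(r"crypto map (\S+) (\d+) set (?:ikev1 )?transform-set (.+)", line):
            for name in m.group(3).split():
                used_sets.setdefault(name, f"{m.group(1)} {m.group(2)}")
        elif m := re.match(r"crypto map (\S+) (\d+) match address (\S+)", line):
            crypto_acls[m.group(3)] = f"{m.group(1)} {m.group(2)}"
        elif m := re.match(r"vpn-filter value (\S+)", line):
            filter_acls.add(m.group(1))

    findings = []
    for name, where in used_sets.items():
        if name not in defined_sets:
            findings.append(f"transform-set {name} (crypto map {where}) "
                            "is not defined in this excerpt")
    for acl in sorted(filter_acls & crypto_acls.keys()):
        # A vpn-filter ACL is written with the remote network as source and the
        # local network as destination, the reverse of a crypto map ACL.
        findings.append(f"ACL {acl} is used as crypto map match ACL and as "
                        "vpn-filter; the two need opposite source/destination")
    return findings

if __name__ == "__main__":
    for finding in lint_asa_l2l(POSTED_CONFIG):
        print("WARN:", finding)
```
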