Problems with ipsec between Cisco ASA 5505 and Juniper ssg5
Posted by Oskar Kjellin on Server Fault
Published on 2012-03-24T16:39:42Z
I am trying to set up an ipsec tunnel between our ASA 5505 and a Juniper ssg5. The tunnel is up and running, but I cannot get any data through it.
The local network I am on is 172.16.1.0 and the remote is 192.168.70.0. But I cannot ping anything on their network. I receive a "Phase 2 OK" when I set up the ipsec.
I think this is the part of the config that is applicable. It seems like the data is not routed through the tunnel, but I am not sure...
object network our-network
 subnet 172.16.1.0 255.255.255.0
object network their-network
 subnet 192.168.70.0 255.255.255.0
access-list outside_cryptomap extended permit ip object our-network object their-network
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer THEIR_IP
crypto map outside_map 1 set ikev1 phase1-mode aggressive
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-MD5
crypto map outside_map 1 set ikev2 pre-shared-key *****
crypto map outside_map 1 set reverse-route
crypto map outside_map interface outside
webvpn
group-policy GroupPolicy_THEIR_IP internal
group-policy GroupPolicy_THEIR_IP attributes
 vpn-filter value outside_cryptomap
 ipv6-vpn-filter none
 vpn-tunnel-protocol ikev1
tunnel-group THEIR_IP type ipsec-l2l
tunnel-group THEIR_IP general-attributes
 default-group-policy GroupPolicy_THEIR_IP
tunnel-group THEIR_IP ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
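
An added example, not part of the original post: a small Python cross-reference check over a config excerpt like the one above, listing transform-set and ACL names that are used but not defined in the excerpt, and any ACL that serves as both the crypto-map match and the vpn-filter. The function name `lint_asa_excerpt` and the finding labels are hypothetical, and the sample is constructed from lines in the post.

```python
import re

# Constructed sample: lines copied from the excerpt in the post above.
SAMPLE = """\
access-list outside_cryptomap extended permit ip object our-network object their-network
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-MD5
group-policy GroupPolicy_THEIR_IP attributes
 vpn-filter value outside_cryptomap
"""

# One pattern per kind of definition or reference the check tracks.
PATTERNS = {
    "ts_def": re.compile(r"^crypto ipsec ikev1 transform-set (\S+) "),
    "ts_use": re.compile(r"^crypto map \S+ \d+ set ikev1 transform-set (.+)$"),
    "acl_def": re.compile(r"^access-list (\S+) "),
    "acl_match": re.compile(r"^crypto map \S+ \d+ match address (\S+)$"),
    "acl_filter": re.compile(r"^vpn-filter value (\S+)$"),
}


def lint_asa_excerpt(text):
    """Return sorted (finding, name) pairs for names that do not line up."""
    seen = {key: set() for key in PATTERNS}
    for raw in text.splitlines():
        line = raw.strip()
        for key, pattern in PATTERNS.items():
            m = pattern.match(line)
            if m:
                # A crypto map entry may list several transform sets.
                seen[key].update(m.group(1).split())
    findings = set()
    for name in seen["ts_use"] - seen["ts_def"]:
        findings.add(("transform-set-not-defined-in-excerpt", name))
    for name in (seen["acl_match"] | seen["acl_filter"]) - seen["acl_def"]:
        findings.add(("acl-not-defined-in-excerpt", name))
    # Review item: a crypto-map ACL is written local-to-remote, while Cisco
    # documents vpn-filter ACLs as written with the remote network as source.
    for name in seen["acl_match"] & seen["acl_filter"]:
        findings.add(("acl-used-as-crypto-map-and-vpn-filter", name))
    return sorted(findings)


if __name__ == "__main__":
    for finding, name in lint_asa_excerpt(SAMPLE):
        print(f"{finding}: {name}")
```

Because the post shows only part of the configuration, a "not defined in excerpt" finding means the name should be looked up in the full running config, not that it is necessarily missing.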
© Server Fault or respective owner