Hi Marco,

I see that you are using a custom proposal in phase-1 but using compatible in phase-2, that could be the problem. You need to define exact proposal in phase-2 as well. Could you confirm if proposal mismatch is in phase-1 (ike) or phase-2 (ipsec) to be more specific?

regards,
Asad

On Mon, Mar 5, 2012 at 4:57 PM, bizza <biz...@gmail.com> wrote:
> Hi,
> I have a problem configuring a VPN between an SRX and a Cisco ASA.
> This is my configuration:
>
> ike {
>     proposal trans-vpn {
>         authentication-method pre-shared-keys;
>         dh-group group5;
>         authentication-algorithm sha-256;
>         encryption-algorithm aes-256-cbc;
>         lifetime-seconds 86400;
>     }
>     policy ike_pol_vpn2remote {
>         mode main;
>         proposals trans-vpn;
>         pre-shared-key ascii-text "1234567899"; ## SECRET-DATA
>     }
>     gateway gw_vpn2remote {
>         ike-policy ike_pol_vpn2remote;
>         address X.Y.W.Z;
>         local-identity inet A.B.C.D;
>         external-interface fe-0/0/7.0;
>         version v1-only;
>     }
> }
> ipsec {
>     policy ipsec_pol_vpn2remote {
>         proposal-set compatible;
>     }
>     vpn vpn2remote {
>         bind-interface st0.0;
>         ike {
>             gateway gw_vpn2remote;
>             ipsec-policy ipsec_pol_vpn2remote;
>         }
>         establish-tunnels immediately;
>     }
> }
>
> And on the ASA side the remote IT tech said that the configuration is the
> same: encryption, hash, lifetime, group, etc.
>
> In /var/log/kmd I found:
> Mar 5 12:51:27 IKEv1 Error : Timeout
> Mar 5 12:52:06 IKEv1 Error : No proposal chosen
> Mar 5 12:52:27 IKEv1 Error : Timeout
> Mar 5 12:52:41 IKEv1 Error : No proposal chosen
> Mar 5 12:53:13 IKEv1 Error : No proposal chosen
> Mar 5 12:53:27 IKEv1 Error : Timeout
> Mar 5 12:53:47 IKEv1 Error : No proposal chosen
> Mar 5 12:54:27 IKEv1 Error : Timeout
> Mar 5 12:54:30 IKEv1 Error : No proposal chosen
> Mar 5 12:55:08 IKEv1 Error : No proposal chosen
>
> Any hints?
>
> Regards
> Marco
> --
> bizza
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
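
What the reply suggests, written out as an added example (not configuration from either poster): an explicit phase-2 proposal in place of `proposal-set compatible`, in the same stanza layout as the quoted configuration. The proposal name `ipsec_prop_vpn2remote` and every algorithm, lifetime and PFS value below are assumptions; replace them with whatever the ASA's transform set and crypto map actually use.

```junos
ipsec {
    /* Assumed values: each statement must match the ASA transform set exactly. */
    proposal ipsec_prop_vpn2remote {
        protocol esp;
        authentication-algorithm hmac-sha1-96;
        encryption-algorithm aes-256-cbc;
        lifetime-seconds 3600;
    }
    policy ipsec_pol_vpn2remote {
        /* Keep PFS only if the ASA crypto map also sets it, with the same group. */
        perfect-forward-secrecy {
            keys group5;
        }
        /* Replaces "proposal-set compatible" from the quoted configuration. */
        proposals ipsec_prop_vpn2remote;
    }
    vpn vpn2remote {
        bind-interface st0.0;
        ike {
            gateway gw_vpn2remote;
            ipsec-policy ipsec_pol_vpn2remote;
        }
        establish-tunnels immediately;
    }
}
```

To answer the phase-1 versus phase-2 question on the SRX, compare `show security ike security-associations` with `show security ipsec security-associations`: an IKE SA in state UP with no matching IPsec SA points at phase 2.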