On Mon, Mar 5, 2012 at 1:28 PM, Asad Raza <asadgard...@gmail.com> wrote:
> Hi Marco,
>
> I see that you are using a custom proposal in phase-1 but using compatible
> in phase-2, that could be the problem. You need to define an exact proposal in
> phase-2 as well. Could you confirm if the proposal mismatch is in phase-1 (ike)
> or phase-2 (ipsec) to be more specific?
I've just changed my configuration as follows:

security {
    ike {
        proposal ike-p1 {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 86400;
        }
        policy ike_pol_lan2remote {
            mode main;
            proposals ike-p1;
            pre-shared-key ascii-text "blablabla"; ## SECRET-DATA
        }
        gateway gw_lan2remote {
            ike-policy ike_pol_lan2remote;
            address x.y.w.z;
            external-interface fe-0/0/7.0;
            version v1-only;
        }
    }
    ipsec {
        proposal ipsec-p2 {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 86400;
            lifetime-kilobytes 1048576;
        }
        policy ipsec_pol_lan2remote {
            proposals ipsec-p2;
        }
        vpn lan2remote {
            bind-interface st0.0;
            ike {
                gateway gw_lan2remote;
                ipsec-policy ipsec_pol_lan2remote;
            }
            establish-tunnels immediately;
        }
    }
}

And I'm waiting for the people on the other side to change the ASA configuration, which will be something like this:

crypto isakmp policy 5
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ipsec-p2 esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 1048576
crypto map foo 5 match address MYACL
crypto map foo 5 set pfs
crypto map foo 5 set peer x.y.w.z
crypto map foo 5 set transform-set ipsec-p2
crypto map foo interface outside

Do you think this will be enough?

Regards
Marco
--
bizza
_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
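A small comparison script, added here as an example and not part of the thread or of either vendor's tooling: it parses Junos IKE/IPsec proposal blocks and ASA isakmp-policy, transform-set and crypto-map lines into one common set of phase-1 and phase-2 attributes and lists the attributes that differ, which is the check Asad's question ("is the mismatch in phase-1 or phase-2?") calls for. The vendor-to-common name mappings are my own simplification, the two sample configs are condensed from the snippets in the message, and treating a bare `set pfs` on the ASA as group 2 is an assumption.

```python
import re

# Constructed sample input, condensed from the Junos snippet in the message.
JUNOS_CFG = """
proposal ike-p1 {
    authentication-method pre-shared-keys; dh-group group2;
    authentication-algorithm sha1; encryption-algorithm aes-128-cbc;
    lifetime-seconds 86400;
}
proposal ipsec-p2 {
    protocol esp; authentication-algorithm hmac-sha1-96;
    encryption-algorithm aes-128-cbc; lifetime-seconds 86400;
    lifetime-kilobytes 1048576;
}
"""

# Constructed sample input, condensed from the ASA snippet in the message.
ASA_CFG = """
crypto isakmp policy 5
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ipsec-p2 esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 1048576
crypto map foo 5 set pfs
"""

# Vendor names mapped onto a common vocabulary (an assumed mapping, not a
# vendor table); values not in a mapping pass through unchanged.
ENC = {"aes-128-cbc": "aes", "aes-256-cbc": "aes-256", "3des-cbc": "3des"}
JUNOS_P1 = {
    "authentication-method": ("auth", {"pre-shared-keys": "pre-share"}),
    "dh-group": ("dh", {"group1": "1", "group2": "2", "group5": "5", "group14": "14"}),
    "authentication-algorithm": ("hash", {"sha1": "sha", "md5": "md5"}),
    "encryption-algorithm": ("enc", ENC),
    "lifetime-seconds": ("lifetime_seconds", {}),
}
JUNOS_P2 = {
    "protocol": ("proto", {}),
    "authentication-algorithm": ("hash", {"hmac-sha1-96": "sha", "hmac-md5-96": "md5"}),
    "encryption-algorithm": ("enc", ENC),
    "lifetime-seconds": ("lifetime_seconds", {}),
    "lifetime-kilobytes": ("lifetime_kb", {}),
}
ASA_P1 = {"authentication": "auth", "encryption": "enc", "hash": "hash",
          "group": "dh", "lifetime": "lifetime_seconds"}
ASA_TRANSFORM = {"esp-aes": ("enc", "aes"), "esp-aes-256": ("enc", "aes-256"),
                 "esp-3des": ("enc", "3des"), "esp-sha-hmac": ("hash", "sha"),
                 "esp-md5-hmac": ("hash", "md5")}


def parse_junos(cfg):
    """Extract phase-1 (ike) and phase-2 (ipsec) attributes from Junos proposal blocks."""
    p1, p2 = {}, {"pfs": "none"}
    for _name, body in re.findall(r"proposal\s+(\S+)\s*\{([^}]*)\}", cfg):
        pairs = dict(re.findall(r"(\S+)\s+(\S+);", body))
        # An IKE proposal carries a dh-group; an IPsec proposal carries a protocol.
        table, target = (JUNOS_P1, p1) if "dh-group" in pairs else (JUNOS_P2, p2)
        for key, val in pairs.items():
            if key in table:
                norm_key, mapping = table[key]
                target[norm_key] = mapping.get(val, val)
    m = re.search(r"perfect-forward-secrecy\s+keys\s+(\S+);", cfg)
    if m:
        p2["pfs"] = m.group(1)
    return {"phase1": p1, "phase2": p2}


def parse_asa(cfg):
    """Extract the same attributes from ASA isakmp policy, transform-set and crypto map lines."""
    p1, p2 = {}, {"pfs": "none"}
    in_policy = False
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("crypto isakmp policy"):
            in_policy = True
            continue
        if in_policy and not line.startswith("crypto"):
            key, val = line.split(None, 1)
            if key in ASA_P1:
                p1[ASA_P1[key]] = val
            continue
        in_policy = False
        if line.startswith("crypto ipsec transform-set"):
            for tok in line.split()[4:]:
                if tok.startswith("esp-"):
                    p2["proto"] = "esp"
                if tok in ASA_TRANSFORM:
                    k, v = ASA_TRANSFORM[tok]
                    p2[k] = v
            continue
        m = re.match(r"crypto ipsec security-association lifetime (seconds|kilobytes) (\d+)", line)
        if m:
            p2["lifetime_seconds" if m.group(1) == "seconds" else "lifetime_kb"] = m.group(2)
            continue
        m = re.match(r"crypto map \S+ \d+ set pfs(?:\s+(\S+))?$", line)
        if m:
            p2["pfs"] = m.group(1) or "group2"  # assumption: bare 'set pfs' means group 2
    return {"phase1": p1, "phase2": p2}


def compare(junos, asa):
    """Return (phase, attribute, junos_value, asa_value) for every attribute that differs."""
    diffs = []
    for phase in ("phase1", "phase2"):
        for key in sorted(set(junos[phase]) | set(asa[phase])):
            jv, av = junos[phase].get(key, "<unset>"), asa[phase].get(key, "<unset>")
            if jv != av:
                diffs.append((phase, key, jv, av))
    return diffs


if __name__ == "__main__":
    for phase, key, jv, av in compare(parse_junos(JUNOS_CFG), parse_asa(ASA_CFG)):
        print(f"{phase}: {key}: junos={jv} asa={av}")
```

Run on the two sample configs, the phase-1 attributes agree and the script reports two phase-2 differences: the SA lifetime in seconds (86400 on the Junos side, 28800 on the ASA side), which IKEv1 peers normally negotiate down to the lower value, and PFS (absent in the Junos ipsec policy, `set pfs` in the ASA crypto map), which both ends must agree on for quick mode to complete. Extending the mapping tables is the only change needed to cover further algorithms or DH groups.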