On 05/03/2012, at 9:57 PM, bizza wrote:
> gateway gw_vpn2remote {
>     ike-policy ike_pol_vpn2remote;
>     address X.Y.W.Z;
>     local-identity inet A.B.C.D;
>     external-interface fe-0/0/7.0;
>     version v1-only;
> }

In your IKE gateway configuration above, you have configured the local-identity - this particular knob is only used for authentication when you are using aggressive mode (which you are not). I suspect what you really wanted to configure was the proxy-id, which ASAs tend to be VERY picky about. You'll need:

set security ipsec vpn vpn2remote ike proxy-identity local A.B.C.D/E
set security ipsec vpn vpn2remote ike proxy-identity remote F.G.H.I/J
set security ipsec vpn vpn2remote ike proxy-identity service any

where F.G.H.I/J is the subnet on the remote side.

Ben