The ASAs are usually quite picky about Proxy-ID, and since you haven't specified one, the SRX will use "any, any, any" (all 0). That kind of Proxy-ID (or lack of one) usually works well when you are using a route-based setup. The ASA, on the other hand, (almost) always uses policy-based VPN, where you have to specify source and destination networks.
I don't think this is your problem yet, since the phase 1 handshake doesn't work. I would say: remove the local-identity from the gateway definition. This can mess things up. It is normally enough that the remote end can see your external interface source address.

/Per

On 5 Mar 2012, at 12:57, bizza wrote:

> Hi,
> I have a problem configuring a VPN between an SRX and a Cisco ASA.
> This is my configuration:
>
> ike {
>     proposal trans-vpn {
>         authentication-method pre-shared-keys;
>         dh-group group5;
>         authentication-algorithm sha-256;
>         encryption-algorithm aes-256-cbc;
>         lifetime-seconds 86400;
>     }
>     policy ike_pol_vpn2remote {
>         mode main;
>         proposals trans-vpn;
>         pre-shared-key ascii-text "1234567899"; ## SECRET-DATA
>     }
>     gateway gw_vpn2remote {
>         ike-policy ike_pol_vpn2remote;
>         address X.Y.W.Z;
>         local-identity inet A.B.C.D;
>         external-interface fe-0/0/7.0;
>         version v1-only;
>     }
> }
> ipsec {
>     policy ipsec_pol_vpn2remote {
>         proposal-set compatible;
>     }
>     vpn vpn2remote {
>         bind-interface st0.0;
>         ike {
>             gateway gw_vpn2remote;
>             ipsec-policy ipsec_pol_vpn2remote;
>         }
>         establish-tunnels immediately;
>     }
> }
>
> On the ASA side, the remote IT tech said that the configuration is the
> same: encryption, hash, lifetime, group, etc.
>
> In /var/log/kmd I found:
> Mar 5 12:51:27 IKEv1 Error : Timeout
> Mar 5 12:52:06 IKEv1 Error : No proposal chosen
> Mar 5 12:52:27 IKEv1 Error : Timeout
> Mar 5 12:52:41 IKEv1 Error : No proposal chosen
> Mar 5 12:53:13 IKEv1 Error : No proposal chosen
> Mar 5 12:53:27 IKEv1 Error : Timeout
> Mar 5 12:53:47 IKEv1 Error : No proposal chosen
> Mar 5 12:54:27 IKEv1 Error : Timeout
> Mar 5 12:54:30 IKEv1 Error : No proposal chosen
> Mar 5 12:55:08 IKEv1 Error : No proposal chosen
>
>
> Any hints?
>
> Regards
> Marco
> --
> bizza
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
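
The two changes discussed in the reply, shown as a Junos configuration fragment. This is an added example, not configuration posted by either participant: the gateway is the one from the quoted message with `local-identity` removed, and the `proxy-identity` prefixes are placeholder documentation networks that would have to be replaced with the source and destination networks defined on the ASA side.

```junos
ike {
    gateway gw_vpn2remote {
        ike-policy ike_pol_vpn2remote;
        address X.Y.W.Z;
        /* local-identity removed: the peer identifies this side by the
           source address of the external interface */
        external-interface fe-0/0/7.0;
        version v1-only;
    }
}
ipsec {
    vpn vpn2remote {
        bind-interface st0.0;
        ike {
            gateway gw_vpn2remote;
            /* Explicit Proxy-ID instead of the default any/any/any (all 0).
               Placeholder prefixes (assumption): local is the network behind
               the SRX, remote is the network behind the ASA. */
            proxy-identity {
                local 192.0.2.0/24;
                remote 198.51.100.0/24;
                service any;
            }
            ipsec-policy ipsec_pol_vpn2remote;
        }
        establish-tunnels immediately;
    }
}
```

The Proxy-ID is only exchanged in phase 2, so it does not affect the phase 1 errors shown in the quoted log.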