Hi,
I have some problem in to configure a vpn between a srx and a cisco asa.
This is my configuration:
ike {
proposal trans-vpn {
authentication-method pre-shared-keys;
dh-group group5;
authentication-algorithm sha-256;
Hi Marco,
I see that you are using a custom proposal in phase-1 but using compatible
in phase-2, that could be the problem. You need to define exact proposal in
phase-2 aswell. Could you confirm if proposal mismatch is in phase-1 (ike)
or phase-2 (ipsec) ot be more specific?
regards,
Asad
On
On Mon, Mar 5, 2012 at 1:28 PM, Asad Raza asadgard...@gmail.com wrote:
Hi Marco,
I see that you are using a custom proposal in phase-1 but using compatible
in phase-2, that could be the problem. You need to define exact proposal in
phase-2 aswell. Could you confirm if proposal mismatch is in
On 05/03/2012, at 9:57 PM, bizza wrote:
gateway gw_vpn2remote {
ike-policy ike_pol_vpn2remote;
address X.Y.W.Z;
local-identity inet A.B.C.D;
external-interface fe-0/0/7.0;
version v1-only;
}
In your IKE gateway
The ASAs are usually quite picky about Propxy-ID, and since you haven't
specified one, the SRX will use any, any, any (all 0). That kind of Proxy-ID
(or lack of) usually works well when you are using a route-based setup. The ASA
on the other hand (almost) always use policy based VPN, where you
If that is the actual config off the ASA, then another thing that may be
affecting connectivity:
crypto map foo 5 match address MYACL
crypto map foo 5 set pfs
crypto map foo 5 set peer x.y.w.z
crypto map foo 5 set transform-set ipsec-p2
crypto map foo interface outside
you have
On Mon, Mar 5, 2012 at 2:55 PM, Ben Dale bd...@comlinx.com.au wrote:
If that is the actual config off the ASA, then another thing that may be
affecting connectivity:
crypto map foo 5 match address MYACL
crypto map foo 5 set pfs
crypto map foo 5 set peer x.y.w.z
crypto map foo 5
7 matches
Mail list logo