|
[x]
The Solution Rating System
|
|
|
With so many solutions, how can you tell which solutions are most likely to help you and which ones are not? To provide you with a tool to use, we rate our solutions based on various elements that most accurately determine if a solution is a quality solution. To explain what factors affect the solution rating, here are the elements we take into consideration when formulating our solution rating. - The Grade of the Solution
- The Zone Rank of the Expert Providing the Solution
- The Number of Author and Expert Comments
- The Number of Experts Contributing
- The Feedback of the Community
Your Input Matters
Because of the way the system is set up, the most important variable in this equation is you. As a member of Experts Exchange, you are able to cast your vote on the quality of the solutions in regard to how complete, accurate, helpful and easy to understand each solution is. When you provide your feedback, each rating is adjusted accordingly. So, if you see a solution that has a poor rating that you think is a good solution, let us know by rating it. As you do, the rating will be adjusted and will become more accurate for other members of our site. If you have any suggestions that you would like to make for our rating system, please ask a question in the Suggestions Zone of Community Support. Thank you! |
|
|
|
|
I have configured a Juniper firewall for site to site vpn with a pix. Everything seems ok on the Juniper so now i'm looking at the pix for problems. I'm a total newbie to pix.
no crypto ipsec transform-set cflset esp-des esp-md5-hmac
no crypto map cflmap 20 ipsec-isakmp
no crypto map cflmap 20 match address xDSL
no crypto map cflmap 20 set peer x.120.133.98
no crypto map cflmap 20 set transform-set cflset
no crypto map cflmap interface outside
crypto ipsec transform-set cflset esp-3des esp-sha-hmac
crypto map cflmap 20 ipsec-isakmp
crypto map cflmap 20 match address xDSL
crypto map cflmap 20 set peer x.120.133.112
crypto map cflmap 20 set transform-set cflset
crypto map cflmap interface outside
no isakmp enable outside
no isakmp key wdpix address x.120.133.98 netmask 255.255.255.255 no-xauth no-config-mode
no isakmp identity address
no isakmp policy 10 authentication pre-share
no isakmp policy 10 encryption des
no isakmp policy 10 hash md5
no isakmp policy 10 group 2
no isakmp policy 10 lifetime 86400
isakmp enable outside
no isakmp key wdpix address x.120.133.112 netmask 255.255.255.255
isakmp key wdpix address x.120.133.112 netmask 255.255.255.255 no-xauth no-config-mode
no isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
Here is some of the feedback I get on the pix:
PIX
WacoDSL.Pix# show crypto ipsec sa
interface: outside
Crypto map tag: cflmap, local addr. 68.89.247.97
local ident (addr/mask/prot/port): (172.30.24.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (40.12.2.0/255.255.255.0/0/0)
current_peer: 65.120.133.112:0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 68.89.247.97, remote crypto endpt.: 65.120.133.112
path mtu 1500, ipsec overhead 0, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
local ident (addr/mask/prot/port): (172.30.25.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (40.12.2.0/255.255.255.0/0/0)
current_peer: 65.120.133.112:0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 68.89.247.97, remote crypto endpt.: 65.120.133.112
path mtu 1500, ipsec overhead 0, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
local ident (addr/mask/prot/port): (172.30.24.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (40.1.4.0/255.255.255.0/0/0)
current_peer: 65.120.133.112:0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 68.89.247.97, remote crypto endpt.: 65.120.133.112
path mtu 1500, ipsec overhead 0, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound ah sas:
outbound pcp sas:
local ident (addr/mask/prot/port): (172.30.25.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (40.1.4.0/255.255.255.0/0/0)
current_peer: 65.120.133.112:0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 68.89.247.97, remote crypto endpt.: 65.120.133.112
path mtu 1500, ipsec overhead 0, media mtu 1500
current outbound spi: 0
local ident (addr/mask/prot/port): (172.30.25.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
current_peer: 65.120.133.112:0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 68.89.247.97, remote crypto endpt.: 65.120.133.112
path mtu 1500, ipsec overhead 0, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
--------------------------------------------------------
Any help you can give is greatly appreciated!
-----------------------------
I included some Juniper feedback as well...
The Jumiper gives me this...
IKE<68.89.247.97> Phase 1:
Retransmission limit has been reached.
SSG520-> get ike cookie
Active: 1, Dead: 1, Total 3
0001/0000, 65.120.133.112:500->68.89.247.97:500, NONE/grp0/NULL/NULL, xchg(2) (WacoDSLTest/grp-1/usr-1)
resent-tmr 33555201 lifetime 28800 lt-recv 0 nxt_rekey 28780 cert-expire 0
initiator, err cnt 5, send dir 0, cond 0x0
nat-traversal map not available
ike heartbeat : disabled
ike heartbeat last rcv time: 0
ike heartbeat last snd time: 0
XAUTH status: 0
DPD seq local 0, peer 0
p2_tasks:
task_type = 0x3
p2 sa id = 0xb (index 0x3)
app_sa_flags = 0x60a0
p2 spi = 0x0
1182f/0006, 70.3.44.71:500->65.120.133.112:500, PRESHR/grp2/AES128/SHA, xchg(4) (CFL_P1/grp2/usr1)
resent-tmr 16777218 lifetime 28800 lt-recv 0 nxt_rekey 27966 cert-expire 0
responder, err cnt 0, send dir 1, cond 0x0
nat-traversal map not available
ike heartbeat : disabled
ike heartbeat last rcv time: 0
ike heartbeat last snd time: 0
XAUTH status: 100
DPD seq local 0, peer 0
1182f/0006, 68.240.60.228:500->65.120.133.112:500, PRESHR/grp2/AES128/SHA, xchg(5) (CFL_P1/grp2/usr1)
resent-tmr 16777218 lifetime 28800 lt-recv 0 nxt_rekey 27557 cert-expire 0
responder, err cnt 0, send dir 1, cond 0x2
nat-traversal map not available
ike heartbeat : disabled
ike heartbeat last rcv time: 0
ike heartbeat last snd time: 0
XAUTH status: 100
DPD seq local 0, peer 0
SSG520-> get sa
total configured sa: 6
HEX ID Gateway Port Algorithm SPI Life:sec kb Sta PID vsys
00000007< 0.0.0.0 500 esp:a128/sha1 00000000 expir unlim I/I 40 0
00000007> 0.0.0.0 500 esp:a128/sha1 00000000 expir unlim I/I 39 0
0000000a< 0.0.0.0 500 esp:3des/sha1 00000000 expir unlim I/I 42 0
0000000a> 0.0.0.0 500 esp:3des/sha1 00000000 expir unlim I/I -1 0
00000005< 0.0.0.0 500 esp:a128/sha1 00000000 expir unlim I/I 33 0
00000005> 0.0.0.0 500 esp:a128/sha1 00000000 expir unlim I/I 34 0
0000000b< 68.89.247.97 500 esp:3des/sha1 00000000 expir unlim I/I -1 0
0000000b> 68.89.247.97 500 esp:3des/sha1 00000000 expir unlim I/I -1 0
0000800e< 68.240.60.228 500 esp:a128/sha1 b7c205ed 2322 unlim I/I 40 0
0000800e> 68.240.60.228 500 esp:a128/sha1 6280b69c 2322 unlim I/I 39 0
0000800f< 70.3.44.71 500 esp:a128/sha1 b8c205ed 2810 unlim A/- 40 0
0000800f> 70.3.44.71 500 esp:a128/sha1 418d3192 2810 unlim A/- 39 0
SSG520->
--------------------
I need to get this up and running ASAP...
