Advertisement

12.20.2006 at 03:28PM PST, ID: 22099914
[x]
Attachment Details
[x]
The Solution Rating System

With so many solutions, how can you tell which solutions are most likely to help you and which ones are not? To provide you with a tool to use, we rate our solutions based on various elements that most accurately determine if a solution is a quality solution. To explain what factors affect the solution rating, here are the elements we take into consideration when formulating our solution rating.

  • The Grade of the Solution
  • The Zone Rank of the Expert Providing the Solution
  • The Number of Author and Expert Comments
  • The Number of Experts Contributing
  • The Feedback of the Community

Your Input Matters
Because of the way the system is set up, the most important variable in this equation is you. As a member of Experts Exchange, you are able to cast your vote on the quality of the solutions in regard to how complete, accurate, helpful and easy to understand each solution is. When you provide your feedback, each rating is adjusted accordingly. So, if you see a solution that has a poor rating that you think is a good solution, let us know by rating it. As you do, the rating will be adjusted and will become more accurate for other members of our site.

If you have any suggestions that you would like to make for our rating system, please ask a question in the Suggestions Zone of Community Support.

Thank you!
8.8

Pix to Netscreen VPN

Asked by snowsurfer in Virtual Private Networking (VPN), IPSec Security Protocol, Cisco PIX Firewall

Tags: , ,

I am working on getting a PIX515 to connect to a Netscreen 5GT

In my lab I have a PIX 501 running 6.3(4).  I can connect to my 5GT without any problems

When I do a get sa from the Netscreen I get

0000000a<     6*.*.*.*  500 esp:3des/md5  2695cc0c 28610  403M A/-    -1 0
0000000a>     6*.*.*.*  500 esp:3des/md5  e614d74c 28610  403M A/-    -1 0

When i try and connect to my 515 in production running 6.3(1) it wont connect and I get the following


0000000a<    6*.*.*.*  500 esp:3des/md5  00000000 expir unlim I/I    -1 0
0000000a>    6*.*.*.*  500 esp:3des/md5  00000000 expir unlim I/I    -1 0

Here is the error in the logs
2006-12-20 08:06:21 info IKE: Removed Phase 2 SAs after receiving a notification message.
2006-12-20 08:06:21 info IKE<*.*.*.*>: Received a notification message for DOI <1> <14> <NO-PROPOSAL-CHOSEN>.
2006-12-20 08:06:21 info IKE<*.*.*.*> Phase 2: Initiated negotiations.


here are the relvant portions of the configs

set ike p1-proposal "toPIX" preshare group2 esp 3des md5 second 86400
set ike p2-proposal "toPIX" group2 esp 3des md5 second 3600
set vpn "VPN" gateway "GW" no-replay tunnel idletime 0 proposal "g2-esp-3des-md5"
set vpn "VPN" id 10 bind interface tunnel.1
set vpn "VPN" proxy-id local-ip 172.16.10.0/24 remote-ip 172.16.0.0/24 "ANY"

Here is the config that isnt working

crypto ipsec transform-set caset esp-3des esp-md5-hmac
crypto map newmap 20 ipsec-isakmp dynamic camap
crypto map newmap 200 ipsec-isakmp
crypto map newmap 200 match address 200
crypto map newmap 200 set peer *.*.*.*
crypto map newmap 200 set transform-set caset
crypto map newmap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400


Here is the config that is working

crypto ipsec transform-set esp-3des-md5 esp-3des esp-md5-hmac
crypto map outside_map 30 ipsec-isakmp
crypto map outside_map 30 match address vpn
crypto map outside_map 30 set peer *.*.*.*
crypto map outside_map 30 set transform-set esp-3des-md5
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400Start Free Trial
 
Keywords: Pix to Netscreen VPN
Title
1 Pix to Pix VPN
2 adding 2nd VPN to PIX
3 PIX AND ISA IPSEC VPN
4 Remote access to a Pix from a Pix prot…
5 PIX
6 pix VPN
 
Loading Advertisement...
 
[+][-]12.21.2006 at 10:00AM PST, ID: 18182039

At Experts Exchange, members can ask their questions to thousands of technology professionals, also known as Experts. Experts compete and collaborate to answer those questions by leaving comments like this one.

Start your 7-day free trial to view this Expert Comment or ask the Experts your question.

 
[+][-]12.22.2006 at 06:00AM PST, ID: 18186857

At Experts Exchange, members can ask their questions to thousands of technology professionals, also known as Experts. Experts compete and collaborate to answer those questions by leaving comments like this one.

Start your 7-day free trial to view this Expert Comment or ask the Experts your question.

 
[+][-]12.22.2006 at 06:04AM PST, ID: 18186869

View this solution now by starting your 7-day free trial. Setting up your free trial is quick, easy, and secure. We will return you to this solution, unlocked, when you're done.

 

About this solution

Zones: Virtual Private Networking (VPN), IPSec Security Protocol, Cisco PIX Firewall
Tags: netscreen, vpn, pix
Sign Up Now!
Solution Provided By: lrmoore
Participating Experts: 2
Solution Grade: B
 
 
[+][-]12.22.2006 at 06:47AM PST, ID: 18187119

At Experts Exchange, members can ask their questions to thousands of technology professionals, also known as Experts. Experts compete and collaborate to answer those questions by leaving comments like this one.

Start your 7-day free trial to view this Expert Comment or ask the Experts your question.

 
 
Loading Advertisement...
20080716-EE-VQP-32