daemon@ATHENA.MIT.EDU (Michael Ruiz)
Fri Jul 8 15:47:42 2011
From: Michael Ruiz <mruiz@lstfinancial.com>
To: "nanog@nanog.org" <nanog@nanog.org>
Date: Fri, 8 Jul 2011 19:46:53 +0000
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Hello All,
I have been working for two days trying to get an ASA to set up a VPN tunnel to an SSG-550. I have the VPN tunnel set up and ready to go on the ASA. I ran a Debug crypto IPSec 200 and crypto ikev1 200. I do the command ping PRIVATE <ip address> and I get in the console
Sending 5, 100-byte ICMP Echos to 10.1.4.81, timeout is 2 seconds:
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=10.20.1.2, sport=29733, daddr=10.1.4.81, dport=29733
IPSEC(crypto_map_check)-5: Checking crypto map CARIBOU-VPN-1 10: skipping incomplete map. No peer, access-list or transform-set specified.
IPSEC(crypto_map_check)-1: Error: No crypto map matched.
From my understanding this is caused by the crypto map not being able to establish a tunnel to the Juniper.
On my Juniper configuration I have built the Gateway and set the Phase 1 Proposal to "pre-g2-3des-md5" followed by "pre-g2-3des-sha".
For the VPN configuration I use the predefined gateway configuration.
Under the advanced button, I use the predefined of "compatible" and the Phase 2 Proposal "nopfs-esp-3des" followed by "nopfs-esp-3des".
The proxy id is the local IP / Network block and the remote IP network block is the destination IP block. The only part that has me wondering is that the Juniper has multiple zones, i.e. a DMZ, Trust, and Untrust. Each Zone has its own IP block that is assigned to it. I have entered a policy into one of the zones, i.e. Untrust to Trust, input source block, destination block, specified it is a tunnel, set for bi-directional entry and that should be it.
Any help in this as always will be greatly appreciated. Thank you.
Thank You,
MAR