Hello,
I've been trying to set up the following configuration:
192.168.67.1/32----CISCO2600-------------------J6350-----11.11.11.11/32
192.168.67.2/32----/
I am trying to set up IPSec between those two devices. I've got a single access list on the Cisco which states, i.e.:
permit host 192.168.67.1 host 11.11.11.11
permit host 192.168.67.2 host 11.11.11.11
On the Juniper I've got two route-based VPNs with the same configuration except for the tunnel interfaces and proxy-IDs. To make things harder, the 11.11.11.11 LAN exists in a routing-instance. One tunnel interface (st0.0) goes up but the second (st0.1) doesn't.
How can I fix this configuration? Is it possible? I would follow with a policy-based VPN but AFAIK it is not possible with the tunnel interface in another routing-instance. Correct me if I am wrong.
Thanks in advance
Hi,
I think you want the Firewall Group. This is for client based SSLVPN.
On a side note though, I have a Juniper tunnel between SSG550's and an older PIX. I had to set up policy-based VPNs to make this work. Never got the route-based one to work from Cisco to Juniper.
Good Luck,
Justin
Ok, I got rid of the routing-instance and set up policy-based IPSec. However, I am still able to ping only a single address.
This is the relevant part of my configuration:
IPSec:
proposal IPSEC_PROP_R1 {
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 3600;
}
policy IPSEC_POL_R1 {
    perfect-forward-secrecy {
        keys group2;
    }
    proposals IPSEC_PROP_R1;
}
vpn VPN_AVANGARD_TO_R1 {
    df-bit clear;
    ike {
        gateway R1_GATEWAY;
        ipsec-policy IPSEC_POL_R1;
    }
    establish-tunnels immediately;
}
Policy:
from-zone AVANGARD_ZONE to-zone INTERNET_ZONE {
    policy VPN_FROM_AVANGARD_TO_R1 {
        match {
            source-address 11.11.11.11/32;
            destination-address 192.168.67.1/32;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn VPN_AVANGARD_TO_R1;
                }
            }
        }
    }
    policy VPN_FROM_AVANGARD_TO_R1_2 {
        match {
            source-address 11.11.11.11/32;
            destination-address 192.168.67.2/32;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn VPN_AVANGARD_TO_R1;
                }
            }
        }
    }
}
I am able to ping only host 192.168.67.1 from 11.11.11.11. In the Cisco debug output I get:
_no IPSEC cryptomap exists for local address 195.88.186.243
My Cisco ACL looks like this:
Extended IP access list IPSEC_TO_JUNIPER
    10 permit ip host 192.168.67.1 host 11.11.11.11
    20 permit ip host 192.168.67.2 host 11.11.11.11
Is there any way to work around this issue?
Thanks in advance!
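As an added example (not from the thread or either vendor), a small Python check that parses the two fragments posted above and lists the Phase 2 selector pairs each side will propose: every Cisco crypto ACL entry and every Juniper tunnel policy yields one (local, remote) proxy-ID pair, and the two peers must mirror each other. It also reports which policies tunnel through the same ipsec-vpn object, which is worth knowing when only one of two selectors passes traffic. The regexes assume the exact layout of the posted fragments, not the full Junos or IOS grammar.

```python
import re

# Constructed copies of the two fragments posted in the thread: the Junos
# tunnel policies (whitespace-flattened, as posted) and the Cisco ACL.
JUNOS_POLICIES = """from-zone AVANGARD_ZONE to-zone INTERNET_ZONE {
policy VPN_FROM_AVANGARD_TO_R1 { match { source-address 11.11.11.11/32;
destination-address 192.168.67.1/32; application any; } then { permit {
tunnel { ipsec-vpn VPN_AVANGARD_TO_R1; } } } }
policy VPN_FROM_AVANGARD_TO_R1_2 { match { source-address 11.11.11.11/32;
destination-address 192.168.67.2/32; application any; } then { permit {
tunnel { ipsec-vpn VPN_AVANGARD_TO_R1; } } } } }"""

CISCO_ACL = """Extended IP access list IPSEC_TO_JUNIPER
    10 permit ip host 192.168.67.1 host 11.11.11.11
    20 permit ip host 192.168.67.2 host 11.11.11.11"""

# Minimal patterns for the posted layout (assumption: one match block per
# policy, host-only ACEs); not a general Junos/IOS parser.
POLICY_RE = re.compile(
    r"policy\s+(\S+)\s*\{\s*match\s*\{\s*source-address\s+(\S+);\s*"
    r"destination-address\s+(\S+);.*?ipsec-vpn\s+(\S+);", re.S)
ACE_RE = re.compile(r"permit\s+ip\s+host\s+(\S+)\s+host\s+(\S+)")

def junos_selectors(text):
    """{(local, remote): [(policy, vpn)]}: a tunnel policy's source is the
    SRX's local proxy-ID and its destination the remote proxy-ID."""
    out = {}
    for name, src, dst, vpn in POLICY_RE.findall(text):
        out.setdefault((src, dst), []).append((name, vpn))
    return out

def cisco_selectors(text):
    """{(local, remote)} from each ACE of the crypto ACL, as /32 hosts."""
    return {(f"{src}/32", f"{dst}/32") for src, dst in ACE_RE.findall(text)}

def compare(junos_text, cisco_text):
    junos = junos_selectors(junos_text)
    # Cisco's (local, remote) must mirror Juniper's (remote, local).
    mirrored = {(r, l) for l, r in cisco_selectors(cisco_text)}
    report = {"matched": sorted(set(junos) & mirrored),
              "juniper_only": sorted(set(junos) - mirrored),
              "cisco_only": sorted(mirrored - set(junos))}
    by_vpn = {}  # policies that share one ipsec-vpn object
    for entries in junos.values():
        for name, vpn in entries:
            by_vpn.setdefault(vpn, []).append(name)
    report["shared_vpn"] = {v: sorted(n) for v, n in by_vpn.items() if len(n) > 1}
    return report

if __name__ == "__main__":
    for key, value in compare(JUNOS_POLICIES, CISCO_ACL).items():
        print(f"{key}: {value}")
```

For the posted configs the selectors mirror each other exactly, so any remaining difference lies in how the two peers map those selectors onto SAs rather than in the addresses themselves.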