Hi all,
I am writing about the following. I need to create a VPN from an SRX210B to a PIX535, and I have configured it.
show
## Last changed: 2011-09-29 10:21:28 UTC
version 10.0R3.10;
system {
    host-name ROU-PLATCO;
    root-authentication {
        encrypted-password "$1$WOzy96.aaaaaaaaaaaaaaaaaa5lwc6Oy1"; ## SECRET-DATA
    }
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    services {
        ssh;
        telnet;
        web-management {
            http {
                interface vlan.0;
            }
            https {
                system-generated-certificate;
                interface vlan.0;
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
        }
    }
}
interfaces {
    interface-range interfaces-trust {
        member ge-0/0/1;
        member fe-0/0/3;
        member fe-0/0/4;
        member fe-0/0/5;
        member fe-0/0/6;
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/0 {
        unit 0;
    }
    fe-0/0/7 {
        speed 100m;
        link-mode full-duplex;
        unit 0 {
            family inet {
                address 10.0.16.3/24;
            }
        }
    }
    e1-1/0/0 {
        encapsulation cisco-hdlc;
        e1-options {
            framing g704;
        }
        unit 0 {
            family inet {
                address 192.168.41.222/30;
            }
        }
    }
    st0 {
        unit 0 {
            family inet;
        }
    }
}
routing-options {
    static {
        route 206.49.166.0/24 next-hop st0.0;
    }
}
security {
    ike {
        proposal P1-3DES {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 1440;
        }
        policy IKE-POLICY-1 {
            mode main;
            proposals P1-3DES;
            pre-shared-key ascii-text "$9$7RNwwwwwwww-Vws4ZUDkQ36"; ## SECRET-DATA
        }
        gateway GW-1 {
            ike-policy IKE-POLICY-1;
            address 192.168.41.221;
            external-interface e1-1/0/0.0;
        }
    }
    ipsec {
        proposal P2-3DES {
            protocol esp;
            authentication-algorithm hmac-md5-96;
            encryption-algorithm 3des-cbc;
        }
        policy IPSEC-POLICY-1 {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals P2-3DES;
        }
        vpn VPN-1 {
            bind-interface st0.0;
            ike {
                gateway GW-1;
                ipsec-policy IPSEC-POLICY-1;
            }
            establish-tunnels immediately;
        }
    }
    zones {
        security-zone untrust {
            host-inbound-traffic {
                system-services {
                    ping;
                    ike;
                    all;
                }
            }
            interfaces {
                e1-1/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            ike;
                            all;
                        }
                    }
                }
            }
        }
        security-zone trust {
            address-book {
                address LAN 10.0.16.0/24;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                fe-0/0/7.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
                st0.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy untrust-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
[edit]
I don't have skills with VPN. The topology is the following:
SRX--->Router Cisco--->PIX
These are the configuration parameters:
IKE - Hashing algorithm :IKE/3DES/SHA-1/DH2/Aggressive mode=no
IKE - SA lifetime :1440sec
Initial mode :Main mode
IPSEC :ESP
IPSEC - ESP Encryption Algorithm :3DES
IPSEC - Hashing algorithm :MD5
IPSEC - SA time lifetime :3600sec
IPSEC - PFS :No (It is possible to change it)
Compression :None
Authentication (pre-share only)
Pre-shared (provided by phone)
Protocol :IP
When I run the command show security ike security-association detail, these are the results:
IKE peer 206.49.166.253, Index 52,
Role: Initiator, State: DOWN
Initiator cookie: ac99e923555018cb, Responder cookie: 0000000000000000
Exchange type: Main, Authentication method: Pre-shared-keys
Local: 192.168.41.222:500, Remote: 206.49.166.253:500
Lifetime: Expires in 1331 seconds
Algorithms:
Authentication : unknown
Encryption : unknown
Pseudo random function: unknown
Traffic statistics:
Input bytes : 0
Output bytes : 1300
Input packets: 0
Output packets: 5
IPSec security associations: 0 created, 0 deleted
Phase 2 negotiations in progress: 0
The VPN is DOWN, I don't know what to do...
Help me please.
Thanks,
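As an added illustration (not part of the post above, and not Juniper or Cisco code), here is a small Python parser for the `show security ike security-association detail` output quoted in the post; it extracts the state, responder cookie and packet counters and turns them into the findings worth checking first when phase 1 never comes up. The sample text is the output from the post, embedded inline.

```python
import re

# Constructed sample: the "show security ike security-association detail"
# output quoted in the post above, embedded so the script runs offline.
SAMPLE = """\
IKE peer 206.49.166.253, Index 52,
Role: Initiator, State: DOWN
Initiator cookie: ac99e923555018cb, Responder cookie: 0000000000000000
Exchange type: Main, Authentication method: Pre-shared-keys
Local: 192.168.41.222:500, Remote: 206.49.166.253:500
Lifetime: Expires in 1331 seconds
Algorithms:
Authentication : unknown
Encryption : unknown
Pseudo random function: unknown
Traffic statistics:
Input bytes : 0
Output bytes : 1300
Input packets: 0
Output packets: 5
IPSec security associations: 0 created, 0 deleted
Phase 2 negotiations in progress: 0
"""

def parse_ike_sa(text):
    """Extract the phase-1 fields that matter for troubleshooting."""
    def grab(pattern, conv=str):
        m = re.search(pattern, text)
        return conv(m.group(1)) if m else None
    return {
        "peer": grab(r"IKE peer (\S+),"),
        "state": grab(r"State: (\w+)"),
        "responder_cookie": grab(r"Responder cookie: ([0-9a-fA-F]+)"),
        "in_packets": grab(r"Input packets:\s*(\d+)", int),
        "out_packets": grab(r"Output packets:\s*(\d+)", int),
    }

def diagnose(sa):
    """Turn state and counters into findings, in the order worth checking."""
    findings = []
    if sa["state"] != "UP":
        findings.append("phase1-down")
    if sa["out_packets"] and sa["in_packets"] == 0:
        # Main-mode packets left the SRX but nothing came back on UDP/500.
        findings.append("no-reply-from-peer")
    if sa["responder_cookie"] and set(sa["responder_cookie"]) == {"0"}:
        # All-zero responder cookie: the peer never answered message 1, so
        # check reachability and filtering before proposal mismatches.
        findings.append("responder-never-answered")
    return findings
```

With the output from the post, `diagnose(parse_ike_sa(SAMPLE))` reports that the SRX sent five packets and received none, so the peer at 206.49.166.253 is not answering at all rather than rejecting a proposal.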