Juniper SSG5 IPsec VPN to Cisco ASA

  • Hi,
    I have some questions about creating a IPsec VPN between SSG5 and ASA. Our SSG has outgoing eth0/1- untrusted zone ,and eth0/5  from trusted .There is no NAT  . The traffic is routed from Ip1(Eth0/1) to Ip2(Eth0/5) .My boss want to create a ipsec VPN via internet from our costumer (cisco ASA) to application running on host connected to eth0/5. I read junos howto ,and i think the policy based VPN is the best way, but I am afraid to create it, because Eth0/1 is our outside interface and all real traffic comes from it.
    Is this a way to re-route all traffic by mistake and how I make it safetly?
    I apologize if the question is stupid, but I am inexpert in networking.
    Thanks in advance

  • I fixed it. The problem was in me. The policy I created has been in incorrect order. When you create a policy, it is important to pay attention where it is placed. 🙂

  • Hi again,
    I createed a policy-based site-to-site VPN between a Juniper SSG5 and Cisco ASA ,but there is a problem.
    The tunnel comes up (Phase 2 completes). From Cisco to Jun has a ping, but in the Cisco error logs once the tunnel is up there is message:

    IPSEC: Received an ESP packet (SPI= 0xBBADD0EE, sequence number= 0x1A) from
    SiteAPublicIP (user= X.X.X.X) to SiteBPublicIP. The decapsulated inner packet
    doesn’t match the negotiated policy in the SA. The packet specifies its
    destination as SiteBPublicIP, its source as SiteAPublicIP, and its protocol as
    1. The SA specifies its local proxy as and its
    remote_proxy as

    Unfortunately I haven’t cisco configuration.
    PS. I unchecked “rekey” and “VPN Monitor”  without success .

  • Hi, again.
    We already have policy which includes custumer peer end IP to our MIP. Is it possible to create second policy to the same destination to put traffic from this direction in ipsec VPN? Here is what I have done: I create tunnel.1 in untrusted zone bind it to eth0/1, set phase 1  and 2, check VPN monitor, the VPN has to be up even no traffic on it, but it is down?
    I am looking  for some auto fail over way, but i don’t know how to create it?