SSG 550 Site-to-Site with Cisco VPN 3015



  • I’m trying to establish a VPN tunnel with a customer who has a Juniper Netscreen SSG 550. We have a Cisco VPN 3015 at our location.

    My customer needs to connect with networks:

    10.20.30.0/24
    10.20.40.0/24
    10.50.0.0/16
    10.51.0.0/16
    10.20.50.0/24
    (there’s more than this…just keeping it short)

    To the following on my end:

    10.100.10.4/32
    10.100.10.5/32
    172.20.30.2/32
    44.199.27.20/32
    44.199.27.21/32
    44.199.27.22/32
    (again, there’s more, just trying to keep it short)

    However, when he configures the Proxy ID, that is the only thing that can connect. For example, if he was to configure the Proxy ID on his side for 10.20.30.0/24 and my side as 10.100.10.4/32, then the tunnel will build and everything will work FOR THAT NETWORK AND HOST ONLY.

    I’ve asked about turning it off, hoping that it will pass the network that it’s coming from, and that doesn’t work. He’s also configured it with all 0s (0.0.0.0), and it passes that as the Source and Destination.

    So, my question: how do I get the NetScreen SSG 550 configured to use more than one host and/or network so that it matches the Cisco network lists, which are used to filter approved traffic? I’m trying to help him out, as he’s been working on this for almost 4 days and I’ve been involved for the last 2…

    Thanks for any assistance you can provide.



  • Yeah, I had the same problem before. Solution: don’t set the proxy-ID on the NetScreen side; use policy-based VPNs, not route-based.



  • I think the issue here, and I am encountering the same problem, is that the PIX is picky about proxy-IDs. If the IDs don’t match, Phase 2 can’t complete. The NetScreen may not care, but the PIX does. Any ideas?

    disco

    I am using a 515E, BTW, with the same problems.



  • Use a route-based VPN. Proxy-IDs are not needed - just set up the routes accordingly.
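The behaviour in the question (one proxy-ID pair configured, one network-to-host pair passing) is what IKEv1 quick mode gives you: each Phase 2 SA carries exactly one local/remote traffic selector pair, so mirroring a Cisco network list entry-for-entry means one SA per combination. The script below is an added example, not from this thread or from Juniper or Cisco; it takes the (truncated) network lists from the question, refuses overlapping selectors on either side, enumerates the proxy-ID pairs, and emits one ScreenOS policy pair per proxy ID for a policy-based VPN, where each policy derives its own Phase 2 proxy ID from its source and destination address-book entries. The zone names, VPN object name, policy IDs and the exact ScreenOS command syntax are assumptions to check against the running firmware.

```python
"""Enumerate IKEv1 Phase 2 proxy-ID pairs for a NetScreen <-> Cisco tunnel and
emit one ScreenOS policy pair per proxy ID.

Added example (not from the original thread). The network lists are copied
from the question; zone names, VPN name, policy IDs and CLI syntax are assumed.
"""
import ipaddress
from itertools import combinations
from typing import List, Tuple

IPNet = ipaddress.IPv4Network

# Constructed from the question's lists (both were truncated in the post).
NETSCREEN_NETS = ["10.20.30.0/24", "10.20.40.0/24", "10.50.0.0/16",
                  "10.51.0.0/16", "10.20.50.0/24"]
CISCO_NETS = ["10.100.10.4/32", "10.100.10.5/32", "172.20.30.2/32",
              "44.199.27.20/32", "44.199.27.21/32", "44.199.27.22/32"]


def parse_nets(cidrs: List[str]) -> List[IPNet]:
    # strict=True rejects host bits set under the mask (e.g. 10.20.30.1/24):
    # a selector typed that way on one side never matches the peer's proxy ID.
    return [ipaddress.IPv4Network(c, strict=True) for c in cidrs]


def overlapping(nets: List[IPNet]) -> List[Tuple[IPNet, IPNet]]:
    # Two selectors on the same side that overlap (10.20.0.0/16 and 10.20.30.0/24)
    # leave it to the gateway which SA a packet lands in; flag them before
    # generating any config.
    return [(a, b) for a, b in combinations(nets, 2) if a.overlaps(b)]


def proxy_id_pairs(local: List[IPNet], remote: List[IPNet]) -> List[Tuple[IPNet, IPNet]]:
    # One quick-mode SA carries one local/remote selector pair, so matching
    # the Cisco network lists entry-for-entry needs len(local) * len(remote) SAs.
    return [(l, r) for l in local for r in remote]


def _addr_name(prefix: str, net: IPNet) -> str:
    # Address-book name without "/" so it is safe as a ScreenOS object name.
    return f"{prefix}_{net.network_address}_{net.prefixlen}"


def screenos_config(local: List[IPNet], remote: List[IPNet], vpn: str = "vpn_cisco",
                    from_zone: str = "Trust", to_zone: str = "Untrust",
                    first_policy_id: int = 100) -> List[str]:
    # Assumed ScreenOS policy-based VPN syntax. Each outbound/inbound policy
    # pair references the same VPN object; the proxy ID for that pair's Phase 2
    # SA comes from the policy's source and destination addresses.
    lines = []
    for n in local:
        lines.append(f'set address "{from_zone}" "{_addr_name("local", n)}" '
                     f'{n.network_address} {n.netmask}')
    for n in remote:
        lines.append(f'set address "{to_zone}" "{_addr_name("remote", n)}" '
                     f'{n.network_address} {n.netmask}')
    pid = first_policy_id
    for l, r in proxy_id_pairs(local, remote):
        ln, rn = _addr_name("local", l), _addr_name("remote", r)
        lines.append(f'set policy id {pid} from "{from_zone}" to "{to_zone}" '
                     f'"{ln}" "{rn}" "ANY" tunnel vpn "{vpn}"')
        lines.append(f'set policy id {pid + 1} from "{to_zone}" to "{from_zone}" '
                     f'"{rn}" "{ln}" "ANY" tunnel vpn "{vpn}"')
        pid += 2
    return lines


def build(netscreen_cidrs: List[str] = NETSCREEN_NETS,
          cisco_cidrs: List[str] = CISCO_NETS) -> List[str]:
    local, remote = parse_nets(netscreen_cidrs), parse_nets(cisco_cidrs)
    for side, nets in (("NetScreen", local), ("Cisco", remote)):
        bad = overlapping(nets)
        if bad:
            raise ValueError(f"{side} side has overlapping selectors: {bad}")
    return screenos_config(local, remote)


if __name__ == "__main__":
    pairs = proxy_id_pairs(parse_nets(NETSCREEN_NETS), parse_nets(CISCO_NETS))
    print(f"# {len(pairs)} Phase 2 proxy-ID pairs (one SA each)")
    print("\n".join(build()))
```

With the five customer networks and six local hosts from the question this already comes to 30 proxy-ID pairs (60 policies); the full lists the poster elided would push that higher, which is the practical reason the later replies steer toward a route-based tunnel with a single 0.0.0.0/0 selector pair, at the cost of having the Cisco side accept that selector instead of its per-network list.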

