NS-25 to Cisco ASA VPN

    Anyone have experience with Netscreen to Cisco ASA?  I have configured NS-25 to Cisco Pix and VPN concentrators without any huge issues.  Typically, we run into Proxy ID mismatches or issues with the PSK.

    We have a client that uses Cisco ASA without much experience configuring it.  So, I am looking for any pointers or advice.

  • Easiest way is to use policy-based VPNs and make sure proxy ID and P1/P2 proposals match. I’ve done many, many ASA to ScreenOS 5.4+ without any problems as long as all the configs match.

    The only thing you can do then, I think, is to configure multiple Phase 2s on one Phase 1, each matching one encryption domain from the other party.

  • Thanks.  The problem is that the other side defines multiple encryption domains and doesn’t offer the proxy-id in the exchange.

    In advanced options of auto-key IKE VPN (Phase II settings) you can set your proxy ID manually. Normally it’s taken from your policy (policy-based VPN) or all zeros (route-based VPN). It doesn’t really matter much; as long as it matches the other side, the VPN will come up.

    Thanks.  We were able to build the tunnel, but the other engineer said there is no way to configure a Proxy ID.  I had to configure a policy for each subnet (4 total) in order for this to work.

    I dealt with it once. The “other party” configured it in such a way that the proxy ID was a range. That’s something we can’t match. So I asked them to allow just 1 IP address. Put this address on the tunnel interface, source-NATed all IPs behind this address, filled in the proxy ID with this address and a /32 mask. This worked.

    In general: just let the other side initiate the connection, look in the logs at what’s coming in, and match it.

    The one really important thing in IPsec is that the parameters must match the other side.

    Past versions of code from the two vendors tend to use different default values for P1 lifetimes.
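An added example, not from any poster in this thread, that turns the matching rule from the replies above (proposals identical on both sides, one proxy ID per encryption domain, no ranges, /32 means /32) into a mechanical check. The peer names, proposal values and subnets are constructed sample data; the ASA side lists four subnets, the NS-25 side has only three policies and a different Phase 1 lifetime, so the checker reports exactly those two gaps.

```python
"""Constructed checker: compare the IKE Phase 1 / IPsec Phase 2 proposals and
the proxy IDs (traffic selectors) of two IPsec peers and list every mismatch.
All peer names, parameters and subnets below are sample values made up for
this example, not taken from the thread."""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_network


@dataclass(frozen=True)
class ProxyId:
    """One Phase 2 traffic selector pair as seen from one peer."""
    local: IPv4Network
    remote: IPv4Network

    def swapped(self) -> "ProxyId":
        # The same selector as the other peer has to configure it.
        return ProxyId(self.remote, self.local)


@dataclass
class PeerConfig:
    name: str
    p1: dict          # IKE Phase 1 proposal (encryption, hash, DH group, lifetime)
    p2: dict          # IPsec Phase 2 proposal (encryption, auth, PFS, lifetime)
    proxy_ids: set = field(default_factory=set)


def proxy(local: str, remote: str) -> ProxyId:
    return ProxyId(ip_network(local), ip_network(remote))


def compare_proposals(a: dict, b: dict, phase: str) -> list:
    """Every proposal parameter must be identical on both sides."""
    return [f"{phase} {key}: {a.get(key)} vs {b.get(key)}"
            for key in sorted(set(a) | set(b)) if a.get(key) != b.get(key)]


def compare_proxy_ids(a: PeerConfig, b: PeerConfig) -> list:
    """A selector on one peer must exist on the other with local and remote
    swapped and with identical prefixes: a /24 that merely contains the
    peer's /32 is still a mismatch, and a range cannot be expressed at all."""
    problems = []
    for left, right in ((a, b), (b, a)):
        mirrored = {p.swapped() for p in right.proxy_ids}
        for p in sorted(left.proxy_ids - mirrored, key=str):
            problems.append(f"{left.name} proxy ID {p.local} -> {p.remote} "
                            f"has no counterpart on {right.name}")
    return problems


def check_tunnel(a: PeerConfig, b: PeerConfig) -> list:
    """Return all Phase 1, Phase 2 and proxy ID mismatches between two peers."""
    return (compare_proposals(a.p1, b.p1, "Phase 1")
            + compare_proposals(a.p2, b.p2, "Phase 2")
            + compare_proxy_ids(a, b))


def sample_peers():
    """Constructed scenario: the ASA side has four remote subnets in one
    crypto ACL (four selectors); the NS-25 side has only three policies and
    a different Phase 1 lifetime."""
    asa = PeerConfig(
        name="asa",
        p1={"encryption": "aes-256", "hash": "sha1", "dh_group": 2, "lifetime_s": 86400},
        p2={"encryption": "aes-256", "auth": "sha1", "pfs": None, "lifetime_s": 3600},
        proxy_ids={proxy("192.168.1.0/24", f"10.0.{n}.0/24") for n in range(1, 5)},
    )
    ns25 = PeerConfig(
        name="ns25",
        p1={"encryption": "aes-256", "hash": "sha1", "dh_group": 2, "lifetime_s": 28800},
        p2={"encryption": "aes-256", "auth": "sha1", "pfs": None, "lifetime_s": 3600},
        proxy_ids={proxy(f"10.0.{n}.0/24", "192.168.1.0/24") for n in range(1, 4)},
    )
    return asa, ns25


if __name__ == "__main__":
    for problem in check_tunnel(*sample_peers()):
        print(problem)
```

Running it prints the Phase 1 lifetime difference and the one ASA selector (10.0.4.0/24) that has no NS-25 policy; adding a fourth policy and aligning the lifetime empties the list. The proxy ID comparison is deliberately exact, since that is the rule the thread describes.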