Cisco to 5GT VPN

  • Hi, I’ve been tearing my hair out trying to get an IPSEC  tunnel up between a Cisco 2600 and a 5GT. Phase 1 comes up fine
    but then there is a clash when it comes to the transform sets
    even thouth it looks very much like both ends are the same.

    Is there something I should know before I waste any more time on this ?


  • Thanks chaps for your replies, will have another go. HNY

  • Hi,

    I would add a Proxy ID on the NS5-GT side that matches the ACL on the Cisco Router.  This has worked for us in the past.



  • The biggest problem I’ve had with Cisco–NEtScreen VPNs is that Cisco does not generate the proper transform.  It depends on who is the IKE initiator.  Cisco will accept various transform sets even though you didn’t tell it to.  NetScreen (properly) only accepts what you say to.  Check your PFS settings since even though you may have said on the NetScreen side use PFS (Diffie Hellman Group 2 or so), the Cisco side by default is set up for NOPFS…

    Create a new Phase 2 transform on the NetScreen for NOPFS, or make the Cisco side really send out a Phase 2 transform that works.

    It’s easy to catch this in the NetScreen debugging as well:  (from CLI) set an SA-filter for the IP address involved, turn on debugging for IKE detail, then look at the dbuffer after an attempt to bring up the tunnel.  You’ll see exactly what transforms they are sending and what you are expecting as well.  Very handy.

    Good luck.

  • Engineer

    There seem to be a lot of resources floating around the net claiming success - e.g.

    What have you tried? What errors/log messages are you getting? Did you use the VPN Resolution guide over at Juniper?