Trying to set up site-to-site VPN, Juniper to Cisco firewall



  • Hi, I hope you can help me, guys.
    For the last few days I have been trying to set up a site-to-site VPN.
    At one site everything is set up (not by me), got tested and works perfectly.
    I have all the settings of that site and I want to configure the same settings at my site in order for this VPN to work.

    The settings are like this (I changed the numbers a bit, of course):

    Site A (unconfigured site):
    trust 192.168.10.0/24 (eth 0/2)
    untrust 80.170.80.2 (eth 0/0)

    Site B (configured):
    internal 192.168.1.0/24
    firewall external 60.60.60.2

    The settings I need to set are:
    PHASE 1
    Peer 60.60.60.2
    Pre-shared key: mypassword
    Encryption - 3DES
    Hash - MD5
    DH - 2
    lifetime - 86400

    PHASE 2
    Encryption - 3DES
    Hash - MD5
    PFS - disable
    Lifetime - 28800
    Local lan: 192.168.10.0/24
    Remote lan: 192.168.1.0/24

    I tried doing the following:
    1. Network > Interfaces > Edit:
    Trust Static IP, Address/Netmask: 192.168.10.0/24  (nat) eth 0/2
    Untrust Static IP, Address/Netmask: 80.170.80.2/24  (route) eth 0/0

    2. VPNs > Auto Key Advanced > Gateway > New
    Gateway Name: CGW
    Remote Gateway Type
    Static IP Address/Hostname: 60.60.60.2
    Preshared Key: mypassword
    IKEv1 (maybe I need 2?!)
    Outgoing Interface: ethernet0/0

    pre-g2-3des-md5
    Mode (Initiator): Main (ID Protection)

    3. VPNs > Auto Key IKE > New
    VPN Name: CVPN
    Remote Gateway Predefined: CGW

    Security Level Predefined: nopfs-3des-md5
    Bind to: None
    Then click OK.

    4. Policy > Policies >
    Source: 192.168.10.0/24
    Destination: 192.168.1.0/24

    Service: ANY
    Action: Tunnel
    Tunnel: CVPN
    Checked Modify matching bidirectional VPN policy

    I checked with get sa and I saw it is inactive.

    I don't know how to check where exactly the problem is because I'm not familiar with this firewall.
    I guess there is a way to check if it fails in Phase 1 or Phase 2.

    Can you please fix my configuration and tell me how to check in a more detailed way where my problem is?

    Thanks a lot,

    Oren
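
For reference, here is the configuration from the post above expressed as ScreenOS CLI, followed by the commands that show whether Phase 1 or Phase 2 is failing. This is an added example, not part of the original post. The Trust host address 192.168.10.1/24 and the policy IDs 10 and 11 are assumptions; the custom proposal names are chosen here so that the Phase 1 and Phase 2 lifetimes match the values the remote side lists (the predefined pre-g2-3des-md5 and nopfs-3des-md5 proposals have their own default lifetimes).

```text
# --- Added example: ScreenOS CLI equivalent of the posted WebUI steps ---
# Assumption: the Trust interface needs a host address, not the network
# address 192.168.10.0/24, so 192.168.10.1/24 is used here.
set interface ethernet0/2 zone "Trust"
set interface ethernet0/2 ip 192.168.10.1/24
set interface ethernet0/2 nat
set interface ethernet0/0 zone "Untrust"
set interface ethernet0/0 ip 80.170.80.2/24
set interface ethernet0/0 route

# Phase 1 proposal matching the remote side: pre-shared key, DH group 2,
# 3DES, MD5, lifetime 86400 s. 3DES/MD5/DH group 2 are used only because the
# remote side requires them; for a new deployment use AES, SHA-2 and DH group
# 14 or higher on both ends.
set ike p1-proposal "p1-3des-md5-g2-86400" preshare group2 esp 3des md5 second 86400

# Phase 2 proposal matching the remote side: no PFS, 3DES, MD5, lifetime 28800 s.
set ike p2-proposal "p2-nopfs-3des-md5-28800" no-pfs esp 3des md5 second 28800

# IKEv1 gateway, Main mode, bound to the outgoing Untrust interface.
set ike gateway "CGW" address 60.60.60.2 Main outgoing-interface ethernet0/0 preshare "mypassword" proposal "p1-3des-md5-g2-86400"

# VPN tunnel on that gateway. The explicit proxy-id must mirror the Cisco
# crypto ACL exactly (local 192.168.10.0/24 <-> remote 192.168.1.0/24);
# a proxy-id mismatch fails Phase 2 even when Phase 1 is up.
set vpn "CVPN" gateway "CGW" no-replay tunnel idletime 0 proposal "p2-nopfs-3des-md5-28800"
set vpn "CVPN" proxy-id local-ip 192.168.10.0/24 remote-ip 192.168.1.0/24 "ANY"

# Address book entries and one tunnel policy per direction.
# Assumption: policy IDs 10 and 11 are free.
set address "Trust" "LAN-A" 192.168.10.0 255.255.255.0
set address "Untrust" "LAN-B" 192.168.1.0 255.255.255.0
set policy id 10 from "Trust" to "Untrust" "LAN-A" "LAN-B" "ANY" tunnel vpn "CVPN" log
set policy id 11 from "Untrust" to "Trust" "LAN-B" "LAN-A" "ANY" tunnel vpn "CVPN" log
save

# --- Troubleshooting: which phase fails? ---
# Phase 1: a cookie entry for 60.60.60.2 means Phase 1 completed.
get ike cookie
# Phase 2: the CVPN SA shown as A/- is active; I/I means inactive
# (nothing negotiated yet, or the negotiation failed).
get sa
# IKE negotiation messages (event type 536) say which proposal or ID
# the peer rejected.
get event type 536
# Live IKE trace: clear the buffer, enable, generate interesting traffic
# (ping a host in 192.168.1.0/24 from the LAN), stop, then read the buffer.
clear db
debug ike detail
undebug all
get db stream
```

If get ike cookie is empty, Phase 1 is failing: compare the pre-shared key, DH group, encryption and hash with the peer and check that 60.60.60.2 sees the negotiation coming from 80.170.80.2. If the cookie exists but get sa stays at I/I, Phase 2 is failing: compare the proxy-id with the Cisco crypto ACL and the PFS and transform settings.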



  • I implemented some configuration between Juniper and Cisco…
    I just followed the site-to-site policy-based VPN configuration on Juniper's site… KB… It seemed straightforward.

    Sometimes… Cisco does a double NAT translation… which causes the problem…

    You may check if you have a double NAT.

