Trying to set up site to site juniper to cisco firewall

  • hi, i hope you can help me guys
    for the last few days im tryin to set up a VPN from site to site
    in 1 site everything is set up (not by me) , got tested and works perfectly
    i have all the settings of that site and i wanna config the same settings in my site in order for this vpn to work

    the setting are like that (changed abit the numbers ofcourse):

    Site A (unconfigured site):
    trust (eth 0/2)
    untrust (eth 0/0)

    Site B (configured):
    firewall external

    the setting i need to set are:
    PHASE 1
    Pre-shared key: mypassword
    Encryption - 3DES
    Hash - MD5
    DH - 2
    lifetime - 86400

    PHASE 2
    Encryption -3DES
    Hash- MD5
    PFS - disable
    Lifetime- 28800
    Local lan:
    Remote lan:

    i tried doing the following:
    1.Network > Interfaces > Edit:
    Trust Static IP, Address/Netmask:  (nat) eth 0/2
    Untrust Static IP, Address/Netmask:  (route) eth 0/0

    2.VPNs > Auto Key Advanced > Gateway > New
    Gateway Name: CGW
    Remote Gateway Type
    Static IP Address/Hostname:
    Preshared Key: mypassword
    ikev1 (maybe i need 2?!)
    Outgoing Interface: ethernet0/0

    Mode (Initiator): Main (ID Protection)

    3. VPNs > Auto Key IKE > New
    VPN Name: CVPN
    Remote Gateway Predefined: CGW

    Security Level Predefined: nopfs-3des-md5
    Bind to: None
    Then click OK.

    4. Policy>Policies >
    Source :

    Service: ANY
    Action: Tunnel
    Tunnel: CVPN
    Checked Modify matching bidirectional VPN policy

    i checked with get sa and i saw it is inactive

    i dunno how to check where exactly is the problem cause im not familiar with this firewall
    i guess there is a way to check if it fails in phrase1 or phrase2.

    can you please fix my configuration and tell me how to check in more detailed way where is my problem?

    thanks alot,


  • i implemented some configuration between juniper and cisco…
    i just follow the site to site policy based vpn configuration on junipers site… - KB…it seemed straight forward.

    sometimes…cisco does a double NAT translation…which causing the problem…

    you may check if you have a double NAT.