Security Basics mailing list archives
Cisco & Juniper vpn remote client problem
From: "Rajaie Issaid" <rajaie () palnet com>
Date: Thu, 13 Nov 2008 08:56:16 +0200
Hi,

I have an ADSL line connected through a Cisco 837 router, and behind the Cisco router there is an SSG140 with a virtual IP. The Cisco router has a fixed dialer IP, and its Ethernet interface has a virtual IP from the same subnet as the untrust zone of the Juniper. I have made static NAT translations for the following ports from the Cisco to the Juniper SSG140:

• TCP, UDP 50
• TCP 500
• TCP 11111, 11112, 42496

I have a laptop with a configured account for the Juniper NetScreen-Remote client, and I am trying to connect over the Internet to the SSG140. Unfortunately, I am encountering the following error log:

Initiating IKE Phase 1 (IP ADDR=real-ip-address)
SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID 6x)
RECEIVED<<< ISAKMP OAK AG (SA, VID 3x, KE, NON, ID, HASH)
Peer supports Dead Peer Detection Version 1.0
Dead Peer Detection enabled
Cannot match Phase 1 ID with Policy Entry: received ID IP ADDR=10.4.1.2
SENDING>>>> ISAKMP OAK INFO (HASH, NOTIFY:INVALID_ID_INFO)
Discarding IKE SA negotiation
MY COOKIE 54 1b 33 29 6c 14 41 51
HIS COOKIE 66 ec df 8 6 5a ba a7
RECEIVED<<< ISAKMP OAK AG (SA, VID 3x, KE, NON, ID, HASH)
Received message for non-active SA

(The IP address of the SSG140 outside interface is 10.4.1.2, the IP address of the Cisco Ethernet interface is 10.4.1.1, NAT on the Cisco is done for the whole subnet, and static NAT is done for the ports mentioned above.)

Whenever I give the laptop an IP from the virtual subnet between the Juniper and the Cisco, the remote client connects without a problem. I am almost convinced that it is a NAT traversal issue, but did I miss something?

Regards
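The client log above is a textbook IKE Phase 1 aggressive-mode failure: the client dials the gateway's public address, but the gateway identifies itself with its own (pre-NAT) interface address 10.4.1.2, the client cannot match that ID against its policy entry, and it answers with NOTIFY INVALID_ID_INFO and discards the SA. The second RECEIVED line is the gateway's retransmission arriving after the client has already torn the negotiation down ("non-active SA"). The following Python script is an added example, not code from the post or from Juniper; it parses NetScreen-Remote style log lines and classifies the failure. The function names, the diagnostic rule, and the placeholder 203.0.113.10 standing in for the post's "real-ip-address" are this example's own assumptions, and the sample log is constructed from the lines quoted in the post. As a caveat on the port list in the post that a practitioner would want: ESP is IP protocol 50, not a TCP or UDP port, IKE runs over UDP 500, and IKE NAT-Traversal uses UDP 4500.

```python
"""Parse NetScreen-Remote style IKE client log lines and diagnose a Phase 1
ID mismatch caused by a gateway sitting behind NAT.

Added example (not from the mailing-list post). The sample log below is
constructed from the lines quoted in the post; 203.0.113.10 is an assumed
placeholder for the poster's "real-ip-address".
"""
import ipaddress
import re
from typing import Dict, List

# Constructed sample, reconstructed from the post (peer address is a placeholder).
SAMPLE_LOG = """\
Initiating IKE Phase 1 (IP ADDR=203.0.113.10)
SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID 6x)
RECEIVED<<< ISAKMP OAK AG (SA, VID 3x, KE, NON, ID, HASH)
Peer supports Dead Peer Detection Version 1.0
Dead Peer Detection enabled
Cannot match Phase 1 ID with Policy Entry: received ID IP ADDR=10.4.1.2
SENDING>>>> ISAKMP OAK INFO (HASH, NOTIFY:INVALID_ID_INFO)
Discarding IKE SA negotiation
RECEIVED<<< ISAKMP OAK AG (SA, VID 3x, KE, NON, ID, HASH)
Received message for non-active SA
"""

RE_INIT = re.compile(r"^Initiating IKE Phase 1 \(IP ADDR=(?P<peer>[\d.]+)\)")
RE_MSG = re.compile(r"^(?P<dir>SENDING>+|RECEIVED<+)\s+ISAKMP OAK (?P<exch>\w+) \((?P<payloads>.*)\)")
RE_MISMATCH = re.compile(r"^Cannot match Phase 1 ID with Policy Entry: received ID IP ADDR=(?P<rid>[\d.]+)")
RE_STALE = re.compile(r"^Received message for non-active SA")

# ISAKMP exchange abbreviations used by the client log (assumed mapping).
EXCHANGE_NAMES = {"AG": "aggressive", "MM": "main", "QM": "quick", "INFO": "informational"}

# RFC 1918 ranges, checked explicitly rather than via ipaddress.is_private,
# which also treats documentation ranges such as 203.0.113.0/24 as private.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_ike_log(text: str) -> List[Dict]:
    """Turn each log line into a small event dict; unknown lines are kept as 'other'."""
    events: List[Dict] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := RE_INIT.match(line)):
            events.append({"kind": "initiate", "peer": m["peer"]})
        elif (m := RE_MSG.match(line)):
            payloads = [p.strip() for p in m["payloads"].split(",")]
            ev = {
                "kind": "send" if m["dir"].startswith("SENDING") else "recv",
                "exchange": EXCHANGE_NAMES.get(m["exch"], m["exch"]),
                "payloads": payloads,
            }
            for p in payloads:  # e.g. "NOTIFY:INVALID_ID_INFO"
                if p.startswith("NOTIFY:"):
                    ev["notify"] = p.split(":", 1)[1]
            events.append(ev)
        elif (m := RE_MISMATCH.match(line)):
            events.append({"kind": "id_mismatch", "received_id": m["rid"]})
        elif RE_STALE.match(line):
            # Peer retransmitted after the client already discarded the SA.
            events.append({"kind": "stale_retransmit"})
        else:
            events.append({"kind": "other", "text": line})
    return events


def diagnose(events: List[Dict]) -> Dict:
    """Summarise the Phase 1 attempt and classify the failure, if any."""
    peer = next((e["peer"] for e in events if e["kind"] == "initiate"), None)
    received_id = next((e["received_id"] for e in events if e["kind"] == "id_mismatch"), None)
    notifies = [e["notify"] for e in events if e.get("notify")]
    exchanges = {e["exchange"] for e in events if e["kind"] in ("send", "recv")}
    mode = "aggressive" if "aggressive" in exchanges else ("main" if "main" in exchanges else None)
    result = {"peer": peer, "received_id": received_id, "notifies": notifies, "mode": mode,
              "stale_retransmits": sum(1 for e in events if e["kind"] == "stale_retransmit")}
    if received_id is None:
        result["verdict"] = "phase1_id_ok"
    elif is_rfc1918(received_id) and received_id != peer:
        # The gateway announced its private interface address as its IKE ID
        # while the client dialed a different (public) address: NAT in front
        # of the gateway, with the ID not rewritten to what the client expects.
        result["verdict"] = "peer_behind_nat_private_id"
        result["hint"] = (f"gateway sent ID {received_id} but client dialed {peer}; "
                          "the client policy's remote identity must match the ID the gateway actually sends "
                          "(or the gateway must send a non-address ID such as an FQDN)")
    else:
        result["verdict"] = "phase1_id_mismatch"
        result["hint"] = f"received ID {received_id} does not match the client policy for peer {peer}"
    return result


if __name__ == "__main__":
    report = diagnose(parse_ike_log(SAMPLE_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the constructed sample, the verdict is `peer_behind_nat_private_id`, which matches the poster's observation that the client works from the 10.4.1.0 subnet (where the gateway's ID equals the address dialed) and fails from the Internet (where it does not). The script only reads the client-side log; it cannot tell whether NAT-T was negotiated, which the SSG side would have to confirm.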
Current thread:
- Cisco & Juniper vpn remote client problem Rajaie Issaid (Nov 13)
- R: Cisco & Juniper vpn remote client problem Massimo Baschieri (Nov 14)