IPSec Tunnel Netscreen (Juniper) and Cisco ASA
Posted by Sheen in Networking on July 13, 2009
I recently had to set up an IPSec Tunnel between a Netscreen (Juniper SSG5) and a Cisco router running ASA code. There were numerous problems that I came across when deciding on a workable Phase2 proposal. Eventually I found one that worked and am writing this post as a reference for later.
On the Juniper, the salient configuration points are:
- Ensure that there is a Proxy ID defined.
- Ensure that there is a policy for every proxy ID defined.
- Ensure that the Phase2 proposal is pre-g2-3des-md5
On the ASA, the cryptomap should look something like this:
crypto map xohm 3 ipsec-isakmp
 set peer <peer ip>
 set security-association lifetime seconds 28800
 set transform-set <set name>
 set pfs group2
 match address <addressbook entry>
crypto ipsec transform-set <set name> esp-3des esp-md5-hmac
The tunnel should just start working when you start sending traffic after this.
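A Phase 2 negotiation fails when the PFS group, cipher or hash differ between the two peers, so it helps to compare both sides before sending traffic. The following is an added example, not part of the original post: it parses the crypto map above (placeholders filled with constructed values) and the Juniper proposal name, and lists any mismatches. The function names are hypothetical, and reading the parameters from the tokens of the proposal name is an assumption about the naming convention.

```python
import re

# Constructed sample: the page's crypto map with placeholder values filled in.
ASA_CONFIG = """\
crypto map xohm 3 ipsec-isakmp
 set peer 192.0.2.1
 set security-association lifetime seconds 28800
 set transform-set TS-JUNIPER
 set pfs group2
 match address VPN-ACL
crypto ipsec transform-set TS-JUNIPER esp-3des esp-md5-hmac
"""

def parse_cisco(config):
    """Extract PFS group, cipher and hash from a crypto map and its transform set."""
    sets = {m.group(1): m.group(2).split() for m in re.finditer(
        r"^crypto ipsec transform-set (\S+) (.+)$", config, re.M)}
    name = re.search(r"^[ \t]*set transform-set (\S+)", config, re.M)
    if not name or name.group(1) not in sets:
        raise ValueError("crypto map references an undefined transform set")
    params = {"pfs": None, "enc": None, "hash": None}
    pfs = re.search(r"^[ \t]*set pfs group(\d+)", config, re.M)
    params["pfs"] = int(pfs.group(1)) if pfs else None
    for tok in sets[name.group(1)]:
        if not tok.startswith("esp-"):
            continue  # skip non-ESP tokens such as a key-size argument
        body = tok[4:]
        key = "hash" if body.endswith("-hmac") else "enc"
        params[key] = body.replace("-hmac", "")
    return params

def parse_screenos_proposal(name):
    """Read DH group, cipher and hash from the tokens of a proposal name (assumed convention)."""
    params = {"pfs": None, "enc": None, "hash": None}
    for tok in name.lower().split("-"):
        if re.fullmatch(r"g\d+", tok):
            params["pfs"] = int(tok[1:])
        elif tok in ("md5", "sha"):
            params["hash"] = tok
        elif re.fullmatch(r"3des|des|aes\d*", tok):
            params["enc"] = tok
    return params

def mismatches(cisco, juniper):
    return [f"{k}: cisco={cisco[k]} juniper={juniper[k]}"
            for k in ("pfs", "enc", "hash") if cisco[k] != juniper[k]]

if __name__ == "__main__":
    print(mismatches(parse_cisco(ASA_CONFIG), parse_screenos_proposal("pre-g2-3des-md5")) or "match")
```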