Firewall Wizards mailing list archives
FW: Netscreen-pix515 IPsec interop
From: David Klein <dklein () netscreen com>
Date: Tue, 2 Sep 2003 07:43:10 -0700
Sudheer,

I suspect your IKE phase 2 proxy IDs are not matching. On the Cisco you are seeing:

ISAKMP (0): retransmitting phase 2...IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 203.197.172.62, remote= 194.78.66.32,
  local_proxy= 192.168.70.0/255.255.255.224/6/0 (type=4),
  remote_proxy= 172.16.254.2/255.255.255.255/6/2401 (type=1)

If you were to look at the Netscreen event log (or debug IKE output) you'll probably see phase 2 mismatch errors. You need to make sure the access policies/rules match up between the Cisco and the Netscreen. You included the access lists from the Cisco but you did not include the policy statements from the Netscreen.

In a nutshell, if using a policy-based VPN on the Netscreen then the policy statements need to match with the above proxy IDs. If using a route-based VPN on the Netscreen then you can just set these proxy IDs in the ("set vpn ..." CLI or AutoKey IKE WebUI) VPN settings.

Dave Klein
NetScreen

-----Original Message-----
From: Sudheer MT [mailto:mtsudheer75 () yahoo com]
Sent: Monday, September 01, 2003 10:46 PM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] Netscreen-pix515 IPsec interop

Hi,

We are using Netscreen firewall, which is configured for site to site VPN (both ends Netscreen firewall). We need to replace Netscreen here. We have Cisco 515 with IOS 6.2. We are facing problem with Phase 2 nego.

Here is detail of VPN as configured in Netscreen.

P1 proposal (pre-g2-3des-sha):
  Main mode, Method preshare, DH Group 2
  Encrypt/Auth: 3DES/SHA
  Lifetime 28800

P2 proposal (g2-esp-3des-sha):
  Replay: Enable replay protection
  PFS: DH Group 2
  Encap: ESP
  Encrypt/Auth: 3DES/SHA
  Lifetime 3600

Here is Pix config for above.

!
crypto ipsec transform-set mytranset esp-3des esp-sha-hmac
sysopt ipsec pl-compatible
sysopt connection permit-ipsec
no sysopt route dnat
!
access-list myvpn permit tcp 192.168.70.0 255.255.255.224 host 172.16.254.2 eq 2401
access-list myvpn permit tcp 192.168.70.0 255.255.255.224 host 172.16.254.2 eq www
access-list myvpn permit icmp 192.168.70.0 255.255.255.224 host 172.16.254.2
!
isakmp key **** address 194.78.66.32 netmask 255.255.255.255
isakmp identity address
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption 3des
isakmp policy 2 hash sha
isakmp policy 2 group 2
isakmp policy 2 lifetime 3600
isakmp enable outside
!
crypto map vpn-nk 20 ipsec-isakmp
crypto map vpn-nk 20 match address myvpn
crypto map vpn-nk 20 set pfs group2
crypto map vpn-nk 20 set peer 194.78.66.32
crypto map vpn-nk 20 set transform-set mytranset
crypto map vpn-nk interface outside
=============================
Here is log:

NETKRAFT515(config)# show ipsec sa
VPN Peer: ISAKMP: Added new peer: ip:194.78.66.32 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:194.78.66.32 Ref cnt incremented to:1 Total VPN Peers:1
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block: src 194.78.66.32, dest 203.197.172.62
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 2800
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 2 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 2800
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src 194.78.66.32, dest 203.197.172.62
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): ID payload
        next-payload : 8
        type         : 1
        protocol     : 17
        port         : 500
        length       : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src 194.78.66.32, dest 203.197.172.62
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
ISAKMP (0): beginning Quick Mode exchange, M-ID of -645140618:d98bef76IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xdc107272(3692065394) for SA
        from 194.78.66.32 to 203.197.172.62 for prot 3
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): retransmitting phase 2...IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 203.197.172.62, remote= 194.78.66.32,
  local_proxy= 192.168.70.0/255.255.255.224/6/0 (type=4),
  remote_proxy= 172.16.254.2/255.255.255.255/6/2401 (type=1)
ISAKMP (0): beginning Quick Mode exchange, M-ID of 1524565892:5adf0784IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xfc1bf72c(4229691180) for SA
        from 194.78.66.32 to 203.197.172.62 for prot 3
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 203.197.172.62, remote= 194.78.66.32,
  local_proxy= 192.168.70.0/255.255.255.224/6/0 (type=4),
  remote_proxy= 172.16.254.2/255.255.255.255/6/2401 (type=1)
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): deleting SA: src 203.197.172.62, dst 194.78.66.32
ISADB: reaper checking SA 0x812c2790, conn_id = 0  DELETE IT!
VPN Peer: ISAKMP: Peer ip:194.78.66.32 Ref cnt decremented to:0 Total VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:194.78.66.32 Total VPN peers:0
VPN Peer: ISAKMP: Added new peer: ip:194.78.66.32 Total VPN Peers:1

Sudheer

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
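The proxy-ID comparison Dave describes, as an added example that is not part of this thread or of either vendor's software: it pulls the phase 2 proxy IDs out of the PIX "request timer fired ... (identity)" debug line (and out of a crypto-map ACL entry, since the PIX proposes one proxy-ID pair per ACE) and reports which fields a Netscreen policy's proxy ID would have to match. The Netscreen-side proxy IDs are constructed assumptions, modelled as (local net, remote net, protocol, local port, remote port), because the original mail does not include the Netscreen policy.

```python
import re
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class ProxyId:
    """One IKE phase 2 proxy-ID pair as one peer states it (port 0 = any)."""
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network
    proto: int
    lport: int
    rport: int

IP_PROTO = {"ip": 0, "icmp": 1, "tcp": 6, "udp": 17}
PORT_NAME = {"www": 80, "https": 443}  # PIX ACL port keywords handled here

def net(ip, mask):
    return ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)

def parse_pix_debug(line):
    """Proxy IDs the PIX proposed, from its 'request timer fired ... (identity)' line."""
    m = re.search(r"local_proxy= (\S+)/(\S+)/(\d+)/(\d+) \(type=\d+\), "
                  r"remote_proxy= (\S+)/(\S+)/\d+/(\d+) \(type=\d+\)", line)
    if not m:
        return None
    lip, lmask, proto, lport, rip, rmask, rport = m.groups()
    return ProxyId(net(lip, lmask), net(rip, rmask), int(proto), int(lport), int(rport))

def _addr(t, i):  # consume 'host A' or 'A MASK' at t[i]; return (network, next index)
    if t[i] == "host":
        return net(t[i + 1], "255.255.255.255"), i + 2
    return net(t[i], t[i + 1]), i + 2

def parse_pix_acl(line):
    """Proxy IDs one crypto-map ACE generates: 'access-list N permit P SRC DST [eq PORT]'."""
    t = line.split()
    local, i = _addr(t, 4)
    remote, i = _addr(t, i)
    rport = 0
    if i < len(t) and t[i] == "eq":
        rport = int(t[i + 1]) if t[i + 1].isdigit() else PORT_NAME[t[i + 1]]
    return ProxyId(local, remote, IP_PROTO[t[3]], 0, rport)

def mirror(p):  # the same pair as the other peer must state it: its local is our remote
    return ProxyId(p.remote, p.local, p.proto, p.rport, p.lport)

def phase2_mismatch(pix, netscreen):
    """Fields on which the PIX proposal and the Netscreen policy's proxy ID differ; [] means phase 2 can complete."""
    ns = mirror(netscreen)
    return [f for f in ("local", "remote", "proto", "lport", "rport") if getattr(pix, f) != getattr(ns, f)]
```

A Netscreen policy whose service is ANY mirrors to protocol 0 / port 0 and so fails on the proto and port fields against the tcp/2401 proposal above, which is the kind of mismatch the event log would report.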