Firewall Wizards mailing list archives
RE: Netscreen-pix515 IPsec interop
From: <lordchariot () earthlink net>
Date: Tue, 2 Sep 2003 10:36:10 -0400
Sudheer,

A very useful site for interoperability is: http://www.vpnc.org/InteropProfiles/

They have a list of VPN devices set up in a common manner to connect to each other. Netscreen is listed, but PIX is not. However, the profile for IOS may be useful.

Good Luck,
Erik

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Sudheer MT
Sent: Monday, September 01, 2003 11:46 PM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] Netscreen-pix515 IPsec interop

Hi,

We are using a Netscreen firewall, which is configured for site-to-site VPN (Netscreen firewall at both ends). We need to replace the Netscreen here. We have a Cisco 515 with IOS 6.2. We are facing a problem with Phase 2 negotiation.

Here are the details of the VPN as configured in Netscreen.

P1 proposal (pre-g2-3des-sha):
  Main mode
  Method: preshare
  DH Group 2
  Encrypt/Auth: 3DES/SHA
  Lifetime: 28800

P2 proposal (g2-esp-3des-sha):
  Replay: Enable replay protection
  PFS: DH Group 2
  Encap: ESP
  Encrypt/Auth: 3DES/SHA
  Lifetime: 3600

Here is the PIX config for the above.

!
crypto ipsec transform-set mytranset esp-3des esp-sha-hmac
sysopt ipsec pl-compatible
sysopt connection permit-ipsec
no sysopt route dnat
!
access-list myvpn permit tcp 192.168.70.0 255.255.255.224 host 172.16.254.2 eq 2401
access-list myvpn permit tcp 192.168.70.0 255.255.255.224 host 172.16.254.2 eq www
access-list myvpn permit icmp 192.168.70.0 255.255.255.224 host 172.16.254.2
!
isakmp key **** address 194.78.66.32 netmask 255.255.255.255
isakmp identity address
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption 3des
isakmp policy 2 hash sha
isakmp policy 2 group 2
isakmp policy 2 lifetime 3600
isakmp enable outside
!
crypto map vpn-nk 20 ipsec-isakmp
crypto map vpn-nk 20 match address myvpn
crypto map vpn-nk 20 set pfs group2
crypto map vpn-nk 20 set peer 194.78.66.32
crypto map vpn-nk 20 set transform-set mytranset
crypto map vpn-nk interface outside

=============================
Here is the log:

NETKRAFT515(config)# show ipsec sa
VPN Peer: ISAKMP: Added new peer: ip:194.78.66.32 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:194.78.66.32 Ref cnt incremented to:1 Total VPN Peers:1
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block: src 194.78.66.32, dest 203.197.172.62
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 2800
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 2 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 2800
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src 194.78.66.32, dest 203.197.172.62
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): ID payload
  next-payload : 8
  type : 1
  protocol : 17
  port : 500
  length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src 194.78.66.32, dest 203.197.172.62
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
ISAKMP (0): beginning Quick Mode exchange, M-ID of -645140618:d98bef76
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xdc107272(3692065394) for SA from 194.78.66.32 to 203.197.172.62 for prot 3
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): retransmitting phase 2...
IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 203.197.172.62, remote= 194.78.66.32,
  local_proxy= 192.168.70.0/255.255.255.224/6/0 (type=4),
  remote_proxy= 172.16.254.2/255.255.255.255/6/2401 (type=1)
ISAKMP (0): beginning Quick Mode exchange, M-ID of 1524565892:5adf0784
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xfc1bf72c(4229691180) for SA from 194.78.66.32 to 203.197.172.62 for prot 3
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...
IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 203.197.172.62, remote= 194.78.66.32,
  local_proxy= 192.168.70.0/255.255.255.224/6/0 (type=4),
  remote_proxy= 172.16.254.2/255.255.255.255/6/2401 (type=1)
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): deleting SA: src 203.197.172.62, dst 194.78.66.32
ISADB: reaper checking SA 0x812c2790, conn_id = 0 DELETE IT!
VPN Peer: ISAKMP: Peer ip:194.78.66.32 Ref cnt decremented to:0 Total VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:194.78.66.32 Total VPN peers:0
VPN Peer: ISAKMP: Added new peer: ip:194.78.66.32 Total VPN Peers:1

Sudheer

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
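As an added illustration that is not part of the thread, the following script walks a constructed excerpt of the PIX ISAKMP debug output quoted above, records how far the IKEv1 exchange got (which isakmp policy matched, whether Phase 1 authenticated, whether any peer message arrived after Quick Mode began, how many Phase 2 retransmits fired) and extracts the proxy identities the PIX proposed. The "phase 2 stalled" classification and the protocol/port hint are my own reading of those lines, not a diagnosis from the list.

```python
import re

# Constructed excerpt of the PIX debug lines quoted in the thread (proxy line kept on one line).
PIX_DEBUG = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 2 policy
ISAKMP (0): atts are acceptable. Next payload is 0
crypto_isakmp_process_block: src 194.78.66.32, dest 203.197.172.62
ISAKMP (0): SA has been authenticated
ISAKMP (0): beginning Quick Mode exchange, M-ID of -645140618:d98bef76
IPSEC(key_engine): request timer fired: count = 1, (identity) local= 203.197.172.62, remote= 194.78.66.32, local_proxy= 192.168.70.0/255.255.255.224/6/0 (type=4), remote_proxy= 172.16.254.2/255.255.255.255/6/2401 (type=1)
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...
"""

PROXY_RE = re.compile(r"(local|remote)_proxy= ([\d.]+)/([\d.]+)/(\d+)/(\d+)")

def analyze_ike_debug(text):
    # Walk the debug lines in order and record how far the IKEv1 negotiation got.
    s = {"phase1_policy": None, "phase1_authenticated": False, "quick_mode_started": False,
         "inbound_after_qm": 0, "phase2_retransmits": 0, "proxies": {}}
    policy = None
    for line in text.splitlines():
        m = re.search(r"against priority (\d+) policy", line)
        if m:
            policy = int(m.group(1))
        elif "atts are acceptable" in line and s["phase1_policy"] is None:
            s["phase1_policy"] = policy  # first isakmp policy that matched the peer's proposal
        elif "SA has been authenticated" in line:
            s["phase1_authenticated"] = True
        elif "beginning Quick Mode exchange" in line:
            s["quick_mode_started"] = True
        elif line.startswith("crypto_isakmp_process_block") and s["quick_mode_started"]:
            s["inbound_after_qm"] += 1  # an IKE message arrived from the peer after QM began
        elif "retransmitting phase 2" in line:
            s["phase2_retransmits"] += 1
        for side, net, mask, proto, port in PROXY_RE.findall(line):
            s["proxies"][side] = (net, mask, int(proto), int(port))
    return s

def diagnose(s):
    # Hypothetical classification: Phase 1 done, QM sent repeatedly, nothing heard back.
    if not s["phase1_authenticated"]:
        return "phase 1 failed"
    if s["quick_mode_started"] and s["phase2_retransmits"] and not s["inbound_after_qm"]:
        note = "phase 2 stalled: peer never answered Quick Mode"
        if any(proto or port for _, _, proto, port in s["proxies"].values()):
            note += "; proxy IDs carry protocol/port, so the peer's phase 2 policy must match at that granularity"
        return note
    return "negotiation completed or still in progress"
```

Feed it the full debug capture from the PIX and compare the reported proxies against what the Netscreen side expects for its Phase 2 policy.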
Current thread:
- Netscreen-pix515 IPsec interop Sudheer MT (Sep 02)
- RE: Netscreen-pix515 IPsec interop lordchariot (Sep 02)
- <Possible follow-ups>
- FW: Netscreen-pix515 IPsec interop David Klein (Sep 02)