11-21-2008 05:43 AM
We have setup a network to network VPN between a pix501 and a Netscreen NS-500. This was a working configuration with an access rule that allowed only a single tcp port.
Recently we wanted to have another port open, so on both sides a rule was added to allow the extra port. Now, whatever we do, we are never able to establish the VPN.
Looking at the pix501 logs it always fails in phase 2. Here is some log fragment:
ISAKMP (0): retransmitting phase 2 (0/0)... mess_id 0xb3707fc5
ISAKMP (0): retransmitting phase 2 (1/0)... mess_id 0xb3707fc5
ISAKMP (0): retransmitting phase 2 (2/0)... mess_id 0xb3707fc5
ISAKMP (0): retransmitting phase 2 (3/0)... mess_id 0xb3707fc5
Here is some configuration from the pix:
object-group service Matiptelnet tcp
port-object eq telnet
port-object eq 7500
access-list outside_cryptomap_20 permit tcp somenattednet 255.255.255.240 host somehost object-group Matiptelnet
Any idea what could be wrong?
Lex
11-26-2008 08:07 PM
It's a phase 2 policy mismatch. Check the PFS on the pix firewall; by default it is enabled, while usually it is disabled on other FW vendors.
please rate if it helps
11-27-2008 06:48 AM
Thanks for the suggestion, the PFS was already disabled, I tried to enable it but this made no difference.
Lex
11-26-2008 08:33 PM
Hi,
From the debug, it looks like an IPsec ACL mismatch issue. Check the crypto ACL on both the Pix and the Netscreen and make sure that they are mirror images of each other.
Regards,
Arul
*Pls rate if it helps*
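Added example (not from this thread or either vendor) of the check described above: expand the PIX crypto ACE that references a service object-group into the per-port proxy-IDs it will propose in phase 2, then compare them with the peer's proxy-IDs. It assumes the PIX expands the group into one proxy-ID per port; the addresses (RFC 5737 documentation ranges) and the peer's proxy-ID list are constructed.

```python
# Added example: expand a PIX crypto ACE that uses a service object-group into
# the per-port proxy-IDs proposed in IKE phase 2 and check the peer mirrors each.
import re
from collections import namedtuple

ProxyID = namedtuple("ProxyID", "proto local remote lport rport")
PORT_NAMES = {"telnet": 23, "ssh": 22, "http": 80, "https": 443}
ACE_RE = re.compile(r"access-list (\S+) permit (tcp|udp) (\S+) (\S+) host (\S+)"
                    r"(?: object-group (\S+)| eq (\S+))?$")

def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)

def parse_pix(config):
    """Collect service object-groups and crypto ACEs from a config fragment."""
    groups, aces, cur = {}, [], None
    for line in (s.strip() for s in config.splitlines()):
        if m := re.match(r"object-group service (\S+) (?:tcp|udp)$", line):
            cur = groups.setdefault(m.group(1), [])
        elif m := re.match(r"port-object eq (\S+)$", line):
            cur.append(_port(m.group(1)))
        elif m := ACE_RE.match(line):
            aces.append(m.groups())
    return groups, aces

def pix_proxy_ids(config):
    """One ACE with an N-port group yields N proxy-IDs (assumption: the PIX expands
    the group per port); quick mode fails unless the peer mirrors every one."""
    groups, aces = parse_pix(config)
    ids = set()
    for _name, proto, src, mask, dst, grp, port in aces:
        ports = groups[grp] if grp else ([_port(port)] if port else [0])
        for p in ports:
            ids.add(ProxyID(proto, f"{src}/{mask}", f"{dst}/255.255.255.255", 0, p))
    return ids

def mirror(ids):
    """The peer's required view: local/remote and port positions swapped."""
    return {ProxyID(i.proto, i.remote, i.local, i.rport, i.lport) for i in ids}

def diff_proxy_ids(pix_ids, peer_ids):
    """Return (missing_on_peer, extra_on_peer) versus the mirror of the PIX set."""
    expected = mirror(pix_ids)
    return sorted(expected - peer_ids), sorted(peer_ids - expected)

# Constructed PIX fragment modelled on the thread (RFC 5737 documentation addresses).
PIX_CONFIG = """object-group service Matiptelnet tcp
 port-object eq telnet
 port-object eq 7500
access-list outside_cryptomap_20 permit tcp 192.0.2.16 255.255.255.240 host 198.51.100.10 object-group Matiptelnet"""
# Constructed peer proxy-IDs: only telnet was mirrored, so tcp/7500 has no match.
PEER_IDS = {ProxyID("tcp", "198.51.100.10/255.255.255.255",
                    "192.0.2.16/255.255.255.240", 23, 0)}
```

Running `diff_proxy_ids(pix_proxy_ids(PIX_CONFIG), PEER_IDS)` lists the tcp/7500 proxy-ID that the peer lacks; an empty result on both sides means the selectors are true mirror images and the phase 2 problem lies elsewhere (transform set, PFS, lifetimes).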
11-27-2008 06:54 AM
Hi,
Unfortunately we don't have access to the netscreen config and have to rely on what their admin guy tells us. I only know we had a working link and after we added the extra port we never could get the link up. My suspicion is there is some kind of incompatibility between the pix and the netscreen in this type of configuration.
Lex