cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
506
Views
0
Helpful
3
Replies

PIX to Netscreen VPN

svanguilder
Level 1
Level 1

Hi All,

We are trying to create a VPN tunnel with a PIX 506e and a Netscreen 1000.

Phase 1 seems to go OK and then it dies on phase 2 and just keep retransmitting until the whole thing dies. The Netscreen doesn't seem to give any better details.

Heres is an excerpt from the debug.

VPN Peer: ISAKMP: Added new peer: ip:xxx.228.130.194 Total VPN Peers:2

VPN Peer: ISAKMP: Peer ip:66.xxx.130.194 Ref cnt incremented to:1 Total VPN Peers:2

ISAKMP (0): beginning Main Mode exchange

crypto_isakmp_process_block: src xxx.228.130.194, dest xxx.173.9.34

OAK_MM exchange

ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 2 policy

ISAKMP: encryption 3DES-CBC

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (basic) of 7200

ISAKMP (0): atts are acceptable. Next payload is 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

return status is IKMP_NO_ERROR

crypto_isakmp_process_block: src xxx.228.130.194, dest xxx.173.9.34

OAK_MM exchange

ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): ID payload

next-payload : 8

type : 1

protocol : 17

port : 500

length : 8

ISAKMP (0): Total payload length: 12

return status is IKMP_NO_ERROR

crypto_isakmp_process_block: src xxx.228.130.194, dest xxx.173.9.34

OAK_MM exchange

ISAKMP (0): processing ID payload. message ID = 0

ISAKMP (0): processing HASH payload. message ID = 0

ISAKMP (0): SA has been authenticated

ISAKMP: Created a peer node for xxx.228.130.194

ISAKMP (0): beginning Quick Mode exchange, M-ID of -1513388367:a5cb86b1IPSEC(key_engine): got a queue event...

IPSEC(spi_response): getting spi 0x354b0c2c(894110764) for SA

from xxx.228.130.194 to xxx.173.9.34 for prot 3

return status is IKMP_NO_ERROR

ISAKMP (0): sending INITIAL_CONTACT notify

ISAKMP (0): sending NOTIFY message 24578 protocol 1

ISAKMP (0): sending INITIAL_CONTACT notify

ISAKMP (0): retransmitting phase 2...IPSEC(key_engine): request timer fired: count = 1,

(identity) local= xxx.173.9.34, remote= xxx.228.130.194,

local_proxy= 192.168.151.0/255.255.255.0/0/0 (type=4),

remote_proxy= 10.250.0.203/255.255.255.255/0/0 (type=1)

ISAKMP (0): beginning Quick Mode exchange, M-ID of -1351861563:af6c3ac5IPSEC(key_engine): got a queue event...

IPSEC(spi_response): getting spi 0x7d531ef1(2102599409) for SA

from xxx.228.130.194 to xxx.173.9.34 for prot 3

ISAKMP (0): retransmitting phase 2...

ISAKMP (0): retransmitting phase 2...

ISAKMP (0): retransmitting phase 2...IPSEC(key_engine): request timer fired: count = 2,

(identity) local= xxx.173.9.34, remote= xxx.228.130.194,

local_proxy= 192.168.151.0/255.255.255.0/0/0 (type=4),

remote_proxy= 10.250.0.203/255.255.255.255/0/0 (type=1)

VPN Peer: ISAKMP: Added new peer: ip:xxx.228.130.203 Total VPN Peers:3

VPN Peer: ISAKMP: Peer ip:xxx.228.130.203 Ref cnt incremented to:1 Total VPN Peers:3

ISAKMP (0): beginning Main Mode exchange

ISAKMP (0): retransmitting phase 2...

ISAKMP (0): retransmitting phase 2...

ISAKMP (0): deleting SA: src xxx.173.9.34, dst xxx.228.130.194

ISADB: reaper checking SA 0x8134c458, conn_id = 0

ISADB: reaper checking SA 0x81358780, conn_id = 0

ISADB: reaper checking SA 0x81370780, conn_id = 0 DELETE IT!

Anyone have suggestions? They would be greatly appreciated.

Scott VanGuilder

3 Replies 3

gfullage
Cisco Employee
Cisco Employee

Is this debug from when the Netscreen tried to initiate the tunnel, or when the PIX did? If the PIX tried to initiate, try running the same debugs when the Netscreen tries to initiate it, it'll give you more information as to what's going on.

What version of code do you have on the PIX, and on the Netscreen?

Yes the debug was with the PIX iniating the tunnel.

PIX is version 6.2

Netscreen it version 2.6.0r6

Here is the debug from the PIX with the the Netscreen initiating the tunnel.

ISADB: reaper checking SA 0x813543d8, conn_id = 0IPSEC(key_engine): request timer fired: count = 2,

(identity) local= xxx.173.9.34, remote= xxx.228.130.203,

local_proxy= 192.168.151.0/255.255.255.0/0/0 (type=4),

remote_proxy= 10.250.0.203/255.255.255.255/0/0 (type=1)

ISAKMP (0): beginning Quick Mode exchange, M-ID of 945102397:38551e3dIPSEC(key_engine): got a queue event...

IPSEC(spi_response): getting spi 0x778fb0ab(2005905579) for SA

from xxx.228.130.194 to xxx.173.9.34 for prot 3

ISAKMP (0): retransmitting phase 2...

ISAKMP: Deleting peer node for xxx.228.130.194IPSEC(key_engine): request timer fired: count = 1,

(identity) local= xxx.173.9.34, remote= xxx.228.130.194,

local_proxy= 192.168.151.0/255.255.255.0/0/0 (type=4),

remote_proxy= 10.250.0.203/255.255.255.255/0/0 (type=1)

ISAKMP (0): beginning Quick Mode exchange, M-ID of 172971442:a4f55b2IPSEC(key_engine): got a queue event...

IPSEC(spi_response): getting spi 0x392e5013(959336467) for SA

from xxx.228.130.194 to xxx.173.9.34 for prot 3

ISAKMP (0): retransmitting phase 2...

ISAKMP (0): retransmitting phase 2...

ISAKMP (0): retransmitting phase 2...IPSEC(key_engine): request timer fired: count = 2,

(identity) local= xxx.173.9.34, remote= xxx.228.130.194,

local_proxy= 192.168.151.0/255.255.255.0/0/0 (type=4),

remote_proxy= 10.250.0.203/255.255.255.255/0/0 (type=1)

VPN Peer: ISAKMP: Added new peer: ip:xxx.228.130.203 Total VPN Peers:2

VPN Peer: ISAKMP: Peer ip:xxx.228.130.203 Ref cnt incremented to:1 Total VPN Peers:2

ISAKMP (0): beginning Main Mode exchange

ISAKMP (0): retransmitting phase 2...

ISAKMP (0): retransmitting phase 2...

ISAKMP (0): deleting SA: src xxx.228.130.194, dst xxx.173.9.34

ISADB: reaper checking SA 0x8136e660, conn_id = 0

ISADB: reaper checking SA 0x813606a8, conn_id = 0 DELETE IT!

ISADB: reaper checking SA 0x8136e660, conn_id = 0

ISADB: reaper checking SA 0x81353c98, conn_id = 0 DELETE IT!

ISADB: reaper checking SA 0x8136e660, conn_id = 0

ISADB: reaper checking SA 0x8134c458, conn_id = 0

ISADB: reaper checking SA 0x81352c18, conn_id = 0 DELETE IT!

ISADB: reaper checking SA 0x8136e660, conn_id = 0

ISADB: reaper checking SA 0x8134c458, conn_id = 0

ISADB: reaper checking SA 0x8136c6a0, conn_id = 0

ISADB: reaper checking SA 0x8136ed60, conn_id = 0

ISADB: reaper checking SA 0x81352240, conn_id = 0 DELETE IT!

ISADB: reaper checking SA 0x8136e660, conn_id = 0

ISADB: reaper checking SA 0x8134c458, conn_id = 0

ISADB: reaper checking SA 0x8136c6a0, conn_id = 0

ISADB: reaper checking SA 0x8136ed60, conn_id = 0

ISADB: reaper checking SA 0x8136cda0, conn_id = 0

ISADB: reaper checking SA 0x81353318, conn_id = 0 DELETE IT!

ISADB: reaper checking SA 0x8136e660, conn_id = 0

ISADB: reaper checking SA 0x8134c458, conn_id = 0

ISADB: reaper checking SA 0x8136c6a0, conn_id = 0

ISADB: reaper checking SA 0x8136ed60, conn_id = 0

ISADB: reaper checking SA 0x8136cda0, conn_id = 0

ISADB: reaper checking SA 0x8136bf70, conn_id = 0

ISADB: reaper checking SA 0x8136dc60, conn_id = 0

ISADB: reaper checking SA 0x8133df78, conn_id = 0

ISADB: reaper checking SA 0x81359c48, conn_id = 0

ISADB: reaper checking SA 0x81354ad8, conn_id = 0 DELETE IT!

ISADB: reaper checking SA 0x8136e660, conn_id = 0

ISADB: reaper checking SA 0x8134c458, conn_id = 0

ISADB: reaper checking SA 0x8136c6a0, conn_id = 0

ISADB: reaper checking SA 0x8136ed60, conn_id = 0

ISADB: reaper checking SA 0x8136cda0, conn_id = 0

ISADB: reaper checking SA 0x8136bf70, conn_id = 0

ISADB: reaper checking SA 0x8136dc60, conn_id = 0

ISADB: reaper checking SA 0x8133df78, conn_id = 0

ISADB: reaper checking SA 0x81359c48, conn_id = 0

ISADB: reaper checking SA 0x81359548, conn_id = 0

ISADB: reaper checking SA 0x8135ffa8, conn_id = 0 DELETE IT!

ISADB: reaper checking SA 0x8136e660, conn_id = 0

ISADB: reaper checking SA 0x8134c458, conn_id = 0

ISADB: reaper checking SA 0x8136c6a0, conn_id = 0

ISADB: reaper checking SA 0x8136ed60, conn_id = 0

ISADB: reaper checking SA 0x8136cda0, conn_id = 0

ISADB: reaper checking SA 0x8136bf70, conn_id = 0

ISADB: reaper checking SA 0x8136dc60, conn_id = 0

ISADB: reaper checking SA 0x8133df78, conn_id = 0

ISADB: reaper checking SA 0x81359c48, conn_id = 0

ISADB: reaper checking SA 0x81359548, conn_id = 0

ISADB: reaper checking SA 0x8136f5d0, conn_id = 0

ISADB: reaper checking SA 0x8136d560, conn_id = 0

ISADB: reaper checking SA 0x813543d8, conn_id = 0

I appreciate any input

Scott VanGuilder

Here is the debug log and config from the Netscreen.

Here is the log:

01/31/2003 09:53:47 Generic_Co: Respond to initiate contact notify for p1. 01/31/2003 09:53:16 Generic_Co: Respond to initiate contact notify for

p2 sas.

01/31/2003 09:53:16 Generic_Co: Receive Notify Payload: doi(1),

msg(24578), txt nxt(0)

01/31/2003 09:53:16 Receive UDP packets from (x.x.x.x/500) on untrust

(66.228.128.194/500)

01/31/2003 09:53:16 Generic_Co: Phase 2 (x.x.x.x) start (initiator). 01/31/2003 09:53:16 Generic_Co: Phase 1 (x.x.x.x) complete, aggr. mode,

28800sec.

01/31/2003 09:53:16 Receive UDP packets from (x.x.x.x/500) on untrust

(66.228.128.194/500)

01/31/2003 09:53:16 Receive UDP packets from (x.x.x.x/500) on untrust

(66.228.128.194/500)

01/31/2003 09:53:16 Receive UDP packets from (x.x.x.x/500) on untrust

(66.228.128.194/500)

01/31/2003 09:53:16 Receive UDP packets from (x.x.x.x/500) on untrust

(66.228.128.194/500)

01/31/2003 09:53:16 Generic_Co: Phase 1 (x.x.x.x) start (initiator)

aggr. mode.

Here is the SA that I get and then disappears after 15 seconds or so:

005/0, 66.228.130.194->x.x.x.x: PRESHR/grp2/3DES/SHA, xchg(4) usr(d-1/u-1) resent-tmr 0 lifetime 28800 lt-recv 0 nxt_rekey 28739 cert-expire 0

initiator 1, in-out 1, err cnt 11, send dir 0, cond

102f/3, x.x.x.x->y.y.y.y: PRESHR/grp1/3DES/SHA, xchg(2) usr(d-1/u-1) resent-tmr 0 lifetime 7200 lt-recv 7200 nxt_rekey 7154 cert-expire 0

initiator 0, in-out 0, err cnt 0, send dir 1, cond 0

Here is the config:

set ike p1-proposal "pre-g2-3des-sha (Med Pact)" Preshare Group2 esp

3DES SHA second 7200

set ike p2-proposal "nopfs-esp-3des-sha (Med Pact)" no-pfs ESP 3DES SHA

second 7200 kbyte 10000

set ike gateway "Med Pact" ip x.x.x.x aggr preshare "xxxxxx" proposal

"pre-g2-3des-sha (Med Pac)"

x=PIX y=NS-1000

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: