08-28-2012 02:37 AM - edited 02-21-2020 06:17 PM
Hello,
I'm trying to configure a simple IPSec VPN between a Cisco 2911 Router and a Juniper Netscreen ScreenOS device (don't exactly know the model). At first the debugging looks good (QM_IDLE) but then the ISAKMP SA is deleted.
The guy managing the Juniper device did send me his log excerpt:
###########################################################################
2012-08-28 10:24:16 system info 00536 IKE <WAN IP> Phase 2 msg ID
9b839579: Negotiations have failed.
2012-08-28 10:24:16 system info 00536 Rejected an IKE packet on loopback.11
from <WAN IP>:500 to
217.150.152.45:500 with cookies
87960e39d074ca49 and 9302d26c7ce324a5
because There were no acceptable Phase
2 proposals..
He did set the following phase 2 proposals:
set ike p2-proposal "G2_esp_aes256_sha_1800s" group2 esp aes256 sha-1 second 1800
###########################################################################
And I use these:
###########################################################################
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
!
crypto isakmp key <KEY> address 217.150.152.45
crypto ipsec transform-set esp-aes esp-aes 256 esp-sha-hmac
crypto map vpn 2 ipsec-isakmp
description *** VPN Anbindung nach ICP in Magdeburg ***
set peer 217.150.152.45
set security-association lifetime seconds 1800
set transform-set esp-aes
match address ICP-TRAFFIC
!
###########################################################################
Here is my Log:
#################################################################################################################
Aug 28 08:23:46.416: ISAKMP:(0): SA request profile is (NULL)
Aug 28 08:23:46.416: ISAKMP: Created a peer struct for 217.150.152.45, peer port 500
Aug 28 08:23:46.416: ISAKMP: New peer created peer = 0x2A2D7150 peer_handle = 0x8000003A
Aug 28 08:23:46.416: ISAKMP: Locking peer struct 0x2A2D7150, refcount 1 for isakmp_initiator
Aug 28 08:23:46.416: ISAKMP: local port 500, remote port 500
Aug 28 08:23:46.416: ISAKMP: set new node 0 to QM_IDLE
Aug 28 08:23:46.416: ISAKMP:(0):insert sa successfully sa = 31627E04
Aug 28 08:23:46.416: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Aug 28 08:23:46.416: ISAKMP:(0):found peer pre-shared key matching 217.150.152.45
Aug 28 08:23:46.416: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Aug 28 08:23:46.416: ISAKMP:(0): constructed NAT-T vendor-07 ID
Aug 28 08:23:46.416: ISAKMP:(0): constructed NAT-T vendor-03 ID
Aug 28 08:23:46.416: ISAKMP:(0): constructed NAT-T vendor-02 ID
Aug 28 08:23:46.416: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Aug 28 08:23:46.416: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
Aug 28 08:23:46.416: ISAKMP:(0): beginning Main Mode exchange
Aug 28 08:23:46.416: ISAKMP:(0): sending packet to 217.150.152.45 my_port 500 peer_port 500 (I) MM_NO_STATE
Aug 28 08:23:46.416: ISAKMP:(0):Sending an IKE IPv4 Packet.
Aug 28 08:23:46.448: ISAKMP (0): received packet from 217.150.152.45 dport 500 sport 500 Global (I) MM_NO_STATE
Aug 28 08:23:46.448: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Aug 28 08:23:46.448: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
Aug 28 08:23:46.448: ISAKMP:(0): processing SA payload. message ID = 0
Aug 28 08:23:46.448: ISAKMP:(0): processing vendor id payload
Aug 28 08:23:46.448: ISAKMP:(0): vendor ID seems Unity/DPD but major 239 mismatch
Aug 28 08:23:46.448: ISAKMP:(0): processing vendor id payload
Aug 28 08:23:46.448: ISAKMP:(0): vendor ID is DPD
Aug 28 08:23:46.448: ISAKMP:(0): processing vendor id payload
Aug 28 08:23:46.448: ISAKMP:(0): processing IKE frag vendor id payload
Aug 28 08:23:46.448: ISAKMP:(0):Support for IKE Fragmentation not enabled
Aug 28 08:23:46.448: ISAKMP:(0):found peer pre-shared key matching 217.150.152.45
Aug 28 08:23:46.448: ISAKMP:(0): local preshared key found
Aug 28 08:23:46.448: ISAKMP : Scanning profiles for xauth ...
Aug 28 08:23:46.448: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
Aug 28 08:23:46.448: ISAKMP: encryption AES-CBC
Aug 28 08:23:46.448: ISAKMP: hash SHA
Aug 28 08:23:46.448: ISAKMP: default group 2
Aug 28 08:23:46.448: ISAKMP: auth pre-share
Aug 28 08:23:46.448: ISAKMP: keylength of 256
Aug 28 08:23:46.448: ISAKMP: life type in seconds
Aug 28 08:23:46.448: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Aug 28 08:23:46.448: ISAKMP:(0):atts are acceptable. Next payload is 0
Aug 28 08:23:46.448: ISAKMP:(0):Acceptable atts:actual life: 0
Aug 28 08:23:46.448: ISAKMP:(0):Acceptable atts:life: 0
Aug 28 08:23:46.448: ISAKMP:(0):Fill atts in sa vpi_length:4
Aug 28 08:23:46.448: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
Aug 28 08:23:46.448: ISAKMP:(0):Returning Actual lifetime: 86400
Aug 28 08:23:46.448: ISAKMP:(0)::Started lifetime timer: 86400.
Aug 28 08:23:46.448: ISAKMP:(0): processing vendor id payload
Aug 28 08:23:46.448: ISAKMP:(0): vendor ID seems Unity/DPD but major 239 mismatch
Aug 28 08:23:46.448: ISAKMP:(0): processing vendor id payload
Aug 28 08:23:46.448: ISAKMP:(0): vendor ID is DPD
Aug 28 08:23:46.448: ISAKMP:(0): processing vendor id payload
Aug 28 08:23:46.448: ISAKMP:(0): processing IKE frag vendor id payload
Aug 28 08:23:46.448: ISAKMP:(0):Support for IKE Fragmentation not enabled
Aug 28 08:23:46.448: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Aug 28 08:23:46.448: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
Aug 28 08:23:46.448: ISAKMP:(0): sending packet to 217.150.152.45 my_port 500 peer_port 500 (I) MM_SA_SETUP
Aug 28 08:23:46.448: ISAKMP:(0):Sending an IKE IPv4 Packet.
Aug 28 08:23:46.452: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Aug 28 08:23:46.452: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
Aug 28 08:23:46.484: ISAKMP (0): received packet from 217.150.152.45 dport 500 sport 500 Global (I) MM_SA_SETUP
Aug 28 08:23:46.484: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Aug 28 08:23:46.484: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
Aug 28 08:23:46.484: ISAKMP:(0): processing KE payload. message ID = 0
Aug 28 08:23:46.508: ISAKMP:(0): processing NONCE payload. message ID = 0
Aug 28 08:23:46.508: ISAKMP:(0):found peer pre-shared key matching 217.150.152.45
Aug 28 08:23:46.508: ISAKMP:(1049):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Aug 28 08:23:46.508: ISAKMP:(1049):Old State = IKE_I_MM4 New State = IKE_I_MM4
Aug 28 08:23:46.508: ISAKMP:(1049):Send initial contact
Aug 28 08:23:46.508: ISAKMP:(1049):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Aug 28 08:23:46.508: ISAKMP (1049): ID payload
next-payload : 8
type : 1
address : 92.67.80.237
protocol : 17
port : 500
length : 12
Aug 28 08:23:46.508: ISAKMP:(1049):Total payload length: 12
Aug 28 08:23:46.508: ISAKMP:(1049): sending packet to 217.150.152.45 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Aug 28 08:23:46.508: ISAKMP:(1049):Sending an IKE IPv4 Packet.
Aug 28 08:23:46.508: ISAKMP:(1049):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Aug 28 08:23:46.508: ISAKMP:(1049):Old State = IKE_I_MM4 New State = IKE_I_MM5
Aug 28 08:23:46.540: ISAKMP (1049): received packet from 217.150.152.45 dport 500 sport 500 Global (I) MM_KEY_EXCH
Aug 28 08:23:46.540: ISAKMP:(1049): processing ID payload. message ID = 0
Aug 28 08:23:46.540: ISAKMP (1049): ID payload
next-payload : 8
type : 1
address : 217.150.152.45
protocol : 17
port : 500
length : 12
Aug 28 08:23:46.540: ISAKMP:(0):: peer matches *none* of the profiles
Aug 28 08:23:46.540: ISAKMP:(1049): processing HASH payload. message ID = 0
Aug 28 08:23:46.540: ISAKMP:(1049):SA authentication status:
authenticated
Aug 28 08:23:46.540: ISAKMP:(1049):SA has been authenticated with 217.150.152.45
Aug 28 08:23:46.540: ISAKMP: Trying to insert a peer <WAN IP>/217.150.152.45/500/, and inserted successfully 2A2D7150.
Aug 28 08:23:46.540: ISAKMP:(1049):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Aug 28 08:23:46.540: ISAKMP:(1049):Old State = IKE_I_MM5 New State = IKE_I_MM6
Aug 28 08:23:46.540: ISAKMP:(1049):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Aug 28 08:23:46.540: ISAKMP:(1049):Old State = IKE_I_MM6 New State = IKE_I_MM6
Aug 28 08:23:46.540: ISAKMP:(1049):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Aug 28 08:23:46.540: ISAKMP:(1049):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
Aug 28 08:23:46.540: ISAKMP:(1049):beginning Quick Mode exchange, M-ID of -1582159006
Aug 28 08:23:46.552: ISAKMP:(1049):QM Initiator gets spi
Aug 28 08:23:46.552: ISAKMP:(1049): sending packet to 217.150.152.45 my_port 500 peer_port 500 (I) QM_IDLE
Aug 28 08:23:46.552: ISAKMP:(1049):Sending an IKE IPv4 Packet.
Aug 28 08:23:46.552: ISAKMP:(1049):Node -1582159006, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Aug 28 08:23:46.552: ISAKMP:(1049):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
Aug 28 08:23:46.552: ISAKMP:(1049):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Aug 28 08:23:46.552: ISAKMP:(1049):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Aug 28 08:23:46.584: ISAKMP (1049): received packet from 217.150.152.45 dport 500 sport 500 Global (I) QM_IDLE
Aug 28 08:23:46.584: ISAKMP: set new node -452721455 to QM_IDLE
Aug 28 08:23:46.584: ISAKMP:(1049): processing HASH payload. message ID = -452721455
Aug 28 08:23:46.584: ISAKMP:(1049): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 1
spi 0, message ID = -452721455, sa = 0x31627E04
Aug 28 08:23:46.584: ISAKMP:(1049):peer does not do paranoid keepalives.
Aug 28 08:23:46.584: ISAKMP:(1049):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE (peer 217.150.152.45)
Aug 28 08:23:46.584: ISAKMP:(1049):deleting node -452721455 error FALSE reason "Informational (in) state 1"
Aug 28 08:23:46.584: ISAKMP:(1049):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Aug 28 08:23:46.584: ISAKMP:(1049):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Aug 28 08:23:46.584: ISAKMP: set new node 494253780 to QM_IDLE
Aug 28 08:23:46.584: ISAKMP:(1049): sending packet to 217.150.152.45 my_port 500 peer_port 500 (I) QM_IDLE
Aug 28 08:23:46.584: ISAKMP:(1049):Sending an IKE IPv4 Packet.
Aug 28 08:23:46.584: ISAKMP:(1049):purging node 494253780
Aug 28 08:23:46.584: ISAKMP:(1049):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Aug 28 08:23:46.584: ISAKMP:(1049):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
Aug 28 08:23:46.584: ISAKMP:(1049):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE (peer 217.150.152.45)
Intertoys_Zentrale_Waddinxveen_01#
Aug 28 08:23:46.584: ISAKMP: Unlocking peer struct 0x2A2D7150 for isadb_mark_sa_deleted(), count 0
Aug 28 08:23:46.584: ISAKMP: Deleting peer node by peer_reap for 217.150.152.45: 2A2D7150
Aug 28 08:23:46.584: ISAKMP:(1049):deleting node -1582159006 error FALSE reason "IKE deleted"
Aug 28 08:23:46.584: ISAKMP:(1049):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Aug 28 08:23:46.584: ISAKMP:(1049):Old State = IKE_DEST_SA New State = IKE_DEST_SA
#################################################################################################################
Is there anything special that needs to be considered when building a VPN to Juniper devices?
Greetings
Thomas
08-28-2012 02:57 AM
The IPSec peer has PFS enabled; do the same in your crypto map:
crypto map vpn 2 ipsec-isakmp
set pfs group2
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
08-28-2012 03:06 AM
Awesome, it is working.
Thank you, Karsten.
Kind regards,
Thomas
08-28-2012 07:00 AM
Hi Karsten,
Could you tell me how you identified that the Juniper has PFS enabled, or how you knew it from the router logs? This will help us.
08-28-2012 07:12 AM
It was in the config output ("group2") of the Juniper:
set ike p2-proposal "G2_esp_aes256_sha_1800s" group2 esp aes256 sha-1 second 1800
but not in the config of the Cisco router:
crypto map vpn 2 ipsec-isakmp
description *** VPN Anbindung nach ICP in Magdeburg ***
set peer 217.150.152.45
set security-association lifetime seconds 1800
set transform-set esp-aes
match address ICP-TRAFFIC
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
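Karsten's answer rests on two observations from the thread: the ScreenOS p2-proposal carries a DH group (`group2`, i.e. PFS) that the Cisco crypto map entry does not set, and the router debug shows Phase 1 completing (`IKE_P1_COMPLETE`) before the peer answers Quick Mode with `PROPOSAL_NOT_CHOSEN`. The script below is an added example, not code from the thread or from Cisco or Juniper: it parses the quoted p2-proposal line and the quoted crypto map entry into comparable Phase 2 attributes, lists where they disagree, and scans the quoted `debug crypto isakmp` lines to confirm that the failure is a Phase 2 rejection rather than a Phase 1 problem. The ScreenOS and IOS grammar it accepts and the name normalisation (`esp-aes 256` to `aes256`, `esp-sha-hmac` to `sha-1`) are assumptions that cover only the forms shown in the thread; the sample inputs are constructed from the configs and log quoted above.

```python
import re

# Constructed sample inputs, taken from the configs and debug lines quoted in the thread.
SCREENOS_P2 = 'set ike p2-proposal "G2_esp_aes256_sha_1800s" group2 esp aes256 sha-1 second 1800'

CISCO_CONFIG = """\
crypto ipsec transform-set esp-aes esp-aes 256 esp-sha-hmac
crypto map vpn 2 ipsec-isakmp
 set peer 217.150.152.45
 set security-association lifetime seconds 1800
 set transform-set esp-aes
 match address ICP-TRAFFIC
"""

CISCO_DEBUG = """\
Aug 28 08:23:46.540: ISAKMP:(1049):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
Aug 28 08:23:46.552: ISAKMP:(1049): sending packet to 217.150.152.45 my_port 500 peer_port 500 (I) QM_IDLE
Aug 28 08:23:46.584: ISAKMP:(1049): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 1
Aug 28 08:23:46.584: ISAKMP:(1049):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE (peer 217.150.152.45)
"""

# Assumed mapping from IOS transform names to the vendor-neutral labels used for comparison.
CISCO_AUTH = {"esp-sha-hmac": "sha-1", "esp-md5-hmac": "md5"}
CISCO_ENCR = {"esp-aes": "aes", "esp-3des": "3des", "esp-des": "des"}


def parse_screenos_p2(line):
    """Parse one ScreenOS 'set ike p2-proposal' line into a Phase 2 dict.
    Assumed syntax: name, PFS group (groupN or no-pfs), esp, cipher, hash, optional 'second' lifetime."""
    m = re.match(
        r'set ike p2-proposal "(?P<name>[^"]+)"\s+(?P<pfs>group\d+|no-pfs)\s+esp\s+'
        r'(?P<encr>\S+)\s+(?P<auth>\S+)(?:\s+second\s+(?P<life>\d+))?',
        line.strip(),
    )
    if not m:
        raise ValueError("unrecognised p2-proposal line")
    return {
        "name": m["name"],
        "pfs": None if m["pfs"] == "no-pfs" else m["pfs"],
        "encr": m["encr"],
        "auth": m["auth"],
        "lifetime": int(m["life"]) if m["life"] else None,
    }


def parse_cisco_crypto_map(config, map_name, seq):
    """Extract the Phase 2 parameters of one 'crypto map <name> <seq>' entry.
    Only the first transform set named on 'set transform-set' is considered."""
    transform_sets = {}
    for m in re.finditer(r"^crypto ipsec transform-set (\S+)(.*)$", config, re.M):
        toks = m.group(2).split()
        encr = auth = None
        for i, tok in enumerate(toks):
            if tok in CISCO_ENCR:
                encr = CISCO_ENCR[tok]
                if encr == "aes":
                    # 'esp-aes 256' carries the key size as the next token; bare 'esp-aes' is 128-bit
                    bits = toks[i + 1] if i + 1 < len(toks) and toks[i + 1].isdigit() else "128"
                    encr = "aes" + bits
            elif tok in CISCO_AUTH:
                auth = CISCO_AUTH[tok]
        transform_sets[m.group(1)] = (encr, auth)

    entry = {"pfs": None, "encr": None, "auth": None, "lifetime": None}
    in_entry = False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("crypto "):
            # a new top-level crypto statement ends the previous crypto map entry
            in_entry = line.split()[:4] == ["crypto", "map", map_name, str(seq)]
            continue
        if not in_entry:
            continue
        if line.startswith("set pfs "):
            entry["pfs"] = line.split()[2]
        elif line.startswith("set transform-set "):
            entry["encr"], entry["auth"] = transform_sets[line.split()[2]]
        elif line.startswith("set security-association lifetime seconds "):
            entry["lifetime"] = int(line.split()[-1])
    return entry


def compare_phase2(local, remote):
    """Return the Phase 2 attributes on which the two sides disagree.
    A PFS mismatch alone is enough for the responder to answer PROPOSAL_NOT_CHOSEN."""
    mismatches = []
    for key in ("pfs", "encr", "auth", "lifetime"):
        a, b = local.get(key), remote.get(key)
        if key == "lifetime" and (a is None or b is None):
            continue  # lifetime left at a vendor default on one side: not judged here
        if a != b:
            mismatches.append(f"{key}: local={a or 'none'} remote={b or 'none'}")
    return mismatches


def find_phase2_rejection(debug):
    """Scan 'debug crypto isakmp' output: did Phase 1 complete, and which NOTIFY came afterwards?
    PROPOSAL_NOT_CHOSEN after IKE_P1_COMPLETE points at the crypto map / transform-set / PFS
    settings, not at the pre-shared key or the isakmp policy."""
    phase1_done = False
    for line in debug.splitlines():
        if "New State = IKE_P1_COMPLETE" in line:
            phase1_done = True
        m = re.search(r"processing NOTIFY (\w+)", line)
        if m:
            return {"phase1_complete": phase1_done, "notify": m.group(1)}
    return {"phase1_complete": phase1_done, "notify": None}


if __name__ == "__main__":
    remote = parse_screenos_p2(SCREENOS_P2)
    local = parse_cisco_crypto_map(CISCO_CONFIG, "vpn", 2)
    print(find_phase2_rejection(CISCO_DEBUG))   # {'phase1_complete': True, 'notify': 'PROPOSAL_NOT_CHOSEN'}
    print(compare_phase2(local, remote))        # ['pfs: local=none remote=group2']
    # the fix from the accepted answer: add 'set pfs group2' to the crypto map entry
    fixed = CISCO_CONFIG.replace(" set peer", " set pfs group2\n set peer")
    print(compare_phase2(parse_cisco_crypto_map(fixed, "vpn", 2), remote))  # []
```

The triage order matters: `find_phase2_rejection` tells you which layer to look at (a NOTIFY after `IKE_P1_COMPLETE` means keys and Phase 1 policy are fine), and `compare_phase2` then shows the single attribute the two sides disagree on, which here is the missing `set pfs group2` on the Cisco side.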
08-28-2012 09:09 PM
OK. So I assume that specifying group 2 for the Phase 2 DH means PFS! Because DH is for session keys, and in Phase 2 it means creating separate session keys for each session, and hence... please correct me if I'm wrong.
http://www.juniper.net/techpubs/software/erx/junose700/swcmdref-n-z/html/opqr-commands69.html
08-28-2012 11:47 PM
Nothing to correct, that's the way it works!