IPSec VPN between Cisco and ScreenOS

thomas.busse
Level 1

Hello,

I'm trying to configure a simple IPSec VPN between a Cisco 2911 router and a Juniper NetScreen ScreenOS device (I don't know the exact model). At first the debugging looks good (QM_IDLE), but then the ISAKMP SA is deleted.

The person managing the Juniper device sent me his log excerpt:

###########################################################################

2012-08-28 10:24:16 system info  00536 IKE <WAN IP> Phase 2 msg ID
                                       9b839579: Negotiations have failed.
2012-08-28 10:24:16 system info  00536 Rejected an IKE packet on loopback.11
                                       from <WAN IP>:500 to
                                       217.150.152.45:500 with cookies
                                       87960e39d074ca49 and 9302d26c7ce324a5
                                       because There were no acceptable Phase
                                       2 proposals..

He set the following Phase 2 proposal:

set ike p2-proposal "G2_esp_aes256_sha_1800s" group2 esp aes256 sha-1 second 1800

###########################################################################

And I use these:

###########################################################################

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp key <KEY> address 217.150.152.45
crypto ipsec transform-set esp-aes esp-aes 256 esp-sha-hmac
crypto map vpn 2 ipsec-isakmp
 description *** VPN Anbindung nach ICP in Magdeburg ***
 set peer 217.150.152.45
 set security-association lifetime seconds 1800
 set transform-set esp-aes
 match address ICP-TRAFFIC
!

###########################################################################

Here is my log (debug crypto isakmp on the Cisco side):

#################################################################################################################

Aug 28 08:23:46.416: ISAKMP:(0): SA request profile is (NULL)

Aug 28 08:23:46.416: ISAKMP: Created a peer struct for 217.150.152.45, peer port 500

Aug 28 08:23:46.416: ISAKMP: New peer created peer = 0x2A2D7150 peer_handle = 0x8000003A

Aug 28 08:23:46.416: ISAKMP: Locking peer struct 0x2A2D7150, refcount 1 for isakmp_initiator

Aug 28 08:23:46.416: ISAKMP: local port 500, remote port 500

Aug 28 08:23:46.416: ISAKMP: set new node 0 to QM_IDLE

Aug 28 08:23:46.416: ISAKMP:(0):insert sa successfully sa = 31627E04

Aug 28 08:23:46.416: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.

Aug 28 08:23:46.416: ISAKMP:(0):found peer pre-shared key matching 217.150.152.45

Aug 28 08:23:46.416: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID

Aug 28 08:23:46.416: ISAKMP:(0): constructed NAT-T vendor-07 ID

Aug 28 08:23:46.416: ISAKMP:(0): constructed NAT-T vendor-03 ID

Aug 28 08:23:46.416: ISAKMP:(0): constructed NAT-T vendor-02 ID

Aug 28 08:23:46.416: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

Aug 28 08:23:46.416: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

Aug 28 08:23:46.416: ISAKMP:(0): beginning Main Mode exchange

Aug 28 08:23:46.416: ISAKMP:(0): sending packet to 217.150.152.45 my_port 500 peer_port 500 (I) MM_NO_STATE

Aug 28 08:23:46.416: ISAKMP:(0):Sending an IKE IPv4 Packet.

Aug 28 08:23:46.448: ISAKMP (0): received packet from 217.150.152.45 dport 500 sport 500 Global (I) MM_NO_STATE

Aug 28 08:23:46.448: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

Aug 28 08:23:46.448: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2

Aug 28 08:23:46.448: ISAKMP:(0): processing SA payload. message ID = 0

Aug 28 08:23:46.448: ISAKMP:(0): processing vendor id payload

Aug 28 08:23:46.448: ISAKMP:(0): vendor ID seems Unity/DPD but major 239 mismatch

Aug 28 08:23:46.448: ISAKMP:(0): processing vendor id payload

Aug 28 08:23:46.448: ISAKMP:(0): vendor ID is DPD

Aug 28 08:23:46.448: ISAKMP:(0): processing vendor id payload

Aug 28 08:23:46.448: ISAKMP:(0): processing IKE frag vendor id payload

Aug 28 08:23:46.448: ISAKMP:(0):Support for IKE Fragmentation not enabled

Aug 28 08:23:46.448: ISAKMP:(0):found peer pre-shared key matching 217.150.152.45

Aug 28 08:23:46.448: ISAKMP:(0): local preshared key found

Aug 28 08:23:46.448: ISAKMP : Scanning profiles for xauth ...

Aug 28 08:23:46.448: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy

Aug 28 08:23:46.448: ISAKMP:      encryption AES-CBC

Aug 28 08:23:46.448: ISAKMP:      hash SHA

Aug 28 08:23:46.448: ISAKMP:      default group 2

Aug 28 08:23:46.448: ISAKMP:      auth pre-share

Aug 28 08:23:46.448: ISAKMP:      keylength of 256

Aug 28 08:23:46.448: ISAKMP:      life type in seconds

Aug 28 08:23:46.448: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80

Aug 28 08:23:46.448: ISAKMP:(0):atts are acceptable. Next payload is 0

Aug 28 08:23:46.448: ISAKMP:(0):Acceptable atts:actual life: 0

Aug 28 08:23:46.448: ISAKMP:(0):Acceptable atts:life: 0

Aug 28 08:23:46.448: ISAKMP:(0):Fill atts in sa vpi_length:4

Aug 28 08:23:46.448: ISAKMP:(0):Fill atts in sa life_in_seconds:86400

Aug 28 08:23:46.448: ISAKMP:(0):Returning Actual lifetime: 86400

Aug 28 08:23:46.448: ISAKMP:(0)::Started lifetime timer: 86400.

Aug 28 08:23:46.448: ISAKMP:(0): processing vendor id payload

Aug 28 08:23:46.448: ISAKMP:(0): vendor ID seems Unity/DPD but major 239 mismatch

Aug 28 08:23:46.448: ISAKMP:(0): processing vendor id payload

Aug 28 08:23:46.448: ISAKMP:(0): vendor ID is DPD

Aug 28 08:23:46.448: ISAKMP:(0): processing vendor id payload

Aug 28 08:23:46.448: ISAKMP:(0): processing IKE frag vendor id payload

Aug 28 08:23:46.448: ISAKMP:(0):Support for IKE Fragmentation not enabled

Aug 28 08:23:46.448: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

Aug 28 08:23:46.448: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2

Aug 28 08:23:46.448: ISAKMP:(0): sending packet to 217.150.152.45 my_port 500 peer_port 500 (I) MM_SA_SETUP

Aug 28 08:23:46.448: ISAKMP:(0):Sending an IKE IPv4 Packet.

Aug 28 08:23:46.452: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

Aug 28 08:23:46.452: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3

Aug 28 08:23:46.484: ISAKMP (0): received packet from 217.150.152.45 dport 500 sport 500 Global (I) MM_SA_SETUP

Aug 28 08:23:46.484: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

Aug 28 08:23:46.484: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4

Aug 28 08:23:46.484: ISAKMP:(0): processing KE payload. message ID = 0

Aug 28 08:23:46.508: ISAKMP:(0): processing NONCE payload. message ID = 0

Aug 28 08:23:46.508: ISAKMP:(0):found peer pre-shared key matching 217.150.152.45

Aug 28 08:23:46.508: ISAKMP:(1049):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

Aug 28 08:23:46.508: ISAKMP:(1049):Old State = IKE_I_MM4  New State = IKE_I_MM4

Aug 28 08:23:46.508: ISAKMP:(1049):Send initial contact

Aug 28 08:23:46.508: ISAKMP:(1049):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

Aug 28 08:23:46.508: ISAKMP (1049): ID payload

        next-payload : 8

        type         : 1

        address      : 92.67.80.237

        protocol     : 17

        port         : 500

        length       : 12

Aug 28 08:23:46.508: ISAKMP:(1049):Total payload length: 12

Aug 28 08:23:46.508: ISAKMP:(1049): sending packet to 217.150.152.45 my_port 500 peer_port 500 (I) MM_KEY_EXCH

Aug 28 08:23:46.508: ISAKMP:(1049):Sending an IKE IPv4 Packet.

Aug 28 08:23:46.508: ISAKMP:(1049):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

Aug 28 08:23:46.508: ISAKMP:(1049):Old State = IKE_I_MM4  New State = IKE_I_MM5

Aug 28 08:23:46.540: ISAKMP (1049): received packet from 217.150.152.45 dport 500 sport 500 Global (I) MM_KEY_EXCH

Aug 28 08:23:46.540: ISAKMP:(1049): processing ID payload. message ID = 0

Aug 28 08:23:46.540: ISAKMP (1049): ID payload

        next-payload : 8

        type         : 1

        address      : 217.150.152.45

        protocol     : 17

        port         : 500

        length       : 12

Aug 28 08:23:46.540: ISAKMP:(0):: peer matches *none* of the profiles

Aug 28 08:23:46.540: ISAKMP:(1049): processing HASH payload. message ID = 0

Aug 28 08:23:46.540: ISAKMP:(1049):SA authentication status:

        authenticated

Aug 28 08:23:46.540: ISAKMP:(1049):SA has been authenticated with 217.150.152.45

Aug 28 08:23:46.540: ISAKMP: Trying to insert a peer <WAN IP>/217.150.152.45/500/,  and inserted successfully 2A2D7150.

Aug 28 08:23:46.540: ISAKMP:(1049):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

Aug 28 08:23:46.540: ISAKMP:(1049):Old State = IKE_I_MM5  New State = IKE_I_MM6

Aug 28 08:23:46.540: ISAKMP:(1049):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

Aug 28 08:23:46.540: ISAKMP:(1049):Old State = IKE_I_MM6  New State = IKE_I_MM6

Aug 28 08:23:46.540: ISAKMP:(1049):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

Aug 28 08:23:46.540: ISAKMP:(1049):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE

Aug 28 08:23:46.540: ISAKMP:(1049):beginning Quick Mode exchange, M-ID of -1582159006

Aug 28 08:23:46.552: ISAKMP:(1049):QM Initiator gets spi

Aug 28 08:23:46.552: ISAKMP:(1049): sending packet to 217.150.152.45 my_port 500 peer_port 500 (I) QM_IDLE

Aug 28 08:23:46.552: ISAKMP:(1049):Sending an IKE IPv4 Packet.

Aug 28 08:23:46.552: ISAKMP:(1049):Node -1582159006, Input = IKE_MESG_INTERNAL, IKE_INIT_QM

Aug 28 08:23:46.552: ISAKMP:(1049):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1

Aug 28 08:23:46.552: ISAKMP:(1049):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

Aug 28 08:23:46.552: ISAKMP:(1049):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Aug 28 08:23:46.584: ISAKMP (1049): received packet from 217.150.152.45 dport 500 sport 500 Global (I) QM_IDLE

Aug 28 08:23:46.584: ISAKMP: set new node -452721455 to QM_IDLE

Aug 28 08:23:46.584: ISAKMP:(1049): processing HASH payload. message ID = -452721455

Aug 28 08:23:46.584: ISAKMP:(1049): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 1

        spi 0, message ID = -452721455, sa = 0x31627E04

Aug 28 08:23:46.584: ISAKMP:(1049):peer does not do paranoid keepalives.

Aug 28 08:23:46.584: ISAKMP:(1049):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE       (peer 217.150.152.45)

Aug 28 08:23:46.584: ISAKMP:(1049):deleting node -452721455 error FALSE reason "Informational (in) state 1"

Aug 28 08:23:46.584: ISAKMP:(1049):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY

Aug 28 08:23:46.584: ISAKMP:(1049):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Aug 28 08:23:46.584: ISAKMP: set new node 494253780 to QM_IDLE

Aug 28 08:23:46.584: ISAKMP:(1049): sending packet to 217.150.152.45 my_port 500 peer_port 500 (I) QM_IDLE

Aug 28 08:23:46.584: ISAKMP:(1049):Sending an IKE IPv4 Packet.

Aug 28 08:23:46.584: ISAKMP:(1049):purging node 494253780

Aug 28 08:23:46.584: ISAKMP:(1049):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

Aug 28 08:23:46.584: ISAKMP:(1049):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

Aug 28 08:23:46.584: ISAKMP:(1049):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE       (peer 217.150.152.45)

Intertoys_Zentrale_Waddinxveen_01#

Aug 28 08:23:46.584: ISAKMP: Unlocking peer struct 0x2A2D7150 for isadb_mark_sa_deleted(), count 0

Aug 28 08:23:46.584: ISAKMP: Deleting peer node by peer_reap for 217.150.152.45: 2A2D7150

Aug 28 08:23:46.584: ISAKMP:(1049):deleting node -1582159006 error FALSE reason "IKE deleted"

Aug 28 08:23:46.584: ISAKMP:(1049):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

Aug 28 08:23:46.584: ISAKMP:(1049):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

#################################################################################################################

Is there anything special that needs to be considered when building a VPN to Juniper devices?

Greetings

Thomas


6 Replies

The IPSec peer has PFS enabled; do the same in your crypto map:

crypto map vpn 2 ipsec-isakmp
  set pfs group2

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Awesome, it is working.

Thank you Karsten.

Kind regards,

Thomas

Hi Karsten,

Could you tell me how you identified that the Juniper has PFS enabled, or how you could tell from the router logs? This will help us.

It was in the config output ("group2") of the Juniper:

set ike p2-proposal "G2_esp_aes256_sha_1800s" group2 esp aes256 sha-1 second 1800

but not in the config of the Cisco router:

crypto map vpn 2 ipsec-isakmp
  description *** VPN Anbindung nach ICP in Magdeburg ***
  set peer 217.150.152.45
  set security-association lifetime seconds 1800
  set transform-set esp-aes
  match address ICP-TRAFFIC

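As an added illustration (not code from this thread or from either vendor), the comparison Karsten did by eye above can be scripted. The Python below parses the ScreenOS "set ike p2-proposal" line and the Cisco transform-set plus crypto map entry from the first post, normalises both into one Phase 2 proposal (encryption, integrity, PFS group, lifetime) and reports the attribute that differs; it also walks the "debug crypto isakmp" excerpt to confirm the PROPOSAL_NOT_CHOSEN notify arrived after IKE_P1_COMPLETE, i.e. that it is a Phase 2 rejection. The sample inputs are the lines quoted in the thread (the Cisco config trimmed to the lines that matter, before the fix). The keyword tables, the IOS defaults assumed when a line is absent (no PFS, 3600 s lifetime) and the decision to report lifetime differences as non-fatal are my assumptions, and the parser only covers the ScreenOS and IOS syntax forms seen here plus a few common variants.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Phase2Proposal:
    """One normalised IKEv1 Quick Mode (IPsec SA) proposal."""
    encryption: str            # "aes256", "3des", ...
    integrity: str             # "sha1", "md5", ...
    pfs_group: Optional[int]   # DH group used for PFS; None means PFS is off
    lifetime_s: int            # SA lifetime in seconds


# ScreenOS: set ike p2-proposal "<name>" groupN|no-pfs esp <enc> <auth> second <n>
_SCREENOS_P2 = re.compile(
    r'set ike p2-proposal "(?P<name>[^"]+)"\s+(?:group(?P<group>\d+)|no-pfs)\s+'
    r'esp\s+(?P<enc>\S+)\s+(?P<auth>\S+)\s+second\s+(?P<life>\d+)')
_SCREENOS_AUTH = {"sha-1": "sha1", "md5": "md5", "sha-256": "sha256"}  # assumed table


def parse_screenos_p2(line: str) -> Phase2Proposal:
    """The groupN keyword on a ScreenOS p2-proposal is the PFS DH group."""
    m = _SCREENOS_P2.search(line)
    if not m:
        raise ValueError(f"not a ScreenOS p2-proposal line: {line!r}")
    return Phase2Proposal(
        encryption=m["enc"].lower(),
        integrity=_SCREENOS_AUTH.get(m["auth"].lower(), m["auth"].lower()),
        pfs_group=int(m["group"]) if m["group"] else None,
        lifetime_s=int(m["life"]))


# Cisco IOS: "crypto ipsec transform-set <name> <transforms>" and a crypto map entry
_CISCO_TS = re.compile(r"^crypto ipsec transform-set (?P<name>\S+)\s+(?P<rest>.+)$", re.M)
_CISCO_ENC = {"esp-aes": "aes128", "esp-3des": "3des", "esp-des": "des"}      # assumed table
_CISCO_AUTH = {"esp-sha-hmac": "sha1", "esp-md5-hmac": "md5", "esp-sha256-hmac": "sha256"}


def _transform_sets(config: str) -> Dict[str, Tuple[str, str]]:
    sets = {}
    for m in _CISCO_TS.finditer(config):
        toks, enc, auth, i = m["rest"].split(), "none", "none", 0
        while i < len(toks):
            t = toks[i]
            if t == "esp-aes" and i + 1 < len(toks) and toks[i + 1].isdigit():
                enc, i = "aes" + toks[i + 1], i + 2          # "esp-aes 256" -> aes256
                continue
            enc, auth, i = _CISCO_ENC.get(t, enc), _CISCO_AUTH.get(t, auth), i + 1
        sets[m["name"]] = (enc, auth)
    return sets


def parse_cisco_crypto_map(config: str, map_name: str, seq: int) -> Phase2Proposal:
    """Read one 'crypto map <name> <seq> ipsec-isakmp' entry. Assumed IOS defaults
    when a line is absent: no PFS and a 3600 s SA lifetime."""
    sets = _transform_sets(config)
    lines = [l.strip() for l in config.splitlines()]
    start = lines.index(f"crypto map {map_name} {seq} ipsec-isakmp")
    ts_name, pfs, life = None, None, 3600
    for s in lines[start + 1:]:
        if s == "!" or s.startswith(("crypto ", "interface ")):
            break                                            # end of the map entry
        if s.startswith("set transform-set "):
            ts_name = s.split()[2]                           # first listed set only
        elif s.startswith("set pfs "):
            pfs = int(s.split()[2][len("group"):])           # "group2" -> 2
        elif s.startswith("set security-association lifetime seconds "):
            life = int(s.split()[-1])
    enc, auth = sets[ts_name]
    return Phase2Proposal(enc, auth, pfs, life)


def phase2_mismatches(local: Phase2Proposal, peer: Phase2Proposal) -> List[str]:
    """Attributes on which the responder answers PROPOSAL_NOT_CHOSEN. Lifetime is
    left out on purpose: peers normally settle on the shorter value instead."""
    def pfs(p): return f"group{p.pfs_group}" if p.pfs_group else "off"
    out = []
    if local.encryption != peer.encryption:
        out.append(f"encryption: local {local.encryption}, peer {peer.encryption}")
    if local.integrity != peer.integrity:
        out.append(f"integrity: local {local.integrity}, peer {peer.integrity}")
    if local.pfs_group != peer.pfs_group:
        out.append(f"pfs: local {pfs(local)}, peer {pfs(peer)}")
    return out


def classify_isakmp_debug(lines: List[str]) -> str:
    """Tell a Phase 1 from a Phase 2 rejection in 'debug crypto isakmp' output."""
    p1_done = False
    for l in lines:
        if "New State = IKE_P1_COMPLETE" in l:
            p1_done = True
        if "PROPOSAL_NOT_CHOSEN" in l or "NO_PROPOSAL_CHOSEN" in l:
            return "phase2-proposal-rejected" if p1_done else "phase1-proposal-rejected"
    return "phase1-complete" if p1_done else "no-rejection-seen"


# Inputs taken from the thread (Cisco config trimmed to the relevant lines, before the fix).
SCREENOS_LINE = 'set ike p2-proposal "G2_esp_aes256_sha_1800s" group2 esp aes256 sha-1 second 1800'
CISCO_CONFIG = """\
crypto ipsec transform-set esp-aes esp-aes 256 esp-sha-hmac
crypto map vpn 2 ipsec-isakmp
 set peer 217.150.152.45
 set security-association lifetime seconds 1800
 set transform-set esp-aes
 match address ICP-TRAFFIC
!
"""
CISCO_CONFIG_FIXED = CISCO_CONFIG.replace(" set transform-set esp-aes\n",
                                          " set pfs group2\n set transform-set esp-aes\n")
DEBUG_EXCERPT = [
    "ISAKMP:(1049):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE",
    "ISAKMP:(1049): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 1",
]

if __name__ == "__main__":
    peer = parse_screenos_p2(SCREENOS_LINE)
    for cfg in (CISCO_CONFIG, CISCO_CONFIG_FIXED):
        print(phase2_mismatches(parse_cisco_crypto_map(cfg, "vpn", 2), peer) or "match")
    print(classify_isakmp_debug(DEBUG_EXCERPT))
```

Run as posted it reports the one difference, "pfs: local off, peer group2", for the original crypto map and "match" once "set pfs group2" is added, and classifies the debug excerpt as a Phase 2 rejection, which is exactly the reading of the logs given in this thread. The Phase 1 policy is not compared because the debug output already shows the ISAKMP attributes being accepted.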

OK. So I assume that specifying group 2 for the Phase 2 DH means PFS, because DH is for session keys, and in Phase 2 it means creating separate session keys for each session, and hence... Please correct me if I'm wrong.

http://www.juniper.net/techpubs/software/erx/junose700/swcmdref-n-z/html/opqr-commands69.html

Nothing to correct, that's the way it works!