11-30-2005 01:44 PM - edited 02-21-2020 02:08 PM
I am having some trouble connecting a NetScreen box to my concentrator. On the NetScreen I am being told that phase 1 is successful but phase 2 is failing. I am wondering if someone could help me figure out why this is failing on phase 2.
12-06-2005 01:27 PM
The goal of this sample configuration is to connect a private network behind a Cisco PIX Firewall to a private network behind the Cisco VPN 3000 Concentrator. The devices on the networks know each other by their private addresses.
12-06-2005 05:14 PM
I ran into a similar issue today when trying to sync a 2651XM -> NetScreen. Same problem. P1 okay, P2 no good. I'll pass info on if a resolution is found.
12-06-2005 05:16 PM
I can say that I'm leaning towards PFS parameter. We'll see.
12-06-2005 11:59 PM
Hi,
The following documents from Juniper might help (even if one is for a NetScreen-PIX tunnel):
http://200.support.juniper.safeharbor.com/knowbase/root/public/ns10121.htm?
http://200.support.juniper.safeharbor.com/knowbase/root/public/nskb6553.htm?
HTH
Cathy
12-07-2005 06:09 AM
Good links.
More info (debugs; names and IPs changed):
Dec 6 17:21:14: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= x.x.x.x, remote= y.y.y.y,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
protocol= ESP, transform= esp-aes 256 esp-md5-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x22
Dec 6 17:21:14: CryptoEngine0: validate proposal request
Dec 6 17:21:14: IPSEC(kei_proxy): head = fe01, map->ivrf = , kei->ivrf =
Dec 6 17:21:14: IPSEC(validate_transform_proposal): proxy identities not supported
Dec 6 17:21:14: ISAKMP (0:1): IPSec policy invalidated proposal
Dec 6 17:21:14: ISAKMP (0:1): phase 2 SA policy not acceptable! (local x.x.x.x remote y.y.y.y)
Dec 6 17:21:14: ISAKMP: set new node -1873272454 to QM_IDLE
Dec 6 17:21:14: CryptoEngine0: generate hmac context for conn id 1
ROUTER#
ROUTER#
ROUTER#
Dec 6 17:21:14: ISAKMP (0:1): Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 2202668392, message ID = -1873272454
Dec 6 17:21:14: ISAKMP (0:1): sending packet to 66.54.243.171 my_port 500 peer_port 500 (R) QM_IDLE
Dec 6 17:21:14: ISAKMP (0:1): purging node -1873272454
Dec 6 17:21:14: ISAKMP (0:1): deleting node 1077236606 error TRUE reason "quick mode rejected"
Dec 6 17:21:14: ISAKMP (0:1): Unknown Input IKE_MESG_FROM_PEER, IKE_QM_EXCH: for node 1077236606: state = IKE_QM_READY
Dec 6 17:21:14: ISAKMP (0:1): Node 1077236606, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Dec 6 17:21:14: ISAKMP (0:1): Old State = IKE_QM_READY New State = IKE_QM_READY
12-07-2005 06:20 AM
Following your links I also found this one:
Parameters required for VPN interoperability:
http://200.support.juniper.safeharbor.com/knowbase/root/public/nskb2082.htm?
12-07-2005 06:06 AM
Thanks, it ended up being a mismatched PFS setting that was stopping the phase 2 completion.
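The debug output above and the final answer together make the practical point of this thread: IOS only reports the first thing it dislikes about the peer's Quick Mode proposal ("proxy identities not supported", then "phase 2 SA policy not acceptable"), while the actual fix was PFS. The script below is an added illustration, not code from the thread or from Cisco or Juniper. It parses the proxy IDs, transform and mode out of an IOS IPSEC(validate_proposal_request) block modelled on the one posted, compares them with a constructed local crypto-map policy, and lists every mismatch at once. The PFS group is passed in by the caller because the posted debug block does not show it; the 0.0.0.0/0 proxy IDs in the excerpt are the kind of any/any selectors a peer sends when no narrower proxy ID is configured, which no crypto-map ACL will match.

```python
"""Phase-2 (Quick Mode) proposal checker, added as an illustration.

parse_validate_proposal() pulls the peer's proposal out of an IOS
'IPSEC(validate_proposal_request)' debug block like the one posted in the
thread; compare_phase2() lists every disagreement with the local crypto-map
entry; classify_debug() maps the IOS rejection messages seen in the thread to
what they indicate. The local policy values are constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpt modelled on the debug lines posted in the thread
# (the poster had already masked the addresses as x.x.x.x / y.y.y.y).
DEBUG_EXCERPT = """\
Dec 6 17:21:14: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= x.x.x.x, remote= y.y.y.y,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
protocol= ESP, transform= esp-aes 256 esp-md5-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x22
Dec 6 17:21:14: IPSEC(validate_transform_proposal): proxy identities not supported
Dec 6 17:21:14: ISAKMP (0:1): phase 2 SA policy not acceptable! (local x.x.x.x remote y.y.y.y)
"""


@dataclass
class Phase2Params:
    local_proxy: str          # IOS style addr/mask/proto/port; type=4 is ID_IPV4_ADDR_SUBNET
    remote_proxy: str
    transform: str            # e.g. "esp-aes 256 esp-md5-hmac"
    mode: str                 # "Tunnel" or "Transport"
    pfs_group: Optional[int]  # None means PFS disabled


def parse_validate_proposal(text: str, pfs_group: Optional[int]) -> Phase2Params:
    """Extract proxy IDs, transform and mode from a validate_proposal_request block.

    The debug block quoted in the thread does not show a PFS group, so the
    caller supplies the group the peer is configured with (or None for off).
    """
    def grab(pattern: str) -> str:
        m = re.search(pattern, text)
        if m is None:
            raise ValueError(f"field not found: {pattern}")
        return m.group(1)

    return Phase2Params(
        local_proxy=grab(r"local_proxy=\s*(\S+)\s*\(type"),
        remote_proxy=grab(r"remote_proxy=\s*(\S+)\s*\(type"),
        transform=grab(r"transform=\s*(.+?)\s*\((?:Tunnel|Transport)\)"),
        mode=grab(r"transform=.+?\((Tunnel|Transport)\)"),
        pfs_group=pfs_group,
    )


def _norm(s: str) -> str:
    """Case- and whitespace-insensitive form for comparing transform strings."""
    return " ".join(s.lower().split())


def compare_phase2(local: Phase2Params, peer: Phase2Params) -> List[str]:
    """Return every reason a responder would reject the peer's proposal.

    An empty list means the proposal matches. All mismatches are reported
    together, since the thread shows how a debug that points at proxy IDs
    can still leave a PFS mismatch to be found on the next attempt.
    """
    problems: List[str] = []
    if peer.local_proxy != local.local_proxy:
        problems.append(f"local proxy ID: peer offers {peer.local_proxy}, crypto map expects {local.local_proxy}")
    if peer.remote_proxy != local.remote_proxy:
        problems.append(f"remote proxy ID: peer offers {peer.remote_proxy}, crypto map expects {local.remote_proxy}")
    if _norm(peer.transform) != _norm(local.transform):
        problems.append(f"transform set: peer offers '{peer.transform}', local is '{local.transform}'")
    if peer.mode.lower() != local.mode.lower():
        problems.append(f"encapsulation mode: peer {peer.mode}, local {local.mode}")
    if peer.pfs_group != local.pfs_group:
        def show(g: Optional[int]) -> str:
            return "off" if g is None else f"group {g}"
        problems.append(f"PFS: peer {show(peer.pfs_group)}, local {show(local.pfs_group)}")
    return problems


# IOS messages seen in the thread and what each one points at.
IOS_HINTS = {
    "proxy identities not supported":
        "peer's proxy IDs (traffic selectors) match no crypto-map ACL entry",
    "phase 2 SA policy not acceptable":
        "Quick Mode rejected; check proxy IDs, transform set, mode and PFS on both ends",
    "PROPOSAL_NOT_CHOSEN":
        "responder notified the initiator that no phase-2 proposal was accepted",
}


def classify_debug(text: str) -> List[str]:
    """Map known IOS phase-2 rejection messages in a debug capture to hints."""
    hints: List[str] = []
    for line in text.splitlines():
        for needle, meaning in IOS_HINTS.items():
            if needle in line:
                hints.append(f"{needle}: {meaning}")
    return hints


if __name__ == "__main__":
    # Constructed local policy: crypto-map ACL between two /24s, AES-256/MD5, PFS group 2.
    local_policy = Phase2Params("10.1.1.0/255.255.255.0/0/0", "10.2.2.0/255.255.255.0/0/0",
                                "esp-aes 256 esp-md5-hmac", "Tunnel", pfs_group=2)
    peer_proposal = parse_validate_proposal(DEBUG_EXCERPT, pfs_group=None)
    for hint in classify_debug(DEBUG_EXCERPT):
        print("debug:", hint)
    for problem in compare_phase2(local_policy, peer_proposal):
        print("mismatch:", problem)
```

Run as-is it reports the two proxy-ID mismatches plus the PFS mismatch (peer off, local group 2), which is the combination this thread ran into: the proxy-ID lines are what the IOS debug complains about, and the PFS line is the setting that finally had to be aligned.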