Cisco Support Community
New Member

LAN to LAN IPSec Concentrator to Netscreen

I am having some trouble connecting a NetScreen box to my concentrator. On the NetScreen I am being told that phase 1 is successful but phase 2 is failing. I am wondering if someone could help me figure out why this is failing on phase 2.

7 REPLIES
Silver

Re: LAN to LAN IPSec Concentrator to Netscreen

The goal of this sample configuration is to connect a private network behind a Cisco PIX Firewall to a private network behind the Cisco VPN 3000 Concentrator. The devices on the networks know each other by their private addresses.

http://www.cisco.com/warp/public/471/ALTIGA_pix.html

New Member

Re: LAN to LAN IPSec Concentrator to Netscreen

I ran into a similar issue today when trying to sync a 2651XM to a NetScreen. Same problem: P1 okay, P2 no good. I'll pass the info on if a resolution is found.

New Member

Re: LAN to LAN IPSec Concentrator to Netscreen

I can say that I'm leaning towards the PFS parameter. We'll see.

Silver

Re: LAN to LAN IPSec Concentrator to Netscreen

Hi,

The following documents from Juniper might help (even if one is for a NetScreen-PIX tunnel)

http://200.support.juniper.safeharbor.com/knowbase/root/public/ns10121.htm?

http://200.support.juniper.safeharbor.com/knowbase/root/public/nskb6553.htm?

HTH

Cathy

New Member

Re: LAN to LAN IPSec Concentrator to Netscreen

Good links.

More info (debugs; names and IPs changed):

Dec 6 17:21:14: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= x.x.x.x, remote= y.y.y.y,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
protocol= ESP, transform= esp-aes 256 esp-md5-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x22
Dec 6 17:21:14: CryptoEngine0: validate proposal request
Dec 6 17:21:14: IPSEC(kei_proxy): head = fe01, map->ivrf = , kei->ivrf =
Dec 6 17:21:14: IPSEC(validate_transform_proposal): proxy identities not supported
Dec 6 17:21:14: ISAKMP (0:1): IPSec policy invalidated proposal
Dec 6 17:21:14: ISAKMP (0:1): phase 2 SA policy not acceptable! (local x.x.x.x remote y.y.y.y)
Dec 6 17:21:14: ISAKMP: set new node -1873272454 to QM_IDLE
Dec 6 17:21:14: CryptoEngine0: generate hmac context for conn id 1
ROUTER#
Dec 6 17:21:14: ISAKMP (0:1): Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 spi 2202668392, message ID = -1873272454
Dec 6 17:21:14: ISAKMP (0:1): sending packet to 66.54.243.171 my_port 500 peer_port 500 (R) QM_IDLE
Dec 6 17:21:14: ISAKMP (0:1): purging node -1873272454
Dec 6 17:21:14: ISAKMP (0:1): deleting node 1077236606 error TRUE reason "quick mode rejected"
Dec 6 17:21:14: ISAKMP (0:1): Unknown Input IKE_MESG_FROM_PEER, IKE_QM_EXCH: for node 1077236606: state = IKE_QM_READY
Dec 6 17:21:14: ISAKMP (0:1): Node 1077236606, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Dec 6 17:21:14: ISAKMP (0:1): Old State = IKE_QM_READY New State = IKE_QM_READY
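The debug above is the kind of output a practitioner pastes into a ticket, so here is a small added example (not code from the thread or from Cisco) that pulls the peer's quick-mode proposal out of IOS `debug crypto ipsec` / `debug crypto isakmp` lines and lists every way it disagrees with the local crypto map. `SAMPLE_DEBUG` is constructed in the shape of the lines quoted in the post, with RFC 5737 documentation addresses in place of the poster's x.x.x.x and y.y.y.y; `REJECT_REASONS` is this example's own reading of the rejection strings, and `EXAMPLE_POLICY` is an assumed crypto-map configuration. It only sees what those lines expose (proxy IDs, transform, mode, rejection notices); it cannot see PFS settings, which the thread's final reply identified as the actual mismatch.

```python
# Added example (not from the thread): parse IOS 'debug crypto ipsec/isakmp'
# output for a rejected quick-mode proposal and compare it with local policy.
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the shape of the debug quoted above; RFC 5737 addresses.
SAMPLE_DEBUG = """\
Dec 6 17:21:14: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 192.0.2.1, remote= 198.51.100.1,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
protocol= ESP, transform= esp-aes 256 esp-md5-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x22
Dec 6 17:21:14: IPSEC(validate_transform_proposal): proxy identities not supported
Dec 6 17:21:14: ISAKMP (0:1): IPSec policy invalidated proposal
Dec 6 17:21:14: ISAKMP (0:1): phase 2 SA policy not acceptable! (local 192.0.2.1 remote 198.51.100.1)
Dec 6 17:21:14: ISAKMP (0:1): Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
Dec 6 17:21:14: ISAKMP (0:1): deleting node 1077236606 error TRUE reason "quick mode rejected"
"""

# Rejection strings IOS prints in quick mode and the usual reading of each
# (this mapping is the example's assumption, not an official reference).
REJECT_REASONS = {
    "proxy identities not supported": "peer's proxy IDs (traffic selectors) match no local crypto ACL",
    "phase 2 SA policy not acceptable": "local IPsec policy rejected the quick-mode proposal",
    "PROPOSAL_NOT_CHOSEN": "router notified the peer that no proposal was chosen",
    "quick mode rejected": "quick-mode exchange torn down after the rejection",
}

@dataclass
class ProxyId:
    # IOS proxy identity: address/mask/protocol/port; type=4 is an IPv4 subnet.
    address: str
    mask: str
    protocol: int
    port: int
    id_type: int

    def net(self) -> str:
        return f"{self.address}/{self.mask}"

@dataclass
class Phase2Proposal:
    local: Optional[str] = None            # this router's IKE address
    remote: Optional[str] = None           # peer's IKE address
    local_proxy: Optional[ProxyId] = None  # what the peer thinks our side covers
    remote_proxy: Optional[ProxyId] = None # what the peer says its side covers
    transform: Optional[str] = None        # e.g. "esp-aes 256 esp-md5-hmac"
    mode: Optional[str] = None             # Tunnel or Transport
    rejections: List[str] = field(default_factory=list)

PEER_RE = re.compile(r"local= (\S+?), remote= (\S+?),")
PROXY_RE = re.compile(r"(local|remote)_proxy= ([\d.]+)/([\d.]+)/(\d+)/(\d+) \(type=(\d+)\)")
TRANSFORM_RE = re.compile(r"transform= (.+?) \((\w+)\)")

def parse_phase2_debug(text: str) -> Phase2Proposal:
    """Single pass over the debug lines; later lines overwrite earlier fields."""
    p = Phase2Proposal()
    for line in text.splitlines():
        if m := PEER_RE.search(line):
            p.local, p.remote = m.group(1), m.group(2)
        elif m := PROXY_RE.search(line):
            pid = ProxyId(m[2], m[3], int(m[4]), int(m[5]), int(m[6]))
            setattr(p, f"{m[1]}_proxy", pid)
        elif m := TRANSFORM_RE.search(line):
            p.transform, p.mode = m.group(1), m.group(2)
        for needle in REJECT_REASONS:
            if needle in line and needle not in p.rejections:
                p.rejections.append(needle)
    return p

@dataclass
class LocalPolicy:
    """What this router's crypto map allows (an assumed configuration)."""
    local_net: str    # crypto ACL source as address/mask
    remote_net: str   # crypto ACL destination as address/mask
    transforms: tuple # transform sets as IOS prints them

EXAMPLE_POLICY = LocalPolicy("10.1.0.0/255.255.0.0", "10.2.0.0/255.255.0.0",
                             ("esp-aes 256 esp-sha-hmac",))

def explain_failure(p: Phase2Proposal, policy: LocalPolicy) -> List[str]:
    """List every way the peer's proposal disagrees with local policy."""
    findings = []
    for side, pid, want in (("local", p.local_proxy, policy.local_net),
                            ("remote", p.remote_proxy, policy.remote_net)):
        if pid is not None and pid.net() != want:
            what = "0.0.0.0/0 (any)" if pid.net() == "0.0.0.0/0.0.0.0" else pid.net()
            findings.append(f"{side} proxy ID {what} does not match crypto ACL {want}")
    if p.transform and p.transform not in policy.transforms:
        findings.append(f"transform '{p.transform}' is not in the local transform set")
    for needle in p.rejections:
        findings.append(f"IOS said '{needle}': {REJECT_REASONS[needle]}")
    return findings

if __name__ == "__main__":
    proposal = parse_phase2_debug(SAMPLE_DEBUG)
    for finding in explain_failure(proposal, EXAMPLE_POLICY):
        print("-", finding)
```

Run against a real capture, the interesting output is the proxy-ID lines: a peer that sends 0.0.0.0/0 for both selectors (as the NetScreen does in the quoted debug) will never match a subnet-specific crypto ACL on IOS, which is exactly the case "proxy identities not supported" describes. Swap `EXAMPLE_POLICY` for the crypto ACL and transform set of the router under test.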

New Member

Re: LAN to LAN IPSec Concentrator to Netscreen

Following your links I also found this one:

Parameters required for VPN interoperability:

http://200.support.juniper.safeharbor.com/knowbase/root/public/nskb2082.htm?

New Member

Re: LAN to LAN IPSec Concentrator to Netscreen

Thanks, it ended up being a mismatched PFS setting that was stopping phase 2 from completing.
