LAN to LAN IPSec Concentrator to Netscreen

smolz
Level 4

I am having some trouble connecting a NetScreen box to my concentrator. On the NetScreen I am being told that phase 1 is successful but phase 2 is failing. I am wondering if someone could help me figure out why it is failing on phase 2.

7 Replies

a-vazquez
Level 6

The goal of this sample configuration is to connect a private network behind a Cisco PIX Firewall to a private network behind the Cisco VPN 3000 Concentrator. The devices on the networks know each other by their private addresses.

http://www.cisco.com/warp/public/471/ALTIGA_pix.html

tkropp
Level 1

I ran into a similar issue today when trying to synch a 2651XM -> Netscreen. Same problem. P1 okay, P2 no good. I'll pass info on if a resolution is found.

I can say that I'm leaning towards PFS parameter. We'll see.

Hi,

The following documents from Juniper might help (even if one is for a NetScreen-PIX tunnel).

http://200.support.juniper.safeharbor.com/knowbase/root/public/ns10121.htm?

http://200.support.juniper.safeharbor.com/knowbase/root/public/nskb6553.htm?

HTH

Cathy

Good links.

More info (debugs; names and IPs changed):

Dec 6 17:21:14: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= x.x.x.x, remote= y.y.y.y,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-aes 256 esp-md5-hmac (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x22
Dec 6 17:21:14: CryptoEngine0: validate proposal request
Dec 6 17:21:14: IPSEC(kei_proxy): head = fe01, map->ivrf = , kei->ivrf =
Dec 6 17:21:14: IPSEC(validate_transform_proposal): proxy identities not supported
Dec 6 17:21:14: ISAKMP (0:1): IPSec policy invalidated proposal
Dec 6 17:21:14: ISAKMP (0:1): phase 2 SA policy not acceptable! (local x.x.x.x remote y.y.y.y)
Dec 6 17:21:14: ISAKMP: set new node -1873272454 to QM_IDLE
Dec 6 17:21:14: CryptoEngine0: generate hmac context for conn id 1
ROUTER#
ROUTER#
ROUTER#
Dec 6 17:21:14: ISAKMP (0:1): Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
    spi 2202668392, message ID = -1873272454
Dec 6 17:21:14: ISAKMP (0:1): sending packet to 66.54.243.171 my_port 500 peer_port 500 (R) QM_IDLE
Dec 6 17:21:14: ISAKMP (0:1): purging node -1873272454
Dec 6 17:21:14: ISAKMP (0:1): deleting node 1077236606 error TRUE reason "quick mode rejected"
Dec 6 17:21:14: ISAKMP (0:1): Unknown Input IKE_MESG_FROM_PEER, IKE_QM_EXCH: for node 1077236606: state = IKE_QM_READY
Dec 6 17:21:14: ISAKMP (0:1): Node 1077236606, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Dec 6 17:21:14: ISAKMP (0:1): Old State = IKE_QM_READY New State = IKE_QM_READY

Following your links I also found this one:

Parameters required for VPN interoperability:

http://200.support.juniper.safeharbor.com/knowbase/root/public/nskb2082.htm?

Thanks, it ended up being a mismatched PFS setting that was stopping phase 2 from completing.
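An added triage helper (not from anyone in this thread) that parses IOS "debug crypto isakmp" / "debug crypto ipsec" output like the dump quoted above and turns the responder's rejection into the phase 2 settings to compare on both peers: proxy IDs, transform set, and the PFS/lifetime pair that turned out to be the culprit here. The sample debug text is constructed from the thread's own lines with placeholder addresses.

```python
import re
from typing import Dict, List

# Constructed sample: a trimmed copy of the kind of IOS "debug crypto ipsec" /
# "debug crypto isakmp" output quoted above (addresses are placeholders).
SAMPLE_DEBUG = """\
Dec 6 17:21:14: IPSEC(validate_proposal_request): proposal part #1,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
protocol= ESP, transform= esp-aes 256 esp-md5-hmac (Tunnel),
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x22
Dec 6 17:21:14: IPSEC(validate_transform_proposal): proxy identities not supported
Dec 6 17:21:14: ISAKMP (0:1): IPSec policy invalidated proposal
Dec 6 17:21:14: ISAKMP (0:1): phase 2 SA policy not acceptable! (local x.x.x.x remote y.y.y.y)
Dec 6 17:21:14: ISAKMP (0:1): Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
"""

# Proposal fields the responder prints, and the line that carries the rejection reason.
FIELD_RE = re.compile(r"(local_proxy|remote_proxy|transform|keysize)= ([^,(]+)")
REASON_RE = re.compile(r"IPSEC\(validate_transform_proposal\): (.+)$")

def parse_phase2(debug_text: str) -> Dict[str, object]:
    """Collect the offered proposal and the responder's reason for rejecting it."""
    info: Dict[str, object] = {"reasons": [], "rejected": False}
    for line in debug_text.splitlines():
        for name, value in FIELD_RE.findall(line):
            info[name] = value.strip()
        m = REASON_RE.search(line)
        if m:
            info["reasons"].append(m.group(1).strip())
        if "phase 2 SA policy not acceptable" in line or "PROPOSAL_NOT_CHOSEN" in line:
            info["rejected"] = True
    return info

def checklist(info: Dict[str, object]) -> List[str]:
    """Turn the parsed rejection into the phase 2 settings to compare on both peers."""
    if not info["rejected"]:
        return []
    hints = []
    if any("proxy identities" in r for r in info["reasons"]):
        hints.append("Proxy IDs: peer offered local=%s remote=%s; the crypto ACL / "
                     "Netscreen proxy-ID pair must mirror each other exactly"
                     % (info.get("local_proxy"), info.get("remote_proxy")))
    hints.append("Transform set: peer offered %s (keysize %s)"
                 % (info.get("transform"), info.get("keysize")))
    hints.append("PFS (enabled or not, DH group) and SA lifetimes must match on both peers")
    return hints
```

Run `checklist(parse_phase2(SAMPLE_DEBUG))` against a pasted debug capture; each hint names one setting to read off both peers side by side.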