Cisco Support Community
Netscreen to Pix VPN

I am trying to set up a Netscreen to Pix 506 (ver 6.3.5) VPN. The Netscreen has a static public IP and the Pix has a dynamic public IP. If I set the tunnel up with static IPs on both ends it works fine, but it fails when I go back to dynamic on the Pix. Dynamic is the way the majority of the remote Pix sites will be.

The Netscreen is looking to point to an FQDN on any far-end VPN device along with the pre-shared key to establish the tunnel. I have configured the remote "peer" on the Netscreen to the Pix hostname and also tried the Pix hostname plus the domain name. Both failed. On Cisco debugs it shows the local identity as the IP address. I have the command "isakmp identity hostname" configured on the Pix. I am thinking until I see a true FQDN in the debugs this will not work. The debugs I ran were debug isakmp sa and debug ipsec sa.

I get the following info from the Netscreen event log:

Rejected an IKE packet on untrust from 76.13.217.240:500 to 18.88.17.23:500 with cookies e032996ad3aa1bc5 and 0000000000000000 because an initial Phase 1 packet arrived from an unrecognized peer gateway

I get this on Pix debug:

homenet# ping inside 10.10.100.99
ISAKMP (0): beginning Main Mode exchange 10.10.100.99 NO response received -- 1000ms
10.10.100.99 NO response received -- 1000ms
10.10.100.99 NO response received -- 1000ms
homenet#
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): retransmitting phase 1 (2)...
ISAKMP (0): retransmitting phase 1 (3)...
ISAKMP (0): retransmitting phase 1 (4)...IPSEC(key_engine): request timer fired:
count = 1,
(identity) local= 76.13.217.240, remote= 18.88.17.23,
local_proxy= 10.220.220.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.10.100.0/255.255.254.0/0/0 (type=4)
ISAKMP (0): deleting SA: src 76.13.217.240, dst 18.88.17.23
ISADB: reaper checking SA 0xf20944, conn_id = 0 DELETE IT!
VPN Peer:ISAKMP: Peer Info for 18.88.17.23/500 not found - peers:0
IPSEC(key_engine): request timer fired: count = 2,
(identity) local= 76.13.217.240, remote= 18.88.17.23,
local_proxy= 10.220.220.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.10.100.0/255.255.254.0/0/0 (type=4)
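As an added example (not from the original thread), the Netscreen event-log line quoted above is parsed so an operator can count rejected first-message Phase 1 attempts per peer: an all-zero responder cookie marks the initiator's opening packet, and a burst from one source is the identity/gateway mismatch described here. The sample lines other than the quoted one are constructed.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample in the Netscreen event-log format quoted in the post; the
# first line is the one from the post, the rest are made up for this example.
SAMPLE_LOG = """\
Rejected an IKE packet on untrust from 76.13.217.240:500 to 18.88.17.23:500 with cookies e032996ad3aa1bc5 and 0000000000000000 because an initial Phase 1 packet arrived from an unrecognized peer gateway
Rejected an IKE packet on untrust from 203.0.113.9:500 to 18.88.17.23:500 with cookies 1a2b3c4d5e6f7081 and 0000000000000000 because an initial Phase 1 packet arrived from an unrecognized peer gateway
Rejected an IKE packet on untrust from 203.0.113.9:500 to 18.88.17.23:500 with cookies 1a2b3c4d5e6f7081 and 0000000000000000 because an initial Phase 1 packet arrived from an unrecognized peer gateway
some unrelated event line that the parser must ignore
"""

LINE_RE = re.compile(
    r"Rejected an IKE packet on (?P<zone>\S+) from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+):(?P<dport>\d+) with cookies (?P<icookie>[0-9a-fA-F]{16}) "
    r"and (?P<rcookie>[0-9a-fA-F]{16}) because (?P<reason>.+)$"
)

@dataclass
class IkeReject:
    zone: str
    src: str
    dst: str
    icookie: str  # initiator cookie (SPI) from the ISAKMP header
    rcookie: str  # responder cookie; all zeros in the very first Phase 1 message
    reason: str

    @property
    def initial_phase1(self) -> bool:
        return set(self.rcookie) == {"0"}

def parse_line(line: str) -> Optional[IkeReject]:
    """Return an IkeReject for a matching event line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return IkeReject(m["zone"], m["src"], m["dst"], m["icookie"], m["rcookie"], m["reason"])

def unknown_peer_attempts(log: str) -> Dict[str, int]:
    """Count rejected first-message Phase 1 attempts per source IP. A burst from
    one peer is the identity/gateway mismatch seen in the post; many distinct
    peers would instead suggest unsolicited IKE probing of the untrust side."""
    counts: Counter = Counter()
    for line in log.splitlines():
        ev = parse_line(line)
        if ev and ev.initial_phase1 and "unrecognized peer gateway" in ev.reason:
            counts[ev.src] += 1
    return dict(counts)
```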

Re: Netscreen to Pix VPN

Thanks for the link, but I had found this link and it does work; however, this is not the scenario I was trying to implement. This doc uses static IPs on both the Pix and the Netscreen. I need to have a dynamic IP on the Pix, which rules out the attached web link. I have found out since I posted this that the scenario I am trying to implement will not work between a Netscreen with a static public IP and a Pix with a dynamic public IP using pre-shared keys. The Netscreen is looking for an FQDN and the Pix does not put out an FQDN. The only potential way of doing this is with RSA certificates. I am choosing a different path. Thanks again for the reply.
