[vpn] Phase2 problems with Netscreen 5XP

Thierry Blanchard Thierryb at bigdreamsnow.com
Wed Nov 21 18:00:08 EST 2001


To avoid confusing you, here are some more details:

(My aim is to allow my users to access in a secure manner an NT4 server that
is located behind a NS5XP.
Clients are Win98 and Win2000 with Netscreen-Remote and each of them will be
using dynamic IP addresses.)

Here's how I configured the NS5XP box:

L2TP:
I've created a tunnel (L2TP tab) restricted to a specific group. PeerIP is
set to 0.0.0.0.  The HostName and Secret field are blank.

Gateway:
My gateway is created using DialUP user. I've set the P1 proposal to
pre-g2-3des-sha and created a Pre-Shared key. Mode is Aggressive.

AutoIKE config:
Replay Protection is on.
Transport mode is enabled because I'll be using L2TP-o-IPSec.

I added a trusted address to my NT server (10.1.1.10).

Policies:
My outgoing policies allow everything.
My incoming policy for Dial-Up VPN restricts Destination Address to my NT
server (10.1.1.10).
NAT is off; Action, VPN Tunnel and L2TP are set correctly. Authentication is
unchecked.

Now on the Netscreen-Remote, the remote party is set to the IP address of my
NT server (10.1.1.10) and I specify I'll use a Security Gateway Tunnel with
the public IP address of the NS5XP box.

Enable PFS and Replay Detection are unchecked.
Proposals for Phase1 and Phase2 are set to match the proposals on the NS5XP.

When I think everything is set up correctly, I start my web browser and point
it to my NT server (10.1.1.10): http://10.1.1.10

My Netscreen-Remote log gives me this:
14:46:47.452 NorCal - Initiating IKE Phase 1 (IP ADDR=66.119.27.226)
14:46:47.522 NorCal - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID, VID, VID)
14:46:47.633 NorCal - RECEIVED<<< ISAKMP OAK AG (SA, VID, KE, NON, ID, HASH)
14:46:47.663 NorCal - SENDING>>>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT)
14:46:47.663 NorCal - Established IKE SA
14:46:47.663    MY COOKIE fc 9a a1 72 67 4e 46 21
14:46:47.663    HIS COOKIE d0 ec f6 d9 c0 89 37 af
14:46:47.663 NorCal - Initiating IKE Phase 2 with Client IDs (message id: B3CE5C40)
14:46:47.663   Initiator = IP ADDR=66.119.27.228, prot = 0 port = 0
14:46:47.663   Responder = IP ADDR=10.1.2.10, prot = 0 port = 0
14:46:47.663 NorCal - SENDING>>>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID)
14:47:03.245 NorCal - QM re-keying timed out (message id: B3CE5C40). Retry count: 1
14:47:03.245 NorCal - SENDING>>>> ISAKMP OAK QM *(Retransmission)
14:47:18.267 NorCal - QM re-keying timed out (message id: B3CE5C40). Retry count: 2
14:47:18.267 NorCal - SENDING>>>> ISAKMP OAK QM *(Retransmission)
14:47:33.288 NorCal - QM re-keying timed out (message id: B3CE5C40). Retry count: 3
14:47:33.288 NorCal - SENDING>>>> ISAKMP OAK QM *(Retransmission)
14:47:48.310 NorCal - Exceeded 3 re-keying attempts (message id: B3CE5C40)
14:47:48.310 NorCal - QM re-keying timed out (message id: B3CE5C40). Discarding IPSec SA negotiation

On the NS5XP side, each retry gives:
No Phase 2 SA entry found using p2 proxy id. rcv local_id(10.1.1.10/255.255.255.255/0/0) remote_id(66.119.67.228/255.255.255.255/0/0
IKE: Quick Mode to 66.119.27.228 failed. message id.

Thanks again for your help on this. This is driving me crazy. PPTP was so
simple to put in place ....

Thierry.
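A Quick Mode failure of the kind logged above is usually a disagreement about the Phase 2 proxy IDs (the traffic selectors each side proposes). The following Python script is an added example, not code from the post or from Netscreen: it parses the two log excerpts exactly as they appear above (constructed sample input, with the mailer's line wraps joined), pairs the client's Initiator/Responder IDs with the gateway's remote_id/local_id, and reports every field (address, mask, protocol, port) on which the two sides disagree. The regular expressions are written against the log formats shown on this page only; field names such as `ProxyId` and `compare_phase2` are the example's own.

```python
"""Compare IKE Phase 2 proxy IDs (traffic selectors) as logged by the two
peers of an L2TP/IPsec tunnel and report every field that differs."""

import re
from dataclasses import dataclass, fields
from typing import Dict, List, Tuple

# Sample input constructed from the two log excerpts in the post; the
# wrapped lines have been joined back together.
CLIENT_LOG = """\
14:46:47.663 NorCal - Initiating IKE Phase 2 with Client IDs (message id: B3CE5C40)
14:46:47.663   Initiator = IP ADDR=66.119.27.228, prot = 0 port = 0
14:46:47.663   Responder = IP ADDR=10.1.2.10, prot = 0 port = 0
14:46:47.663 NorCal - SENDING>>>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID)
"""

GATEWAY_LOG = """\
No Phase 2 SA entry found using p2 proxy id. rcv local_id(10.1.1.10/255.255.255.255/0/0) remote_id(66.119.67.228/255.255.255.255/0/0
IKE: Quick Mode to 66.119.27.228 failed. message id.
"""

HOST_MASK = "255.255.255.255"


@dataclass(frozen=True)
class ProxyId:
    ip: str
    mask: str
    proto: int  # 0 = any protocol
    port: int   # 0 = any port


# Netscreen-Remote logs a single host address per side ("IP ADDR=..."),
# which corresponds to a /32 selector on the gateway side.
CLIENT_RE = re.compile(
    r"(?P<role>Initiator|Responder) = IP ADDR=(?P<ip>[\d.]+), "
    r"prot = (?P<proto>\d+) port = (?P<port>\d+)"
)
# The gateway prints ip/mask/proto/port; the closing ')' is optional so the
# truncated remote_id entry in the post still parses.
GATEWAY_RE = re.compile(
    r"(?P<role>local_id|remote_id)\((?P<ip>[\d.]+)/(?P<mask>[\d.]+)/"
    r"(?P<proto>\d+)/(?P<port>\d+)\)?"
)


def parse_client(log: str) -> Dict[str, ProxyId]:
    """Extract the Initiator/Responder IDs Netscreen-Remote proposed."""
    ids = {}
    for m in CLIENT_RE.finditer(log):
        ids[m["role"]] = ProxyId(m["ip"], HOST_MASK, int(m["proto"]), int(m["port"]))
    return ids


def parse_gateway(log: str) -> Dict[str, ProxyId]:
    """Extract the local_id/remote_id the NS5XP reports having received."""
    ids = {}
    for m in GATEWAY_RE.finditer(log):
        ids[m["role"]] = ProxyId(m["ip"], m["mask"], int(m["proto"]), int(m["port"]))
    return ids


def diff_ids(a: ProxyId, b: ProxyId) -> List[Tuple[str, object, object]]:
    """Field-by-field differences between two proxy IDs."""
    return [(f.name, getattr(a, f.name), getattr(b, f.name))
            for f in fields(ProxyId) if getattr(a, f.name) != getattr(b, f.name)]


def compare_phase2(client_log: str, gateway_log: str) -> Dict[str, List[Tuple[str, object, object]]]:
    """Pair each client-side ID with the gateway-side ID it must match:
    the client's Initiator is the gateway's remote_id and the client's
    Responder is the gateway's local_id. Returns the mismatching fields
    per pair; an empty dict means the selectors agree."""
    client = parse_client(client_log)
    gateway = parse_gateway(gateway_log)
    pairs = (("Initiator", "remote_id"), ("Responder", "local_id"))
    report = {}
    for c_role, g_role in pairs:
        if c_role not in client or g_role not in gateway:
            report[f"{c_role}/{g_role}"] = [("missing", c_role in client, g_role in gateway)]
            continue
        diffs = diff_ids(client[c_role], gateway[g_role])
        if diffs:
            report[f"{c_role}/{g_role}"] = diffs
    return report


if __name__ == "__main__":
    for pair, diffs in compare_phase2(CLIENT_LOG, GATEWAY_LOG).items():
        for field, client_val, gateway_val in diffs:
            print(f"{pair}: {field} client={client_val} gateway={gateway_val}")
```

Run against the excerpts in the post, the script flags the address field on both pairs: the client proposes 66.119.27.228 and 10.1.2.10 while the gateway logs 66.119.67.228 and 10.1.1.10. Whether such a difference comes from the configuration or from how the lines were copied into a message, comparing the two logs field by field is the first check to make before touching proposals or pre-shared keys.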
