[vpn] Netscreen/Sonicwall Phase 1 failure

David Klein dklein at netscreen.com
Fri Jan 25 13:03:38 EST 2002


Riccardo,

On the Netscreen, go into "debug ike" mode and have it be the IKE responder.
In the debug output you should be able to spot what the Sonicwall (as IKE
initiator) is proposing during phase 1 negotiations.

To go into debug mode on the Netscreen:

Connect to console or telnet into Netscreen;
"set console dbuf"
"clear dbuf"
"debug ike detail" or on older versions of ScreenOS the command is "debug
ike 10";
have a client behind the Sonicwall initiate traffic to a system behind the
Netscreen;
wait a few seconds;
"undebug all" or on older versions of ScreenOS the command is "debug ike
0";
"get dbuf stream" to see the debug output.

To do over:
"clear ike all" on the Netscreen and do whatever on the Sonicwall to clear
its SAs;
"clear dbuf"
"debug ike detail" or "debug ike 10";
initiate traffic and review with "get dbuf stream".

When done, don't forget to turn off all debugs, otherwise the Netscreen will
be slow.

Dave Klein
dklein at netscreen.com


> -----Original Message-----
> From: Riccardo Valente [mailto:riccardo at thevalentes.net]
> Sent: Friday, January 25, 2002 8:50 AM
> To: vpn at securityfocus.com
> Subject: [vpn] Netscreen/Sonicwall Phase 1 failure
> 
> 
> I'm trying to troubleshoot a failing pre-shared secret Phase 
> 1 negotiation
> between a Netscreen and a Sonicwall. I don't have access to 
> the latter, but
> I was assured it's using DH Group2, DES and MD5.
> 
> This is the log for Phase 1:
> 
> 01/25/2002 14:16:33 Give up phase 1 to x.x.x.x
> 01/25/2002 14:16:15 phase 2 sa task to x.x.x.x exist.
> 01/25/2002 14:16:03 Initialt Phase 1 session, peer<7>.
> 
> 
> and an extract of the debug information:
> 
> receive INFO pkt with message id before phase 1 auth is done. 
> Ignore the pkt
>     [retries timing out]
> Phase 1 SA(a.b.c.d) reported broken.
> delete sa(w.x.y.z - a.b.c.d), state (100f/2)
> 
> 
> I tend to think the problem is at the Sonicwall end, since 
> this Netscreen
> configuration has been used successfully with all sorts of  
> VPN gateways
> with no excessive grief. Any suggestions?
> 
> riccardo
> 
> 
> VPN is sponsored by SecurityFocus.com
> 
