[VPN] VPN tunnel between Sidewinder 5.2.1.0.7 and Netscreen 5 XP
David Klein
dklein at netscreen.com
Wed Apr 2 13:33:56 EST 2003
On the Netscreen does "get log event" show the reason for the IKE failure?
You could also do a "debug ike basic" to find the problem.
A couple of things to look for based on your information below:
1) "Aggressive"
Do you have aggressive mode setup on the Sidewinder? Either change
Sidewinder to Aggressive mode or Netscreen to Main mode for P1.
2) Source, JAMACA (172.20.100.0)
Destination, BLM.Corp (10.10.0.0)
Are the subnet masks correct on these? /24 and /16 respectively.
Mismatched IP addresses and subnets will cause IKE P2 proxy-id checks to fail.
3) Phase2 proposal = 3DES, SHA1, DH2, (nopfs-esp-3des-sha)
This doesn't make sense. You've selected "nopfs" yet you mention DH2 which
means you want to do PFS. Make sure these match between the two boxes.
Dave Klein
Netscreen Systems Engineer
-----Original Message-----
From: Kokes, Tim [mailto:Tim.Kokes at AugustTech.com]
Sent: Wednesday, April 02, 2003 9:13 AM
To: vpn at lists.shmoo.com
Subject: [VPN] VPN tunnel between Sidewinder 5.2.1.0.7 and Netscreen 5XP
Has anyone configured a Site to Site VPN tunnel between a Sidewinder
5.2.1.0.7 and Netscreen 5XP? I've set up both peers and the SA does not like
the way Netscreen formats the VPN communication.
Setup taken:
NETSCREEN:
VPN Tunnel:
Gateway = YYY.YYY.YYY.YYY
Static IP: XXX.XXX.XXX.XXX
"Aggressive"
Phase1 proposal = 3DES, SHA1, DH2
(pre-g2-3des-sha)
pre-share = XXXXXX
AutoIKE:
Name = NT1-FW2
Remote gateway = FW2
Phase2 proposal = 3DES, SHA1, DH2,
(nopfs-esp-3des-sha)
Policy:
NAME: NT1-FW2
Source, JAMACA (172.20.100.0)
Destination, BLM.Corp (10.10.0.0)
Service, ANY
NAT, OFF
Action, Tunnel
"Check modify incoming VPN policy"
Sidewinder:
SA Netscreen-DSL-PRESHARE
Local subnet = 10.10.0.0 /16
Remote = 172.20.100.0 /24
VPN Tunnel:
Pre-Share Secret = XXXXXXX
Accept = 3DES - SHA1
Phase1 = 28800 TTL 3DES, SHA1, DH2
Phase2 = 3600 TTL 3DES, SHA1,
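The three mismatches named in the reply (phase 1 exchange mode, proxy-ID subnets and masks, PFS versus "nopfs") can be caught before either box logs an IKE failure by comparing the two peer definitions side by side. The following is an added example, not code from the list, the poster or either vendor: a small checker over two constructed peer definitions. The PeerConfig fields, the Sidewinder values (main mode, PFS with DH group 2) and the deliberately wrong Netscreen mask on 10.10.0.0 are assumptions chosen to reproduce the failure modes the reply describes, not the poster's real configuration.

```python
"""Compare two site-to-site IPsec peer definitions for the IKE mismatches
discussed above: phase 1 mode, proposals, phase 2 PFS and proxy-ID subnets.
All configuration values below are constructed for this example."""
from dataclasses import dataclass, replace
from ipaddress import ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PeerConfig:
    """One side of the tunnel as an administrator would transcribe it (hypothetical schema)."""
    name: str
    p1_mode: str                          # "main" or "aggressive"
    p1_proposal: Tuple[str, str, int]     # (encryption, hash, DH group) for IKE phase 1
    p2_proposal: Tuple[str, str]          # (encryption, hash) for the ESP SA
    p2_pfs_group: Optional[int]           # DH group used for PFS in phase 2, None for "nopfs"
    local_net: str                        # local proxy-ID in CIDR notation
    remote_net: str                       # remote proxy-ID in CIDR notation


def check_peers(a: PeerConfig, b: PeerConfig) -> List[str]:
    """Return human-readable mismatches; an empty list means the definitions agree."""
    issues: List[str] = []

    # Phase 1: both peers must run the same exchange mode (main vs aggressive).
    if a.p1_mode.lower() != b.p1_mode.lower():
        issues.append(f"phase 1 mode: {a.name}={a.p1_mode}, {b.name}={b.p1_mode}")

    # Phase 1 and phase 2 transforms must be identical on both sides.
    if a.p1_proposal != b.p1_proposal:
        issues.append(f"phase 1 proposal: {a.name}={a.p1_proposal}, {b.name}={b.p1_proposal}")
    if a.p2_proposal != b.p2_proposal:
        issues.append(f"phase 2 proposal: {a.name}={a.p2_proposal}, {b.name}={b.p2_proposal}")

    # Phase 2 PFS: "nopfs" on one side and a DH group on the other never agree.
    if a.p2_pfs_group != b.p2_pfs_group:
        issues.append(
            f"phase 2 PFS: {a.name}={a.p2_pfs_group or 'none'}, "
            f"{b.name}={b.p2_pfs_group or 'none'}"
        )

    # Proxy-IDs must be exact mirror images, prefix length included;
    # ip_network compares both the network address and the mask.
    a_local, a_remote = ip_network(a.local_net), ip_network(a.remote_net)
    b_local, b_remote = ip_network(b.local_net), ip_network(b.remote_net)
    if a_local != b_remote:
        issues.append(f"proxy-ID: {a.name} local {a_local} != {b.name} remote {b_remote}")
    if a_remote != b_local:
        issues.append(f"proxy-ID: {a.name} remote {a_remote} != {b.name} local {b_local}")

    return issues


# Constructed peer definitions modelled on the thread, with the mismatches
# the reply points at built in.
NETSCREEN = PeerConfig(
    name="Netscreen-5XP",
    p1_mode="aggressive",                 # "Aggressive" in the posted config
    p1_proposal=("3des", "sha1", 2),      # pre-g2-3des-sha
    p2_proposal=("3des", "sha1"),         # nopfs-esp-3des-sha
    p2_pfs_group=None,                    # "nopfs" means no phase 2 DH exchange
    local_net="172.20.100.0/24",
    remote_net="10.10.0.0/24",            # constructed: wrong mask for the /16 corporate net
)

SIDEWINDER = PeerConfig(
    name="Sidewinder",
    p1_mode="main",                       # assumed, as the reply asks
    p1_proposal=("3des", "sha1", 2),
    p2_proposal=("3des", "sha1"),
    p2_pfs_group=2,                       # assumed: PFS with DH group 2
    local_net="10.10.0.0/16",
    remote_net="172.20.100.0/24",
)


def demo_mismatched() -> List[str]:
    """The pair as posted: expect mode, PFS and proxy-ID mask mismatches."""
    return check_peers(NETSCREEN, SIDEWINDER)


def demo_fixed() -> List[str]:
    """Netscreen side corrected to match the Sidewinder: expect no issues."""
    fixed = replace(NETSCREEN, p1_mode="main", p2_pfs_group=2, remote_net="10.10.0.0/16")
    return check_peers(fixed, SIDEWINDER)


if __name__ == "__main__":
    for line in demo_mismatched() or ["no mismatches"]:
        print("as posted:", line)
    for line in demo_fixed() or ["no mismatches"]:
        print("corrected:", line)
```

The check is deliberately strict about prefix lengths: a proxy-ID of 10.10.0.0/24 on one box and 10.10.0.0/16 on the other shares the same network address but is a different selector, which is exactly the phase 2 failure the reply describes.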