[VPN] VPN tunnel between Sidewinder 5.2.1.0.7 and Netscreen 5 XP

David Klein dklein at netscreen.com
Wed Apr 2 13:33:56 EST 2003


On the Netscreen does "get log event" show the reason for the IKE failure?
You could also do a "debug ike basic" to find the problem.
 
A couple of things to look for based on your information below:
1) "Aggressive"
Do you have aggressive mode set up on the Sidewinder?  Either change
Sidewinder to Aggressive mode or Netscreen to Main mode for P1.
 
 
2) Source, JAMACA (172.20.100.0)
   Destination, BLM.Corp (10.10.0.0)

Are the subnet masks correct on these?  /24 and /16 respectively.
Mismatched IP addresses and subnets will cause IKE P2 proxy-id checks to fail.
 
 
3) Phase2 proposal = 3DES, SHA1, DH2, (nopfs-esp-3des-sha)
 
This doesn't make sense.  You've selected "nopfs" yet you mention DH2 which
means you want to do PFS.  Make sure these match between the two boxes.
 
 
Dave Klein
Netscreen Systems Engineer
 

-----Original Message-----
From: Kokes, Tim [mailto:Tim.Kokes at AugustTech.com] 
Sent: Wednesday, April 02, 2003 9:13 AM
To: vpn at lists.shmoo.com
Subject: [VPN] VPN tunnel between Sidewinder 5.2.1.0.7 and Netscreen 5XP



Has anyone configured a site-to-site VPN tunnel between a Sidewinder
5.2.1.0.7 and a Netscreen 5XP? I've set up both peers and the SA does not like
the way the Netscreen is formatting the VPN communication.

Setup taken:

NETSCREEN:

    VPN Tunnel:
        Gateway = YYY.YYY.YYY.YYY
        Static IP: XXX.XXX.XXX.XXX
        "Aggressive"
        Phase1 proposal = 3DES, SHA1, DH2 (pre-g2-3des-sha)
        pre-share = XXXXXX

    AutoIKE:
        Name = NT1-FW2
        Remote gateway = FW2
        Phase2 proposal = 3DES, SHA1, DH2, (nopfs-esp-3des-sha)

    Policy:
        NAME: NT1-FW2
        Source, JAMACA (172.20.100.0)
        Destination, BLM.Corp (10.10.0.0)
        Service, ANY
        NAT, OFF
        Action, Tunnel
        "Check modify incoming VPN policy"

Sidewinder:

    SA Netscreen-DSL-PRESHARE
        Local subnet = 10.10.0.0 /16
        Remote = 172.20.100.0 /24

    VPN Tunnel:
        Pre-Share Secret = XXXXXXX
        Accept = 3DES - SHA1
        Phase1 = 28800 TTL 3DES, SHA1, DH2
        Phase2 = 3600 TTL 3DES, SHA1,

 

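The three checks in Dave Klein's reply (Phase 1 exchange mode, proxy-ID subnets and masks, PFS versus a "nopfs" proposal) are mechanised below as an added example. This is not code from either poster, from NetScreen or from Secure Computing; it only compares two peers' stated settings and reports where IKE cannot agree. The ScreenOS proposal names are parsed by the naming convention the two names in the post follow ("pre-g2-3des-sha", "nopfs-esp-3des-sha"; a "g2-" prefix in place of "nopfs" is assumed to mean PFS with group 2). The Sidewinder's exchange mode and the NetScreen address-book masks are not stated in the post, so the defaults (main mode, /24 and /16) are assumptions, and the helper names are this example's own.

```python
# Added example (not from the thread): compare two IKEv1 peers' settings the
# way the reply walks through them.  Exchange mode on the Sidewinder and the
# NetScreen address-book masks are assumptions; see thread_peers().
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import List, Optional, Tuple

# Vendors spell the same algorithms differently; normalise before comparing.
_ALIASES = {"sha": "sha1", "sha-1": "sha1", "des3": "3des"}


def norm(alg: str) -> str:
    alg = alg.lower()
    return _ALIASES.get(alg, alg)


@dataclass
class Peer:
    name: str
    p1_mode: str            # "main" or "aggressive"
    p1_enc: str
    p1_hash: str
    p1_dh: int              # Phase 1 Diffie-Hellman group
    p2_enc: str
    p2_hash: str
    p2_pfs: Optional[int]   # Phase 2 PFS group; None means no PFS
    local: IPv4Network      # subnet this peer protects (its proxy-ID "local")
    remote: IPv4Network     # subnet it expects behind the other peer


def parse_screenos_p1(name: str) -> Tuple[str, int, str, str]:
    """'pre-g2-3des-sha' -> ('pre', 2, '3des', 'sha1'): auth, DH group, cipher, hash."""
    auth, group, enc, hsh = name.lower().split("-")
    if not group.startswith("g"):
        raise ValueError(f"unexpected Phase 1 proposal name: {name}")
    return auth, int(group[1:]), norm(enc), norm(hsh)


def parse_screenos_p2(name: str) -> Tuple[Optional[int], str, str, str]:
    """'nopfs-esp-3des-sha' -> (None, 'esp', '3des', 'sha1'); a leading 'g2'
    instead of 'nopfs' is taken to mean PFS with DH group 2 (assumption)."""
    pfs, proto, enc, hsh = name.lower().split("-")
    group = None if pfs == "nopfs" else int(pfs[1:])
    return group, proto, norm(enc), norm(hsh)


def compare(a: Peer, b: Peer) -> List[str]:
    """Return one line per setting on which the two peers cannot agree."""
    findings: List[str] = []
    if a.p1_mode != b.p1_mode:
        findings.append(f"Phase 1 exchange mode: {a.name}={a.p1_mode}, {b.name}={b.p1_mode}")
    for field in ("p1_enc", "p1_hash", "p1_dh", "p2_enc", "p2_hash"):
        va, vb = getattr(a, field), getattr(b, field)
        if va != vb:
            findings.append(f"{field}: {a.name}={va}, {b.name}={vb}")
    if a.p2_pfs != b.p2_pfs:
        findings.append(f"Phase 2 PFS: {a.name}={a.p2_pfs or 'none'}, "
                        f"{b.name}={b.p2_pfs or 'none'}")
    # Quick-mode proxy IDs must mirror each other exactly, mask included:
    # A's local subnet is B's remote subnet and vice versa.
    if a.local != b.remote or a.remote != b.local:
        findings.append(f"proxy-ID: {a.name} {a.local} <-> {a.remote}, "
                        f"{b.name} {b.local} <-> {b.remote}")
    return findings


def thread_peers(netscreen_src_mask: int = 24,
                 sidewinder_mode: str = "main") -> Tuple[Peer, Peer]:
    """The two configurations from the post.  The NetScreen address-book masks
    and the Sidewinder's exchange mode are not stated there; the defaults here
    are assumptions (the masks Dave asks about, and main mode on the Sidewinder)."""
    _, dh1, enc1, hash1 = parse_screenos_p1("pre-g2-3des-sha")
    pfs2, _, enc2, hash2 = parse_screenos_p2("nopfs-esp-3des-sha")
    netscreen = Peer("netscreen", "aggressive", enc1, hash1, dh1, enc2, hash2, pfs2,
                     # strict=False so a wrong mask such as /16 is accepted as the
                     # network 172.20.0.0/16 rather than rejected outright
                     ip_network(f"172.20.100.0/{netscreen_src_mask}", strict=False),
                     ip_network("10.10.0.0/16"))
    sidewinder = Peer("sidewinder", sidewinder_mode, "3des", "sha1", 2, "3des", "sha1", None,
                      ip_network("10.10.0.0/16"), ip_network("172.20.100.0/24"))
    return netscreen, sidewinder


if __name__ == "__main__":
    ns, sw = thread_peers()
    for line in compare(ns, sw) or ["no mismatches found"]:
        print(line)
```

With the assumed defaults the only finding is the exchange-mode mismatch from point 1; passing netscreen_src_mask=16 reproduces the proxy-ID failure from point 2, and setting the Sidewinder's p2_pfs to 2 against the NetScreen's "nopfs" proposal reproduces point 3.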