[VPN] ISA 2004 to Netscreen
David Klein
dklein at juniper.net
Thu Jul 8 13:32:53 EDT 2004
Possible IKE phase 2 proxy-id error. Run "debug ike detail" on the
Netscreen and it will show you what it thinks the local/remote IKE p2
proxy-ids should be and what it is getting offered from the ISA 2004
system. You'll get better debugging on the Netscreen if you make it the
IKE responder and have the ISA 2004 be the IKE initiator.
Dave Klein
dklein at netscreen.com
________________________________
From: vpn-bounces+dklein=juniper.net at lists.shmoo.com
[mailto:vpn-bounces+dklein=juniper.net at lists.shmoo.com] On Behalf Of
Dante Mercurio
Sent: Thursday, July 08, 2004 11:11 AM
To: vpn at lists.shmoo.com
Subject: [VPN] ISA 2004 to Netscreen
I am trying to connect an ISA 2004 system to a Netscreen,
site-to-site using tunnel mode and a pre-shared key.
Phase 1 goes fine, but phase 2 fails with the following error:
2004-07-08 12:05:18 info IKE<65.X.X.X> Received notify message for DOI <1> <18> <INVALID_ID_INFO>.
2004-07-08 12:05:17 info IKE<65.X.X.X> Phase 2: Initiated negotiation.
2004-07-08 12:05:17 info IKE<65.X.X.X> Phase 1: Completed Main mode negotiations with a <28800>-second lifetime.
2004-07-08 12:05:17 info IKE<68.X.X.X> >> <65.X.X.X> Phase 1: Initiated negotiations in main mode.
Thanks,
M. Dante Mercurio, CISSP, CWNA, Security+
dante(at)webcti.com
Consulting Group Manager
Continental Technologies, Inc.
www.webcti.com
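The diagnosis in this thread, as an added example that is not part of either message: a Python sketch that flags the log pattern shown above (phase 1 completes, phase 2 starts, peer answers INVALID_ID_INFO) and then compares the two gateways' proxy-id tuples. The function names and the sample networks are hypothetical, and the comparison assumes the responder requires an exact mirror-image match of local network, remote network and service.

```python
import re
from ipaddress import ip_network

# The event-log lines from the post, unwrapped, in the order shown (newest first).
SAMPLE_LOG = """\
2004-07-08 12:05:18 info IKE<65.X.X.X> Received notify message for DOI <1> <18> <INVALID_ID_INFO>.
2004-07-08 12:05:17 info IKE<65.X.X.X> Phase 2: Initiated negotiation.
2004-07-08 12:05:17 info IKE<65.X.X.X> Phase 1: Completed Main mode negotiations with a <28800>-second lifetime.
2004-07-08 12:05:17 info IKE<68.X.X.X> >> <65.X.X.X> Phase 1: Initiated negotiations in main mode.
"""

LINE = re.compile(r"^\S+ \S+ \w+ IKE<([^>]+)> (.*)$")
MARKERS = {
    "p1_ok": "Phase 1: Completed",
    "p2_start": "Phase 2: Initiated",
    "id_reject": "INVALID_ID_INFO",
}

def triage(log_text):
    """Return peers showing all three markers: the proxy-id mismatch signature."""
    seen = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        peer, msg = m.groups()
        for tag, needle in MARKERS.items():
            if needle in msg:
                seen.setdefault(peer, set()).add(tag)
    # Order-independent, so newest-first and oldest-first logs both work.
    return [p for p, tags in seen.items() if tags == set(MARKERS)]

def proxy_id_diff(ours, theirs):
    """List fields where theirs fails to mirror ours (exact match assumed)."""
    o_local, o_remote, o_svc = ours
    t_local, t_remote, t_svc = theirs
    diffs = []
    if ip_network(o_local) != ip_network(t_remote):
        diffs.append("our local vs their remote")
    if ip_network(o_remote) != ip_network(t_local):
        diffs.append("our remote vs their local")
    if o_svc.lower() != t_svc.lower():
        diffs.append("service")
    return diffs

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
    # Constructed networks: one side has a /16 where the other defines a /24.
    print(proxy_id_diff(("10.1.0.0/16", "192.168.5.0/24", "any"),
                        ("192.168.5.0/24", "10.1.1.0/24", "any")))
```

The tuples passed to `proxy_id_diff` would be filled in from each gateway's tunnel configuration or from the "debug ike detail" output mentioned in the reply.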