[VPN] ISA 2004 to Netscreen
dklein at juniper.net
Thu Jul 8 13:32:53 EDT 2004
Possible IKE phase 2 proxy-ID error. Run "debug ike detail" on the
Netscreen and it will show you what it thinks the local/remote IKE p2
proxy-IDs should be and what it is getting offered from the ISA 2004
system. You'll get better debugging on the Netscreen if you make it the
IKE responder and have the ISA 2004 be the IKE initiator.
dklein at netscreen.com
From: vpn-bounces+dklein=juniper.net at lists.shmoo.com
[mailto:vpn-bounces+dklein=juniper.net at lists.shmoo.com] On Behalf Of
Sent: Thursday, July 08, 2004 11:11 AM
To: vpn at lists.shmoo.com
Subject: [VPN] ISA 2004 to Netscreen
I am trying to connect an ISA 2004 system to a Netscreen,
site-to-site using tunnel mode and a pre-shared key.
Phase 1 goes fine, but phase 2 fails with the following error:
2004-07-08 12:05:18 info IKE<65.X.X.X> Received notify message for DOI <1> <18> <INVALID_ID_INFO>.
2004-07-08 12:05:17 info IKE<65.X.X.X> Phase 2: Initiated
2004-07-08 12:05:17 info IKE<65.X.X.X> Phase 1: Completed Main mode negotiations with a <28800>-second lifetime.
2004-07-08 12:05:17 info IKE<68.X.X.X> >> <65.X.X.X> Phase 1: Initiated negotiations in main mode.
M. Dante Mercurio, CISSP, CWNA, Security+
Consulting Group Manager
Continental Technologies, Inc.
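The proxy-ID comparison described in the reply above, as an added example that is not part of the original thread or of either vendor's software. It assumes the responder requires an exact match of networks and service; the ProxyID type, the function name and all addresses are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple


class ProxyID(NamedTuple):
    """Phase 2 traffic selector as one gateway has it configured (constructed model)."""
    local: str    # network behind this gateway
    remote: str   # network behind the peer
    service: str  # "any" or "proto/port", e.g. "tcp/443"


def _net(text):
    # Accept CIDR or dotted-mask notation. strict=False tolerates host bits,
    # so 10.1.1.5/24 and 10.1.1.0/255.255.255.0 normalize to the same network.
    # A bare host address becomes a /32 and will NOT match a /24.
    return ipaddress.ip_network(text, strict=False)


def proxy_id_mismatches(responder, offer):
    """Compare the responder's configured proxy-ID with the initiator's offer.

    The offer is written from the initiator's point of view, so its local
    network must equal the responder's remote network and vice versa.
    Returns a list of mismatch descriptions; an empty list means agreement.
    """
    problems = []
    if _net(offer.local) != _net(responder.remote):
        problems.append(f"initiator local {_net(offer.local)} != "
                        f"responder remote {_net(responder.remote)}")
    if _net(offer.remote) != _net(responder.local):
        problems.append(f"initiator remote {_net(offer.remote)} != "
                        f"responder local {_net(responder.local)}")
    if offer.service.lower() != responder.service.lower():
        problems.append(f"service {offer.service} != {responder.service}")
    return problems


# Constructed sample values, not taken from the thread.
RESPONDER = ProxyID("192.168.10.0/24", "192.168.20.0/24", "any")
GOOD_OFFER = ProxyID("192.168.20.0/255.255.255.0", "192.168.10.0/24", "ANY")
BAD_OFFER = ProxyID("192.168.20.0/24", "192.168.0.0/16", "any")  # wrong mask
UNMIRRORED = ProxyID("192.168.10.0/24", "192.168.20.0/24", "any")  # copied, not swapped

if __name__ == "__main__":
    for name, offer in [("good", GOOD_OFFER), ("bad", BAD_OFFER), ("unmirrored", UNMIRRORED)]:
        print(name, proxy_id_mismatches(RESPONDER, offer) or "match")
```

Any non-empty result corresponds to the situation in which the peer answers the phase 2 offer with the INVALID_ID_INFO notify shown in the log.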