<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<TITLE>Message</TITLE>
<META content="MSHTML 6.00.2800.1141" name=GENERATOR></HEAD>
<BODY>
<DIV><SPAN class=450183218-02042003><FONT face=Arial color=#0000ff size=2>On the
Netscreen does "get log event" show the reason for the IKE
failure?</FONT></SPAN></DIV>
<DIV><SPAN class=450183218-02042003><FONT face=Arial color=#0000ff size=2>You
could also do a "debug ike basic" to find the problem.</FONT></SPAN></DIV>
<DIV><SPAN class=450183218-02042003><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=450183218-02042003><FONT face=Arial color=#0000ff size=2>A
couple of things to look for based on your information
below:</FONT></SPAN></DIV>
<DIV><SPAN class=450183218-02042003><FONT face=Arial color=#0000ff
size=2>1)</FONT></SPAN><SPAN class=450183218-02042003><FONT face=Arial
size=2> "Aggressive"</FONT></SPAN></DIV>
<DIV><SPAN class=450183218-02042003><FONT face=Arial color=#0000ff size=2>Do you
have aggressive mode set up on the Sidewinder? Either change the Sidewinder to
Aggressive mode or the Netscreen to Main mode for P1.</FONT></SPAN></DIV>
<DIV><SPAN class=450183218-02042003><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=450183218-02042003><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=450183218-02042003><FONT face=Arial color=#0000ff
size=2>2) </FONT></SPAN><SPAN class=450183218-02042003><FONT face=Arial
size=2>Source, JAMACA (172.20.100.0)</FONT></SPAN></DIV>
<DIV><SPAN class=450183218-02042003><FONT face=Arial
size=2>Destination, BLM.Corp (10.10.0.0)</FONT></SPAN></DIV>
<DIV><SPAN class=450183218-02042003><FONT face=Arial color=#0000ff size=2>Are
the subnet masks correct on these? /24 and /16 respectively.
Mismatched IP addresses and subnets will cause IKE P2 proxy-id checks to
fail.</FONT></SPAN></DIV>
<DIV><SPAN class=450183218-02042003><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=450183218-02042003><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=450183218-02042003><FONT face=Arial color=#0000ff size=2>3)
<FONT color=#000000>Phase2 proposal = 3DES, SHA1, DH2,
(nopfs-esp-3des-sha)</FONT></FONT></SPAN></DIV>
<DIV><SPAN class=450183218-02042003><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=450183218-02042003><FONT face=Arial color=#0000ff size=2>This
doesn't make sense. You've selected "nopfs" yet you mention DH2 which
means you want to do PFS. Make sure these match between the two
boxes.</FONT></SPAN></DIV>
<DIV><SPAN class=450183218-02042003><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=450183218-02042003></SPAN> </DIV>
<DIV><SPAN class=450183218-02042003><FONT face=Arial color=#0000ff size=2>Dave
Klein</FONT></SPAN></DIV>
<DIV><SPAN class=450183218-02042003><FONT face=Arial color=#0000ff
size=2>Netscreen Systems Engineer</FONT></SPAN></DIV>
<DIV><SPAN class=450183218-02042003><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
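<DIV><FONT face=Arial size=2>Added example (not from either message in this thread): a small offline checker that compares two peers' IKE settings the way the three points above do, flagging a Phase 1 exchange-mode mismatch, a Phase 2 PFS/DH-group mismatch, and proxy-ID mismatches by exact prefix comparison (address and mask). The values come from the configs quoted below; the Netscreen policy masks (/24 and /16) and the Sidewinder's main mode are assumptions, since the original post does not state them, and the class and function names are the example's own.</FONT></DIV>

```python
# Added example: offline consistency check of two IPsec peers' IKE settings.
# Peer values are taken from the thread; the Netscreen policy masks and the
# Sidewinder's phase 1 mode are ASSUMPTIONS (the posting does not give them).
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import List, Optional


@dataclass
class Phase1:
    mode: str            # "main" or "aggressive"
    encryption: str      # e.g. "3des"
    integrity: str       # e.g. "sha1"
    dh_group: int        # IKE DH group, e.g. 2
    auth: str = "preshare"


@dataclass
class Phase2:
    encryption: str
    integrity: str
    pfs_group: Optional[int]      # None = no PFS; an int = DH group used for PFS
    local_subnet: IPv4Network     # network this peer protects
    remote_subnet: IPv4Network    # network behind the other peer


@dataclass
class Peer:
    name: str
    p1: Phase1
    p2: Phase2


def check_peers(a: Peer, b: Peer) -> List[str]:
    """Return human-readable mismatches that would stop P1 or P2 from completing."""
    findings: List[str] = []

    # Phase 1: exchange mode and every proposal attribute must agree.
    for attr in ("mode", "encryption", "integrity", "dh_group", "auth"):
        va, vb = getattr(a.p1, attr), getattr(b.p1, attr)
        if va != vb:
            findings.append(f"P1 {attr}: {a.name}={va} vs {b.name}={vb}")

    # Phase 2: proposal attributes, including whether PFS is used and with which group.
    for attr in ("encryption", "integrity", "pfs_group"):
        va, vb = getattr(a.p2, attr), getattr(b.p2, attr)
        if va != vb:
            findings.append(f"P2 {attr}: {a.name}={va} vs {b.name}={vb}")

    # Proxy IDs: A's local selector must be B's remote selector and vice versa,
    # compared as exact prefixes (network address AND mask), as a proxy-id check does.
    if a.p2.local_subnet != b.p2.remote_subnet:
        findings.append(
            f"proxy-id: {a.name} local {a.p2.local_subnet} != {b.name} remote {b.p2.remote_subnet}")
    if a.p2.remote_subnet != b.p2.local_subnet:
        findings.append(
            f"proxy-id: {a.name} remote {a.p2.remote_subnet} != {b.name} local {b.p2.local_subnet}")
    return findings


def build_netscreen(mode="aggressive", pfs_group=None,
                    local="172.20.100.0/24", remote="10.10.0.0/16") -> Peer:
    """Netscreen side as posted (pre-g2-3des-sha / nopfs-esp-3des-sha); masks are assumed."""
    return Peer("Netscreen",
                Phase1(mode, "3des", "sha1", 2),
                Phase2("3des", "sha1", pfs_group, ip_network(local), ip_network(remote)))


def build_sidewinder(mode="main") -> Peer:
    """Sidewinder side as posted; main mode is an assumption (the post does not say)."""
    return Peer("Sidewinder",
                Phase1(mode, "3des", "sha1", 2),
                Phase2("3des", "sha1", None,
                       ip_network("10.10.0.0/16"), ip_network("172.20.100.0/24")))


def as_posted() -> List[str]:
    """Scenario 1: thread configs with assumed masks; only the P1 exchange mode differs."""
    return check_peers(build_netscreen(), build_sidewinder())


def pfs_contradiction() -> List[str]:
    """Scenario 2: Netscreen P2 really set to PFS group 2 while the Sidewinder has no PFS."""
    return check_peers(build_netscreen(mode="main", pfs_group=2), build_sidewinder())


def bad_mask() -> List[str]:
    """Scenario 3 (constructed): remote address object built as a host (/32) instead of /16."""
    return check_peers(build_netscreen(mode="main", remote="10.10.0.0/32"), build_sidewinder())


if __name__ == "__main__":
    for label, fn in (("as posted", as_posted), ("pfs set on one side", pfs_contradiction),
                      ("wrong remote mask", bad_mask)):
        print(f"[{label}]")
        for f in fn() or ["no mismatches found"]:
            print("  -", f)
```

<DIV><FONT face=Arial size=2>Each scenario produces exactly one finding, which mirrors the order a live negotiation fails in: a mode or P1 proposal mismatch stops Phase 1 before any Phase 2 error could surface, while a PFS-group or proxy-ID mismatch only appears once Phase 1 has completed.</FONT></DIV>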
<BLOCKQUOTE dir=ltr
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px">
<DIV></DIV>
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left><FONT
face=Tahoma size=2>-----Original Message-----<BR><B>From:</B> Kokes, Tim
[mailto:Tim.Kokes@AugustTech.com] <BR><B>Sent:</B> Wednesday, April 02, 2003
9:13 AM<BR><B>To:</B> vpn@lists.shmoo.com<BR><B>Subject:</B> [VPN] VPN tunnel
between Sidewinder 5.2.1.0.7 and Netscreen 5XP<BR><BR></FONT></DIV>
<P align=left><FONT face=Arial size=2>Has anyone configured a Site to Site VPN tunnel between a
Sidewinder 5.2.1.0.7 and Netscreen 5XP? I've set up both peers and the SA does not like the way
Netscreen has formatted the VPN communication.</FONT></P>
<P align=left><FONT face=Arial size=2>Setup</FONT><FONT face=Arial size=2>
taken</FONT><FONT face=Arial size=2>:</FONT></P>
<P align=left><B><FONT face=Arial size=2>NETSCREEN:</FONT></B></P>
<P align=left><FONT face=Arial size=2> VPN
Tunnel: </FONT></P>
<P align=left><FONT face=Arial
size=2>
Gateway =</FONT> <FONT face=Arial size=2>YYY.YYY.YYY.YYY</FONT><FONT
face=Arial size=2></FONT> </P>
<P align=left><FONT face=Arial
size=2>
Static IP:</FONT> <FONT face=Arial size=2>XXX.XXX.XXX.XXX</FONT></P>
<P align=left><FONT face=Arial
size=2>
"Aggressive"</FONT></P>
<P align=left><FONT face=Arial
size=2>
Phase1 proposal = 3DES, SHA1, DH2 (pre-g2-3des-sha)</FONT></P>
<P align=left>
<FONT face=Arial
size=2> pre-share =</FONT> <FONT face=Arial
size=2>XXXXXX</FONT></P>
<P align=left><FONT face=Arial
size=2>
AutoIKE: </FONT></P>
<P align=left><FONT face=Arial
size=2>
Name = NT1-FW2</FONT></P>
<P align=left><FONT face=Arial
size=2>
Remote gateway =
FW2
</FONT></P>
<P align=left><FONT face=Arial
size=2>
Phase2 proposal = 3DES, SHA1, DH2, (nopfs-esp-3des-sha)</FONT></P>
<P align=left> <FONT face=Arial
size=2> Policy:</FONT></P>
<P align=left><FONT face=Arial
size=2>
NAME: NT1-FW2</FONT></P>
<P align=left><FONT face=Arial
size=2>
Source, JAMACA (172.20.100.0) </FONT></P>
<P align=left><FONT face=Arial
size=2>
Destination, BLM.Corp (10.10.0.0)</FONT></P>
<P align=left><FONT face=Arial
size=2>
Service, ANY</FONT></P>
<P align=left><FONT face=Arial
size=2>
NAT, OFF</FONT></P>
<P align=left><FONT face=Arial
size=2>
Action, Tunnel</FONT></P>
<P align=left><FONT face=Arial
size=2>
"Check modify incoming VPN policy" </FONT></P>
<P align=left><FONT face=Arial
size=2>
</FONT></P>
<P align=left><B><FONT face=Arial size=2>Sidewinder:</FONT></B></P>
<P align=left><FONT face=Arial size=2> SA
Netscreen-DSL-PRESHARE</FONT></P>
<P align=left> <FONT face=Arial
size=2>Local subnet = 10.10.0.0 /16</FONT></P>
<P align=left><FONT face=Arial
size=2>
Remote = 172.20.100.0 /24 </FONT></P>
<P align=left><FONT face=Arial size=2>
</FONT></P>
<P align=left><FONT face=Arial size=2> VPN
Tunnel:</FONT></P>
<P align=left><FONT face=Arial
size=2>
Pre-Share Secret =</FONT> <FONT face=Arial size=2>XXXXXXX</FONT></P>
<P align=left><FONT face=Arial
size=2>
Accept = 3DES - SHA1</FONT></P>
<P align=left><FONT face=Arial
size=2>
Phase1 = 28800 TTL 3DES, SHA1, DH2</FONT></P>
<P align=left><FONT face=Arial
size=2>
Phase2 = 3600 TTL 3DES, SHA1, </FONT></P>
<P align=left><FONT face=Arial
size=2></FONT> </P></BLOCKQUOTE></BODY></HTML>