Welcome to the Virus.Org Mailing List Archive
RE: [VPN] VPN tunnel between Sidewinder 5.2.1.0.7 and Netscreen 5 XP
  • To: "'Kokes, Tim'" <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
  • Subject: RE: [VPN] VPN tunnel between Sidewinder 5.2.1.0.7 and Netscreen 5 XP
  • From: David Klein <[EMAIL PROTECTED]>
  • Date: Wed, 2 Apr 2003 10:33:56 -0800
  • Sender: [EMAIL PROTECTED]
On the Netscreen does "get log event" show the reason for the IKE failure?
You could also do a "debug ike basic" to find the problem.
 
A couple of things to look for based on your information below:

1) "Aggressive"
Do you have aggressive mode set up on the Sidewinder? Either change Sidewinder to Aggressive mode or Netscreen to Main mode for P1.

2) Source, JAMACA (172.20.100.0)
   Destination, BLM.Corp (10.10.0.0)
Are the subnet masks correct on these? /24 and /16 respectively. Mismatched IP addresses and subnets will cause IKE P2 proxy-id checks to fail.

3) Phase2 proposal = 3DES, SHA1, DH2, (nopfs-esp-3des-sha)
This doesn't make sense. You've selected "nopfs" yet you mention DH2, which means you want to do PFS. Make sure these match between the two boxes.

Dave Klein
Netscreen Systems Engineer
 
-----Original Message-----
From: Kokes, Tim [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 02, 2003 9:13 AM
To: [EMAIL PROTECTED]
Subject: [VPN] VPN tunnel between Sidewinder 5.2.1.0.7 and Netscreen 5XP

Has anyone configured a Site to Site VPN tunnel between a Sidewinder 5.2.1.0.7 and Netscreen 5XP? I've set up both peers and the SA does not like the way Netscreen is formatting the VPN communication.

Setup taken:

NETSCREEN:
  VPN Tunnel:
    Gateway = YYY.YYY.YYY.YYY
    Static IP: XXX.XXX.XXX.XXX
    "Aggressive"
    Phase1 proposal = 3DES, SHA1, DH2 (pre-g2-3des-sha)
    pre-share = XXXXXX
  AutoIKE:
    Name = NT1-FW2
    Remote gateway = FW2
    Phase2 proposal = 3DES, SHA1, DH2, (nopfs-esp-3des-sha)
  Policy:
    NAME: NT1-FW2
    Source, JAMACA (172.20.100.0)
    Destination, BLM.Corp (10.10.0.0)
    Service, ANY
    NAT, OFF
    Action, Tunnel
    "Check modify incoming VPN policy"

Sidewinder:
  SA Netscreen-DSL-PRESHARE
    Local subnet = 10.10.0.0 /16
    Remote = 172.20.100.0 /24
  VPN Tunnel:
    Pre-Share Secret = XXXXXXX
    Accept = 3DES - SHA1
    Phase1 = 28800 TTL 3DES, SHA1, DH2
    Phase2 = 3600 TTL 3DES, SHA1,
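A small consistency check covering the three points raised in the reply above (Phase 1 exchange mode, proxy-ID subnets with their masks, and the PFS group versus a "nopfs" proposal name). This is an added illustration, not code from either vendor or from the thread; the Sidewinder running Main mode and the Netscreen destination carrying a /24 mask are assumed values chosen so that each check has something to report.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class PeerConfig:
    """One side's IKE/IPsec settings, built from the values listed in the thread."""
    name: str
    p1_mode: str                 # "main" or "aggressive"
    p1: tuple                    # (encryption, hash, DH group) for Phase 1
    p2_proposal: str             # vendor proposal name, e.g. "nopfs-esp-3des-sha"
    p2_pfs_group: Optional[int]  # DH group offered for PFS in Phase 2, None if no PFS
    local_net: str               # proxy-ID this side announces as its own network
    remote_net: str              # proxy-ID this side expects from the peer


def check_pair(a: PeerConfig, b: PeerConfig) -> list:
    """Return the mismatches that would make IKE Phase 1 or Phase 2 fail."""
    problems = []
    # 1) Both peers must use the same Phase 1 exchange mode and proposal.
    if a.p1_mode != b.p1_mode:
        problems.append(f"P1 mode: {a.name}={a.p1_mode}, {b.name}={b.p1_mode}")
    if a.p1 != b.p1:
        problems.append(f"P1 proposal: {a.name}={a.p1}, {b.name}={b.p1}")
    # 2) Proxy-IDs: one side's local network must equal the other's remote, mask included.
    for x, y in ((a, b), (b, a)):
        if ipaddress.ip_network(x.local_net) != ipaddress.ip_network(y.remote_net):
            problems.append(f"proxy-ID: {x.name} local {x.local_net} != {y.name} remote {y.remote_net}")
    # 3) PFS: a "nopfs" proposal contradicts an offered DH group, and both sides must agree.
    for p in (a, b):
        if "nopfs" in p.p2_proposal and p.p2_pfs_group is not None:
            problems.append(f"PFS: {p.name} proposal {p.p2_proposal} but DH group {p.p2_pfs_group} offered")
    if a.p2_pfs_group != b.p2_pfs_group:
        problems.append(f"PFS group: {a.name}={a.p2_pfs_group}, {b.name}={b.p2_pfs_group}")
    return problems


# Constructed from the thread; "main" on the Sidewinder and the /24 on the Netscreen
# destination are assumptions chosen so the checks have something to report.
NETSCREEN = PeerConfig("Netscreen-5XP", "aggressive", ("3DES", "SHA1", 2),
                       "nopfs-esp-3des-sha", 2, "172.20.100.0/24", "10.10.0.0/24")
SIDEWINDER = PeerConfig("Sidewinder", "main", ("3DES", "SHA1", 2),
                        "esp-3des-sha", None, "10.10.0.0/16", "172.20.100.0/24")

if __name__ == "__main__":
    for line in check_pair(NETSCREEN, SIDEWINDER):
        print(line)
```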

 

 
Copyright (c) Virus.Org 1997-2006.