04-07-2010 03:58 PM
Have been tasked with proving that Juniper SSG device can meet our needs as we move from colo based production environment to cloud hosted based environment. So have to have linux client vpn connect to SSG20 or 320.
Am attempting ipsec network to network vpn, using raccoon and not using freeswan or openvpn
Currently just trying policy based VPN so don't have to fiddle with xauth.
Getting as far as phase2 negotiations, but those consistently fail, even though client and SSG are both set to use the same protocols. I've worked with juniper tech support to configure the proposals to comply with what has been found to work in the past. I have changed up the protocols (for testing), and it still consistently fails no matter what the settings.
Any recommendations, and/or suggestions. I can provide example config files if anyone has any background in this area.
04-09-2010 10:44 AM
|2010-04-09 10:44:59||info||IKE 220.127.116.11 Phase 2 msg ID 976e1ac3: Negotiations have failed.|
|2010-04-09 10:44:59||info||IKE 18.104.22.168 Phase 2 msg ID 976e1ac3: Responded to the peer's first message.|
|2010-04-09 10:44:39||info||IKE 22.214.171.124 Phase 2 msg ID 976e1ac3: Negotiations have failed.|
|2010-04-09 10:44:39||info||IKE 126.96.36.199 Phase 2 msg ID 976e1ac3: Responded to the peer's first message.|
|2010-04-09 10:44:38||info||IKE 188.8.131.52 Phase 1: Completed Aggressive mode negotiations with a 28800-second lifetime.|
|2010-04-09 10:44:38||info||IKE 184.108.40.206 phase 1:The symmetric crypto key has been generated successfully.|
|2010-04-09 10:44:38||info||IKE 220.127.116.11 Phase 1: Responder starts AGGRESSIVE mode negotiations.|
04-10-2010 02:48 AM
Can you paste VPN config of both sites ?
Can you run the following debug :
debug ike detail
...now let the vpn negotiates till it fails
get db st .... get that output