ScreenOS Firewalls (NOT SRX)
Visitor
j2man

Netscreen 5GT / MS XP VPN Client / Auth fails in Phase 2 / proxy-ID?

Hi,

I have this problem with a 5GT. I'm trying to get an L2TP/IPsec dialup VPN running with the L2TP/IPsec client included in XP. I set this up using certificates, and authentication works fine for phase 1. However, during phase 2 the NetScreen drops out, claiming that the "peer did not send a proxy id".

When I connect a peer directly to the untrust port of the firewall, the tunnel comes up. When I come in through the Internet, the error appears. In the AutoKey IKE options, "Proxy-ID" is unchecked.

Any hints from the wizards?

Cheers!

New User
Hadi

Re: Netscreen 5GT / MS XP VPN Client / Auth fails in Phase 2 / proxy-ID?

Hi

Can you please post your configuration?

Regards,

Visitor
j2man

Re: Netscreen 5GT / MS XP VPN Client / Auth fails in Phase 2 / proxy-ID?

It's kinda fresh. Here's what I can give you...

set clock ntp
set clock timezone X
set vrouter trust-vr sharable
unset vrouter "trust-vr" auto-route-export
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "xxx"
set admin password "xxx"
set admin http redirect
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "VLAN" block
set zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "trust" zone "Trust"
set interface "untrust" zone "Untrust"
unset interface vlan1 ip
set interface trust ip 4.68.95.3/24
set interface trust nat
set interface untrust ip xxx.xxx.xxx.xxx/29
set interface untrust route
set interface untrust mtu 1500
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface trust ip manageable
set interface untrust ip manageable
set interface trust manage mtrace
set interface untrust manage ping
set interface untrust manage ssh
set interface untrust manage telnet
set interface untrust manage snmp
set interface untrust manage ssl
set interface untrust manage web
set flow tcp-mss
unset flow tcp-syn-check
set domain xx.xx.xxx.xx
set hostname fw-remote
set dns host dns1 4.68.95.1
set address "Trust" "yy-DMZ" 4.68.95.0 255.255.255.0
set ippool "IPPool-yy-remote" 4.68.22.1 4.68.22.239
set user "aaa.bbb" uid 3
set user "aaa.bbb" ike-id asn1-dn wildcard "CN=ob,OU=,O=,L=,ST=,C=,E=aa@bbb.cc" share-limit 1
set user "aaa.bbb" type  auth ike l2tp
set user "aaa.bbb" remote ippool "IPPool-yy-remote"
set user "aaa.bbb" password "xxx"
set user "aaa.bbb" "enable"
set user-group "yy VPN User" id 1
set user-group "yy VPN User" user "aaa.bbb"
set ike gateway "GW-yy-remote" dialup "yy VPN User" Main outgoing-interface "untrust"  proposal "rsa-g2-des-md5" "rsa-g2-3des-md5" "rsa-g2-des-sha" "rsa-g2-3des-sha"
set ike gateway "GW-yy-remote" cert peer-ca all
unset ike gateway "GW-yy-remote" nat-traversal udp-checksum
set ike gateway "GW-yy-remote" nat-traversal keepalive-frequency 5
set ike respond-bad-spi 1
set vpn "IKE-yy" gateway "GW-yy-remote" no-replay transport idletime 0 sec-level compatible
set l2tp default dns1 7.68.95.11
set l2tp default ippool "IPPool-yy-remote"
set l2tp "Tunnel-yy-remote" id 5 outgoing-interface untrust keepalive 60
set l2tp "Tunnel-yy-remote" remote-setting ippool "IPPool-yy-remote"
set l2tp "Tunnel-yy-remote" auth server "Local"
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set pki x509 dn org-name "xxx"
set pki x509 dn name "xxx"
set pki x509 cert-fqdn xxx.xxx
set url protocol sc-cpa
exit
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" deny log
set policy id 1
exit
set policy id 3 name "Pol-yy-remote" from "Untrust" to "Trust"  "Dial-Up VPN" "yy-DMZ" "ANY" tunnel vpn "IKE-yy" id 1 l2tp "Tunnel-yy-remote"
set policy id 3
exit
set policy id 2 name "Block" from "Untrust" to "Trust"  "Any" "Any" "ANY" deny log
set policy id 2
exit
set global-pro policy-manager primary outgoing-interface untrust
set global-pro policy-manager secondary outgoing-interface untrust
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
set dl-buf size 7340032
set ntp server "xxx.xxx.xxx"
set ntp server src-interface "untrust"
set ntp server backup1 "xxx.xxx.xxx"
set ntp server backup1 src-interface "untrust"
set ntp server backup2 "0.0.0.0"
set modem speed 115200
set modem retry 3
set modem interval 10
set modem idle-time 10
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route  7.68.95.0/24 interface trust gateway 4.68.95.2 preference 20
set route  0.0.0.0/0 interface untrust gateway xxx.xxx.xxx.xxx preference 20
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit

Distinguished Expert
rkim

Re: Netscreen 5GT / MS XP VPN Client / Auth fails in Phase 2 / proxy-ID?

I don't see a problem with the configs per se. Try enabling 'debug ike detail' and post the output of the phase 2 negotiations.

-Richard

Visitor
j2man

Re: Netscreen 5GT / MS XP VPN Client / Auth fails in Phase 2 / proxy-ID?

Here it comes... thanks!

## 09:22:34 : IKE<0.0.0.0        >   Start DH BG gen for group 2
## 09:22:34 : IKE<0.0.0.0        >     dh group 2
## 09:22:34 : IKE<0.0.0.0        >   I got hit by mail. 1
## 09:22:34 : IKE<12.201.28.1    >   from FLOAT port.
## 09:22:34 : IKE<12.201.28.1    >   ike packet, len 2156, action 0
## 09:22:34 : IKE<0.0.0.0        >   coach. sock 65
## 09:22:34 : IKE<12.201.28.1    > ****** Recv packet if <untrust> of vsys <Root> ******
## 09:22:34 : IKE<12.201.28.1    >   Catcher: get 2128 bytes. src port 1260
## 09:22:34 : IKE<12.201.28.1    >   SA: (Root, local 102.1.142.100, state 3/17113f +, r):
## 09:22:34 : IKE<12.201.28.1    >   ISAKMP msg: len 2124, nxp 5[ID], exch 2[MM], flag 01  E
## 09:22:34 : IKE<12.201.28.1    >   Receive re-transmit IKE packet phase 1 SA(12.201.28.1) exchg(2) len(2124)
## 09:22:34 : IKE<12.201.28.1    >   send_request to peer
## 09:22:34 : IKE<12.201.28.1    >   Send Phase 1 packet (len=1572)
## 09:22:34 : IKE<12.201.28.1    >   from FLOAT port.
## 09:22:34 : IKE<12.201.28.1    >   ike packet, len 364, action 1
## 09:22:34 : IKE<0.0.0.0        >   coach. sock 67
## 09:22:34 : IKE<12.201.28.1    > ****** Recv packet if <untrust> of vsys <Root> ******
## 09:22:34 : IKE<12.201.28.1    >   Catcher: get 336 bytes. src port 1260
## 09:22:34 : IKE<12.201.28.1    >   SA: (Root, local 102.1.142.100, state 3/17113f +, r):
## 09:22:34 : IKE<12.201.28.1    >   ISAKMP msg: len 332, nxp 8[HASH], exch 32[QM], flag 01  E
## 09:22:34 : IKE<12.201.28.1    >   Create conn entry...
## 09:22:34 : IKE<12.201.28.1    >     ...done(new c8e25035)
## 09:22:34 : IKE<12.201.28.1    >   Phase 2 msg-id <c8e25035>: Responded to the first peer message.
## 09:22:34 : IKE<12.201.28.1    >   Decrypting payload (length 304)
## 09:22:34 : IKE<12.201.28.1    > Recv*: [HASH] [SA] [NONCE] [ID] [ID] [NAT_OA]
## 09:22:34 : IKE<12.201.28.1    >   extract payload (304):
## 09:22:34 : IKE<12.201.28.1    >   QM in state OAK_QM_SA_ACCEPT.
## 09:22:34 : IKE<12.201.28.1    > ERROR: Cannot handle this id type, 2!
## 09:22:34 : IKE<0.0.0.0        > Initiator ID Payload processing failed!!
## 09:22:34 : IKE<12.201.28.1    > Error: No phase 2 proxy id from peer, message_id<c8e25035>.
## 09:22:34 : IKE<12.201.28.1    >   oakley_process_quick_mode():exit
## 09:22:34 : IKE<12.201.28.1    > Phase 2 msg-id <c8e25035>: Negotiations have failed.
## 09:22:34 : IKE<12.201.28.1    >     Delete conn entry...
## 09:22:34 : IKE<12.201.28.1    >     ...found(c8e25035)
## 09:22:34 : IKE<12.201.28.1    >   IKE msg done: PKI state<0> IKE state<3/17113f>
## 09:22:35 : IKE<12.201.28.1    >   from FLOAT port.
## 09:22:35 : IKE<12.201.28.1    >   ike packet, len 364, action 1
## 09:22:35 : IKE<0.0.0.0        >   coach. sock 67

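As an added example (not from this thread or from Juniper), a small Python parser for 'debug ike detail' output of the kind posted above: it groups the Quick Mode lines by msg-id, extracts the ID payload type the firewall rejected (the number maps to the RFC 2407 identification types, so type 2 is ID_FQDN) and notes the NAT_OA payload that shows NAT traversal is in play. The sample lines are copied from the posted output; the class, field and function names are my own.

```python
import re
from dataclasses import dataclass, field
# ISAKMP identification types from the IPsec DOI (RFC 2407, section 4.6.2.1).
ID_TYPES = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_USER_FQDN", 4: "ID_IPV4_ADDR_SUBNET",
            5: "ID_IPV6_ADDR", 6: "ID_IPV6_ADDR_SUBNET", 7: "ID_IPV4_ADDR_RANGE",
            8: "ID_IPV6_ADDR_RANGE", 9: "ID_DER_ASN1_DN", 10: "ID_DER_ASN1_GN", 11: "ID_KEY_ID"}
# One 'debug ike detail' line looks like "## HH:MM:SS : IKE<peer    >   text".
LINE_RE = re.compile(r"^##\s+\d\d:\d\d:\d\d\s+:\s+IKE<([\d.]+)\s*>\s*(.*)$")

@dataclass
class QmExchange:
    peer: str
    msg_id: str
    payloads: list = field(default_factory=list)  # payloads of the decrypted QM message
    bad_id_type: int = 0  # N from "ERROR: Cannot handle this id type, N!", 0 if none seen
    failed: bool = False
    def diagnose(self) -> str:
        if not self.failed:
            return f"{self.peer} QM {self.msg_id}: no failure recorded"
        why = "peer sent no usable proxy-ID"
        if self.bad_id_type:
            why += f" (ID payload type {self.bad_id_type} = {ID_TYPES.get(self.bad_id_type, 'unknown')} rejected)"
        if "NAT_OA" in self.payloads:  # NAT-OA is only sent when NAT traversal is active
            why += "; NAT-T in use"
        return f"{self.peer} QM {self.msg_id} failed: {why}"

def parse_ike_debug(text: str) -> list:
    """Group the Phase 2 lines of 'debug ike detail' output by msg-id and record how each ended."""
    exchanges, cur = {}, None
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        peer, msg = m.group(1), m.group(2).rstrip()
        start = re.match(r"Phase 2 msg-id <([0-9a-f]+)>: Responded to the first peer message", msg)
        if start:  # the first QM packet for a new msg-id opens a record
            cur = exchanges.setdefault(start.group(1), QmExchange(peer, start.group(1)))
        elif cur is None:
            continue
        elif msg.startswith("Recv*:"):
            cur.payloads = re.findall(r"\[([A-Z_]+)\]", msg)
        elif (t := re.match(r"ERROR: Cannot handle this id type, (\d+)!", msg)):
            cur.bad_id_type = int(t.group(1))
        elif msg == f"Phase 2 msg-id <{cur.msg_id}>: Negotiations have failed.":
            cur.failed, cur = True, None
    return list(exchanges.values())

# Constructed sample: the Quick Mode lines copied from the debug output posted above.
SAMPLE = """\
## 09:22:34 : IKE<12.201.28.1    >   Phase 2 msg-id <c8e25035>: Responded to the first peer message.
## 09:22:34 : IKE<12.201.28.1    > Recv*: [HASH] [SA] [NONCE] [ID] [ID] [NAT_OA]
## 09:22:34 : IKE<12.201.28.1    > ERROR: Cannot handle this id type, 2!
## 09:22:34 : IKE<12.201.28.1    > Phase 2 msg-id <c8e25035>: Negotiations have failed.
"""
```

Running `for x in parse_ike_debug(SAMPLE): print(x.diagnose())` on the sample reports the rejected ID_FQDN identity and the NAT-T hint in one line, which is the same conclusion the later replies in this thread point at.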
Visitor
boricua

Re: Netscreen 5GT / MS XP VPN Client / Auth fails in Phase 2 / proxy-ID?

Did you get this error resolved? I got the same exact error.

Thanks,

Rick

Trusted Expert
marsteel

Re: Netscreen 5GT / MS XP VPN Client / Auth fails in Phase 2 / proxy-ID?

Try disabling nat-traversal.

Contributor
DerMike

Re: Netscreen 5GT / MS XP VPN Client / Auth fails in Phase 2 / proxy-ID?

An explanation can be found here ... as always :smileyhappy:

DerMike

Trusted Expert
sarab

Re: Netscreen 5GT / MS XP VPN Client / Auth fails in Phase 2 / proxy-ID?

Thanks DerMike, the link you mentioned resolved one of my issues.. :smileyhappy:

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.