03-23-2009 08:08 AM
I am trying to establish a VPN between my NS-500 and Cisco 3845.
The problem is that when the other site connects to my internal network, the VPN comes UP, the SA is active and the ping is OK on both sides.
But when I try to initiate the VPN from my side, the ping does not work and the SA is not active. Phase 1 is OK but I see this error message related to Phase 2:
IKE<Peer IP Public >: Received a notification message for DOI <1> <14> <NO-PROPOSAL-CHOSEN>.
Can someone help me to understand this strange case? Thank you.
03-23-2009 11:22 AM
I guess you are pinging from the NS500 side? It looks like the proposals do not match.
I believe in Cisco and the NS500, you need to create a custom proposal so that all the parameters will match.
Usually there is a mismatch due to the life-size as Cisco has one value and does not accept what the juniper sends.
If you could show us what is configured on the NS500 and Cisco side for the Phase 2 proposals, we can check, or you can try to set the NS500 side to compatible.
03-24-2009 03:15 AM
Thanks for your reply;
The question is why the VPN comes up when the tunnel is initiated from the Cisco side and not from the NS side?
When the SA is active, the ping works from the NS and Cisco sides.
We used: No PFS, ESP, 3DES, MD5 for Phase 2, and when we enable PFS, the tunnel goes down on both sides.
I have two questions please:
1- What are the best values to use for lifetime and lifesize in this case?
2- Is it possible that there is a software or hardware problem with this Cisco 3845?
03-24-2009 02:32 PM
Basically, when you initiate from the Netscreen side, the Cisco side does not accept the proposal sent, which is why you are seeing the error message in the "get event" output.
For the Netscreen side, the life-time is usually set to:
FUSTELE16A(M)-> get ike p2-pro
Id Name Grp Protocol Enc_alg Auth_alg Lifetime Lifesize
-- -------------------- --- -------- ------- -------- ---------- ----------
0 nopfs-esp-des-md5 0 ESP DES MD5 3600 0
1 nopfs-esp-des-sha 0 ESP DES SHA-1 3600 0
2 g2-esp-des-md5 2 ESP DES MD5 3600 0
3 g2-esp-des-sha 2 ESP DES SHA-1 3600 0
which is 3600 or 1 hr.
If you are working with another vendor then you will need to make sure both values match properly.
I guess the reason why when you enable PFS for Phase 2 on the FW it did not work may be because you did not configure the "group" settings on the Cisco side?
For the lifesize, I think Cisco has a larger value than the Netscreen in some cases, so that may cause the proposal not to be accepted during the negotiation. It's better to configure both sides manually.
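The advice above boils down to lining up every Phase 2 attribute on both peers. As an added example (not from this thread or either vendor), the script below parses a NetScreen "get ike p2-pro" row and compares it attribute by attribute with a Cisco-side proposal, reporting which fields would lead a responder to reject it with NO-PROPOSAL-CHOSEN. The Cisco values and the NetScreen row are constructed for illustration.

```python
"""Compare IKE Phase 2 proposals from a NetScreen and a Cisco IOS peer.
Added example; all sample values below are constructed."""
import re

# Constructed NetScreen "get ike p2-pro" output, same column layout as the
# table quoted in the thread (Grp 0 = no PFS, Lifesize 0 = unlimited).
NETSCREEN_P2 = """
Id Name                 Grp Protocol Enc_alg Auth_alg Lifetime   Lifesize
-- -------------------- --- -------- ------- -------- ---------- ----------
0  nopfs-esp-3des-md5   0   ESP      3DES    MD5      3600       0
"""

# Constructed Cisco side, roughly what a transform-set of esp-3des/esp-md5-hmac
# with "set pfs group2" and an SA lifetime of 28800 s / 4608000 KB would carry.
CISCO_P2 = {"protocol": "ESP", "enc": "3DES", "auth": "MD5", "pfs_group": 2,
            "lifetime": 28800, "lifesize": 4608000}

ROW = re.compile(r"\s*\d+\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s*$")


def normalize_auth(name):
    """NetScreen prints SHA-1 where Cisco says SHA; fold to one spelling."""
    return "SHA" if name.upper().startswith("SHA") else name.upper()


def parse_netscreen_p2(text):
    """Turn the proposal table into a list of dicts (header lines are skipped)."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({"name": m.group(1), "pfs_group": int(m.group(2)),
                         "protocol": m.group(3).upper(), "enc": m.group(4).upper(),
                         "auth": normalize_auth(m.group(5)),
                         "lifetime": int(m.group(6)), "lifesize": int(m.group(7))})
    return rows


def phase2_mismatches(ns, cisco):
    """Return the attribute names that differ between the two proposals.
    A NetScreen lifesize of 0 (unlimited) is treated as different from any
    finite Cisco kilobyte limit, since the peer will not accept it as equal."""
    keys = ("protocol", "enc", "auth", "pfs_group", "lifetime", "lifesize")
    return [k for k in keys if ns[k] != cisco[k]]


def check_all(netscreen_text, cisco):
    """Map each NetScreen proposal name to its list of mismatching attributes."""
    return {r["name"]: phase2_mismatches(r, cisco)
            for r in parse_netscreen_p2(netscreen_text)}


if __name__ == "__main__":
    for name, bad in check_all(NETSCREEN_P2, CISCO_P2).items():
        print(name, "OK" if not bad else "mismatch: " + ", ".join(bad))
```

Run against your own "get ike p2-pro" output and the values from the Cisco transform-set and crypto map; an empty list for the proposal the peer should pick is what you want.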