ScreenOS Firewalls (NOT SRX)
Contributor
faycal
Posts: 50
Registered: 11-26-2007

Problem VPN between NS500 and Cisco 3845

Dears;

I try to establish a VPN between my NS-500 and Cisco 3845.

The problem is that when the other site connects to my internal network, the VPN becomes UP, the SA is active and the ping is OK on both sides.

But when I try to initiate the VPN from my side, the ping is not working and the SA is not active. Phase 1 is OK but I see this error message related to Phase 2:

IKE<Peer IP Public >: Received a notification message for DOI <1> <14> <NO-PROPOSAL-CHOSEN>.

Can someone help me to understand this strange case? Thank you.
Trusted Expert
WL
Posts: 790
Registered: 07-26-2008

Re: Problem VPN between NS500 and Cisco 3845

Hi

I guess you are pinging from the NS500 side? It looks like the proposals do not match.

I believe in Cisco and the NS500, you need to create a custom proposal so that all the parameters will match.

Usually there is a mismatch due to the lifesize, as Cisco has one value and does not accept what the Juniper sends.


If you could show us what is configured on the NS500 and Cisco sides for the Phase 2 proposals, we can check. Or you can try to set the NS500 side to compatible.

****pls click the button " Accept as Solution" if my post helped to solve your problem****
Contributor
faycal
Posts: 50
Registered: 11-26-2007

Re: Problem VPN between NS500 and Cisco 3845

Thanks for your reply.

The question is why the VPN becomes up when the tunnel is initiated from the Cisco side and not from the NS side?

When the SA is active, the ping works from the NS and Cisco sides.


We used: no PFS, ESP, 3DES, MD5 for Phase 2, and when we enable PFS, the tunnel is down from both sides.


I have two questions please:

1- What are the best values to use for lifetime and lifesize in this case?

2- Is it possible that there is a software or hardware problem with this Cisco 3845?


Thanks

Trusted Expert
WL
Posts: 790
Registered: 07-26-2008

Re: Problem VPN between NS500 and Cisco 3845

Basically, when you initiate from the Netscreen side, the Cisco side does not accept the proposal sent, which is why you are seeing the error message in "get event".

For the Netscreen side, the lifetime is usually set to:

FUSTELE16A(M)-> get ike p2-pro
Id Name                 Grp Protocol Enc_alg Auth_alg Lifetime   Lifesize
-- -------------------- --- -------- ------- -------- ---------- ----------
 0 nopfs-esp-des-md5      0 ESP      DES     MD5            3600          0
 1 nopfs-esp-des-sha      0 ESP      DES     SHA-1          3600          0
 2 g2-esp-des-md5         2 ESP      DES     MD5            3600          0
 3 g2-esp-des-sha         2 ESP      DES     SHA-1          3600          0

which is 3600 or 1 hr.

If you are working with another vendor then you will need to make sure both values match properly.

I guess the reason why when you enable PFS for Phase 2 on the FW it did not work may be because you did not configure the "group" settings on the Cisco side?


For the lifesize, I think Cisco has a larger value than the Netscreen in some cases, so that may cause the proposal not to be accepted during the negotiation. It's better to configure both sides manually.

****pls click the button " Accept as Solution" if my post helped to solve your problem****
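The advice above amounts to a field-by-field comparison of the two sides' Phase 2 proposals. As an added illustration (not Juniper or Cisco code), the script below parses the proposal table in the same layout ScreenOS prints for "get ike p2-pro" and reports, per proposal, which fields differ from a peer's transform set; the peer values are constructed, and the strict equality check does not model every IKEv1 responder rule.

```python
"""Added illustration (not Juniper or Cisco code): parse the phase-2 proposal
table ScreenOS prints for 'get ike p2-pro' and report, field by field, why a
peer's transform set would reject each proposal (NO-PROPOSAL-CHOSEN)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class P2Proposal:
    name: str
    pfs_group: int      # 0 = no PFS
    protocol: str
    enc_alg: str
    auth_alg: str
    lifetime: int       # seconds
    lifesize: int       # kilobytes; ScreenOS prints 0 for "no byte limit"


# Constructed sample in the same layout as the table quoted in the thread.
SCREENOS_P2_OUTPUT = """\
Id Name                 Grp Protocol Enc_alg Auth_alg Lifetime   Lifesize
-- -------------------- --- -------- ------- -------- ---------- ----------
 0 nopfs-esp-des-md5      0 ESP      DES     MD5            3600          0
 2 g2-esp-des-md5         2 ESP      DES     MD5            3600          0
 4 nopfs-esp-3des-md5     0 ESP      3DES    MD5            3600          0
"""

_ROW = re.compile(r"^\s*\d+\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s*$")


def parse_p2_proposals(text):
    """Turn table rows into P2Proposal objects; header/separator lines are skipped."""
    found = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            name, grp, proto, enc, auth, life, size = m.groups()
            found.append(P2Proposal(name, int(grp), proto, enc, auth, int(life), int(size)))
    return found


def mismatches(local, peer):
    """Fields on which 'local' and 'peer' disagree; an empty list means a match."""
    fields = ("pfs_group", "protocol", "enc_alg", "auth_alg", "lifetime", "lifesize")
    return [f for f in fields if getattr(local, f) != getattr(peer, f)]


def check_against_peer(local_proposals, peer):
    """Map each local proposal name to its mismatch list (empty = acceptable)."""
    return {p.name: mismatches(p, peer) for p in local_proposals}
```

Feed it the real "get ike p2-pro" output and a P2Proposal built from the peer's transform set, PFS group and lifetime/lifesize settings; a proposal whose only mismatch is "lifesize" or "pfs_group" points at exactly the two causes discussed in this thread.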
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.