ScreenOS Firewalls (NOT SRX)
Visitor
info
Posts: 5
Registered: 09-28-2008

Problem With IPSec

Hi,

I have configured IPSec on an SSG20 with another brand's firewall. I configured the tunnel, policy, gateway, AutoIKE, static route, everything, and the certificates match as well. But my tunnel doesn't come up and I get the message below in my event log.

"Phase 1: Retransmission limit has been reached"

I can't find this problem. Please help me out.

Thanks,

Super Contributor
Moerkholt
Posts: 169
Registered: 11-05-2007

Re: Problem With IPSec

Hi

The message you get can cover several issues (pre-shared key, proxy ID and more).

Have you tried doing a "debug ike detail"? It can give a better picture of what exactly the problem is.

The following is a link to a knowledge base article which is a great help in configuring and troubleshooting VPN.

 

http://kb.juniper.net/kb/documents/public/resolution_path/J_FW_VPN_Config_or_Trblsh.htm

Regards

Hans
JNCIS-FWV

If this worked for you then please flag my post as an "Accepted Solution" so others can benefit from it. A kudo would be nice if you think I earned it
Distinguished Expert
rkim
Posts: 755
Registered: 11-06-2007

Re: Problem With IPSec

Definitely check out the Juniper VPN Resolution Guide.

Retransmission limit reached implies that you are sending out UDP 500 packets but not getting a reply. Can you confirm on the remote peer whether or not you are seeing IKE packets received? If not, then check for any other routers/NAT devices/firewalls between your SSG20 and the remote peer.

-Richard

Contributor
Fahad_khan
Posts: 152
Registered: 10-21-2008

Re: Problem With IPSec

Your tunnel interface must be in the "ready" state. Double-check whether you have enabled "vpn monitor"; if so, disable it. Also check the remote peer's configuration. Furthermore, verify the pre-shared key, proxy ID, and proposals; all of these must be the same on both sides.

Best regards,

Fahad Khan

Premier Systems

Pakistan

Muhammad Fahad Khan
JNCIE-M/T # 756
Network Consultant
IBM Pakistan
+92-301-8247638
+92-321-2370510
Trusted Contributor
Munpe_Q
Posts: 192
Registered: 10-02-2008

Re: Problem With IPSec

So you didn't mention what other firewall you are trying to use. Interoperability shouldn't be an issue, but how to configure the SSG depends on the peer. It sounds like you are doing a route-based tunnel, and if so, then the problem could be that you need to apply some proxy-IDs to the tunnel's configuration. It's also possible, say if it's a PIX/ASA, that it simply won't work with a route-based tunnel at all, so you would have to move it to a policy-based tunnel. Been there, done that. Give some more info on the remote peer.
-=Q
Distinguished Expert
rkim
Posts: 755
Registered: 11-06-2007

Re: Problem With IPSec

Proxy ID may definitely come into play at some point. But since phase 1 is not even able to complete, we are not there yet. Pre-shared keys haven't really come into play yet either; based on the retransmission messages, it is clear that we are not seeing any IKE packets returning, hence the retransmission.

My advice is to troubleshoot the ability to send/receive UDP 500 packets between your two peers. That means you may also have to check the remote peer side to determine if there is another device between the two peers that is blocking UDP 500 traffic. Perhaps another firewall or a router with an ACL configured?

-Richard
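A small check for the one-way IKE symptom Richard describes, added here as an example and not taken from the thread: it reads `tcpdump -n udp port 500`-style lines (a constructed sample, not a real capture; the IPs 203.0.113.10 and 198.51.100.20 are placeholders) and reports whether any IKE reply ever came back, which decides whether to chase the UDP 500 path or the phase 1 parameters.

```python
import re

# Constructed sample (not a real capture) in the style of `tcpdump -n udp port 500`:
# the SSG (203.0.113.10) keeps initiating main mode toward the peer (198.51.100.20)
# and nothing comes back, the situation behind "Phase 1: Retransmission limit has
# been reached".
SAMPLE_CAPTURE = """\
10:01:00.000001 IP 203.0.113.10.500 > 198.51.100.20.500: isakmp: phase 1 I ident
10:01:10.000002 IP 203.0.113.10.500 > 198.51.100.20.500: isakmp: phase 1 I ident
10:01:20.000003 IP 203.0.113.10.500 > 198.51.100.20.500: isakmp: phase 1 I ident
10:01:30.000004 IP 203.0.113.10.500 > 198.51.100.20.500: isakmp: phase 1 I ident
"""

# One tcpdump line: "IP <src>.<sport> > <dst>.<dport>: isakmp: <info>"
LINE_RE = re.compile(
    r"IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): isakmp: (?P<info>.*)$"
)


def classify_ike(capture: str, local_ip: str, peer_ip: str) -> dict:
    """Count IKE packets in each direction between the two peers and name the
    troubleshooting branch from the thread that applies."""
    sent = received = 0
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if not m or "500" not in (m["sport"], m["dport"]):
            continue  # not an IKE packet on UDP 500
        if m["src"] == local_ip and m["dst"] == peer_ip:
            sent += 1
        elif m["src"] == peer_ip and m["dst"] == local_ip:
            received += 1
    if sent == 0:
        verdict = "nothing_sent"     # the SSG never initiated: look at gateway/tunnel config
    elif received == 0:
        verdict = "no_reply"         # packets leave, none return: UDP 500 path, NAT, ACLs
    else:
        verdict = "peer_responding"  # phase 1 is exchanging: proposals, PSK, proxy ID next
    # With no reply at all, every packet after the first is a retransmission.
    retransmissions = max(sent - 1, 0) if received == 0 else None
    return {"sent": sent, "received": received,
            "retransmissions": retransmissions, "verdict": verdict}


if __name__ == "__main__":
    print(classify_ike(SAMPLE_CAPTURE, "203.0.113.10", "198.51.100.20"))
```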

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.