ScreenOS Firewalls (NOT SRX)
Danipaan (Contributor)

Accepted Solution

VPN P1 fails

When trying to connect to SSG-5 the following message is shown in the log:
Rejected an IKE packet on ethernet0/0 from 10.10.10.123:500 to 10.10.10.4:500 with cookies 5bcee785abb14d17 and 0000000000000000 because an initial Phase 1 packet arrived from an unrecognized peer gateway.

I read up on the issue and it should appear when the outgoing interface is incorrectly configured, however my Untrust interface is ethernet0/0.

The IKE debug detail log is as follows:
## 2009-02-19 17:31:45 : IKE<10.10.10.123> ****** Recv packet if <ethernet0/0> of vsys <Root> ******
## 2009-02-19 17:31:45 : IKE<10.10.10.123> Catcher: get 400 bytes. src port 500
## 2009-02-19 17:31:45 : IKE<0.0.0.0        >   ISAKMP msg: len 400, nxp 1[SA], exch 4[AG], flag 00
## 2009-02-19 17:31:45 : IKE<10.10.10.123   > Recv : [SA] [KE] [NONCE] [ID] [VID] [VID] [VID] [VID] [VID]
## 2009-02-19 17:31:45 : [VID]
## 2009-02-19 17:31:45 : valid id checking, id type:U-FQDN, len:24.
## 2009-02-19 17:31:45 : IKE<0.0.0.0        >     Validate (372): SA/48 KE/132 NONCE/36 ID/24 VID/48 VID/12 VID/20 VID/12 VID/20
## 2009-02-19 17:31:45 : IKE<10.10.10.123> Receive Id in AG mode, id-type=3, id=vpn@customer.com, idlen = 16
## 2009-02-19 17:31:45 :   locate peer entry for (3/vpn@customer.com), by identity.
## 2009-02-19 17:31:45 :   Found identity<vpn@customer.com> in group <2> user id <6>.
## 2009-02-19 17:31:45 : IKE<10.10.10.123> Found peer entry (VPN CLIENTS) from 10.10.10.123.
## 2009-02-19 17:31:45 : IKE<10.10.10.123> Peer(VPN CLIENTS) is in main mode(2) but received packet mode is 4, packet discarded.
## 2009-02-19 17:31:45 : IKE<10.10.10.123> Rejected an initial Phase 1 packet from an unrecognized peer gateway.

My config file is attached as a .txt document.

Thanks in advance for any help offered.

traceoptions (Recognized Expert)

Re: VPN P1 fails

You are getting this message because you are using Main instead of Aggressive.

Here is the Dial Up VPN Configuration Tree from Juniper. It should steer you toward how to properly configure a Dial Up VPN for your setup.

KB 8535 Dial Up VPN

JNCIE-ENT #424 JNCIP-SEC, JNCI @traceoptions

**If this worked for you please flag my post as an Accepted Solution so others can benefit.**
Danipaan (Contributor)

Re: VPN P1 fails

Thank you for your reply, it got me one step ahead. Unfortunately Phase 1 is still not successfully connecting. See the IKE debug log:

ssg5-serial-> get db stream
## 2009-02-20 13:49:55 : reap_db. deleting p1sa 256c560
## 2009-02-20 13:49:55 : terminate_SA: trying to delete SA cause: 0 cond: 2
## 2009-02-20 13:49:55 : IKE<10.10.10.134> xauth_cleanup()
## 2009-02-20 13:49:55 : IKE<10.10.10.134> Done cleaning up IKE Phase 1 SA
## 2009-02-20 13:49:55 : peer_identity_unregister_p1_sa.
## 2009-02-20 13:49:55 : IKE<0.0.0.0        >   delete peer identity 0x25cafb0
## 2009-02-20 13:49:55 : IKE<0.0.0.0        >   peer_identity_remove_from_peer: num entry before remove <2>
## 2009-02-20 13:49:55 : peer_idt.c peer_identity_unregister_p1_sa 668: pidt deleted.
## 2009-02-20 13:51:13 : IKE<10.10.10.134> ike packet, len 428, action 1
## 2009-02-20 13:51:13 : IKE<10.10.10.134> Catcher: received 400 bytes from socket.
## 2009-02-20 13:51:13 : IKE<10.10.10.134> ****** Recv packet if <ethernet0/0> of vsys <Root> ******
## 2009-02-20 13:51:13 : IKE<10.10.10.134> Catcher: get 400 bytes. src port 500
## 2009-02-20 13:51:13 : IKE<0.0.0.0        >   ISAKMP msg: len 400, nxp 1[SA], exch 4[AG], flag 00
## 2009-02-20 13:51:13 : IKE<10.10.10.134   > Recv : [SA] [KE] [NONCE] [ID] [VID] [VID] [VID] [VID] [VID]
## 2009-02-20 13:51:13 : [VID]
## 2009-02-20 13:51:13 : valid id checking, id type:U-FQDN, len:24.
## 2009-02-20 13:51:13 : IKE<0.0.0.0        >     Validate (372): SA/48 KE/132 NONCE/36 ID/24 VID/48 VID/12 VID/20 VID/12 VID/20
## 2009-02-20 13:51:13 : IKE<10.10.10.134> Receive Id in AG mode, id-type=3, id=vpn@customer.com, idlen = 16
## 2009-02-20 13:51:13 :   locate peer entry for (3/vpn@customer.com), by identity.
## 2009-02-20 13:51:13 :   Found identity<vpn@customer.com> in group <2> user id <6>.
## 2009-02-20 13:51:13 : IKE<10.10.10.134> Found peer entry (VPN CLIENTS) from 10.10.10.134.
## 2009-02-20 13:51:13 : responder create sa: 10.10.10.134->10.10.10.4
## 2009-02-20 13:51:13 : init p1sa, pidt = 0x0
## 2009-02-20 13:51:13 : change peer identity for p1 sa, pidt = 0x0
## 2009-02-20 13:51:13 : IKE<0.0.0.0        >   peer_identity_create_with_uid: uid<0>
## 2009-02-20 13:51:13 : IKE<0.0.0.0        >   create peer identity 0x25cafb0
## 2009-02-20 13:51:13 : IKE<0.0.0.0        >   peer_identity_add_to_peer: num entry before add <1>
## 2009-02-20 13:51:13 : IKE<0.0.0.0        >   peer_identity_add_to_peer: num entry after add <2>
## 2009-02-20 13:51:13 : peer identity 25cafb0 created.
## 2009-02-20 13:51:13 : IKE<0.0.0.0        >   EDIPI disabled
## 2009-02-20 13:51:13 : IKE<10.10.10.134> getProfileFromP1Proposal->
## 2009-02-20 13:51:13 : IKE<10.10.10.134> find profile[0]=<00000007 00000002 00000001 00000002> for p1 proposal (id 7), xauth(1)
## 2009-02-20 13:51:13 : IKE<10.10.10.134> responder create sa: 10.10.10.134->10.10.10.4
## 2009-02-20 13:51:13 : IKE<10.10.10.134> Phase 1: Responder starts AGGRESSIVE mode negotiations.
## 2009-02-20 13:51:13 : IKE<10.10.10.134> AG in state OAK_AG_NOSTATE.
## 2009-02-20 13:51:13 : IKE<10.10.10.134> Process [VID]:
## 2009-02-20 13:51:13 : IKE<10.10.10.134   >   Vendor ID:
## 2009-02-20 13:51:13 : 47 bb e7 c9 93 f1 fc 13  b4 e6 d0 db 56 5c 68 e5
## 2009-02-20 13:51:13 : 01 02 01 01 02 01 01 03  10 31 30 2e 38 2e 35 20
## 2009-02-20 13:51:13 : 28 42 75 69 6c 64 20 32  29 00 00 00
## 2009-02-20 13:51:13 : IKE<10.10.10.134> receive unknown vendor ID payload
## 2009-02-20 13:51:13 : IKE<10.10.10.134> Process [VID]:
## 2009-02-20 13:51:13 : IKE<10.10.10.134   >   Vendor ID:
## 2009-02-20 13:51:13 : da 8e 93 78 80 01 00 00
## 2009-02-20 13:51:13 : IKE<10.10.10.134> receive unknown vendor ID payload
## 2009-02-20 13:51:13 : IKE<10.10.10.134> Process [VID]:
## 2009-02-20 13:51:13 : IKE<10.10.10.134   >   Vendor ID:
## 2009-02-20 13:51:13 : af ca d7 13 68 a1 f1 c9  6b 86 96 fc 77 57 01 00
## 2009-02-20 13:51:13 : IKE<10.10.10.134> Process [VID]:
## 2009-02-20 13:51:13 : IKE<10.10.10.134   >   Vendor ID:
## 2009-02-20 13:51:13 : 09 00 26 89 df d6 b7 12
## 2009-02-20 13:51:13 : IKE<10.10.10.134> rcv XAUTH v6.0 vid
## 2009-02-20 13:51:13 : IKE<10.10.10.134> Process [VID]:
## 2009-02-20 13:51:13 : IKE<10.10.10.134   >   Vendor ID:
## 2009-02-20 13:51:13 : 44 85 15 2d 18 b6 bb cd  0b e8 a8 46 95 79 dd cc
## 2009-02-20 13:51:13 : IKE<10.10.10.134> rcv NAT-Traversal VID payload (draft-ietf-ipsec-nat-t-ike-00).
## 2009-02-20 13:51:13 : IKE<10.10.10.134> Process [VID]:
## 2009-02-20 13:51:13 : IKE<10.10.10.134   >   Vendor ID:
## 2009-02-20 13:51:13 : 90 cb 80 91 3e bb 69 6e  08 63 81 b5 ec 42 7b 1f
## 2009-02-20 13:51:13 : IKE<10.10.10.134> rcv NAT-Traversal VID payload (draft-ietf-ipsec-nat-t-ike-02).
## 2009-02-20 13:51:13 : IKE<10.10.10.134> Process [SA]:
## 2009-02-20 13:51:13 : IKE<10.10.10.134> Proposal received: xauthflag 1
## 2009-02-20 13:51:13 : IKE<10.10.10.134> auth(1)<PRESHRD>, encr(7)<AES>, hash(2)<SHA>, group(2), keylen(128)
## 2009-02-20 13:51:13 : IKE<10.10.10.134> xauth attribute: initiator
## 2009-02-20 13:51:13 : IKE<10.10.10.134> Phase 1 proposal [0] selected.
## 2009-02-20 13:51:13 : IKE<0.0.0.0        >     dh group 2
## 2009-02-20 13:51:13 : IKE<10.10.10.134> DH_BG_consume OK. p1 resp
## 2009-02-20 13:51:13 : IKE<10.10.10.134> Process [KE]:
## 2009-02-20 13:51:13 : IKE<10.10.10.134> processing ISA_KE in phase 1.
## 2009-02-20 13:51:13 : IKE<10.10.10.134> Process [NONCE]:
## 2009-02-20 13:51:13 : IKE<10.10.10.134> processing NONCE in phase 1.
## 2009-02-20 13:51:13 : IKE<10.10.10.134> Process [ID]:
## 2009-02-20 13:51:13 : IKE<10.10.10.134> ID received: type=ID_USER_FQDN, USER FQDN = vpn@customer.com, port=500, protocol=17
## 2009-02-20 13:51:13 : IKE<10.10.10.134> process_id need to update peer entry, cur <VPN CLIENTS>.
## 2009-02-20 13:51:13 :   locate peer entry for (3/vpn@customer.com), by identity.
## 2009-02-20 13:51:13 :   Found identity<vpn@customer.com> in group <2> user id <6>.
## 2009-02-20 13:51:13 : IKE<10.10.10.134> Dynamic peer IP addr, search peer by identity.
## 2009-02-20 13:51:13 : IKE<10.10.10.134> peer gateway entry has no peer id configured
## 2009-02-20 13:51:13 : IKE<10.10.10.134> ID processed. return 0. sa->p1_state = 0.
## 2009-02-20 13:51:13 : IKE<10.10.10.134> Phase 1 AG Responder constructing 2nd message.
## 2009-02-20 13:51:13 : IKE<10.10.10.134> Construct ISAKMP header.
## 2009-02-20 13:51:13 : IKE<10.10.10.134> Msg header built (next payload #1)
## 2009-02-20 13:51:13 : IKE<10.10.10.134> Construct [SA] for ISAKMP
## 2009-02-20 13:51:13 : IKE<10.10.10.134> auth(1)<PRESHRD>, encr(7)<AES>, hash(2)<SHA>, group(2), keylen(128)
## 2009-02-20 13:51:13 : IKE<10.10.10.134> xauth attribute: disabled
## 2009-02-20 13:51:13 : IKE<10.10.10.134> lifetime/lifesize (0/0)
## 2009-02-20 13:51:13 : IKE<10.10.10.134> Construct NetScreen [VID]
## 2009-02-20 13:51:13 : IKE<10.10.10.134> Construct custom [VID]
## 2009-02-20 13:51:13 : IKE<10.10.10.134> Construct custom [VID]
## 2009-02-20 13:51:13 : IKE<10.10.10.134> Construct custom [VID]
## 2009-02-20 13:51:13 : IKE<10.10.10.134> Construct [KE] for ISAKMP
## 2009-02-20 13:51:13 : IKE<10.10.10.134> Construct [NONCE]
## 2009-02-20 13:51:13 : IKE<10.10.10.134> gen_skeyid()
## 2009-02-20 13:51:13 : IKE<10.10.10.134> gen_skeyid: returning 0
## 2009-02-20 13:51:13 : IKE<10.10.10.134> Construct [ID] for ISAKMP
## 2009-02-20 13:51:13 : IKE<10.10.10.134> Construct [HASH]
## 2009-02-20 13:51:13 : IKE<10.10.10.134> ID, len=8, type=1, pro=17, port=500,
## 2009-02-20 13:51:13 : IKE<10.10.10.134> addr=10.10.10.4
## 2009-02-20 13:51:13 : IKE<10.10.10.134> Construct NAT-T [VID]: draft 2
## 2009-02-20 13:51:13 : IKE<10.10.10.134> Responder psk ag mode: natt vid constructed.
## 2009-02-20 13:51:13 : IKE<10.10.10.134> responder (psk) constructing remote NAT-D
## 2009-02-20 13:51:13 : IKE<10.10.10.134> Construct [NATD]
## 2009-02-20 13:51:13 : IKE<10.10.10.134> responder (psk) constructing local NAT-D
## 2009-02-20 13:51:13 : IKE<10.10.10.134> Construct [NATD]
## 2009-02-20 13:51:13 : IKE<10.10.10.134   > Xmit : [SA] [VID] [VID] [VID] [VID] [KE] [NONCE] [ID] [HASH]
## 2009-02-20 13:51:13 : [VID] [NATD] [NATD]
## 2009-02-20 13:51:13 : IKE<10.10.10.134> Responder sending IPv4 IP 10.10.10.134/port 500
## 2009-02-20 13:51:13 : IKE<10.10.10.134> Send Phase 1 packet (len=424)
## 2009-02-20 13:51:13 : IKE<10.10.10.134> IKE msg done: PKI state<0> IKE state<5/91180f>
## 2009-02-20 13:51:14 : IKE<10.10.10.134> ike packet, len 108, action 0
## 2009-02-20 13:51:14 : IKE<10.10.10.134> Catcher: received 80 bytes from socket.
## 2009-02-20 13:51:14 : IKE<10.10.10.134> ****** Recv packet if <ethernet0/0> of vsys <Root> ******
## 2009-02-20 13:51:14 : IKE<10.10.10.134> Catcher: get 80 bytes. src port 500
## 2009-02-20 13:51:14 : IKE<0.0.0.0        >   ISAKMP msg: len 80, nxp 8[HASH], exch 5[INFO], flag 00
## 2009-02-20 13:51:14 : IKE<10.10.10.134   > Recv : [HASH] [NOTIF]
## 2009-02-20 13:51:14 : IKE<10.10.10.134> receive pkt with mseeage id before phase 1 auth is done.  Ingore the pkt
## 2009-02-20 13:51:18 : IKE<10.10.10.134> re-trans timer expired, msg retry (0) (91180f/5)
## 2009-02-20 13:51:18 : IKE<10.10.10.134> Responder sending IPv4 IP 10.10.10.134/port 500
## 2009-02-20 13:51:18 : IKE<10.10.10.134> Send Phase 1 packet (len=424)
## 2009-02-20 13:51:19 : IKE<0.0.0.0        >     dh group 2
## 2009-02-20 13:51:22 : IKE<10.10.10.134> re-trans timer expired, msg retry (1) (91180f/5)
## 2009-02-20 13:51:22 : IKE<10.10.10.134> Responder sending IPv4 IP 10.10.10.134/port 500
## 2009-02-20 13:51:22 : IKE<10.10.10.134> Send Phase 1 packet (len=424)
## 2009-02-20 13:51:26 : IKE<10.10.10.134> re-trans timer expired, msg retry (2) (91180f/5)
## 2009-02-20 13:51:26 : IKE<10.10.10.134> Responder sending IPv4 IP 10.10.10.134/port 500
## 2009-02-20 13:51:26 : IKE<10.10.10.134> Send Phase 1 packet (len=424)
## 2009-02-20 13:51:30 : IKE<10.10.10.134> re-trans timer expired, msg retry (3) (91180f/5)
## 2009-02-20 13:51:30 : IKE<10.10.10.134> Responder sending IPv4 IP 10.10.10.134/port 500
## 2009-02-20 13:51:30 : IKE<10.10.10.134> Send Phase 1 packet (len=424)
## 2009-02-20 13:51:34 : IKE<10.10.10.134> re-trans timer expired, msg retry (4) (91180f/5)
## 2009-02-20 13:51:34 : IKE<10.10.10.134> Responder sending IPv4 IP 10.10.10.134/port 500
## 2009-02-20 13:51:34 : IKE<10.10.10.134> Send Phase 1 packet (len=424)

Message Edited by Danipaan on 02-20-2009 04:59 AM
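A small triage script for ScreenOS "debug ike detail" output, added here as an example and not part of this thread or of any Juniper tool. It pulls out the two symptoms the captures above show: the first post's "Peer(...) is in main mode(2) but received packet mode is 4" mismatch that produced the "unrecognized peer gateway" rejection, and the second post's pattern where the responder sends its Aggressive mode reply, gets an Informational packet before Phase 1 authentication is done, and then retransmits without a valid answer. The sample lines are copied from the two captures; the regexes and the exchange-type names are this example's own assumptions.

```python
import re
from typing import Dict, List

# Constructed sample: lines copied from the two debug captures posted in this thread.
SAMPLE_LOG = """\
## 2009-02-19 17:31:45 : IKE<10.10.10.123> Receive Id in AG mode, id-type=3, id=vpn@customer.com, idlen = 16
## 2009-02-19 17:31:45 : IKE<10.10.10.123> Found peer entry (VPN CLIENTS) from 10.10.10.123.
## 2009-02-19 17:31:45 : IKE<10.10.10.123> Peer(VPN CLIENTS) is in main mode(2) but received packet mode is 4, packet discarded.
## 2009-02-19 17:31:45 : IKE<10.10.10.123> Rejected an initial Phase 1 packet from an unrecognized peer gateway.
## 2009-02-20 13:51:13 : IKE<10.10.10.134> Phase 1: Responder starts AGGRESSIVE mode negotiations.
## 2009-02-20 13:51:13 : IKE<10.10.10.134> Send Phase 1 packet (len=424)
## 2009-02-20 13:51:14 : IKE<10.10.10.134> receive pkt with mseeage id before phase 1 auth is done.  Ingore the pkt
## 2009-02-20 13:51:18 : IKE<10.10.10.134> re-trans timer expired, msg retry (0) (91180f/5)
## 2009-02-20 13:51:22 : IKE<10.10.10.134> re-trans timer expired, msg retry (1) (91180f/5)
"""

# One debug line: "## <date> <time> : IKE<peer-ip> <message>"; the peer field may be space-padded.
LINE_RE = re.compile(r"^## (\S+ \S+) : IKE<([\d.]+)\s*>\s*(.*)$")
# The numbers in "main mode(2) ... packet mode is 4" are ISAKMP exchange types
# (2 = Identity Protection / Main, 4 = Aggressive), matching "exch 4[AG]" in the capture.
MODE_RE = re.compile(r"Peer\((?P<gw>[^)]+)\) is in (?P<cfg>\w+) mode\((?P<cfg_n>\d)\) but received packet mode is (?P<rcv_n>\d)")
RETRY_RE = re.compile(r"re-trans timer expired, msg retry \((\d+)\)")
EXCH_TYPE = {"2": "main", "4": "aggressive"}

def analyze_ike_debug(log: str) -> Dict[str, List[str]]:
    """Return, per peer IP, the Phase 1 symptoms found in a ScreenOS IKE debug capture."""
    findings: Dict[str, List[str]] = {}
    last_retry: Dict[str, int] = {}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines without an IKE<peer> field carry no per-peer symptom we track
        _ts, peer, msg = m.groups()
        notes = findings.setdefault(peer, [])
        mm = MODE_RE.search(msg)
        if mm:
            notes.append(f"mode mismatch: gateway {mm['gw']!r} configured for {mm['cfg']} mode, "
                         f"peer sent exchange type {mm['rcv_n']} ({EXCH_TYPE.get(mm['rcv_n'], 'unknown')})")
        elif "unrecognized peer gateway" in msg:
            notes.append("initial Phase 1 packet rejected as unrecognized peer gateway")
        elif "before phase 1 auth is done" in msg:
            notes.append("peer sent an Informational exchange before Phase 1 completed; packet ignored")
        rm = RETRY_RE.search(msg)
        if rm:
            last_retry[peer] = int(rm.group(1)) + 1  # the retry counter starts at 0
    for peer, count in last_retry.items():
        findings[peer].append(f"responder retransmitted its Phase 1 reply {count} time(s) without a valid answer")
    return findings

if __name__ == "__main__":
    for peer, notes in analyze_ike_debug(SAMPLE_LOG).items():
        print(peer)
        for note in notes:
            print("  -", note)
```

Run against a full capture, the mode-mismatch note points at the gateway object whose mode needs to change, which is the fix traceoptions gave above; the retransmit note only tells you the reply went unanswered, not why.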
Copyright © 1999-2013 Juniper Networks, Inc. All rights reserved.