Screen OS

  • 1.  site to site VPN goes down regularly

    Posted 02-23-2012 10:01

    Hello,

    I configured a site-to-site VPN with my customer, who has a Fortinet firewall.

    We are running Juniper NetScreen with ScreenOS 6.3.

    This tunnel runs well for some days (say 4-5 days) and then we face problems with reconnecting or rekeying, and we have to clear the tunnel manually to get it running again, otherwise it no longer forwards packets.

    We receive the following messages on the FW during this time.

     2012-02-23 15:59:37 system info  00536 IKE x.x.x.x Phase 2 msg ID
                                           c3b0d257: Completed negotiations with
                                           SPI 99fa83c0, tunnel ID 393283, and
                                           lifetime 86400 seconds/0 KB.
    2012-02-23 15:59:37 system info  00536 IKE x.x.x.x phase 2:The
                                           symmetric crypto key has been
                                           generated successfully.
    2012-02-23 15:59:37 system info  00536 IKE x.x.x.x Phase 2 msg ID
                                           c3b0d257: Responded to the peer's
                                           first message.
    2012-02-23 15:59:02 system info  00536 IKE x.x.x.x Phase 2 msg ID
                                           ee09f563: Completed negotiations with
                                           SPI 99fa83be, tunnel ID 393282, and
                                           lifetime 86400 seconds/0 KB.
    2012-02-23 15:59:02 system info  00536 IKE x.x.x.x phase 2:The
                                           symmetric crypto key has been
                                           generated successfully.
    2012-02-23 15:59:02 system info  00536 IKE x.x.x.x Phase 2 msg ID
                                           ee09f563: Responded to the peer's
                                           first message.
    2012-02-23 15:59:02 system notif 00017 VPN mt-ag-pironet-vpn with gateway
                                           mt-ag-pironet-x.x.x.x and P2
                                           proposal 3DES-MD5-ESP-86400 has been
                                           modified by coltadmin via web from
                                           host 172.27.3.3 to 172.27.1.193:443.
    2012-02-23 14:10:47 system info  00536 IKE x.x.x.x Phase 2 msg ID
                                           0e8e570d: Completed negotiations with
                                           SPI 99fa826a, tunnel ID 393283, and
                                           lifetime 86400 seconds/0 KB.
    2012-02-23 14:10:47 system info  00536 IKE x.x.x.x phase 2:The
                                           symmetric crypto key has been
                                           generated successfully.
    2012-02-23 14:10:47 system info  00536 IKE x.x.x.x Phase 2 msg ID
                                           0e8e570d: Responded to the peer's
                                           first message.
    2012-02-23 14:08:57 system info  00536 IKE x.x.x.x Phase 2 msg ID
                                           f457d2fb: Completed negotiations with
                                           SPI 99fa8264, tunnel ID 393282, and
                                           lifetime 86400 seconds/0 KB.
    2012-02-23 14:08:57 system info  00536 IKE x.x.x.x phase 2:The
                                           symmetric crypto key has been
                                           generated successfully.
    2012-02-23 14:08:57 system info  00536 IKE x.x.x.x Phase 2 msg ID
                                           f457d2fb: Responded to the peer's
                                           first message.
    2012-02-23 14:00:31 system info  00536 IKE x.x.x.x Phase 1: Completed
                                           Main mode negotiations with a
                                           86400-second lifetime.
    2012-02-23 14:00:31 system info  00536 IKE x.x.x.x phase 1:The
                                           symmetric crypto key has been
                                           generated successfully.
    2012-02-23 14:00:31 system info  00536 IKE x.x.x.x Phase 1: Responder
                                           starts MAIN mode negotiations.
    2012-02-22 19:34:03 system info  00536 IKE x.x.x.x Phase 2 msg ID
                                           818b301a: Completed negotiations with
                                           SPI 99fa749e, tunnel ID 393281, and
                                           lifetime 86400 seconds/0 KB.
    2012-02-22 19:34:03 system info  00536 IKE x.x.x.x phase 2:The
                                           symmetric crypto key has been
                                           generated successfully.
    2012-02-22 19:34:03 system info  00536 IKE x.x.x.x Phase 2 msg ID
                                           818b301a: Responded to the peer's
                                           first message.
    Total entries matched = 19

    I have attached the log files from the Fortinet as well.

    X.X.X.X = our public IP address
    Y.Y.Y.Y = customer IP address

    Following is what the technician at our customer's side observed:


    2012-02-21 10:43:                        VPN tunnel has disconnected on the Fortinet side
                                             reason: lifetime (8 h interval) has been exceeded
                                             recommended action: tunnel has to rekey with a new identifier

    2012-02-21 10:43 - 2012-02-21 13:48:     no entry in the log file

    2012-02-21 13:48 - 2012-02-21 14:10:     Juniper tries to reconnect the tunnel with the "old" identifier

    2012-02-21 14:10:                        Juniper forbids communication with peer
                                             tunnel (both phases) down

    2012-02-21 14:10:                        after a manual reset the VPN tunnel comes up again and works fine

    Attachment(s)
    jnet.txt (txt, 127 KB)


  • 2.  RE: site to site VPN goes down regularly

    Posted 03-02-2012 02:43

    You have different timeouts on the NetScreen firewall compared to the Fortinet, according to what you say. These two log entries show that you have 24-hour timeouts on both phase 1 and phase 2:


    2012-02-23 14:00:31 system info  00536 IKE x.x.x.x Phase 1: Completed
                                           Main mode negotiations with a
                                           86400-second lifetime.

    2012-02-22 19:34:03 system info  00536 IKE x.x.x.x Phase 2 msg ID
                                           818b301a: Completed negotiations with
                                           SPI 99fa749e, tunnel ID 393281, and
                                           lifetime 86400 seconds/0 KB.

     

    First, it is always smart to have a shorter timeout on phase 2 than on phase 1. Second, you write in your text that the Fortinet has an 8-hour timeout:


    2012-02-21 10:43:    VPN tunnel has disconnected on the Fortinet side
                         reason: lifetime (8 h interval) has been exceeded

    My guess is that things will start working as expected if you change the timeout on phase 2 (AutoKey IKE) on the NetScreen to 8 hours (28800 seconds). If this does not work, go through the complete setup and check that all settings are the same.




  • 3.  RE: site to site VPN goes down regularly
    Best Answer

    Posted 03-02-2012 02:53

    We had an 8-hour lifetime earlier for the Juniper as well, but the VPN flapped every hour, so we increased it to 24 hours.

    Also, as far as I know, the VPN lifetime is negotiated to whichever is lower of the two peers....




  • 4.  RE: site to site VPN goes down regularly

    Posted 03-02-2012 03:25

    Hi,

    If both the Fortinet and SSG trust interface IPs belong to the VPN proxy ID, try to start VPN monitoring with the rekey option on the SSG. Use the trust interface of the SSG as the source and the Fortinet's trust interface IP as the destination IP. Of course, a policy should be configured on the Fortinet to allow these pings.



  • 5.  RE: site to site VPN goes down regularly

    Posted 03-03-2012 10:31

    I am pretty sure there is no negotiating of timers unless you have created different proposals that are exactly alike except for the timers. ScreenOS has a limit of four proposals for each phase, so I do not think that is scalable. My experience is that this kind of problem is caused by different timers on the two sides.

    Be aware that one should have shorter timers on phase two than on phase one, and I guess one should have both phases time out at the same time. Two typical settings are one hour on phase two and eight on phase one, or eight on phase two and 24 on phase one. Be aware that it is easy to mix these up and have the longer timer on phase two, and this does not work well.

    Based on what you write, it looks like the FortiGate has one hour on phase two and eight hours on phase one. Since you have 24 hours on both phases on the NetScreen side, you are bound to have problems. Set the NetScreen timers exactly the same as the FortiGate side, and I guess things will get better.


  • 6.  RE: site to site VPN goes down regularly

    Posted 07-31-2012 06:25

    I know this is an old thread, but where do you set the timers at?



  • 7.  RE: site to site VPN goes down regularly

    Posted 08-12-2012 20:02

    I too would like to know the CLI syntax for setting Phase 1 and Phase 2 timeouts.



  • 8.  RE: site to site VPN goes down regularly

    Posted 08-13-2012 05:01

    "Timers" for phase 1 and phase 2 are part of the custom proposal that is then applied to the VPN.

    SSG-> set ike p1-proposal phase1-proposal esp 3des sha-1 ?
    <return>
    days                 Lifetime (day)
    hours                Lifetime (hour)
    minutes              Lifetime (min)
    seconds              Lifetime (sec)
    SSG->

    SSG-> set ike p2-proposal phase2-proposal no-pfs esp 3des sha-1 ?
    <return>
    days                 Lifetime in (day)
    hours                Lifetime in (hour)
    kbyte                Lifesize in (K byte)
    minutes              Lifetime in (min)
    seconds              Lifetime in (sec)
    SSG->

    set ike gateway gw-1 address 1.1.1.1 main outgoing eth0/0 preshare xxxxxxx proposal phase1-proposal

    set vpn vpn-1 gateway gw-1 proposal phase2-proposal

    Regards,

    Sam