ScreenOS Firewalls (NOT SRX)
DPA

tunnel between nortel contivity and ssg5

Hi forum,

First of all, I hope this is the correct forum for this matter. Now,

I'm trying to configure a VPN between a Juniper SSG5 (public dynamic IP address) and a Nortel Contivity (public static IP address) over the Internet.

I have created both LAN objects, configured all physical IP interfaces, the remote gateway, the firewall policy (action = tunnel, selecting the created tunnel) and the default route. I have chosen pre-g2-3des-md5 for Phase 1 (VPNs > AutoKey Advanced > Gateway > Advanced > Phase 1 proposal), and "compatible" for Phase 2 (VPNs > AutoKey IKE > tunnel_name > Advanced > Phase 2 proposal).

On the other peer (Nortel) I have configured a "responder" tunnel with 3des-md5-g2 IPsec parameters.

The tunnel is not coming up. The logs show the following messages.

SSG5: 'information:' 'IKE x.y.z.t Phase1: Retransmission limit has been reached' (x.y.z.t being the remote gateway)

Nortel: 'No proposal chosen. Diffie-hellman group mismatch in message from a.b.c.d'

It looks quite clear that the problem is a DH group Phase 1 misconfiguration between the peers, but I have configured DH2 on both peers!

I have also tried configuring DH group 1 and a route-based VPN configuration, but I get the same error.

Thanks in advance for your collaboration.

Regards, forum.

Jickfoo

Re: tunnel between nortel contivity and ssg5

I have a similar tunnel; for both P1 and P2 proposals I use

user defined - pre-g2-3des-sha
user defined - pre-g2-3des-md5

Do you have proxy IDs enabled with matching subnets on both ends?

Good luck

mehdi

Re: tunnel between nortel contivity and ssg5

Hi DPA,

Have you selected dynamic IP on your firewall (Phase 1 > Advanced > NAT traversal and aggressive mode)? If not, could you please try it?

Best regards

Kind regards
http://www.linkedin.com/in/mkhitmane
personal mail: mehdi.khitmane@gmail.com
PentinProcessor

Re: tunnel between nortel contivity and ssg5

DPA,

These two KB articles should help you with those errors. It sounds like the preshared keys are not matching.

KB9238 - How to Analyze IKE Phase 1 Messages in the Event Logs
KB5428 - IKE Negotiation Fails: Phase 1 SA Not Acceptable, No Proposal Chosen

These articles can be found in the VPN Resolution Guide.

Once you get past the Phase 1 error, here's a compatibility issue to watch out for:

KB12238 - IKE phase 2 negotiation fails when configuring IPSec VPN to Nortel Contivity; debug report...

Let us know how it goes.

--Josine

DPA

Re: tunnel between nortel contivity and ssg5

Thanks for your answers.

Jickfoo: I have checked and defined proxy IDs.

Mehdi: I'm gonna check that; I can't remember that setting's configuration now.

PentinProcessor: I already read KB12238 from the knowledge base. I'm gonna check the others.

ASAP I will give you feedback.

Thanks in advance, forum.

mehdi

Re: tunnel between nortel contivity and ssg5

Hi DPA,

Dynamic peers:

The NetScreen firewall provides a solution for this through the use of local and peer IDs.

By configuring a local ID on the initiating device with the dynamic IP address, the device presents this information to the recipient device when attempting to establish the Phase 1 negotiation. The recipient device is configured to recognise this through a peer ID and, as a result, can accept the initiator's current IP address.

Note: the Phase 1 mode of a VPN with a dynamic IP must be set to aggressive.

Configuring a site-to-site VPN with a dynamic IP:

On the initiating device:

set ike gateway gw-name address remote-gw aggressive local-id X.X.X.X outgoing-interface ethX preshare ******** proposal p1proposal

On the recipient device:

set ike gateway gw-name dynamic peer-id w aggressive outgoing-interface ethX preshare ******** proposal p1proposal

Netscreen JNCIS-FWV Study Guide V1.3-public.doc
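A complete SSG5 (initiator) side of the dynamic-peer setup mehdi describes, which also covers the proposal, proxy-ID and route-based pieces from the original question. This is an added example, not configuration from the thread or the study guide; the gateway and VPN names, interfaces, addresses, local-id string and the PSK placeholder are all assumptions.

```screenos
## Added example (not from the thread). Assumed values: untrust
## interface ethernet0/0 with a dynamic address, trust LAN
## 192.168.1.0/24, Nortel Contivity at 203.0.113.10 with LAN 10.0.0.0/24,
## route-based VPN bound to tunnel.1. Replace <PSK-PLACEHOLDER>.

## Phase 1: aggressive mode is required because the SSG5 has no fixed
## address; the Contivity matches the local-id instead of a source IP.
## Proposal is the thread's pre-g2-3des-md5 (PSK, DH group 2, 3DES, MD5).
set ike gateway "gw-nortel" address 203.0.113.10 aggressive local-id "ssg5.example.com" outgoing-interface ethernet0/0 preshare "<PSK-PLACEHOLDER>" proposal "pre-g2-3des-md5"
set ike gateway "gw-nortel" nat-traversal

## Phase 2: one explicit proposal rather than "compatible", so the peer
## is offered exactly the 3des-md5-g2 parameters the Contivity expects.
set vpn "vpn-nortel" gateway "gw-nortel" no-replay tunnel idletime 0 proposal "g2-esp-3des-md5"

## Proxy-ID must mirror the Contivity's local/remote networks exactly
## (swapped): local = our LAN, remote = their LAN.
set vpn "vpn-nortel" proxy-id local-ip 192.168.1.0/24 remote-ip 10.0.0.0/24 "ANY"

## Route-based: tunnel interface in the untrust zone, VPN bound to it,
## and a static route sending the remote LAN into the tunnel.
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet0/0
set vpn "vpn-nortel" bind interface tunnel.1
set route 10.0.0.0/24 interface tunnel.1

## Policies limited to the two LANs rather than any-any.
set address trust "lan-local" 192.168.1.0 255.255.255.0
set address untrust "lan-nortel" 10.0.0.0 255.255.255.0
set policy from trust to untrust "lan-local" "lan-nortel" any permit
set policy from untrust to trust "lan-nortel" "lan-local" any permit

## Verification after bringing traffic up: Phase 1 cookies, then SAs.
## If Phase 1 still fails, capture the exchange as AndyC suggests.
get ike cookie
get sa
debug ike detail
get dbuf stream
undebug all
```

The Contivity side must use the same PSK, the same 3des-md5-g2 parameters, and a peer ID equal to the local-id string above; any difference shows up on the SSG5 as the Phase 1 retransmission message from the original post.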
AndyC

Re: tunnel between nortel contivity and ssg5

Hi,

On the NetScreen, can you do a "debug ike detail" and try to establish the VPN?

Post the output of the debug; it will give us an idea of what the Nortel is sending.

Regards

Andy

JNCIS-FWV
JNCIA-WX
JNCIA-SSL
JNCIA-ER
flow-mercury

Re: tunnel between nortel contivity and ssg5

Passing by, to learn about it. :)
sdfasdf

Re: tunnel between nortel contivity and ssg5

I tried to configure the local ID with aggressive mode enabled, and the tunnel went up.

Thanks for your help.

Have a nice year!

Copyright © 1999-2013 Juniper Networks, Inc. All rights reserved.