Screen OS

  • 1.  vpn between isg 1000 firewall and cisco behind the NAT device

    Posted 03-24-2009 07:34


    Hi friends,

    I have a NetScreen ISG 1000, and I have configured a VPN to a Cisco behind a NAT device. On the NetScreen I have created a MIP on the Untrust interface, 10.180.27.129/32, to the inside IP 192.168.2.189/32.

    I created P1 and P2 proposals, a gateway towards the remote gateway of type static, 202.46.211.45, IKE to the gateway, and created the policy.

    P1 proposal:
    Encryption  3DES
    Authentication  MD5
    Diffie-Hellman Group  Group 2
    Preshared Key  ex: 123456
    LifeTime (sec)  86400
    Mode  Main

    P2 proposal:
    Type  ESP
    Encryption  3DES
    Authentication  MD5
    Compression  None
    LifeTime (sec)  28800
    PFS  Disable

    Policies:
    untrust to trust  source 192.168.40.124/32  dest MIP(10.180.27.129)  action permit
    trust to untrust  source 192.168.2.189/32  dest MIP(10.180.27.129)  action permit

    When a packet is initiated from the remote site I am getting these error logs:

    Rejected an IKE packet on ethernet2/4 from 202.46.211.45:500 to 89.211.35.2:500 with cookies fa79bb8d84d89a63 and 72edf3c7138f8eed because the VPN does not have an application SA configured.

    IKE<202.46.211.25> Phase 2: No policy exists for the proxy ID received: local ID (<10.180.27.129>/<255.255.255.255>, <0>, <0>) remote ID (<192.168.40.124>/<255.255.255.255>, <0>, <0>).

    IKE<202.46.211.45> Phase 2 msg ID <80ca7f03>: Responded to the peer's first message.

    IKE<202.46.211.45> Phase 2 msg ID <80ca7f03>: Negotiations have failed.

    I am attaching the diagram also.

    Thanks and regards,

    Rakesh Hari



  • 2.  RE: vpn between isg 1000 firewall and cisco behind the NAT device

    Posted 03-24-2009 09:11

    Hi,

    Have you created your tunnel interface? Have you bound your tunnel interface to this Phase 2? Have you fixed your Phase 2 proxy ID?

    Either you fix your proxy ID on the Juniper, or you should implement the same rules on both sides, the Cisco side and the Juniper side.

    Regards



  • 3.  RE: vpn between isg 1000 firewall and cisco behind the NAT device

    Posted 03-24-2009 11:39
    I have created the tunnel interface and integrated it with the gateway, but it didn't work. I am enclosing the screenshot.

    Attachment(s): vpn mip.pdf (pdf, 1.80 MB)


  • 4.  RE: vpn between isg 1000 firewall and cisco behind the NAT device

    Posted 03-24-2009 12:43

    Hi,
    Are you using a route-based VPN? In your screenshot, it looks like the tunnel interface has not been tied to the VPN.

    I think you need to set the proxy ID, as it does not look correct in the screenshot. The proxy ID can be set under
    VPN-> AutoKey IKE->

    You need the proxy ID to be:
    Local ID: 10.180.27.129/32  Remote: 192.168.40.124/32

    If you can, post the configuration with:
    get conf | i ike
    get conf | i vpn

    get event



  • 5.  RE: vpn between isg 1000 firewall and cisco behind the NAT device

    Posted 03-24-2009 13:00
    I am using a policy-based VPN. When I reach the office I will send the conf. Do I need to create the tunnel interface? I don't have enough time for trial; I am under pressure and need to finish this tomorrow. If you have the documentation, please send it to me.


  • 6.  RE: vpn between isg 1000 firewall and cisco behind the NAT device
    Best Answer

    Posted 03-24-2009 13:15

    Try this KB for policy-based VPN:

    http://kb.juniper.net/KB4757

    (1) You don't need a tunnel interface for this.

    (2) The policy needs to be tied to the VPN (the policy should take care of the proxy ID).
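    The "No policy exists for the proxy ID received" event in the original post is the symptom that posts 4 and 6 address: with a policy-based VPN, ScreenOS takes the proxy ID from the addresses of a policy whose action is tunnel vpn, so a plain permit policy contributes no proxy ID and the Cisco's crypto ACL then matches nothing on the NetScreen side. The following is an added example, not code from this thread or from Juniper: a small Python checker that parses that event and tests the received proxy ID against a simplified, hypothetical model of the firewall's policies (the Policy class, zone names and VPN name are assumptions, and the service part of the proxy ID is ignored). Run on the constructed sample it explains why the original permit policies failed and confirms that the untrust-to-trust tunnel policy from the last post matches.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ScreenOS event emitted when a peer's Phase 2 proxy ID matches no policy.
PROXY_ID_RE = re.compile(
    r"IKE<(?P<peer>[\d.]+)> Phase 2: No policy exists for the proxy ID received: "
    r"local ID \(<(?P<lip>[\d.]+)>/<(?P<lmask>[\d.]+)>, <\d+>, <\d+>\) "
    r"remote ID \(<(?P<rip>[\d.]+)>/<(?P<rmask>[\d.]+)>, <\d+>, <\d+>\)"
)


@dataclass(frozen=True)
class ProxyId:
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network


@dataclass(frozen=True)
class Policy:
    """Simplified, hypothetical model of a ScreenOS policy (not a config parser)."""
    from_zone: str
    to_zone: str
    src: str                   # address object as written in the policy
    dst: str
    vpn: Optional[str] = None  # VPN name for 'tunnel vpn <name>'; None for 'permit'


def address_of(obj: str) -> ipaddress.IPv4Network:
    """Map a policy address object to the network that appears in the proxy ID.
    A MIP contributes its public (MIP) address, never the inside host."""
    m = re.fullmatch(r"MIP\(([\d.]+)\)", obj)
    return ipaddress.ip_network(m.group(1) if m else obj)


def policy_proxy_id(p: Policy, tunnel_zone: str = "untrust") -> ProxyId:
    """Derive the proxy ID a policy-based VPN takes from its policy: the address
    on the tunnel-zone side becomes the remote ID, the other the local ID, so
    the direction of the policy matters."""
    if p.from_zone == tunnel_zone:
        return ProxyId(address_of(p.dst), address_of(p.src))
    return ProxyId(address_of(p.src), address_of(p.dst))


def parse_rejections(log_text: str) -> List[Tuple[str, ProxyId]]:
    """Extract (peer, received proxy ID) pairs from ScreenOS IKE event lines."""
    found = []
    for line in log_text.splitlines():
        m = PROXY_ID_RE.search(line)
        if m:
            local = ipaddress.ip_network(f"{m['lip']}/{m['lmask']}")
            remote = ipaddress.ip_network(f"{m['rip']}/{m['rmask']}")
            found.append((m["peer"], ProxyId(local, remote)))
    return found


def classify(received: ProxyId, policies: List[Policy]) -> str:
    """Explain why the received proxy ID was rejected; best verdict wins."""
    best, rank = "no policy covers this proxy ID", 3
    for p in policies:
        pid = policy_proxy_id(p)
        if pid == received:
            verdict, r = (("matched by a tunnel policy", 0) if p.vpn
                          else ("matching policy has action permit, not tunnel vpn", 1))
        elif p.vpn and ProxyId(pid.remote, pid.local) == received:
            verdict, r = "tunnel policy exists but local/remote IDs are reversed", 2
        else:
            continue
        if r < rank:
            best, rank = verdict, r
    return best


def diagnose(log_text: str, policies: List[Policy]) -> List[Tuple[str, str, str, str]]:
    return [(peer, str(rx.local), str(rx.remote), classify(rx, policies))
            for peer, rx in parse_rejections(log_text)]


# Constructed sample log, using the addresses from the thread.
SAMPLE_EVENTS = """\
IKE<202.46.211.45> Phase 2: No policy exists for the proxy ID received: local ID (<10.180.27.129>/<255.255.255.255>, <0>, <0>) remote ID (<192.168.40.124>/<255.255.255.255>, <0>, <0>).
IKE<202.46.211.45> Phase 2 msg ID <80ca7f03>: Responded to the peer's first message.
IKE<202.46.211.45> Phase 2 msg ID <80ca7f03>: Negotiations have failed.
"""

# The original post's policies: plain permit, so no proxy ID is ever derived.
ORIGINAL_POLICIES = [
    Policy("untrust", "trust", "192.168.40.124/32", "MIP(10.180.27.129)"),
    Policy("trust", "untrust", "192.168.2.189/32", "MIP(10.180.27.129)"),
]

# The same inbound policy with action 'tunnel vpn' (VPN name assumed).
FIXED_POLICIES = [
    Policy("untrust", "trust", "192.168.40.124/32", "MIP(10.180.27.129)", vpn="cisco-vpn"),
]

if __name__ == "__main__":
    for label, pols in (("before", ORIGINAL_POLICIES), ("after", FIXED_POLICIES)):
        for peer, local, remote, verdict in diagnose(SAMPLE_EVENTS, pols):
            print(f"{label}: peer {peer} local {local} remote {remote}: {verdict}")
```

    The check is direction-aware on purpose: an untrust-to-trust policy yields local = destination, remote = source, which is why the MIP address (not the inside host 192.168.2.189) must appear as the local ID and must be what the Cisco side's crypto ACL expects as its remote network.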



  • 7.  RE: vpn between isg 1000 firewall and cisco behind the NAT device

    Posted 03-25-2009 07:38

    Hi, thanks for your help.

    I got some more information from Juniper support. I added this command: set flow vpn-untrust-mip. I created a bidirectional policy,

    from Untrust to Trust (source 192.168.40.124/32, destination MIP(10.180.27.129/32)), with action Tunnel, integrated with the tunnel, and it is working fine.

    Once again, thank you for your support.