ScreenOS


This is a legacy community with limited Juniper monitoring.
  • 1.  tunnel between nortel contivity and ssg5

    Posted 12-24-2008 04:56

    Hi forum,

    First of all, I hope this is the correct forum for this matter. Now,

     

    I'm trying to configure a VPN between a Juniper SSG5 (public dynamic IP address) and a Nortel Contivity (public static IP address) over the Internet.

    I have created both LAN objects, configured all physical IP interfaces, the remote gateway, the firewall policy (action = tunnel, selecting the created tunnel) and the default route. I have chosen pre-g2-3des-md5 for Phase 1 (VPNs > AutoKey Advanced > Gateway > Advanced > Phase 1 proposal), and "Compatible" for Phase 2 (VPNs > AutoKey IKE > tunnel_name > Advanced > Phase 2 proposal).

     

    On the other peer (Nortel) I have configured a "responder" tunnel with 3des-md5-g2 IPsec parameters.

     

     

    The tunnel is not coming up. The logs show the following messages.

     

    SSG5: 'information:' 'IKE x.y.z.t Phase1: Retransmission limit has been reached' (x.y.z.t being the remote gateway)

    Nortel: 'No proposal chosen. Diffie-Hellman group mismatch in message from a.b.c.d'

     

    It looks quite clear that the problem is a Phase 1 DH group misconfiguration on the peers, but I have configured DH2 on both peers!

     

    I have also tried configuring DH group 1 and a route-based VPN configuration, but I get the same error.

     

    Thanks in advance for your collaboration.

    Regards, forum.



  • 2.  RE: tunnel between nortel contivity and ssg5

    Posted 12-24-2008 06:11

    I have a similar tunnel; for both P1 and P2 proposals I use

     

    user defined - pre-g2-3des-sha
    user defined - pre-g2-3des-md5

    Do you have proxy IDs enabled with matching subnets on both ends?

     

    Good Luck



  • 3.  RE: tunnel between nortel contivity and ssg5

    Posted 12-25-2008 05:53

    Hi PDA

     

    Did you select dynamic IP on your firewall under Phase 1 Advanced > NAT traversal, and aggressive mode? If not, could you please try it?

    Best regards



  • 4.  RE: tunnel between nortel contivity and ssg5

    Posted 12-27-2008 20:56

    DPA,

     

    These two KB articles should help you with those errors. It sounds like the pre-shared keys are not matching.

     

    KB9238 - How to Analyze IKE Phase 1 Messages in the Event Logs
    KB5428 - IKE Negotiation Fails: Phase 1 SA Not Acceptable, No Proposal Chosen


    These articles can be found in the VPN Resolution Guide.

     


    Once you get past the Phase 1 error, here's a compatibility issue to watch out for:

    KB12238 - IKE phase 2 negotiation fails when configuring IPSec VPN to Nortel Contivity; debug reports "P2 attributes not supported"

     

     

    Let us know how it goes.

    --Josine



  • 5.  RE: tunnel between nortel contivity and ssg5

    Posted 12-29-2008 00:18

    Thanks for your answers.

    Jickfoo: I have checked and defined proxy IDs.

    Medhi: I'm going to check that; I can't remember that setting's configuration right now.

    PentinProcessor: I already read KB12238 from the knowledge base. I'm going to check the others.

     

    I will give you feedback ASAP.

     

    Thanks in advance forum.

     



  • 6.  RE: tunnel between nortel contivity and ssg5
    Best Answer

    Posted 12-30-2008 02:29

    Hi PDA

     

    Dynamic Peers: 

    NetScreen firewalls provide a solution for this through the use of a local ID and a peer ID.

    By configuring a local ID on the initiating device with the dynamic IP address, the device presents this information to the recipient device when attempting to establish the Phase 1 negotiation. The recipient device is configured to recognize this through a peer ID and, as a result, can accept the initiator's current IP address.

     

    Note: the Phase 1 mode of a VPN with a dynamic IP must be set to aggressive.

    Configuring a site-to-site VPN with a dynamic IP:

     

    On the initiating device:

    set ike gateway gw-name address remote-gw aggressive local-id X.X.X.X outgoing-interface ethX preshare ******** proposal p1proposal

     

    On the recipient device:

    set ike gateway gw-name dynamic peer-id aggressive outgoing-interface ethX preshare ******** proposal p1proposal

     

    NetScreen JNCIS-FWV Study Guide V1.3-public.doc
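
Worked example of the mechanism this answer describes (and of the "No proposal chosen" error quoted in the first post), added here as an illustration; it is not part of the original thread or of the JNCIS study guide. It is a small Python model of how an IKEv1 responder picks a gateway profile and matches a Phase 1 proposal. The ScreenOS predefined proposal names (Standard, Compatible, Basic) are real; the gateway names, peer IDs and addresses are constructed. Main mode message 1 carries only the SA payload, so a responder can match a peer only by source IP; aggressive mode message 1 also carries the initiator's ID payload, which is why a dynamic-address peer needs aggressive mode plus a local-id/peer-id pair. The trade-off to keep in mind: aggressive mode sends that identity in the clear and exposes the PSK-based authentication hash to a passive observer, so the pre-shared key must be long and random.

```python
"""Toy model of IKEv1 Phase 1 from the responder's point of view: gateway
selection and proposal matching. Constructed example; the ScreenOS proposal
names are real, every address, gateway name and ID is made up."""
from dataclasses import dataclass
from typing import Optional

# ScreenOS predefined Phase 1 proposal sets (as named in the WebUI).
P1_SETS = {
    "Standard": ["pre-g2-aes128-sha", "pre-g2-3des-sha"],
    "Compatible": ["pre-g2-3des-sha", "pre-g2-3des-md5",
                   "pre-g2-des-sha", "pre-g2-des-md5"],
    "Basic": ["pre-g1-des-sha", "pre-g1-des-md5"],
}


def parse_p1(name: str) -> dict:
    """'pre-g2-3des-md5' -> auth=pre, dh_group=2, enc=3des, hash=md5."""
    auth, group, enc, hsh = name.split("-")
    return {"auth": auth, "dh_group": int(group[1:]), "enc": enc, "hash": hsh}


@dataclass
class Gateway:
    name: str
    proposals: list                  # Phase 1 proposals this gateway accepts
    address: Optional[str] = None    # static peer: matched by source IP
    peer_id: Optional[str] = None    # dynamic peer: matched by the IKE ID payload
    aggressive: bool = False         # dynamic peers require aggressive mode


def select_gateway(gateways, src_ip, mode, initiator_id=None):
    """Main mode message 1 carries only the SA payload, so the responder can
    match a gateway by source address alone. Aggressive mode message 1 also
    carries IDii, so a peer with a dynamic address can be matched by its ID."""
    for gw in gateways:
        if gw.address is not None and gw.address == src_ip:
            return gw
    if mode == "aggressive" and initiator_id is not None:
        for gw in gateways:
            if gw.aggressive and gw.peer_id == initiator_id:
                return gw
    return None


def match_proposal(offered, accepted):
    """Return (chosen, None) for the first proposal both sides share, else
    (None, reason) naming the attributes that differ between the first
    offered and the first accepted proposal (the DH group in the thread's case)."""
    accepted_parsed = [parse_p1(a) for a in accepted]
    for o in offered:
        if parse_p1(o) in accepted_parsed:
            return o, None
    want, have = parse_p1(offered[0]), parse_p1(accepted[0])
    diffs = [f"{k} (offered {want[k]}, accepted {have[k]})"
             for k in want if want[k] != have[k]]
    return None, "No proposal chosen: " + ", ".join(diffs)


def negotiate_p1(gateways, src_ip, mode, offered, initiator_id=None):
    """One Phase 1 attempt, summarised as the responder would log it."""
    gw = select_gateway(gateways, src_ip, mode, initiator_id)
    if gw is None:
        # No matching gateway: the responder drops the packet, so the only
        # symptom on the initiator is 'Phase1: Retransmission limit has been reached'.
        return "DROPPED_NO_GATEWAY"
    chosen, reason = match_proposal(offered, gw.proposals)
    if chosen is None:
        return f"{gw.name}: {reason}"
    return f"{gw.name}: P1 OK with {chosen}"


# Constructed responder (the static-IP side). 203.0.113.7 is whatever dynamic
# address the initiator has today; no gateway is keyed on it.
RESPONDER_GWS = [
    Gateway("branch-static", P1_SETS["Compatible"], address="198.51.100.10"),
    Gateway("ssg5-dynamic", ["pre-g2-3des-md5"],
            peer_id="ssg5@example.net", aggressive=True),
]


def demo():
    """Three attempts mirroring the thread: main mode from a dynamic address,
    aggressive mode with a local-id, and a DH group mismatch (the last one
    uses a user-defined proposal name, pre-g1-3des-md5, for the group-1 case)."""
    r = {}
    r["main_dynamic"] = negotiate_p1(RESPONDER_GWS, "203.0.113.7", "main",
                                     ["pre-g2-3des-md5"])
    r["aggr_with_id"] = negotiate_p1(RESPONDER_GWS, "203.0.113.7", "aggressive",
                                     ["pre-g2-3des-md5"], "ssg5@example.net")
    r["dh_mismatch"] = negotiate_p1(RESPONDER_GWS, "203.0.113.7", "aggressive",
                                    ["pre-g1-3des-md5"], "ssg5@example.net")
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:13} {v}")
```

The first attempt is the situation in the original post as the responder sees it: a main mode packet from an address it has no gateway for is simply dropped, and the initiator can only report a retransmission limit. The second attempt shows why adding a local-id and switching to aggressive mode (post 8) made the tunnel come up. The third shows the shape of the Nortel's "DH group mismatch" message when the proposals really do differ.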

     



  • 7.  RE: tunnel between nortel contivity and ssg5

    Posted 12-30-2008 02:32

    Hi,

     

    On the NetScreen, can you run "debug ike detail" and try to establish the VPN?

     

    Post the output of the debug; it will give us an idea of what the Nortel is sending.

     

    Regards

     

    Andy



  • 8.  RE: tunnel between nortel contivity and ssg5

    Posted 01-02-2009 00:40

    I tried to configure the local id with aggressive mode enabled, and the tunnel went up.

     

    Thanks for your help.

    Have a nice year!



  • 9.  RE: tunnel between nortel contivity and ssg5

    Posted 12-30-2008 19:48
    Passing by, to learn about this :)