Re: Issue configuring site2-site with netscreen-25 and 3030

rbacct123 · ‎06-22-2005

I keep getting this error:

Rejected an IKE packet on ethernet3 from x.x.x.x:500 to x.x.x.x:500 with cookies d6bc86ee51809a80 and ad4ca32050996236 because there were no acceptable Phase 2 proposals.

I have tried every combination possible but no success. Has anyone had any success setting this up?

Thanks in advance.

m.singer · ‎06-28-2005

What is the PFS group set on both the devices? If there is a mismatch configure the same on both devices.

pat.gorsuch · ‎08-11-2005

Verify that the Proxy IDs on the NetScreen match the local and remote setting on the Cisco. If you're doing route-based VPN on the NS, this is in the "AutoKey IKE" section. If it's a policy-based VPN, make sure that the address entries match the local/remote of the Cisco (and DON'T USE ADDRESS GROUPS!).

For troubelshooting purposes, on the NS, use the command "set ike accept-all-proposals". This will allow the connection to be made and thus you'll see what the Cisco thinks you should be using. Adjust appropriately and then issue the command "unset ike accept-all-proposals" since that's a little too open for most environments (read: security risk).

fherbertnz · ‎08-15-2005

Hi

I am trying to setup an VPN between a NetScreen 25 and Cisco 837. We are unable to get past Phase one, the logs from the cisco box tells me that policies match, then it doesn't get past exchanging the key. I have tried the "set ike accept-all-proposal" but this has made no difference. Are you able to let me know how you configured your netscreen??

I'm sure the problem is the config of the netscreen but am not sure how the netscreen should be setup to work with an incoming vpn from the cisco box.

Thanks