Site to Site VPN Between Netscreen 25 and Cisco 837

fherbertnz
Level 1

I am having some difficulty setting up this VPN connection between our Cisco 837 box and Netscreen 25.

The Netscreen is configured as per the Juniper instructions here: http://2550.support.juniper.safeharbor.com/knowbase/root/public/ns3828.htm?

and also here: http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801c4445.shtml

but have been unable to get the VPN working.

The Phase 1 proposals match and are accepted, then the Cisco log seems to go round and round in circles trying to exchange a key???

See below for a copy of the Cisco debug crypto log (a shortened version):

00:06:46: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 1 policy
00:06:46: ISAKMP: encryption 3DES-CBC
00:06:46: ISAKMP: hash SHA
00:06:46: ISAKMP: default group 2
00:06:46: ISAKMP: auth pre-share
00:06:46: ISAKMP: life type in seconds
00:06:46: ISAKMP: life duration (basic) of 28800
00:06:46: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
00:06:47: ISAKMP:(0:2:HW:2):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
00:06:47: ISAKMP (0:268435458): ID payload
        next-payload : 8
        address : XXX.XXX.XXX.XXX
        protocol : 17
        port : 500
        length : 12
00:06:47: ISAKMP:(0:2:HW:2):Total payload length: 12
00:06:47: CryptoEngine0: generate hmac context for conn id 2
00:06:47: CryptoEngine0: CRYPTO_ISA_IKE_HMAC(hw)(ipsec)
00:06:47: CryptoEngine0: CRYPTO_ISA_IKE_ENCRYPT(hw)(ipsec)
00:06:47: ISAKMP:(0:2:HW:2): sending packet to XXX.XXX.XXX.XXX my_port 500 peer_port 500 (I) MM_KEY_EXCH
00:06:47: ISAKMP:(0:2:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
00:06:47: ISAKMP:(0:2:HW:2):Old State = IKE_I_MM4 New State = IKE_I_MM5
00:06:47: ISAKMP (0:268435458): received packet from XXX.XXX.XXX.XXX dport 500 sport 500 Global (I) MM_KEY_EXCH
00:06:47: ISAKMP: set new node 265976420 to QM_IDLE
00:06:47: ISAKMP (0:268435458): received packet from XXX.XXX.XXX.XXX dport 500 sport 500 Global (I) MM_KEY_EXCH
00:06:47: ISAKMP (0:268435458): received packet from XXX.XXX.XXX.XXX dport 500 sport 500 Global (I) MM_KEY_EXCH
00:06:47: ISAKMP (0:268435458): received packet from XXX.XXX.XXX.XXX dport 500 sport 500 Global (I) MM_KEY_EXCH
00:06:47: ISAKMP (0:268435458): received packet from XXX.XXX.XXX.XXX dport 500 sport 500 Global (I) MM_KEY_EXCH
00:06:47: ISAKMP: Info Notify message requeue retry counter exceeded sa request from XXX.XXX.XXX.XXX to XXX.XXX.XXX.XXX.
00:06:49: ISAKMP (0:268435457): received packet from XXX.XXX.XXX.XXX dport 500 sport 500 Global (I) MM_NO_STATE
00:06:51: ISAKMP (0:268435458): received packet from XXX.XXX.XXX.XXX dport 500 sport 500 Global (I) MM_KEY_EXCH
00:06:51: ISAKMP:(0:2:HW:2): phase 1 packet is a duplicate of a previous packet.
00:06:51: ISAKMP:(0:2:HW:2): retransmitting due to retransmit phase 1
00:06:51: ISAKMP:(0:2:HW:2): retransmitting phase 1 MM_KEY_EXCH...
00:07:11: ISAKMP:(0:2:HW:2):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer XXX.XXX.XXX.XXX)
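As an added example (not part of the original post and not a Cisco tool): a small parser for "debug crypto isakmp" output like the log above. It records the last Main Mode state the router reached, counts phase 1 retransmits, and pulls out the reason the SA was torn down, then maps an MM5 stall to the checks this thread ends up discussing (pre-shared key, IKE identity, NAT-T). The sample log is a constructed excerpt in the same format, with the peer address masked as the poster masked it.

```python
import re
from collections import Counter

# Constructed sample in the format of the poster's "debug crypto isakmp" output.
SAMPLE_LOG = """\
00:06:46: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
00:06:47: ISAKMP:(0:2:HW:2):Old State = IKE_I_MM4 New State = IKE_I_MM5
00:06:47: ISAKMP:(0:2:HW:2): sending packet to XXX.XXX.XXX.XXX my_port 500 peer_port 500 (I) MM_KEY_EXCH
00:06:51: ISAKMP:(0:2:HW:2): phase 1 packet is a duplicate of a previous packet.
00:06:51: ISAKMP:(0:2:HW:2): retransmitting phase 1 MM_KEY_EXCH...
00:07:11: ISAKMP:(0:2:HW:2):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer XXX.XXX.XXX.XXX)
"""

STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")
RETRANS_RE = re.compile(r"retransmitting phase (\d) (\w+)")
DELETE_RE = re.compile(r'deleting SA reason "([^"]+)" state \(([IR])\) (\S+)')

def analyse_isakmp_debug(text):
    """Summarise one Phase 1 attempt: last state reached, retransmits per exchange, deletion reason."""
    last_state = None
    retransmits = Counter()
    deletion = None
    for line in text.splitlines():
        m = STATE_RE.search(line)
        if m:
            last_state = m.group(2)
        m = RETRANS_RE.search(line)
        if m:
            retransmits[m.group(2)] += 1
        m = DELETE_RE.search(line)
        if m:
            deletion = {"reason": m.group(1), "role": m.group(2), "exchange": m.group(3)}
    return {"last_state": last_state, "retransmits": dict(retransmits), "deletion": deletion}

def diagnose(summary):
    """Map the summary to the usual next check for that point in Main Mode."""
    d = summary["deletion"]
    if d and d["reason"].startswith("Death by retransmission P1"):
        if summary["last_state"] == "IKE_I_MM5":
            # MM1-MM4 completed (proposals accepted, DH done); MM5 is the first encrypted message,
            # so a peer that cannot decrypt or authenticate it simply never answers with MM6.
            return "stalled at MM5: verify pre-shared key, IKE identity type and NAT-T on both peers"
        return "phase 1 retransmit timeout at %s: check UDP/500 (and 4500) reachability to the peer" % summary["last_state"]
    if d:
        return "SA deleted: " + d["reason"]
    return "no phase 1 failure recorded"
```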

5 Replies

rating_is_vital
Level 1

Hi,

Have you checked the pre-shared key? According to the log, several messages containing the key have been sent by the Netscreen but it was not accepted. I suggest you double check the pre-shared key on both devices.

I'm pretty sure the pre-shared key is matching... this part of the log seems to confirm that:

01:57:35: ISAKMP: Looking for a matching key for XXX.XXX.XXX.XXX in default : success
01:57:35: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching XXX.XXX.XXX.XXX
01:57:35: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
01:57:35: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
01:57:35: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
01:57:35: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
01:57:35: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_I_MM1
01:57:35: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange

That all happens before the log section posted previously. I will double check the keys though.

Thanks.

Try to confirm: is NAT-T configured on the Netscreen?

bchoisser
Level 1

This looks like exactly what I was doing. I connected a Netscreen 50 with a Cisco 1841. I opened a TAC case and got a Cisco tech that used to install Netscreen boxes. The documentation wants you to set up a route-based VPN; we were only able to get this to work with a policy-based VPN on the Netscreen box. Here is a snip of my config that worked.

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 lifetime 28800
crypto isakmp key address 6.15.18.25
crypto isakmp profile default
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 6.15.18.25
 set security-association lifetime seconds 28800
 set transform-set ESP-3DES-SHA
 match address 102
!
!
!
interface FastEthernet0/0
 description Outside interface
 ip address 20.16.11.26 255.255.255.252
 ip access-group 104 in
 ip verify unicast reverse-path
 ip inspect DEFAULT100 in
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 speed 100
 full-duplex
 crypto map SDM_CMAP_1
!
interface FastEthernet0/1
 description Inside trusted network
 ip address 192.168.141.254 255.255.255.0
 ip access-group 100 in
 ip inspect DEFAULT100 in
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 speed 100
 half-duplex
!
interface Serial0/0/0
 no ip address
 ip route-cache flow
 shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 20.16.11.25 permanent
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat pool mypool-P1 20.16.11.145 20.16.11.150 netmask 255.255.255.248
ip nat inside source list 110 pool mypool-P1 overload
!
access-list 100 deny ip 20.16.11.24 0.0.0.3 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 102 permit ip 192.168.141.0 0.0.0.255 172.16.19.0 0.0.0.255
access-list 102 permit ip 192.168.141.0 0.0.0.255 192.25.0.0 0.0.255.255
access-list 102 permit ip 192.168.141.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 102 permit ip 192.168.141.0 0.0.0.255 10.12.0.0 0.0.255.255
access-list 104 permit ahp host 6.15.18.25 host 20.16.11.26
access-list 104 permit esp host 6.15.18.25 host 20.16.11.26
access-list 104 permit udp host 6.15.18.25 host 20.16.11.26 eq isakmp
access-list 104 permit udp host 6.15.18.25 host 20.16.11.26 eq non500-isakmp
access-list 104 permit ip 172.16.19.0 0.0.0.255 192.168.141.0 0.0.0.255
access-list 104 permit ip 192.25.0.0 0.0.255.255 192.168.141.0 0.0.0.255
access-list 104 permit ip 192.168.0.0 0.0.255.255 192.168.141.0 0.0.0.255
access-list 104 permit ip 10.12.0.0 0.0.255.255 192.168.141.0 0.0.0.255
access-list 104 permit ip 192.168.141.0 0.0.0.255 any
access-list 104 permit icmp any host 20.16.11.26 echo-reply
access-list 104 permit icmp any host 20.16.11.26 time-exceeded
access-list 104 permit icmp any host 20.16.11.26 unreachable
access-list 104 deny ip 10.0.0.0 0.255.255.255 any
access-list 104 deny ip 172.16.0.0 0.15.255.255 any
access-list 104 deny ip 192.168.0.0 0.0.255.255 any
access-list 104 deny ip 127.0.0.0 0.255.255.255 any
access-list 104 deny ip host 255.255.255.255 any
access-list 104 deny ip host 0.0.0.0 any
access-list 104 deny ip any any log
access-list 110 deny ip 192.168.141.0 0.0.0.255 172.16.19.0 0.0.0.255
access-list 110 deny ip 192.168.141.0 0.0.0.255 192.25.0.0 0.0.255.255
access-list 110 deny ip 192.168.141.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 110 deny ip 192.168.141.0 0.0.0.255 10.12.0.0 0.0.255.255
access-list 110 permit ip 192.168.141.0 0.0.0.255 any
no cdp run
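As an added example (my own checker, not the poster's config or anything from Cisco): the working config above keeps three access lists in step, the crypto-map match list (102), the NAT list (110, which must deny the VPN pairs before its permit), and the inbound list on the outside interface (104, which must permit the mirrored pairs). A missing NAT exemption or mirror is a common reason a tunnel negotiates but carries no traffic, so this script parses the access-list lines and reports any crypto pair the other two lists do not cover. The sample is a constructed excerpt of that config that deliberately leaves out one NAT exemption.

```python
# Constructed excerpt in the style of the config above; the 10.12.0.0 NAT deny is left out on purpose.
CONFIG = """\
access-list 102 permit ip 192.168.141.0 0.0.0.255 172.16.19.0 0.0.0.255
access-list 102 permit ip 192.168.141.0 0.0.0.255 10.12.0.0 0.0.255.255
access-list 104 permit udp host 6.15.18.25 host 20.16.11.26 eq isakmp
access-list 104 permit ip 172.16.19.0 0.0.0.255 192.168.141.0 0.0.0.255
access-list 104 permit ip 10.12.0.0 0.0.255.255 192.168.141.0 0.0.0.255
access-list 110 deny ip 192.168.141.0 0.0.0.255 172.16.19.0 0.0.0.255
access-list 110 permit ip 192.168.141.0 0.0.0.255 any
"""

def _addr(tokens):
    """Consume one IOS address spec from the front of the token list: any | host A | A wildcard."""
    t = tokens.pop(0)
    if t == "any":
        return ("0.0.0.0", "255.255.255.255")
    if t == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (t, tokens.pop(0))

def parse_acls(text):
    """Return {acl_number: [(action, (src, wildcard), (dst, wildcard)), ...]} for 'ip' entries, in order."""
    acls = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) >= 5 and tok[0] == "access-list" and tok[3] == "ip":
            rest = tok[4:]
            src = _addr(rest)
            dst = _addr(rest)
            acls.setdefault(tok[1], []).append((tok[2], src, dst))
    return acls

def check_vpn_acls(acls, crypto="102", inbound="104", nat="110"):
    """Every crypto permit needs a NAT deny placed before the first NAT permit, plus a mirrored inbound permit."""
    problems = []
    nat_entries = acls.get(nat, [])
    first_permit = next((i for i, e in enumerate(nat_entries) if e[0] == "permit"), len(nat_entries))
    nat_denies = {(s, d) for a, s, d in nat_entries[:first_permit] if a == "deny"}
    inbound_permits = {(s, d) for a, s, d in acls.get(inbound, []) if a == "permit"}
    for action, src, dst in acls.get(crypto, []):
        if action != "permit":
            continue
        if (src, dst) not in nat_denies:
            problems.append("%s -> %s is not exempted from NAT in ACL %s before its permit" % (src[0], dst[0], nat))
        if (dst, src) not in inbound_permits:
            problems.append("no mirrored permit for %s -> %s in inbound ACL %s" % (dst[0], src[0], inbound))
    return problems
```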

pgasparovic
Level 1

Even though this is a damn old topic that Google provided me a link to based on querying "Info Notify message requeue retry counter exceeded sa" today.. I definitely needed to experiment with pre-shared keys even though they had been the same on two Cisco devices, one Cisco 881 with 15.1(4)M3 (even latest 15.2(4)M1) versus Cisco 7200 with 12.4T, site2site config with IPSEC and ISAKMP profiles for IPSEC/GRE setup... and it was really the passwords!!

Half a day we could not run using DNE_CPE :))... then we started with easy lolo123 = OK!.. continued lolo123_ = OK! ... lolo_123 = OK! .. dnecpe = OK! ... DNECPE_ = OK! ... BACK TO DNE_CPE = OK!!

Yeah, a daytime nightmare.. Even a router reload has not helped before starting to play with keys.. So f***ed up this IKE Ph1 can be. Have a nice X-mas time and Happy N.Y. 2013! :-D