
VPN 3000 - netscreen 5xp lan to lan problem

sante.guzzo
Level 1

Hello,

I'm trying to set up a LAN-to-LAN VPN.

The tunnel is up, but there is no traffic.

Here is the log from the Cisco side:

28 03/02/2006 17:03:39.020 SEV=7 IKEDBG/80 RPT=4578 212.34.x.x

Group [212.34.x.x]

Found Phase 1 Group (212.34.x.x)

31 03/02/2006 17:03:39.020 SEV=7 IKEDBG/28 RPT=4584 212.34.x.x

Group [212.34.x.x]

IKE SA Proposal # 1, Transform # 2 acceptable

Matches global IKE entry # 2 Proposal (IKE-3DES-MD5)

34 03/02/2006 17:03:39.150 SEV=3 IKE/134 RPT=287 212.34.x.x

Group [212.34.x.x]

Mismatch: Configured LAN-to-LAN proposal differs from negotiated proposal.

Verify local and remote LAN-to-LAN connection lists.

53 03/02/2006 17:03:39.220 SEV=4 IKE/119 RPT=4310 212.34.x.x

Group [212.34.x.x]

PHASE 1 COMPLETED

56 03/02/2006 17:03:39.220 SEV=7 IKEDBG/82 RPT=4310 212.34.x.x

Group [212.34.x.x]

Starting phase 1 rekey timer: 21600000 (ms)

57 03/02/2006 17:03:39.230 SEV=5 IKE/35 RPT=926 212.34.x.x

Group [212.34.x.x]

Received remote IP Proxy Subnet data in ID Payload:

Address 192.168.1.0, Mask 255.255.255.0, Protocol 0, Port 0

60 03/02/2006 17:03:39.230 SEV=5 IKE/34 RPT=5452 212.34.x.x

Group [212.34.x.x]

Received local IP Proxy Subnet data in ID Payload:

Address 10.10.0.0, Mask 255.255.224.0, Protocol 0, Port 0

63 03/02/2006 17:03:39.230 SEV=5 IKE/66 RPT=4901 212.34.x.x

Group [212.34.x.x]

IKE Remote Peer configured for SA: L2L: netscreenl2l

64 03/02/2006 17:03:39.230 SEV=7 IKEDBG/27 RPT=4567 212.34.x.x

Group [212.34.x.x]

IPSec SA Proposal # 1, Transform # 1 acceptable

Matches global IPSec SA entry # 11 Proposal (L2L: netscreenl2l)

67 03/02/2006 17:03:39.230 SEV=7 IKEDBG/85 RPT=4567 212.34.x.x

Group [212.34.x.x]

IKE: requesting SPI! (Protocol=ESP)

69 03/02/2006 17:03:39.240 SEV=5 IKE/75 RPT=4528 212.34.x.x

Group [212.34.x.x]

Overriding Initiator's IPSec rekeying duration from 28800 to 3600 seconds

71 03/02/2006 17:03:39.240 SEV=7 IKEDBG/91 RPT=6001 212.34.x.x

Group [212.34.x.x]

Transmitting Proxy Id:

Remote subnet: 192.168.1.0 Mask 255.255.255.0 Protocol 0 Port 0

Local subnet: 10.10.0.0 mask 255.255.240.0 Protocol 0 Port 0

75 03/02/2006 17:03:39.240 SEV=7 IKEDBG/92 RPT=4528 212.34.x.x

Group [212.34.x.x]

Sending RESPONDER LIFETIME notification to Initiator

76 03/02/2006 17:03:39.280 SEV=7 IKEDBG/93 RPT=5974 212.34.x.x

Group [212.34.x.x]

Loading subnet:

Dst: 10.10.0.0 mask: 255.255.240.0

Src: 192.168.1.0 mask: 255.255.255.0

79 03/02/2006 17:03:39.280 SEV=4 IKE/49 RPT=5974 212.34.x.x

Group [212.34.x.x]

Security negotiation complete for LAN-to-LAN Group (212.34.x.x)

Responder, Inbound SPI = 0x1a76b567, Outbound SPI = 0x6216debe

87 03/02/2006 17:03:39.290 SEV=4 IKE/120 RPT=5975 212.34.x.x

Group [212.34.x.x]

PHASE 2 COMPLETED (msgid=eca65ef4)

Any suggestions?

Best Regards,

Sante Guzzo
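
A check that can be run on a log like the one quoted above, as an added example that is not part of the original post: it parses the "Received ... IP Proxy Subnet data" and "Transmitting Proxy Id" entries and reports any side whose received and transmitted subnets differ. The sample is an excerpt of the quoted log with blank lines dropped; the function names are this example's own.

```python
import ipaddress
import re

# Excerpt of the concentrator log quoted in the post (blank and Group lines dropped).
SAMPLE_LOG = """\
57 03/02/2006 17:03:39.230 SEV=5 IKE/35 RPT=926 212.34.x.x
Received remote IP Proxy Subnet data in ID Payload:
Address 192.168.1.0, Mask 255.255.255.0, Protocol 0, Port 0
60 03/02/2006 17:03:39.230 SEV=5 IKE/34 RPT=5452 212.34.x.x
Received local IP Proxy Subnet data in ID Payload:
Address 10.10.0.0, Mask 255.255.224.0, Protocol 0, Port 0
71 03/02/2006 17:03:39.240 SEV=7 IKEDBG/91 RPT=6001 212.34.x.x
Transmitting Proxy Id:
Remote subnet: 192.168.1.0 Mask 255.255.255.0 Protocol 0 Port 0
Local subnet: 10.10.0.0 mask 255.255.240.0 Protocol 0 Port 0
"""

RECV_HDR = re.compile(r"Received (remote|local) IP Proxy Subnet data")
RECV_ADDR = re.compile(r"Address ([\d.]+), Mask ([\d.]+)")
SENT = re.compile(r"(Remote|Local) subnet: ([\d.]+) mask ([\d.]+)", re.I)

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}")

def proxy_ids(log_text):
    """Collect proxy IDs as {'received': {side: net}, 'sent': {side: net}}."""
    ids = {"received": {}, "sent": {}}
    side = None  # which side the next "Address ..., Mask ..." line belongs to
    for line in log_text.splitlines():
        line = line.strip()
        if m := RECV_HDR.search(line):
            side = m.group(1)
        elif side and (m := RECV_ADDR.match(line)):
            ids["received"][side], side = net(m.group(1), m.group(2)), None
        elif m := SENT.match(line):
            ids["sent"][m.group(1).lower()] = net(m.group(2), m.group(3))
    return ids

def mismatches(ids):
    """Return (side, received, sent) for each side whose two proxy IDs differ."""
    return [(s, ids["received"][s], ids["sent"][s])
            for s in ("local", "remote")
            if s in ids["received"] and s in ids["sent"]
            and ids["received"][s] != ids["sent"][s]]

if __name__ == "__main__":
    for side, got, sent in mismatches(proxy_ids(SAMPLE_LOG)):
        print(f"{side} proxy ID differs: received {got}, transmitted {sent}")
```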

1 Reply

morgsizun
Level 1

Hi,

Verify the filters between the gateways and the Internet.

Maybe you have to permit ESP between the VPN gateways?

Hope this helps.

Regards,

Morgan Sizun.