Can someone help me? I am quite stuck. I have spent hours trying
various combinations in order to get a 3.9 box to bring up a tunnel to
a NetScreen 25.
Below is all the information. I have full control over both boxes and
I am willing to try anything at this point.
--------------------------------------------------------
isakmpd.conf
--------------------------------------------------------
# Filter incoming phase 1 negotiations so they are only
# valid if negotiating with this local address.
[General]
Listen-On=1.1.1.1
[Phase 1]
2.2.2.2=peer-machineB
# 'Phase 2' defines which connections the daemon
# should establish. These connections contain the actual
# "IPsec VPN" information.
[Phase 2]
Connections=VPN-A-B
# ISAKMP phase 1 peers (from [Phase 1])
[peer-machineB]
Phase=1
Address=2.2.2.2
Configuration=Default-main-mode
Authentication=bbb111aaaccceee
# IPSEC phase 2 connections (from [Phase 2])
[VPN-A-B]
Phase=2
ISAKMP-peer=peer-machineB
Configuration=Default-quick-mode
Local-ID=machineA-internal-network
Remote-ID=machineB-internal-network
# ID sections (as used in [VPN-A-B])
[machineA-internal-network]
ID-type=IPV4_ADDR_SUBNET
Network=192.168.22.0
Netmask=255.255.255.0
[machineB-internal-network]
ID-type=IPV4_ADDR_SUBNET
Network=192.168.0.0
Netmask=255.255.255.0
# Main and Quick Mode descriptions
# (as used by peers and connections).
[Default-main-mode]
EXCHANGE_TYPE=ID_PROT
Transforms=3DES-SHA
[Default-quick-mode]
EXCHANGE_TYPE=QUICK_MODE
Suites=QM-ESP-3DES-SHA-SUITE,QM-ESP-3DES-SHA-PFS-SUITE,QM-ESP-AES-SHA-SUITE,QM-ESP-AES-SHA-PFS-SUITE
--------------------------------------------------------
isakmpd -d -DA=50
--------------------------------------------------------
112848.211558 Exch 40 exchange_run: exchange 0x87f0800 finished step 4, advancing...
112848.215852 Trpt 30 transport_send_messages: message 0xca10500 scheduled for retransmission 1 in 7 secs
112848.218940 Timr 10 timer_add_event: event message_send_expire(0xca10500) added before connection_checker(0xedbbb50), expiration in 7s
112848.239296 Trpt 50 virtual_clone: old 0x8f1fc00 new 0x8f1fec0 (main is 0x8f1ff00)
112848.250291 Mesg 20 message_free: freeing 0xca10500
112848.253319 Timr 10 timer_remove_event: removing event message_send_expire(0xca10500)
112848.258506 Cryp 30 crypto_decrypt: before decryption:
112848.263989 Cryp 30 9dcfbbfb c5bd637e 1e196cc2 97c4197a 82436396 041a5c1f 6275c4ad da0c8603
112848.268055 Cryp 30 4812bf92 d6b97324
112848.271155 Cryp 30 crypto_decrypt: after decryption:
112848.277117 Cryp 30 0800000c 011101f4 46a77a02 00000018 672a94d8 c987cd9a d13bcdaf d2a92907
112848.281844 Cryp 30 571a50c8 00000000
112848.284792 Mesg 50 message_parse_payloads: offset 28 payload ID
112848.288343 Mesg 50 message_parse_payloads: offset 40 payload HASH
112848.292996 Mesg 40 ipsec_validate_id_information: proto 17 port 500 type 1
112848.298106 Mesg 40 ipsec_validate_id_information: IPv4:
112848.301938 Mesg 40 46a77a02
112848.305061 Negt 40 ike_phase_1_recv_ID: IPV4_ADDR:
112848.308126 Negt 40 46a77a02
112848.311779 Mesg 20 message_free: freeing 0xca10580
112848.314755 Cryp 50 crypto_update_iv: updated IV:
112848.318059 Cryp 50 4812bf92 d6b97324
112848.320857 Exch 10 exchange_finalize: 0x87f0800 peer-machineB Default-main-mode policy initiator phase 1 doi 1 exchange 2 step 5
112848.324038 Exch 10 exchange_finalize: icookie 98b3b8f4fc018b53 rcookie 9c95626f9832058e
112848.327607 Exch 10 exchange_finalize: msgid 00000000
112848.333350 Exch 10 exchange_finalize: phase 1 done: initiator id 4407b930: 1.1.1.1, responder id 46a77a02: 2.2.2.2, src: 1.1.1.1 dst: 2.2.2.2
112848.336551 Timr 10 timer_add_event: event sa_soft_expire(0x87f0900) added last, expiration in 3178s
112848.339543 Timr 10 timer_add_event: event sa_hard_expire(0x87f0900) added last, expiration in 3600s
112848.346428 Exch 20 exchange_establish_finalize: finalizing exchange 0x87f0800 with arg 0xedbbca0 (VPN-A-B) & fail = 0
112848.349940 Timr 10 timer_add_event: event exchange_free_aux(0x87f0a00) added before sa_soft_expire(0x87f0900), expiration in 120s
112848.353235 Exch 10 exchange_establish_p2: 0x87f0a00 VPN-A-B Default-quick-mode policy initiator phase 2 doi 1 exchange 32 step 0
112848.356272 Exch 10 exchange_establish_p2: icookie 98b3b8f4fc018b53 rcookie 9c95626f9832058e
112848.359235 Exch 10 exchange_establish_p2: msgid 3acbaca5 sa_list
112848.365252 Sdep 50 pf_key_v2_get_spi: spi:
112848.368299 Sdep 50 d0a3b64d
112848.372465 Default initiator_send_HASH_SA_NONCE: differing group descriptions in a proposal
112848.375508 Default exchange_run: doi->initiator (0xca10780) failed
112848.378298 Mesg 20 message_free: freeing 0xca10780
112848.381550 Timr 10 timer_remove_event: removing event exchange_free_aux(0x87f0800)
112848.384455 Mesg 20 message_free: freeing 0xca10680
112942.151266 Timr 10 timer_handle_expirations: event connection_checker(0xedbbb50)
112942.154427 Timr 10 timer_add_event: event connection_checker(0xedbbb50) added before exchange_free_aux(0x87f0a00), expiration in 60s
112942.157636 Exch 40 exchange_establish: VPN-A-B exchange already exists as 0x87f0a00
--------------------------------------------------------
Netscreen Side
--------------------------------------------------------
2006-08-23 11:28:46 info IKE<1.1.1.1>: Received initial contact notification and removed Phase 1 SAs.
2006-08-23 11:28:46 info IKE<1.1.1.1> Phase 1: Completed Main mode negotiations with a <28800>-second lifetime.
2006-08-23 11:28:46 info IKE<1.1.1.1>: Received initial contact notification and removed Phase 2 SAs.
2006-08-23 11:28:46 info IKE<1.1.1.1>: Received a notification message for DOI <1> <24578> <INITIAL-CONTACT>.
2006-08-23 11:28:40 info IKE<1.1.1.1> Phase 1: Responder starts MAIN mode negotiations.
--------------------------------------------------------
Netscreen Phase 1 setting
--------------------------------------------------------
pre-g2-3des-sha
--------------------------------------------------------
Netscreen Phase 2 setting
--------------------------------------------------------
g2-esp-3des-sha
g2-esp-aes128-sha
--------------------------------------------------------
Phase 2 proposals you can configure on the NetScreen
--------------------------------------------------------
nopfs-esp-des-md5 No PFS ESP DES/MD5 3600 0
nopfs-esp-des-sha No PFS ESP DES/SHA 3600 0
nopfs-esp-3des-md5 No PFS ESP 3DES/MD5 3600 0
nopfs-esp-3des-sha No PFS ESP 3DES/SHA 3600 0
nopfs-esp-aes128-md5 No PFS ESP AES128/MD5 3600 0
nopfs-esp-aes128-sha No PFS ESP AES128/SHA 3600 0
g2-esp-des-md5 DH Group 2 ESP DES/MD5 3600 0
g2-esp-des-sha DH Group 2 ESP DES/SHA 3600 0
g2-esp-3des-md5 DH Group 2 ESP 3DES/MD5 3600 0
g2-esp-3des-sha DH Group 2 ESP 3DES/SHA 3600 0
g2-esp-aes128-md5 DH Group 2 ESP AES128/MD5 3600 0
g2-esp-aes128-sha DH Group 2 ESP AES128/SHA 3600
--------------------------------------------------------
Phase 1 proposals you can configure on the NetScreen
--------------------------------------------------------
pre-g1-des-md5 Preshare 1 DES/MD5 28800
pre-g1-des-sha Preshare 1 DES/SHA 28800
pre-g2-des-md5 Preshare 2 DES/MD5 28800
pre-g2-des-sha Preshare 2 DES/SHA 28800
pre-g2-3des-md5 Preshare 2 3DES/MD5 28800
pre-g2-3des-sha Preshare 2 3DES/SHA 28800
pre-g2-aes128-md5 Preshare 2 AES128/MD5 28800
pre-g2-aes128-sha Preshare 2 AES128/SHA 28800
rsa-g2-des-md5 RSA-sig 2 DES/MD5 28800
rsa-g2-des-sha RSA-sig 2 DES/SHA 28800
rsa-g2-3des-md5 RSA-sig 2 3DES/MD5 28800
rsa-g2-3des-sha RSA-sig 2 3DES/SHA 28800
rsa-g2-aes128-md5 RSA-sig 2 AES128/MD5 28800
rsa-g2-aes128-sha RSA-sig 2 AES128/SHA 28800
dsa-g2-des-md5 DSA-sig 2 DES/MD5 28800
dsa-g2-des-sha DSA-sig 2 DES/SHA 28800
dsa-g2-3des-md5 DSA-sig 2 3DES/MD5 28800
dsa-g2-3des-sha DSA-sig 2 3DES/SHA 28800
dsa-g2-aes128-md5 DSA-sig 2 AES128/MD5 28800
dsa-g2-aes128-sha DSA-sig 2 AES128/SHA 28800
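As an added example (not part of the original post), a small Python checker for the Phase 2 half of this setup: it parses isakmpd.conf-style sections, flags a connection whose Suites list mixes PFS and non-PFS suites (isakmpd needs every suite offered in one connection to agree on the PFS group because quick mode carries a single KE payload, and a mixed list is the usual cause of its "differing group descriptions in a proposal" message), and maps NetScreen proposal names such as g2-esp-3des-sha onto the corresponding default isakmpd suite. It assumes isakmpd's built-in suite naming (QM-ESP-<cipher>-<hash>[-PFS]-SUITE) and that the -PFS suites use DH group 2 (MODP_1024); the config fragment it runs on is constructed from the post.

```python
from configparser import ConfigParser

# Phase 2 sections from the post, with the Suites value filled in per check (constructed input).
CONF_TEMPLATE = """\
[Phase 2]
Connections=VPN-A-B
[VPN-A-B]
Phase=2
Configuration=Default-quick-mode
[Default-quick-mode]
EXCHANGE_TYPE=QUICK_MODE
Suites={suites}
"""
POSTED_SUITES = ("QM-ESP-3DES-SHA-SUITE,QM-ESP-3DES-SHA-PFS-SUITE,"
                 "QM-ESP-AES-SHA-SUITE,QM-ESP-AES-SHA-PFS-SUITE")

def parse_isakmpd_conf(text):
    """isakmpd.conf is INI-like ([Section], Key=Value, '#' comments); keep key case."""
    cp = ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def suite_group(suite):
    """DH group a default isakmpd suite negotiates for PFS (0 = no PFS).
    Assumption: the built-in *-PFS-SUITE entries use MODP_1024, i.e. group 2."""
    return 2 if "-PFS-" in suite else 0

def check_phase2(conf):
    """{connection: {suite: group}} for connections whose suites disagree on the
    PFS group.  Quick mode carries one KE payload, so every suite offered in a
    connection must use the same group; a mixed list is what isakmpd rejects
    with 'differing group descriptions in a proposal'."""
    problems = {}
    for conn in (c.strip() for c in conf["Phase 2"]["Connections"].split(",")):
        cfg = conf[conn]["Configuration"]
        groups = {s.strip(): suite_group(s) for s in conf[cfg]["Suites"].split(",")}
        if len(set(groups.values())) > 1:
            problems[conn] = groups
    return problems

def netscreen_to_isakmpd(proposal):
    """Map a NetScreen Phase 2 proposal (e.g. g2-esp-3des-sha) onto the default
    isakmpd suite with the same PFS group, cipher and hash."""
    pfs, proto, enc, hsh = proposal.lower().split("-")
    if pfs not in ("nopfs", "g2"):
        raise ValueError(f"no default isakmpd suite for the PFS group in {proposal}")
    enc_name = {"des": "DES", "3des": "3DES", "aes128": "AES"}[enc]
    return f"QM-{proto.upper()}-{enc_name}-{hsh.upper()}{'-PFS' if pfs == 'g2' else ''}-SUITE"

def suites_for(proposals):
    """The isakmpd Suites= value matching a NetScreen proposal list."""
    return ",".join(netscreen_to_isakmpd(p) for p in proposals)
```

Running check_phase2 on the posted Suites flags VPN-A-B, while suites_for(["g2-esp-3des-sha", "g2-esp-aes128-sha"]) yields a list in which all suites carry the same group and passes the check.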