<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style></head>
<body class='hmmessage'><div dir='ltr'><div><div><span style="font-size: 12pt;">All,</span></div>
<div><br></div>
<div>This is my first time configuring Openswan with Juniper; all my other configs were with Cisco (which are currently working).</div>
<div>Something is wrong with the configuration which is preventing me from establishing the tunnel.</div>
<div>If anyone can give me a hint on what might be wrong, so I can troubleshoot the issue, I would appreciate it.</div>
<div>Note: enabling plutodebug=all and/or content shows pluto information on all my other tunnels as well, which makes things confusing.</div>
<div><br></div>
<div>Please find my config below:</div>
<div><br></div>
<div>/etc/ipsec.d/some_dst.conf</div>
<div>conn some_dst</div>
<div><span class="Apple-tab-span" style="white-space:pre"> </span>type=tunnel</div>
<div><span class="Apple-tab-span" style="white-space:pre"> </span>authby=secret</div>
<div><span class="Apple-tab-span" style="white-space:pre"> </span>left=%defaultroute</div>
<div><span class="Apple-tab-span" style="white-space:pre"> </span>leftid=$MyNattedPublicIp</div>
<div><span class="Apple-tab-span" style="white-space:pre"> </span>#leftnexthop=%defaultroute</div>
<div><span class="Apple-tab-span" style="white-space:pre"> </span>leftsubnet=10.0.0.5/32</div>
<div><span class="Apple-tab-span" style="white-space:pre"> </span>right=$JuniperSidePublicIp</div>
<div><span class="Apple-tab-span" style="white-space:pre"> </span>rightsubnet=10.100.240.58/32</div>
<div><span class="Apple-tab-span" style="white-space:pre"> </span>#rightsubnets={10.100.240.58/32,10.100.241.50/32}</div>
<div><span class="Apple-tab-span" style="white-space:pre"> </span>esp=3des-md5</div>
<div><span class="Apple-tab-span" style="white-space:pre"> </span>keyexchange=ike</div>
<div><span class="Apple-tab-span" style="white-space:pre"> </span>ike=3des-md5-modp1024</div>
<div><span class="Apple-tab-span" style="white-space:pre"> </span>salifetime=3600s</div>
<div><span class="Apple-tab-span" style="white-space:pre"> </span>#keylife=86400s</div>
<div><span class="Apple-tab-span" style="white-space:pre"> </span>ikelifetime=86400s</div>
<div><span class="Apple-tab-span" style="white-space:pre"> </span>pfs=no</div>
<div><span class="Apple-tab-span" style="white-space:pre"> </span>auto=start</div>
<div><span class="Apple-tab-span" style="white-space:pre"> </span>dpdaction=restart</div>
<div><br></div>
<div>/etc/ipsec.d/some_dst.secret</div>
<div>10.0.0.5 $MyNattedPublicIp 10.100.240.58 $JuniperSidePublicIp: PSK "SomeKey"</div>
<div><br></div>
<div>Relevant configuration given to me by the network engineer who is administering the Juniper device:</div>
<div><br></div>
<div>Juniper Netscreen ISG 2000</div>
<div><br></div>
<div>10.100.240.58/32 (SMSC) &amp; 10.100.241.50/32 (SDP)</div>
<div><br></div>
<div>Phase 1 (IKE) Parameters</div>
<div>Authentication<span class="Apple-tab-span" style="white-space:pre"> </span>Pre Shared Key</div>
<div>Encryption<span class="Apple-tab-span" style="white-space:pre"> </span>3 DES</div>
<div>Hash<span class="Apple-tab-span" style="white-space:pre"> </span>MD5</div>
<div>Diffie-Hellman Group<span class="Apple-tab-span" style="white-space:pre"> </span>Group 2</div>
<div>Lifetime<span class="Apple-tab-span" style="white-space:pre"> </span>86400</div>
<div>or Transform-Set<span class="Apple-tab-span" style="white-space:pre"> </span>(e.g. pre-g2-3des-sha)</div>
<div><br></div>
<div>Phase 2 (IPSEC) Parameters</div>
<div>Authentication<span class="Apple-tab-span" style="white-space:pre"> </span>ESP</div>
<div>Encryption<span class="Apple-tab-span" style="white-space:pre"> </span>3 DES</div>
<div>PFS (Diffie-Hellman Group)<span class="Apple-tab-span" style="white-space:pre"> </span>Group 2</div>
<div>SA Lifetime (In Time or In Kbytes)<span class="Apple-tab-span" style="white-space:pre"> </span>3600 seconds</div>
<div>or Transform-Set<span class="Apple-tab-span" style="white-space:pre"> </span>esp-3des esp-sha-hmac</div>
<div><br></div>
<div>ipsec auto --up some_dst outputs the following:</div>
<div><br></div>
<div>000 initiating all conns with alias='some_dst'</div>
<div>104 "some_dst/0x2" #19: STATE_MAIN_I1: initiate</div>
<div>003 "some_dst/0x2" #19: ignoring unknown Vendor ID payload [382b5e05rg4444ea5df268b8588f4cc5f580000000d0000061e]</div>
<div>003 "some_dst/0x2" #19: received Vendor ID payload [Dead Peer Detection]</div>
<div>003 "some_dst/0x2" #19: ignoring Vendor ID payload [HeartBeat Notify 386b0100]</div>
<div>106 "some_dst/0x2" #19: STATE_MAIN_I2: sent MI2, expecting MR2</div>
<div>108 "some_dst/0x2" #19: STATE_MAIN_I3: sent MI3, expecting MR3</div>
<div>004 "some_dst/0x2" #19: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}</div>
<div>117 "some_dst/0x1" #20: STATE_QUICK_I1: initiate</div>
<div>117 "some_dst/0x2" #21: STATE_QUICK_I1: initiate</div>
<div>010 "some_dst/0x2" #21: STATE_QUICK_I1: retransmission; will wait 20s for response</div>
<div>010 "some_dst/0x1" #20: STATE_QUICK_I1: retransmission; will wait 20s for response</div>
<div><br></div>
<div>Juniper side (but the policy is there...):</div>
<div><br></div>
<div>2014-05-19 16:48:40 system info 00536 IKE $MyNattedPublicIp Phase 2 msg ID 6f4e415f: Negotiations have failed.</div>
<div>2014-05-19 16:48:40 system info 00536 IKE $MyNattedPublicIp Phase 2: No policy exists for the proxy ID received: local ID (10.100.241.50/255.255.255.255, 0, 0) remote ID ($MyNattedPublicIp/255.255.255.255, 0, 0).</div>
<div>2014-05-19 16:48:40 system info 00536 IKE $MyNattedPublicIp Phase 2 msg ID 6f4e415f: Responded to the peer's first message.</div>
<div>2014-05-19 16:48:40 system info 00536 IKE $MyNattedPublicIp Phase 2 msg ID 6b66d5c9: Negotiations have failed.</div>
<div>2014-05-19 16:48:40 system info 00536 IKE $MyNattedPublicIp Phase 2 msg ID 6b66d5c9: Responded to the peer's first message.</div>
<div><br></div></div> </div></body>
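<p>An added worked example for this thread, not code from the original post, from Openswan or from Juniper: a small Python checker that reads the posted conn block, compares it with the Juniper admin's Phase 1/Phase 2 sheet, and parses the Juniper "No policy exists for the proxy ID received" line to compare the proxy IDs the peer saw with the leftsubnet/rightsubnet the conn claims to send. The conn text, the sheet and the log line are constructed from what the post shows; $MyNattedPublicIp and $JuniperSidePublicIp are the poster's placeholders and are kept as literals. The transcription of the sheet into Openswan spelling (3 DES as 3des, Group 2 as modp1024, esp-sha-hmac as sha1, PFS Group 2 as pfs=yes) is an assumption made here.</p>

```python
"""Cross-check the posted Openswan conn against the Juniper parameter sheet and
against the Juniper "No policy exists for the proxy ID received" log line.

Added example for this thread, not code from the post, Openswan or Juniper.
Inputs below are constructed from the post; the $... names are its placeholders.
"""
import ipaddress
import re

# Constructed input: the posted /etc/ipsec.d/some_dst.conf (abridged, comments kept).
OPENSWAN_CONN = """\
conn some_dst
    authby=secret
    left=%defaultroute
    leftid=$MyNattedPublicIp
    leftsubnet=10.0.0.5/32
    right=$JuniperSidePublicIp
    rightsubnet=10.100.240.58/32
    #rightsubnets={10.100.240.58/32,10.100.241.50/32}
    esp=3des-md5
    ike=3des-md5-modp1024
    salifetime=3600s
    ikelifetime=86400s
    pfs=no
"""

# The Juniper admin's sheet transcribed by hand into Openswan spelling (assumption):
# "3 DES" -> 3des, "Group 2" -> modp1024, "esp-sha-hmac" -> sha1, PFS Group 2 -> pfs=yes.
# 3DES and MD5 are kept only because that is what the peer's sheet lists.
JUNIPER_SHEET = {
    "ike": "3des-md5-modp1024",   # Phase 1: 3DES / MD5 / DH group 2
    "esp": "3des-sha1",           # Phase 2: esp-3des esp-sha-hmac
    "pfs": "yes",                 # Phase 2: PFS with DH group 2
    "ikelifetime": "86400s",      # Phase 1 lifetime 86400
    "salifetime": "3600s",        # Phase 2 lifetime 3600 seconds
}

# Constructed input: the Juniper log entry from the post, re-joined onto one line.
JUNIPER_LOG = (
    "2014-05-19 16:48:40 system info 00536 IKE $MyNattedPublicIp Phase 2: "
    "No policy exists for the proxy ID received: "
    "local ID (10.100.241.50/255.255.255.255, 0, 0) "
    "remote ID ($MyNattedPublicIp/255.255.255.255, 0, 0).\n"
)

PROXY_ID_RE = re.compile(
    r"local ID \(([^/]+)/([\d.]+), \d+, \d+\) remote ID \(([^/]+)/([\d.]+), \d+, \d+\)"
)


def parse_conn(text):
    """Return {key: value} for an ipsec.conf conn block; '#' comments are dropped."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line and not line.startswith("conn "):
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params


def compare_params(conn, sheet):
    """Return [(key, ours, theirs)] for every sheet entry the conn disagrees with."""
    return [(k, conn.get(k), v) for k, v in sheet.items() if conn.get(k) != v]


def mask_to_prefix(dotted_mask):
    """'255.255.255.255' -> 32 (the Juniper logs dotted masks, Openswan uses CIDR)."""
    return ipaddress.IPv4Network(f"0.0.0.0/{dotted_mask}").prefixlen


def parse_proxy_ids(log):
    """Return [(local_cidr, remote_cidr)] for each 'No policy exists' line.
    The Juniper's 'local ID' is the remote subnet we proposed (our rightsubnet);
    its 'remote ID' is the local subnet we proposed (our leftsubnet)."""
    found = []
    for line in log.splitlines():
        m = PROXY_ID_RE.search(line)
        if m:
            laddr, lmask, raddr, rmask = m.groups()
            found.append((f"{laddr}/{mask_to_prefix(lmask)}",
                          f"{raddr}/{mask_to_prefix(rmask)}"))
    return found


def check_proxy_ids(conn, log):
    """Return one finding per received proxy ID that differs from the conn's subnets."""
    findings = []
    for local_id, remote_id in parse_proxy_ids(log):
        if local_id != conn.get("rightsubnet"):
            findings.append(f"peer local ID {local_id} != rightsubnet {conn.get('rightsubnet')}")
        if remote_id != conn.get("leftsubnet"):
            findings.append(f"peer remote ID {remote_id} != leftsubnet {conn.get('leftsubnet')}")
    return findings


if __name__ == "__main__":
    conn = parse_conn(OPENSWAN_CONN)
    for key, ours, theirs in compare_params(conn, JUNIPER_SHEET):
        print(f"phase parameter mismatch: {key}: openswan={ours} juniper={theirs}")
    for finding in check_proxy_ids(conn, JUNIPER_LOG):
        print("proxy ID mismatch:", finding)
```

<p>Run over the posted text, the parameter comparison reports esp (3des-md5 versus the sheet's esp-3des esp-sha-hmac) and pfs (no versus PFS Group 2), and the proxy ID check reports that the IDs the Juniper logged, 10.100.241.50/32 and $MyNattedPublicIp/32, are not the rightsubnet and leftsubnet in the posted file; they correspond instead to the commented-out rightsubnets entry and to leftid, so it is worth comparing the file with what ipsec auto --status shows is actually loaded. One caveat on the sheet itself: it lists MD5 as the Phase 1 hash but its example transform set is pre-g2-3des-sha, and that ambiguity is for the peer's admin to resolve, not this script.</p>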
</html>