[strongSwan] phase 2 failing - Juniper Netscreen ISG 2000

Roland RoLaNd r_o_l_a_n_d at hotmail.com
Mon May 19 16:36:41 CEST 2014


All,
this is my first time configuring openswan with juniper; all my other configs were with cisco (which are currently working). Something is wrong with the configuration which is preventing me from establishing the tunnel. If anyone can give me a hint on what might be wrong, so I can troubleshoot the issue, I would appreciate it.
Note: enabling plutodebug = all and/or content shows pluto information on all my other tunnels as well, which makes things confusing.
please find below my config:
/etc/ipsec.d/some_dst.conf:

conn some_dst
	type=tunnel
	authby=secret
	left=%defaultroute
	leftid=$MyNattedPublicIp
	#leftnexthop=%defaultroute
	leftsubnet=10.0.0.5/32
	right=$JuniperSidePublicIp
	rightsubnet=10.100.240.58/32
	#rightsubnets={10.100.240.58/32,10.100.241.50/32}
	esp=3des-md5
	keyexchange=ike
	ike=3des-md5-modp1024
	salifetime=3600s
	#keylife=86400s
	ikelifetime=86400s
	pfs=no
	auto=start
	dpdaction=restart

/etc/ipsec.d/some_dst.secret:

10.0.0.5 $MyNattedPublicIp 10.100.240.58 $JuniperSidePublicIp: PSK "SomeKey"


Relevant configuration given to me by network engineer who is administering the juniper device:
Juniper Netscreen ISG 2000
10.100.240.58/32 (SMSC) &  10.100.241.50/32 (SDP)

Phase 1 (IKE) Parameters
	Authentication:		Pre Shared Key
	Encryption:		3DES
	Hash:			MD5
	Diffie-Hellman Group:	Group 2
	Lifetime:		86400
	or Transform-Set	(e.g. pre-g2-3des-sha)

Phase 2 (IPSEC) Parameters
	Authentication:				ESP
	Encryption:				3DES
	PFS (Diffie-Hellman Group):		Group 2
	SA Lifetime (In Time or In Kbytes):	3600 seconds
	or Transform-Set:			esp-3des esp-sha-hmac

ipsec auto --up some_dst outputs the following:

000 initiating all conns with alias='some_dst'
104 "some_dst/0x2" #19: STATE_MAIN_I1: initiate
003 "some_dst/0x2" #19: ignoring unknown Vendor ID payload [382b5e05rg4444ea5df268b8588f4cc5f580000000d0000061e]
003 "some_dst/0x2" #19: received Vendor ID payload [Dead Peer Detection]
003 "some_dst/0x2" #19: ignoring Vendor ID payload [HeartBeat Notify 386b0100]
106 "some_dst/0x2" #19: STATE_MAIN_I2: sent MI2, expecting MR2
108 "some_dst/0x2" #19: STATE_MAIN_I3: sent MI3, expecting MR3
004 "some_dst/0x2" #19: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
117 "some_dst/0x1" #20: STATE_QUICK_I1: initiate
117 "some_dst/0x2" #21: STATE_QUICK_I1: initiate
010 "some_dst/0x2" #21: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "some_dst/0x1" #20: STATE_QUICK_I1: retransmission; will wait 20s for response




Juniper side (but policy is there ..):
2014-05-19 16:48:40 system info 00536 IKE $MyNattedPublicIp Phase 2 msg ID 6f4e415f: Negotiations have failed.
2014-05-19 16:48:40 system info 00536 IKE $MyNattedPublicIp Phase 2: No policy exists for the proxy ID received: local ID (10.100.241.50/255.255.255.255, 0, 0) remote ID ($MyNattedPublicIp/255.255.255.255, 0, 0).
2014-05-19 16:48:40 system info 00536 IKE $MyNattedPublicIp Phase 2 msg ID 6f4e415f: Responded to the peer's first message.
2014-05-19 16:48:40 system info 00536 IKE $MyNattedPublicIp Phase 2 msg ID 6b66d5c9: Negotiations have failed.
2014-05-19 16:48:40 system info 00536 IKE $MyNattedPublicIp Phase 2 msg ID 6b66d5c9: Responded to the peer's first message.
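The NetScreen message "No policy exists for the proxy ID received" is the responder saying that the traffic selectors (proxy IDs) in the Quick Mode proposal do not match any of its policies; in the quoted log the Juniper reports local ID 10.100.241.50/32 and remote ID $MyNattedPublicIp/32, while the posted conn offers rightsubnet=10.100.240.58/32 and leftsubnet=10.0.0.5/32. The script below is an added example, not code from the poster or from strongSwan: it parses that log line and the conn block and reports each side where the two views differ. It assumes the ScreenOS proxy ID reads as (address/netmask, protocol, port), as the quoted line suggests; the sample log and conn are constructed from the post, with the $MyNattedPublicIp placeholder replaced by the documentation address 203.0.113.10.

```python
"""Compare the proxy IDs a strongSwan conn offers with the ones a Juniper
NetScreen rejects in a "No policy exists for the proxy ID" log line.

Mapping between the two ends (the NetScreen speaks from its own side):
    NetScreen "local ID"  <-> strongSwan rightsubnet
    NetScreen "remote ID" <-> strongSwan leftsubnet
"""
import ipaddress
import re

# Constructed sample of the NetScreen log; placeholder replaced with 203.0.113.10.
NETSCREEN_LOG = """\
2014-05-19 16:48:40 system info 00536 IKE 203.0.113.10 Phase 2 msg ID 6f4e415f: Negotiations have failed.
2014-05-19 16:48:40 system info 00536 IKE 203.0.113.10 Phase 2: No policy exists for the proxy ID received: local ID (10.100.241.50/255.255.255.255, 0, 0) remote ID (203.0.113.10/255.255.255.255, 0, 0).
2014-05-19 16:48:40 system info 00536 IKE 203.0.113.10 Phase 2 msg ID 6f4e415f: Responded to the peer's first message.
"""

# Constructed, trimmed copy of the conn from the post.
STRONGSWAN_CONF = """\
conn some_dst
	type=tunnel
	leftsubnet=10.0.0.5/32
	rightsubnet=10.100.240.58/32
	esp=3des-md5
	pfs=no
"""

# Tolerates the extra whitespace that console wrapping inserts after "/" and between fields.
# The "(addr/mask, proto, port)" layout is my reading of the ScreenOS proxy ID format.
PROXY_RE = re.compile(
    r"No policy exists for the proxy ID received:\s*"
    r"local ID \((?P<laddr>[\d.]+)/\s*(?P<lmask>[\d.]+),\s*(?P<lproto>\d+),\s*(?P<lport>\d+)\)\s*"
    r"remote ID \((?P<raddr>[\d.]+)/\s*(?P<rmask>[\d.]+),\s*(?P<rproto>\d+),\s*(?P<rport>\d+)\)"
)


def parse_netscreen_proxy_ids(log):
    """Return one (local_net, remote_net, proto, port) tuple per rejected proxy ID."""
    found = []
    for m in PROXY_RE.finditer(log):
        # ipaddress accepts a dotted netmask, so 255.255.255.255 becomes /32.
        local = ipaddress.ip_network(f"{m['laddr']}/{m['lmask']}", strict=False)
        remote = ipaddress.ip_network(f"{m['raddr']}/{m['rmask']}", strict=False)
        found.append((local, remote, int(m["lproto"]), int(m["lport"])))
    return found


def parse_conn_subnets(conf):
    """Return {'leftsubnet': net, 'rightsubnet': net} from a conn block, skipping comments."""
    subnets = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(leftsubnet|rightsubnet)\s*=\s*(\S+)$", line)
        if m:
            subnets[m.group(1)] = ipaddress.ip_network(m.group(2), strict=False)
    return subnets


def proxy_id_mismatches(log, conf):
    """List, per rejected Phase 2, where the peer's view differs from our conn."""
    ours = parse_conn_subnets(conf)
    findings = []
    for local, remote, proto, port in parse_netscreen_proxy_ids(log):
        if local != ours.get("rightsubnet"):
            findings.append(
                f"rightsubnet is {ours.get('rightsubnet')} but the peer saw local ID {local}")
        if remote != ours.get("leftsubnet"):
            findings.append(
                f"leftsubnet is {ours.get('leftsubnet')} but the peer saw remote ID {remote}")
        if proto or port:
            findings.append(
                f"proxy ID carries protocol {proto}/port {port}; an address-only policy will not match")
    return findings


if __name__ == "__main__":
    for finding in proxy_id_mismatches(NETSCREEN_LOG, STRONGSWAN_CONF):
        print(finding)
```

Run against the constructed sample it prints two findings, one per side. The script checks selectors only; the Phase 2 proposal (esp= and pfs= in the conn versus the "esp-3des esp-sha-hmac" and "PFS Group 2" rows in the table above) is a separate thing to compare by hand, since a proposal mismatch produces a different NetScreen message.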

 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20140519/e2d6f711/attachment.html>

