IPSEC Tunnel between Juniper ssg 140 and Watchguard



  • Hi,

    Phase one will not be initiated. My SSG 140 Device is located behind a firewall with nat-t enabled. When I do a ping to the remote proxy ip I got the following ike detail debug. Any idea what the message <invalid-exchange-type> does mean? Thanks in advance for helping me to solve the issue :-)
    IPSEC-VPN:FW-VPN-PRZ(M)-> get db str

    2013-05-06 13:47:24 : IKE<0.0.0.0        >  I got hit by mail. 1

    2013-05-06 13:47:24 : IKE<62.159.65.138> update_sa->

    2013-05-06 13:47:24 : IKE<62.159.65.138> update_sa_ipsec->

    2013-05-06 13:47:24 : IKE<62.159.65.138> update_sa_ipsec: phase 2 idle time <0>.

    2013-05-06 13:47:24 : IKE<62.159.65.138> update_sa_ipsec exit

    2013-05-06 13:47:24 : IKE<62.159.65.138> update_sa_ipsec->

    2013-05-06 13:47:24 : IKE<62.159.65.138> update_sa_ipsec: phase 2 idle time <0>.

    2013-05-06 13:47:24 : IKE<62.159.65.138> update_sa_ipsec exit

    2013-05-06 13:47:24 : IKE<62.159.65.138> update_sa exit

    2013-05-06 13:47:24 : IKE<62.159.65.138> vpn.c 6306. Found tunnel local IP 192.168.4.249.

    2013-05-06 13:47:24 : IKE<62.159.65.138> key_add->

    2013-05-06 13:47:24 : IKE<62.159.65.138> s vpn/sa: 1/2, d vpn/sa: 0/0 sw key vpn tunnel basic: 500, all: 500

    2013-05-06 13:47:24 : IKE<62.159.65.138> key_add: allocated tunnel id:0x9

    2013-05-06 13:47:24 : IKE<62.159.65.138>

    crypto_ctx 22, 8, 24, 8, 0, 0, 16, 0, 12, 48

    2013-05-06 13:47:24 : nsp tunnel local_untrust_if_ip is 192.168.4.249.

    2013-05-06 13:47:24 : IKE<62.159.65.138> i = 1. sa->type_p2_sa = 2. sa->spi = 00000000. local_untrust_if_ip = 192.168.4.249.

    2013-05-06 13:47:24 : IKE<0.0.0.0        >  SPI = 0, do not insert

    2013-05-06 13:47:24 : IKE<0.0.0.0        >  SPI = 0, do not insert

    2013-05-06 13:47:24 : IKE<62.159.65.138> update acvpn flags for sa 1

    2013-05-06 13:47:24 : IKE<62.159.65.138> update acvpn flags for sa 1 - 0x20

    2013-05-06 13:47:24 : IKE<62.159.65.138> key_add: origin<0>.

    2013-05-06 13:47:24 : IKE<62.159.65.138> update auto NHTB status for sa 1

    2013-05-06 13:47:24 : IKE<62.159.65.138> key_add exit

    2013-05-06 13:47:24 : IKE<62.159.65.138> new_vpn_sa_index exit 1

    2013-05-06 13:47:24 : IKE<62.159.65.138> turning off monitor on the vpn.

    2013-05-06 13:47:24 : IKE<62.159.65.138> ****** Recv kernel msg IDX-1, TYPE-5 ******

    2013-05-06 13:47:24 : IKE<62.159.65.138> ****** Recv kernel msg IDX-1, TYPE-5 ******

    2013-05-06 13:47:24 : IKE<62.159.65.138> sa orig index<1>, peer_id<1>.

    2013-05-06 13:47:24 : IKE<62.159.65.138> isadb_get_entry_by_peer_and_local_if_port_p2sa isadb get entry by peer/local ip and port

    2013-05-06 13:47:24 : IKE<62.159.65.138>  create sa: 192.168.4.249->62.159.65.138

    2013-05-06 13:47:24 : getProfileFromP1Proposal->

    2013-05-06 13:47:24 : find profile[0]=<00000005 00000002 00000001 00000002> for p1 proposal (id 5), xauth(0)

    2013-05-06 13:47:24 : init p1sa, pidt = 0x0

    2013-05-06 13:47:24 : change peer identity for p1 sa, pidt = 0x0

    2013-05-06 13:47:24 : IKE<0.0.0.0        >  peer_identity_create_with_uid: uid<0>

    2013-05-06 13:47:24 : IKE<0.0.0.0        >  create peer identity 0x3e8a5c0

    2013-05-06 13:47:24 : IKE<0.0.0.0        >  peer_identity_add_to_peer: num entry before add <1>

    2013-05-06 13:47:24 : IKE<0.0.0.0        >  peer_identity_add_to_peer: num entry after add <2>

    2013-05-06 13:47:24 : peer identity 3e8a5c0 created.

    2013-05-06 13:47:24 : IKE<0.0.0.0        >  EDIPI disabled

    2013-05-06 13:47:24 : IKE<62.159.65.138> Phase 1: Initiated negotiation in main mode. <192.168.4.249 => 62.159.65.138>

    2013-05-06 13:47:24 : IKE<62.159.65.138> Construct ISAKMP header.

    2013-05-06 13:47:24 : IKE<62.159.65.138> Msg header built (next payload #1)

    2013-05-06 13:47:24 : IKE<62.159.65.138> Construct [SA] for ISAKMP

    2013-05-06 13:47:24 : IKE<62.159.65.138> auth(1)<preshrd>, encr(5)<3DES>, hash(2)<sha>, group(2)

    2013-05-06 13:47:24 : IKE<62.159.65.138> xauth attribute: disabled

    2013-05-06 13:47:24 : IKE<62.159.65.138> lifetime/lifesize (28800/0)

    2013-05-06 13:47:24 : IKE<0.0.0.0        >  set_phase1_transform, dh_group(2).

    2013-05-06 13:47:24 : IKE<62.159.65.138> Construct NetScreen [VID]

    2013-05-06 13:47:24 : IKE<62.159.65.138> Construct NAT-T [VID]: draft 2

    2013-05-06 13:47:24 : IKE<62.159.65.138> Construct NAT-T [VID]: draft 1

    2013-05-06 13:47:24 : IKE<62.159.65.138> Construct custom [VID]

    2013-05-06 13:47:24 : IKE<62.159.65.138> Construct custom [VID]

    2013-05-06 13:47:24 : IKE<62.159.65.138  > Xmit : [SA] [VID] [VID] [VID] [VID] [VID]

    2013-05-06 13:47:24 : IKE<62.159.65.138> Initiator sending IPv4 IP 62.159.65.138/port 500

    2013-05-06 13:47:24 : IKE<62.159.65.138> Send Phase 1 packet (len=196)

    2013-05-06 13:47:24 : IKE<62.159.65.138> Phase 2 task added

    2013-05-06 13:47:24 : IKE<62.159.65.138> ike packet, len 84, action 0

    2013-05-06 13:47:24 : IKE<62.159.65.138> Catcher: received 56 bytes from socket.

    2013-05-06 13:47:24 : IKE<62.159.65.138> ****** Recv packet if <ethernet0/0> of vsys <root> ******

    2013-05-06 13:47:24 : IKE<62.159.65.138> Catcher: get 56 bytes. src port 500

    2013-05-06 13:47:24 : IKE<0.0.0.0        >  ISAKMP msg: len 56, nxp 11[NOTIF], exch 5[INFO], flag 00

    2013-05-06 13:47:24 : IKE<62.159.65.138  > Recv : [NOTIF]

    2013-05-06 13:47:24 : IKE<62.159.65.138> Received notify message for DOI <0> <7> <invalid-exchange-type>.

    2013-05-06 13:47:25 : IKE<62.159.65.138> nhtb_list_update_status: vpn VPN_DUESSHYP

    2013-05-06 13:47:25 : IKE<62.159.65.138>  ** link ready return 8

    2013-05-06 13:47:25 : IKE<62.159.65.138> sa_link_status_for_tunl_ifp: saidx 0, preliminary status 8

    2013-05-06 13:47:25 : IKE<62.159.65.138>  local_if is ethernet0/0

    2013-05-06 13:47:29 : IKE<62.159.65.138> re-trans timer expired, msg retry (0) (100001/0)

    2013-05-06 13:47:29 : IKE<62.159.65.138> Initiator sending IPv4 IP 62.159.65.138/port 500

    2013-05-06 13:47:29 : IKE<62.159.65.138> Send Phase 1 packet (len=196)

    2013-05-06 13:47:29 : IKE<62.159.65.138> ike packet, len 84, action 0

    2013-05-06 13:47:29 : IKE<62.159.65.138> Catcher: received 56 bytes from socket.

    2013-05-06 13:47:29 : IKE<62.159.65.138> ****** Recv packet if <ethernet0/0> of vsys <root> ******

    2013-05-06 13:47:29 : IKE<62.159.65.138> Catcher: get 56 bytes. src port 500

    2013-05-06 13:47:29 : IKE<0.0.0.0        >  ISAKMP msg: len 56, nxp 11[NOTIF], exch 5[INFO], flag 00

    2013-05-06 13:47:29 : IKE<62.159.65.138  > Recv : [NOTIF]

    2013-05-06 13:47:29 : IKE<62.159.65.138> Received notify message for DOI <0> <7> <invalid-exchange-type>.

    2013-05-06 13:47:33 : IKE<62.159.65.138> re-trans timer expired, msg retry (1) (100001/0)

    2013-05-06 13:47:33 : IKE<62.159.65.138> Initiator sending IPv4 IP 62.159.65.138/port 500

    2013-05-06 13:47:33 : IKE<62.159.65.138> Send Phase 1 packet (len=196)

    2013-05-06 13:47:33 : IKE<62.159.65.138> ike packet, len 84, action 0

    2013-05-06 13:47:33 : IKE<62.159.65.138> Catcher: received 56 bytes from socket.

    2013-05-06 13:47:33 : IKE<62.159.65.138> ****** Recv packet if <ethernet0/0> of vsys <root> ******

    2013-05-06 13:47:33 : IKE<62.159.65.138> Catcher: get 56 bytes. src port 500

    2013-05-06 13:47:33 : IKE<0.0.0.0        >  ISAKMP msg: len 56, nxp 11[NOTIF], exch 5[INFO], flag 00

    2013-05-06 13:47:33 : IKE<62.159.65.138  > Recv : [NOTIF]

    2013-05-06 13:47:33 : IKE<62.159.65.138> Received notify message for DOI <0> <7> <invalid-exchange-type>.

    IPSEC-VPN:FW-VPN-PRZ(M)->
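
As an added example (not part of the original post, and not Juniper or WatchGuard code), this Python script parses ScreenOS-style IKE debug lines like those above and decodes the ISAKMP numbers they carry using the RFC 2408 tables. The function names and the embedded sample lines are assumptions constructed here.

```python
import re

# ISAKMP numbers from RFC 2408: exchange types (3.1) and notify types (3.14.1).
EXCHANGE = {1: "Base", 2: "Identity Protection (main mode)",
            3: "Authentication Only", 4: "Aggressive", 5: "Informational"}
NOTIFY = {7: "INVALID-EXCHANGE-TYPE", 14: "NO-PROPOSAL-CHOSEN", 24: "AUTHENTICATION-FAILED"}

# Constructed sample, shaped like the debug lines in the post.
SAMPLE = """\
2013-05-06 13:47:24 : IKE<62.159.65.138> Phase 1: Initiated negotiation in main mode. <192.168.4.249 => 62.159.65.138>
2013-05-06 13:47:24 : IKE<62.159.65.138> auth(1)<preshrd>, encr(5)<3DES>, hash(2)<sha>, group(2)
2013-05-06 13:47:24 : IKE<62.159.65.138> Send Phase 1 packet (len=196)
2013-05-06 13:47:24 : IKE<0.0.0.0        >  ISAKMP msg: len 56, nxp 11[NOTIF], exch 5[INFO], flag 00
2013-05-06 13:47:24 : IKE<62.159.65.138> Received notify message for DOI <0> <7> <invalid-exchange-type>.
2013-05-06 13:47:29 : IKE<62.159.65.138> re-trans timer expired, msg retry (0) (100001/0)
2013-05-06 13:47:29 : IKE<62.159.65.138> Send Phase 1 packet (len=196)
2013-05-06 13:47:29 : IKE<62.159.65.138> Received notify message for DOI <0> <7> <invalid-exchange-type>.
"""

INIT = re.compile(r"IKE<\s*([\d.]+)\s*> Phase 1: Initiated negotiation in (\w+) mode")
PROP = re.compile(r"auth\(\d+\)<(\w+)>, encr\(\d+\)<(\w+)>, hash\(\d+\)<(\w+)>, group\((\d+)\)")
HDR = re.compile(r"ISAKMP msg: len \d+, nxp \d+\[\w+\], exch (\d+)\[")
NOTIF = re.compile(r"Received notify message for DOI <\d+> <(\d+)>")

def summarize(log):
    """Collect the Phase 1 facts an IKE debug trace of this shape exposes."""
    s = {"peer": None, "mode": None, "proposal": None,
         "sent": 0, "retries": 0, "reply_exchanges": [], "notifies": []}
    for line in log.splitlines():
        if m := INIT.search(line):
            s["peer"], s["mode"] = m.group(1), m.group(2)
        elif m := PROP.search(line):
            s["proposal"] = (m.group(1), m.group(2), m.group(3), int(m.group(4)))
        elif "Send Phase 1 packet" in line:
            s["sent"] += 1
        elif m := HDR.search(line):
            s["reply_exchanges"].append(EXCHANGE.get(int(m.group(1)), "unknown"))
        elif m := NOTIF.search(line):
            s["notifies"].append(NOTIFY.get(int(m.group(1)), "other"))
        elif "re-trans timer expired" in line:
            s["retries"] += 1
    return s

def peer_rejects_exchange(s):
    """True when every Phase 1 packet sent drew an INVALID-EXCHANGE-TYPE notify."""
    return s["sent"] > 0 and s["notifies"].count("INVALID-EXCHANGE-TYPE") == s["sent"]

if __name__ == "__main__":
    print(summarize(SAMPLE), peer_rejects_exchange(summarize(SAMPLE)))
```

Notify type 7 is INVALID-EXCHANGE-TYPE in RFC 2408, so a `True` result means the peer answers each main-mode Phase 1 packet by rejecting its exchange type; the Phase 1 mode (main or aggressive) configured on the two gateways is one setting to compare.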


 
