Netscreen ISG : traffic required to trigger tunnel
  • We are configuring VPN with a (right side) Netscreen ISG 1000 device; our left side is natted. Once the handshake floats the port from 500-> 4500, the Netscreen device does not appear to respond. Only initiating a traceroute from Netscreen side causes traffic to return through port 4500, and a complete tunnel negotiation.

    us (natted) <–> Netscreen

    Is this indicative of the right side needing to modify their "establish-tunnels (immediately | on-traffic)" setting? Where in the menu could they change this?

    Could something else cause this behavior?

    Trace of logs (data masked):

    “myConnection” #2: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
    | inserting event EVENT_NAT_T_KEEPALIVE, timeout in 20 seconds
    | event added at head of queue

    “myConnection” #3: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
    | deleting event for #3
    | NAT-T: floating to port 4500
    | NAT-T connection has wrong interface definition 173.0.0.224:4500 vs 173.0.0.224:500
    | NAT-T: using interface eth0:4500
    | sending reply packet to right_side_ip:4500 (from port 4500)

    // this retries a few times and eventually stays in waiting for pending DDNS
    | next event EVENT_PENDING_DDNS in 0 seconds
    | *time to handle event
    | handling event EVENT_PENDING_DDNS
    | event after this is EVENT_PENDING_PHASE2 in 60 seconds
    | inserting event EVENT_PENDING_DDNS, timeout in 60 seconds
    | event added at head of queue
    | next event EVENT_PENDING_DDNS in 60 seconds


    // finally then they run traceroute, traffic comes through and the tunnel is negotiated

    | *received 200 bytes from right_side_ip:4500 on eth0 (port=4500)

    packet from right_side_ip:4500: ignoring unknown Vendor ID payload [….0000000000000000]
    packet from right_side_ip:4500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
    packet from right_side_ip:4500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
    packet from right_side_ip:4500: received Vendor ID payload [Dead Peer Detection]
    packet from right_side_ip:4500: ignoring Vendor ID payload [HeartBeat Notify 386b0100]

    “myConnection” #4: responding to Main Mode

    Thanks!
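As an added example (not part of the original post, and not Netscreen or Openswan code), here is a small Python parser that walks a pluto-style debug trace like the one above and reports where the NAT-T exchange stalls: whether NAT was detected, whether the initiator floated to UDP 4500, how many times it looped on EVENT_PENDING_DDNS, and whether anything ever came back from the peer on port 4500. The sample log is constructed from the masked lines in the post; the function names and the verdict strings are my own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample, abbreviated from the masked trace in the post above.
SAMPLE_LOG = """\
"myConnection" #2: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
| inserting event EVENT_NAT_T_KEEPALIVE, timeout in 20 seconds
"myConnection" #3: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
| NAT-T: floating to port 4500
| NAT-T connection has wrong interface definition 173.0.0.224:4500 vs 173.0.0.224:500
| sending reply packet to right_side_ip:4500 (from port 4500)
| handling event EVENT_PENDING_DDNS
| inserting event EVENT_PENDING_DDNS, timeout in 60 seconds
| handling event EVENT_PENDING_DDNS
| *received 200 bytes from right_side_ip:4500 on eth0 (port=4500)
packet from right_side_ip:4500: received Vendor ID payload [Dead Peer Detection]
"myConnection" #4: responding to Main Mode
"""

# Line patterns taken from the message formats visible in the trace.
PATTERNS = {
    "nat_result": re.compile(r"NAT-Traversal: Result using \S+: (.+)$"),
    "float": re.compile(r"NAT-T: floating to port 4500"),
    "mismatch": re.compile(r"NAT-T connection has wrong interface definition"),
    "sent": re.compile(r"sending reply packet to \S+:4500"),
    "received": re.compile(r"received (\d+) bytes from \S+:4500"),
    "ddns": re.compile(r"handling event EVENT_PENDING_DDNS"),
    "main_mode": re.compile(r"responding to Main Mode"),
}


@dataclass
class NatTState:
    """What the trace tells us about the NAT-T handshake so far."""
    nat_result: Optional[str] = None   # e.g. "both are NATed"
    floated: bool = False              # initiator moved to UDP 4500
    interface_mismatch: bool = False   # the 4500-vs-500 interface warning
    sent_on_4500: int = 0              # packets we sent to the peer on 4500
    received_on_4500: int = 0          # packets the peer sent back on 4500
    pending_ddns: int = 0              # EVENT_PENDING_DDNS retry loops
    main_mode_started: bool = False    # a fresh Main Mode exchange began


def parse_nat_t(log_text: str) -> NatTState:
    """Scan the trace line by line and accumulate the handshake state."""
    state = NatTState()
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := PATTERNS["nat_result"].search(line):
            state.nat_result = m.group(1).strip()
        elif PATTERNS["float"].search(line):
            state.floated = True
        elif PATTERNS["mismatch"].search(line):
            state.interface_mismatch = True
        elif PATTERNS["sent"].search(line):
            state.sent_on_4500 += 1
        elif PATTERNS["received"].search(line):
            state.received_on_4500 += 1
        elif PATTERNS["ddns"].search(line):
            state.pending_ddns += 1
        elif PATTERNS["main_mode"].search(line):
            state.main_mode_started = True
    return state


def diagnose(log_text: str) -> str:
    """Reduce the parsed state to a short verdict a tunnel operator can act on.

    'peer-silent-after-float' is the situation in the post: we floated to
    4500 and kept sending, but nothing ever arrived from the peer on 4500
    until the far side generated traffic of its own.
    """
    s = parse_nat_t(log_text)
    if not s.floated:
        return "no-float"
    if s.received_on_4500 == 0:
        return "peer-silent-after-float"
    return "negotiating"


if __name__ == "__main__":
    print(parse_nat_t(SAMPLE_LOG))
    print("verdict:", diagnose(SAMPLE_LOG))
```

Running it on a trace cut off before the `*received ... :4500` line yields `peer-silent-after-float`, which is the state to look at on the responder side (whether it initiates or only answers on traffic, and whether UDP 4500 actually reaches it through the NAT); once the peer's packet on 4500 appears the verdict flips to `negotiating`.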

