Netscreen 5gt to netopia 3346N



  • Will a vpn from a 5gt work to a 3346N? And if so does anyone have a simple walkthrough?


  • Engineer

    Problem is the proxy ID.

    because some devices don’t check the proxy id. (that’s why it works from netscreen to netopia)

    Netscreen does check this! If you look in the event log you should see some messages like (proxy id X.X.X.X/X not found …)

    you need to change the proxy id to the same as the encryption domain on the netopia

    greetZ,
    Frac



  • I can ping the site T from site M, but not vice versa. T is the netscreen and the M is the netopia. What could cause this?


  • Engineer

    Hi,

    set console dbuff (means you send message to dbuf instead of term console)

    clear dbuff (means to clear the buffer (clear old debugs))
    debug ike detail (detail debug of ike)
    get dbuff stream (look at the message (debugs) in the dbuff)

    undebug all (unset the debug)

    Normally you should get some nice info with this debug, and we can then see what could be the problem.

    GreetZ,
    Frac



  • Frac, I don’t understand what you mean when you put:
    set console db
    clear db
    debug ike detail
    get db str

    undebug all

    and give us that output

    I looked in Juniper’s knowledge base on how to debug and the other documentation links but there are so many that I soon gave up. I think that when you’re putting db you mean debug but I can’t find anything on how to.



  • I believe I had the phase 1 and 2 incorrect, P2 proposal nopfs-esp-des-md5. So I can ping from site M to T but not the other way, what could be wrong? I’m sorry for my ignorance, I don’t know much about VPNs.

    2006-03-17 12:11:52 info IKE <M>Phase 2 msg ID <af13c3ee>: Completed negotiations with SPI <16db0e02>, tunnel ID <4>, and lifetime <3600> seconds/<1228800> KB.
    2006-03-17 12:11:52 info IKE <M>Phase 2 msg ID <af13c3ee>: Responded to the peer’s first message.
    2006-03-17 12:11:50 info IKE<M>: Received initial contact notification and removed Phase 1 SAs.
    2006-03-17 12:11:50 info IKE<M>: Received initial contact notification and removed Phase 2 SAs.
    2006-03-17 12:11:50 info IKE<M>: Received a notification message for DOI <1> <24578> <notify_initial_contact>.
    2006-03-17 12:11:50 info IKE <M>Phase 1: Completed Main mode negotiations with a <28800>-second lifetime.
    2006-03-17 12:11:50 info IKE <M>Phase 1: Responder starts MAIN mode negotiations.
    2006-03-17 12:11:34 info System configuration saved by administrator via web from host 192.168.1.199 to 192.168.1.1:80 by administrator
    2006-03-17 12:11:34 notif VPN Site A VPN with gateway MtoT and P2 proposal nopfs-esp-des-md5 has been modified by administrator via web from host 192.168.1.199 to 192.168.1.1:80
    2006-03-17 12:11:34 notif Gateway MtoT at M in main mode with ID [default peer id] has been modified by administrator via web from host 192.168.1.199 to 192.168.1.1:80.
    2006-03-17 12:11:10 info Rejected an IKE packet on untrust from M:500 to T:500 with cookies 6d16dcc4f0864e8f and 28c88908878117a4 because there were no acceptable Phase 1 proposals.
    2006-03-17 12:11:10 info IKE <M>Phase 1: Responder starts MAIN mode negotiations.
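The event-log excerpt above is the kind of evidence the thread keeps asking for, so here is an added example (not from this forum, Juniper or Netopia) of a small Python classifier that reads ScreenOS event-log lines and reports which IKE phases completed and which failures appeared, with the hint the thread's advice gives for each. The sample lines are constructed from the post above; the "proxy id ... not found" line paraphrases the message Frac describes earlier, and its exact wording on a real device is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample, modelled on the ScreenOS event-log lines quoted in this
# thread (peer names M/T and the cookie values come from the post). The
# "proxy id ... not found" line is a paraphrase of the message Frac describes;
# its exact wording on a real box is an assumption.
SAMPLE_LOG = """\
2006-03-17 12:11:10 info Rejected an IKE packet on untrust from M:500 to T:500 with cookies 6d16dcc4f0864e8f and 28c88908878117a4 because there were no acceptable Phase 1 proposals.
2006-03-17 12:11:10 info IKE <M>Phase 1: Responder starts MAIN mode negotiations.
2006-03-17 12:11:50 info IKE <M>Phase 1: Completed Main mode negotiations with a <28800>-second lifetime.
2006-03-17 12:11:51 info IKE <M>Phase 2: proxy id 10.0.0.0/24 not found.
2006-03-17 12:11:52 info IKE <M>Phase 2 msg ID <af13c3ee>: Completed negotiations with SPI <16db0e02>, tunnel ID <4>, and lifetime <3600> seconds/<1228800> KB.
"""


@dataclass
class Event:
    timestamp: str
    peer: Optional[str]
    kind: str      # one of the RULES kinds, or "other"
    message: str


# Ordered (pattern, kind) rules; the first match wins.
RULES = [
    (re.compile(r"no acceptable Phase 1 proposals"), "p1_rejected"),
    (re.compile(r"proxy[ -]id \S+ not found", re.IGNORECASE), "proxy_id_mismatch"),
    (re.compile(r"Phase 1: Responder starts"), "p1_responder"),
    (re.compile(r"Phase 1: Completed"), "p1_complete"),
    (re.compile(r"Phase 2 msg ID <[0-9a-f]+>: Completed"), "p2_complete"),
]

# "<timestamp> <severity> <message>"
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ (.*)$")
# The peer appears either as "IKE <peer>" or as "from <peer>:500 to ..."
PEER_RE = re.compile(r"IKE\s*<([^>]+)>|from (\S+?):500 to")

# What each failure kind means, following the advice given in this thread.
HINTS = {
    "p1_rejected": ("Phase 1 proposal mismatch, wrong pre-shared key, or wrong "
                    "outgoing interface: compare DH group, encryption and hash "
                    "on both peers."),
    "proxy_id_mismatch": ("Phase 2 proxy-ID mismatch: the Netscreen proxy-id "
                          "(local and remote network/mask) must equal the "
                          "peer's encryption domain."),
}


def parse_line(line: str) -> Optional[Event]:
    """Turn one event-log line into an Event, or None if it is not a log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    timestamp, message = m.groups()
    peer_match = PEER_RE.search(message)
    peer = (peer_match.group(1) or peer_match.group(2)) if peer_match else None
    for pattern, kind in RULES:
        if pattern.search(message):
            return Event(timestamp, peer, kind, message)
    return Event(timestamp, peer, "other", message)


def summarize(log_text: str) -> dict:
    """Classify a log excerpt: which phases completed and which failures appeared."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e is not None]
    # The excerpts in the thread are pasted newest-first; a stable sort on the
    # timestamp puts them back into negotiation order.
    events.sort(key=lambda e: e.timestamp)
    kinds = {e.kind for e in events}
    failures: List[Tuple[str, str, str]] = [
        (e.timestamp, e.kind, HINTS[e.kind]) for e in events if e.kind in HINTS
    ]
    return {
        "peers": sorted({e.peer for e in events if e.peer}),
        "this_side_was_responder": "p1_responder" in kinds,
        "phase1_up": "p1_complete" in kinds,
        "phase2_up": "p2_complete" in kinds,
        "failures": failures,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Paste a `get event` excerpt into `SAMPLE_LOG` (or feed a file's contents to `summarize`) and the `failures` list tells you whether the tunnel is stuck in Phase 1 (proposal, key or interface) or in Phase 2 (proxy ID), which is the distinction the replies in this thread hinge on.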


  • Engineer

    Hi,

    you can’t change initiator and responder (because the first one that sends a packet is the initiator)

    the problem can be 3 things:

    • preshared key is wrong
    • outgoing interface is wrong
    • phase one proposal is wrong

    do this on the netscreen:

    set console db
    clear db
    debug ike detail
    get db str

    undebug all

    and give us that output

    greetZ,
    Frac



  • How do I change which one is the initiator and responder?

    If I setup the netscreen as the site B instead of A would that do it?



  • OK, first of all I have never used Netopia before so cannot help there. Second, that netopia guy obviously has no clue what he is talking about. IPsec is pretty much all the Netscreen does too for the tunnelling protocol across a WAN. Now I know we can tunnel GRE too, but that is always encapsulated within IPsec.

    It sounds like you have either a mismatch in proposals or your proxy-id is incorrect. It also looks like the Netscreen is the initiator and the Netopia is the responder. I would suggest having the Netopia initiate the tunnel. That way the Netscreen will be the responder and you can find out exactly what the Netopia is sending. Then match that in the Netscreen. One more note. PFS disable will negate your DH group setting. So if your proposals are using group 1 on the Netscreen then either try enabling PFS on the Netopia or select nopfs as part of your p2 proposal.



  • I had a conversation with a netopia person, this is how the conversation went.

    [digitalmuscle] I have a netopia 3346n-002 that i would like to setup a vpn with a netscreen 5gt.
    [Sal] ok
    [digitalmuscle] I was wondering if this is possible?
    [digitalmuscle] If it is possible what would the settings on the 3346 need to look like?
    [Sal] well the 3346-002 can only do ipsec
    [digitalmuscle] That’s fine, the netscreen 5gt can do ipsec.
    [Sal] yes then this can do ipsec only
    [digitalmuscle] I’m not sure what you mean by ipsec only? Do you mean that some mix ipsec and something else?
    [digitalmuscle] what kind of proposal does the 3346 use in phase1 and 2?
    [Sal] well the 3346 is able to handle ipsec protocol only for VPN
    [Sal] ike
    [digitalmuscle] so I would have to find out if the netscreen uses ike for phase1 and 2?
    [Sal] yes u may have to



  • Two separate mechanisms for IPSec tunnel support are provided by your Gateway:
    IPSec PassThrough supports VPN clients running on LAN-connected computers. Disable this checkbox if your LAN-side VPN client includes its own NAT interoperability solution.
    SafeHarbour is a keyed feature that enables Gateway-terminated VPN support.

    I have SafeHarbour checked.

    Then I have these options:
    On – checked yes
    Name – MtoT
    Peer External IP Address – the ip address of the netscreen
    Encryption Protocol – I have two options ESP/None – so I picked ESP
    Authentication Protocol – I have three options ESP/AH/None – so I picked ESP
    Key Management – I have one option IKE

    Then on the next page I have:
    Name – MtoT
    Peer Internal Network – 192.168.1.0
    Peer Internal Netmask – 255.255.255.0
    Negotiation Method Main/Aggressive – so I picked Main
    Pre-Shared Key Type ASCII/Hex – so I picked ASCII
    Pre-Shared Key – the key I use in the netscreen 5gt
    DH Group 1/2/5 – I left it on 1
    PFS Enable/Disable – left it on disable
    SA Encrypt Type DES3/DES – I put it on DES
    SA Hash Type MD5/SHA1 – I put it on MD5
    Soft MBytes default at 1000
    Soft Seconds default at 82800
    Hard MBytes default at 1200
    Hard Seconds default at 86400
    IPSec MTU default at 1500

    that’s all the settings for the netopia
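As an added example (not from this forum, Juniper or Netopia), the following Python script takes the Netopia SafeHarbour settings listed above and derives what the Netscreen side has to look like: the Phase 1 and Phase 2 proposal names, the Main/Aggressive mode, and the mirrored proxy IDs that Frac's first reply says must match the Netopia encryption domain. It also applies the point made earlier in the thread that with PFS disabled the DH group plays no part in Phase 2, so the Netscreen must offer a `nopfs-` proposal. The only proposal name on the page is `nopfs-esp-des-md5`; building the other names from the same `pre-g<group>-<enc>-<hash>` / `nopfs-esp-<enc>-<hash>` pattern is an assumption about ScreenOS's predefined proposal naming, and the Netopia's own LAN (`10.0.0.0/24`) is a constructed placeholder since the thread never states it.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass
class NetopiaSafeHarbour:
    """The SafeHarbour fields listed in the post above."""
    negotiation: str     # "Main" or "Aggressive"
    dh_group: int        # 1, 2 or 5
    pfs: bool
    sa_encrypt: str      # "DES" or "DES3"
    sa_hash: str         # "MD5" or "SHA1"
    peer_internal: str   # Peer Internal Network/Netmask = the Netscreen's LAN
    local_network: str   # the Netopia's own LAN; not stated in the thread (constructed)


@dataclass
class NetscreenVpn:
    """The matching pieces of a ScreenOS AutoKey IKE VPN."""
    p1_proposal: str
    p2_proposal: str
    proxy_local: str     # local network/mask on the Netscreen
    proxy_remote: str    # remote network/mask on the Netscreen
    main_mode: bool


# Netopia menu labels -> tokens used in ScreenOS predefined proposal names
ENC = {"DES": "des", "DES3": "3des"}
HASH = {"MD5": "md5", "SHA1": "sha"}


def expected_netscreen(n: NetopiaSafeHarbour) -> NetscreenVpn:
    """Derive the Netscreen settings these Netopia settings require."""
    enc, h = ENC[n.sa_encrypt], HASH[n.sa_hash]
    # Phase 1 always performs a DH exchange, so the group is part of the name
    # (assumed naming pattern, "pre-g1-des-md5" style).
    p1 = f"pre-g{n.dh_group}-{enc}-{h}"
    # With PFS disabled there is no DH exchange in Phase 2, so the DH group is
    # irrelevant there and the Netscreen must offer a "nopfs-" proposal.
    p2 = f"g{n.dh_group}-esp-{enc}-{h}" if n.pfs else f"nopfs-esp-{enc}-{h}"
    # Proxy IDs are mirror images: the Netscreen's local network is what the
    # Netopia calls the peer's internal network, and vice versa.
    return NetscreenVpn(p1, p2, proxy_local=n.peer_internal,
                        proxy_remote=n.local_network,
                        main_mode=(n.negotiation == "Main"))


def same_net(a: str, b: str) -> bool:
    """Compare networks written as either 'x/prefix' or 'x/dotted-mask'."""
    return ipaddress.ip_network(a, strict=False) == ipaddress.ip_network(b, strict=False)


def mismatches(actual: NetscreenVpn, n: NetopiaSafeHarbour) -> List[str]:
    """List every place the Netscreen config disagrees with the Netopia side."""
    want = expected_netscreen(n)
    problems = []
    if actual.p1_proposal != want.p1_proposal:
        problems.append(f"phase1 proposal: have {actual.p1_proposal}, need {want.p1_proposal}")
    if actual.p2_proposal != want.p2_proposal:
        problems.append(f"phase2 proposal: have {actual.p2_proposal}, need {want.p2_proposal}")
    if actual.main_mode != want.main_mode:
        problems.append("negotiation mode: Main/Aggressive differs")
    if not same_net(actual.proxy_local, want.proxy_local):
        problems.append(f"proxy-id local: have {actual.proxy_local}, need {want.proxy_local}")
    if not same_net(actual.proxy_remote, want.proxy_remote):
        problems.append(f"proxy-id remote: have {actual.proxy_remote}, need {want.proxy_remote}")
    return problems


# The Netopia side exactly as listed in the post; the Netopia's own LAN
# (10.0.0.0/24) is a constructed placeholder.
NETOPIA = NetopiaSafeHarbour(negotiation="Main", dh_group=1, pfs=False,
                             sa_encrypt="DES", sa_hash="MD5",
                             peer_internal="192.168.1.0/255.255.255.0",
                             local_network="10.0.0.0/255.255.255.0")

# A constructed Netscreen side with one deliberate slip: a stronger Phase 1
# proposal than the Netopia offers, which is the sort of mismatch that yields
# the "no acceptable Phase 1 proposals" rejection seen in the thread.
NETSCREEN = NetscreenVpn(p1_proposal="pre-g2-3des-sha",
                         p2_proposal="nopfs-esp-des-md5",
                         proxy_local="192.168.1.0/24",
                         proxy_remote="10.0.0.0/24",
                         main_mode=True)

if __name__ == "__main__":
    print(expected_netscreen(NETOPIA))
    for problem in mismatches(NETSCREEN, NETOPIA):
        print("MISMATCH:", problem)
```

Run as-is it reports only the Phase 1 proposal mismatch; fill in `NETSCREEN` from `get vpn` / `get ike gateway` output on the 5GT and the empty list is the goal. Note that DES and MD5 are what the Netopia menu offers here, not a recommendation; `same_net` accepts both the Netopia's dotted-mask notation and the Netscreen's prefix notation so the proxy-ID comparison does not fail on formatting alone.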



  • 2006-03-15 01:21:59 info Rejected an IKE packet on untrust from ipaddress from A:500 to ipaddress B:500 with cookies 47e60e145dbb337d and 4221bddd84e52d43 because there were no acceptable Phase 1 proposals.
    2006-03-15 01:21:59 info IKE <ipaddress A>Phase 1: Responder starts MAIN mode negotiations.

    A is the netopia
    B is the netscreen



  • I have this site, http://www.netopia.com/support/hardware/technotes/CQG_053.html and I have the netscreen concepts and examples, which is what I’m trying to set it up using as my walkthroughs.

