VPN IKE Phase 1 issues between NS50 and Checkpoint NG

  • Hi,

    I’d appreciate some help on a VPN issue. I’ve just configured our first VPN (route based Autokey IKE with preshared key) on our Netscreen 50 (5.0.0r8.0) to a Checkpoint NG Feature Pack 3 firewall. The Netscreen VPN guide was used to ensure the correct method of configuration.

    I receive the following event and debug info (ultimately a phase 1 re-trans timeout):

    IKE<> >> <>
    Phase 1: Initiated negotiations in main mode.
    IKE<> Phase 1: Retransmission limit has been reached.

    send_request to peer
    Send Phase 1 packet (len=136)
    SA: (Root, local, state 0/0001, i):
    re-trans timer expired, msg retry (9) (0001/0)

    We’re using the following IKE/IPSEC settings, as specified from the 3rd party:
    IKE: 3DES, SHA-1, DH Group 2, Timeout 1440 Minutes
    IPSEC: 3DES, SHA-1, No PFS, Timeout 3600 seconds.

    The 3rd Party believe that they see the UDP port 500 request to initiate the tunnel from my firewall, and they believe that they send a response. However, the NS keeps sending the same initiation packet because I presume it doesn’t see the response.

    I can provide the full config if it helps, but here’s what I believe to be relevant with a few numbers hidden for security:
    set interface ethernet1 ip
    set interface ethernet1 nat
    set interface ethernet2 ip
    set interface ethernet2 route
    set interface ethernet3 ip OUTSIDEADDRESS/27
    set interface ethernet3 route
    set interface tunnel.1 ip unnumbered interface ethernet3
    set ike p1-proposal "LMUKPhase1" preshare group2 esp 3des sha-1 minute 1440
    set ike p2-proposal "LMUKPhase2" no-pfs esp 3des sha-1 second 3600
    set ike gateway "LMUK-Nectar" address REMOTEADDRESS Main outgoing-interface "ethernet3" preshare "XXX==" proposal "pre-g2-3des-sha"
    set ike respond-bad-spi 1
    set vpn "LMUK-NectarNetwork" gateway "LMUK-Nectar" no-replay tunnel idletime 0 proposal "LMUKPhase2"
    set vpn "LMUK-NectarNetwork" monitor

    Any assistance would be appreciated.

  • OK, some dumba$$ configured our outside interface to be using the network address of our outside subnet! I’ll be changing it tonight and I’m sure that should do the job. It’s been like that for two years too!
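The root cause found above is an outside interface whose host address is the network address of its /27, so the peer's IKE replies never reach a usable host. As an added check (not part of the original thread), the following Python script scans ScreenOS `set interface <name> ip <addr>/<prefix>` lines and flags any interface configured on the network or broadcast address of its subnet; the addresses in SAMPLE_CONFIG are constructed placeholders standing in for the hidden ones.

```python
import ipaddress
import re

# Constructed sample config (placeholder addresses, not the poster's real ones).
# ethernet3 reproduces the misconfiguration: 203.0.113.32 is the network
# address of 203.0.113.32/27, so it is not a valid host address.
SAMPLE_CONFIG = """\
set interface ethernet1 ip 10.0.0.1/24
set interface ethernet1 nat
set interface ethernet2 ip 192.168.1.1/24
set interface ethernet2 route
set interface ethernet3 ip 203.0.113.32/27
set interface ethernet3 route
set interface tunnel.1 ip unnumbered interface ethernet3
"""

# Matches only lines that assign a numbered IPv4 address with a prefix length;
# "ip unnumbered ..." lines do not match and are skipped.
IFACE_IP_RE = re.compile(r"^set interface (\S+) ip (\d{1,3}(?:\.\d{1,3}){3})/(\d{1,2})$")


def check_interface_addresses(config_text):
    """Return (interface, configured_address, problem) for every interface whose
    host address is the network or broadcast address of its subnet."""
    findings = []
    for line in config_text.splitlines():
        m = IFACE_IP_RE.match(line.strip())
        if not m:
            continue
        iface, addr, prefix = m.groups()
        ip_if = ipaddress.ip_interface(f"{addr}/{prefix}")
        net = ip_if.network
        # /31 and /32 have no separate network/broadcast host, so skip them.
        if net.prefixlen >= 31:
            continue
        if ip_if.ip == net.network_address:
            findings.append((iface, str(ip_if), "network address"))
        elif ip_if.ip == net.broadcast_address:
            findings.append((iface, str(ip_if), "broadcast address"))
    return findings


if __name__ == "__main__":
    for iface, addr, problem in check_interface_addresses(SAMPLE_CONFIG):
        print(f"{iface}: {addr} is the {problem} of its subnet; pick a host address")
```

Run it against the output of `get config` to catch the same mistake before debugging IKE retransmits on the tunnel.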