Netscreen 25 and Netgear FVS318 rev3



  • Hi,

    I am trying to set up a site-to-site VPN with an FVS318 (rev 3) and a NS25.  I have deployed other FVS318 (rev2) devices which work fine, but the NS25 doesn’t seem to like the new rev 3 FVS318.  I keep getting the following message:
    Rejected an IKE packet on ethernet3 from xxx.xxx.xxx.xxx:500 to xxx.xxx.xxx.xxx:500 with cookies f8f0959ada48c1f0 and 0000000000000000 because an initial Phase 1 packet arrived from an unrecognized peer gateway.

    Does anyone know if these latest Netgears work ok with the NS25?
    I’ve examined the usual suspects repeatedly (peer id, gw address, preshared key) and I think everything is correct.

    Another piece of info: I am testing the v3 FVS318 from behind the same gateway I usually use for an older v2.  So I don’t know if the NS is unhappy to see the same foreign gateway being “reused” for a different tunnel attempt.

    It is entirely possible I have something misconfigured somewhere, and will recheck everything again tomorrow…but if anyone has any experience (good or bad) with the v3 FVS318s, I would be most grateful for any info.

    Thanks…



  • There was in fact a type ID mismatch.  The older FVS318s must send type ID 2 as a default.  The newer v3 model gives you choices, though they are not identified numerically.  Type ID 2 corresponds to the “FQDN” choice when specifying local and remote IDs.

    Hope this helps someone else.  The “debug ike detail” was the way to go…thanks, Max.  I would expand that to the following sequence:

    1. ns-25>clear dbuf
    2. ns-25>debug ike detail
    3. Try to establish the vpn.
    4. ns-25>undebug all
    5. ns-25>get dbuf stream

    Once I did that, the problem popped right out, and was relatively easy to fix from there.  So just to be complete, the Netgear FVS318 v3 seems to work fine with the Netscreen.



  • “Phase 1 packet arrived from an unrecognized peer gateway” means that the NS25 did not recognize the peer ID itself or perhaps the peer ID type that the Netgear is sending. I would recommend running “debug ike detail” and seeing exactly what the Netgear is sending for the peer ID during phase 1.

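The two replies above come down to one check on the responder: the identity in the peer's first Phase 1 packet (responder cookie still all zeros) is looked up as a pair of ID type and ID value, so an FQDN string sent as ID type 3 (ID_USER_FQDN) does not match a gateway configured for type 2 (ID_FQDN). The following Python script is an added example, not ScreenOS or Netgear code: it decodes an IKEv1 ISAKMP header and Identification payload per RFC 2408/2407, looks the identity up in a gateway table, and reports a type mismatch explicitly. The messages, the gateway name `netgear-site`, the FQDN `fvs318.example.net` and the one-payload aggressive-mode message are constructed for illustration (a real first message also carries SA, KE and nonce payloads).

```python
"""Decode the first IKEv1 (ISAKMP) Phase 1 message and look the peer identity
up in a table of configured gateways, mirroring the check behind
"initial Phase 1 packet arrived from an unrecognized peer gateway".

Added example: all messages are constructed here; gateway names, FQDNs and
the match rule are assumptions for illustration, not ScreenOS or Netgear code.
"""
import ipaddress
import struct
from dataclasses import dataclass

# RFC 2407 (IPsec DOI) identification types carried in the IKEv1 ID payload.
ID_TYPES = {
    1: "ID_IPV4_ADDR",
    2: "ID_FQDN",
    3: "ID_USER_FQDN",
    4: "ID_IPV4_ADDR_SUBNET",
    5: "ID_IPV6_ADDR",
    6: "ID_IPV6_ADDR_SUBNET",
    9: "ID_DER_ASN1_DN",
    11: "ID_KEY_ID",
}
PAYLOAD_NONE = 0
PAYLOAD_ID = 5          # Identification payload type (RFC 2408)
EXCH_AGGRESSIVE = 4     # in aggressive mode the ID payload is in message 1
HEADER_LEN = 28


@dataclass
class IsakmpHeader:
    icookie: bytes
    rcookie: bytes
    next_payload: int
    exchange_type: int
    length: int


def parse_header(data: bytes) -> IsakmpHeader:
    if len(data) < HEADER_LEN:
        raise ValueError("truncated ISAKMP header")
    icookie, rcookie, np, _ver, etype, _flags, _mid, length = struct.unpack(
        "!8s8sBBBBII", data[:HEADER_LEN])
    if length != len(data):
        raise ValueError("ISAKMP length field does not match datagram")
    return IsakmpHeader(icookie, rcookie, np, etype, length)


def iter_payloads(data: bytes, first_type: int):
    """Walk the generic payload chain; each payload header names the next."""
    off, ptype = HEADER_LEN, first_type
    while ptype != PAYLOAD_NONE:
        np, _res, plen = struct.unpack("!BBH", data[off:off + 4])
        if plen < 4 or off + plen > len(data):
            raise ValueError("bad payload length")
        yield ptype, data[off + 4:off + plen]
        off, ptype = off + plen, np


def decode_id(body: bytes):
    """Return (id_type, value) from an Identification payload body."""
    idtype, _proto, _port = struct.unpack("!BBH", body[:4])
    ident = body[4:]
    if idtype == 1:
        return idtype, str(ipaddress.IPv4Address(ident))
    if idtype in (2, 3):          # FQDN and USER_FQDN are plain ASCII strings
        return idtype, ident.decode("ascii")
    return idtype, ident.hex()


def build_id_payload(idtype: int, value: str, next_payload: int = PAYLOAD_NONE) -> bytes:
    ident = ipaddress.IPv4Address(value).packed if idtype == 1 else value.encode("ascii")
    body = struct.pack("!BBH", idtype, 17, 500) + ident   # protocol UDP, port 500
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def build_initial_message(icookie: bytes, payloads: bytes, first_type: int) -> bytes:
    """Constructed first Phase 1 packet: responder cookie all zeros, as in the log."""
    length = HEADER_LEN + len(payloads)
    return struct.pack("!8s8sBBBBII", icookie, bytes(8), first_type, 0x10,
                       EXCH_AGGRESSIVE, 0, 0, length) + payloads


def match_peer_gateway(data: bytes, gateways: dict) -> str:
    """gateways maps (id_type, value) -> gateway name, like a configured
    gateway list.  Both type and value must match; a value that matches
    under another type is reported as the likely cause."""
    hdr = parse_header(data)
    if hdr.rcookie != bytes(8):
        return "not an initial Phase 1 packet (responder cookie set)"
    ids = [decode_id(b) for t, b in iter_payloads(data, hdr.next_payload) if t == PAYLOAD_ID]
    if not ids:
        return "no ID payload; match by source address instead"
    idtype, value = ids[0]
    if (idtype, value) in gateways:
        return f"accepted: peer gateway {gateways[(idtype, value)]}"
    others = [ID_TYPES.get(t, t) for (t, v) in gateways if v == value]
    hint = f" (value matches a gateway configured with {others[0]})" if others else ""
    return (f"rejected: unrecognized peer gateway, peer sent "
            f"{ID_TYPES.get(idtype, idtype)} {value!r}{hint}")


if __name__ == "__main__":
    gw = {(2, "fvs318.example.net"): "netgear-site"}      # assumed config
    cookie = bytes.fromhex("f8f0959ada48c1f0")             # cookie from the log
    for t in (3, 2):
        msg = build_initial_message(cookie, build_id_payload(t, "fvs318.example.net"), PAYLOAD_ID)
        print(match_peer_gateway(msg, gw))
```

Run as-is, the first message (identity sent as ID_USER_FQDN) is rejected with the hint that the same value exists under ID_FQDN, which is the mismatch the thread found with "debug ike detail"; the second message matches. On a real capture, point `parse_header` at the UDP/500 payload of the peer's first packet instead of the constructed message.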

 
