Netscreen 25 and Netgear FVS318 rev3
jtbock last edited by
I am trying to set up a site-to-site VPN with an FVS318 (rev 3) and a NS25. I have deployed other FVS318 (rev2) devices which work fine, but the NS25 doesn’t seem to like the new rev 3 FVS318. I keep getting the following message:
Rejected an IKE packet on ethernet3 from xxx.xxx.xxx.xxx:500 to xxx.xxx.xxx.xxx:500 with cookies f8f0959ada48c1f0 and 0000000000000000 because an initial Phase 1 packet arrived from an unrecognized peer gateway.
Does anyone know if these latest Netgears work ok with the NS25?
I’ve examined the usual suspects repeatedly (peer id, gw address, preshared key) and I think everything is correct.
Another piece of info: I am testing the v3 FVS318 from behind the same gateway I usually use for an older v2. So I don’t know if the NS is unhappy to see the same foreign gateway being “reused” for a different tunnel attempt.
It is entirely possible I have something misconfigured somewhere, and will recheck everything again tomorrow…but if anyone has any experience (good or bad) with the v3 FVS318s, I would be most grateful for any info.
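The rejection message above is what a NetScreen writes when it cannot match an incoming Phase 1 packet to a configured IKE gateway. The following is an added example, not from the thread or from Juniper/Netgear, that pulls these events out of a `get dbuf stream` or event-log dump and flags the ones worth checking for a peer ID / ID-type mismatch; the log text is constructed (documentation addresses, one cookie pair taken from the post, a second event invented) and the ID-type numbers are the RFC 2407 IPsec DOI values.

```python
import re

# RFC 2407 IPsec DOI identification types carried in the IKE Phase 1 ID payload.
# The "type ID 2" that the thread eventually settles on is ID_FQDN.
IKE_ID_TYPES = {
    1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_USER_FQDN", 4: "ID_IPV4_ADDR_SUBNET",
    5: "ID_IPV6_ADDR", 6: "ID_IPV6_ADDR_SUBNET", 9: "ID_DER_ASN1_DN", 11: "ID_KEY_ID",
}

# Constructed sample log: the first event is in the wrapped form quoted in the post
# (placeholder addresses, cookies from the post); the second is an invented event
# with the same layout but a different reason, to show the classifier ignoring it.
SAMPLE_LOG = """\
Rejected an IKE packet on ethernet3
from 203.0.113.10:500 to 198.51.100.5:
500 with cookies f8f0959ada48c1f0 and
0000000000000000 because an initial
Phase 1 packet arrived from an
unrecognized peer gateway.
Rejected an IKE packet on ethernet3 from 203.0.113.10:500 to 198.51.100.5:500
with cookies 1a2b3c4d5e6f7a8b and 9f8e7d6c5b4a3f2e because of a constructed other reason.
"""

EVENT_RE = re.compile(
    r"Rejected an IKE packet on (?P<iface>\S+) "
    r"from (?P<src>[\d.]+):(?P<sport>\d+) to (?P<dst>[\d.]+): ?(?P<dport>\d+) "
    r"with cookies (?P<icookie>[0-9a-f]{16}) and (?P<rcookie>[0-9a-f]{16}) "
    r"because (?P<reason>.+?)\.?(?= Rejected an IKE packet|$)"
)

def parse_ike_rejects(log):
    """Return one dict per 'Rejected an IKE packet' event in a log dump."""
    events = []
    # Collapse line wrapping first: the device (or a forum paste) breaks lines
    # mid-message, even between the address and the port.
    for m in EVENT_RE.finditer(" ".join(log.split())):
        ev = m.groupdict()
        ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
        # An all-zero responder cookie means the packet opened a new Phase 1
        # exchange rather than continuing one the firewall already knows about.
        ev["new_exchange"] = ev["rcookie"] == "0" * 16
        # This reason means no configured gateway matched the peer's address,
        # ID value or ID type; the proposal and preshared key were never reached.
        ev["unrecognized_peer"] = "unrecognized peer gateway" in ev["reason"]
        events.append(ev)
    return events

def id_type_name(type_id):
    """Map a numeric IKE ID type (as printed by 'debug ike detail') to its DOI name."""
    return IKE_ID_TYPES.get(type_id, f"unknown({type_id})")
```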
jtbock last edited by
There was in fact a type ID mismatch. The older FVS318s must send type ID 2 as a default. The newer v3 model gives you choices, though they are not identified numerically. Type ID 2 corresponds to the “FQDN” choice when specifying local and remote IDs.
Hope this helps someone else. The “debug ike detail” was the way to go…thanks, Max. I would expand that to the following sequence:
1. ns-25>clear dbuf
2. ns-25>debug ike detail
3. Try to establish the vpn.
4. ns-25>undebug all
5. ns-25>get dbuf stream
Once I did that, the problem popped right out, and was relatively easy to fix from there. So just to be complete, the Netgear FVS318 v3 seems to work fine with the Netscreen.
MaxPipeline last edited by
“Phase 1 packet arrived from an unrecognized peer gateway” means that the NS25 did not recognize the peer ID itself or perhaps the peer ID type that the Netgear is sending. I would recommend running “debug ike detail” and seeing exactly what the Netgear is sending for the peer ID during phase 1.