Firewall Wizards: RE: Netscreen-pix515 IPsec interop

RE: Netscreen-pix515 IPsec interop

From: <lordchariot_at_earthlink.net>
Date: Tue, 2 Sep 2003 10:36:10 -0400

Sudheer,

A very useful site for interoperability is:
http://www.vpnc.org/InteropProfiles/

They have a list of VPN devices set up in a common manner to connect to
each other. Netscreen is listed, but PIX is not. However, the profile
for IOS may be useful.
Good Luck,
Erik

-----Original Message-----
From: firewall-wizards-admin_at_honor.icsalabs.com
[mailto:firewall-wizards-admin_at_honor.icsalabs.com] On Behalf Of Sudheer
MT
Sent: Monday, September 01, 2003 11:46 PM
To: firewall-wizards_at_honor.icsalabs.com
Subject: [fw-wiz] Netscreen-pix515 IPsec interop

Hi,

We are using a Netscreen firewall, which is configured
for site-to-site VPN (both ends Netscreen firewalls).
We need to replace the Netscreen here.

We have a Cisco 515 with IOS 6.2.

We are facing a problem with Phase 2 negotiation.

Here are the details of the VPN as configured in the Netscreen.

P1 proposal (pre-g2-3des-sha):
Main mode
Method: preshare
DH Group 2
Encrypt/Auth: 3DES/SHA
Lifetime 28800

P2 proposal (g2-esp-3des-sha):

Replay: enable replay protection
PFS: DH Group 2
Encap: ESP
Encrypt/Auth: 3DES/SHA
Lifetime 3600

Here is the PIX config for the above.
!
crypto ipsec transform-set mytranset esp-3des esp-sha-hmac
sysopt ipsec pl-compatible
sysopt connection permit-ipsec
no sysopt route dnat
!
access-list myvpn permit tcp 192.168.70.0 255.255.255.224 host 172.16.254.2 eq 2401
access-list myvpn permit tcp 192.168.70.0 255.255.255.224 host 172.16.254.2 eq www
access-list myvpn permit icmp 192.168.70.0 255.255.255.224 host 172.16.254.2
!
isakmp key **** address 194.78.66.32 netmask 255.255.255.255
isakmp identity address
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption 3des
isakmp policy 2 hash sha
isakmp policy 2 group 2
isakmp policy 2 lifetime 3600
isakmp enable outside
!
crypto map vpn-nk 20 ipsec-isakmp
crypto map vpn-nk 20 match address myvpn
crypto map vpn-nk 20 set pfs group2
crypto map vpn-nk 20 set peer 194.78.66.32
crypto map vpn-nk 20 set transform-set mytranset
crypto map vpn-nk interface outside

=============================
Here is the log:
NETKRAFT515(config)# show ipsec sa
VPN Peer: ISAKMP: Added new peer: ip:194.78.66.32 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:194.78.66.32 Ref cnt incremented to:1 Total VPN Peers:1
ISAKMP (0): beginning Main Mode exchange

crypto_isakmp_process_block: src 194.78.66.32, dest 203.197.172.62
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 2800
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 2 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 2800
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src 194.78.66.32, dest 203.197.172.62
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): ID payload
        next-payload : 8
        type : 1
        protocol : 17
        port : 500
        length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src 194.78.66.32, dest 203.197.172.62
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
ISAKMP (0): beginning Quick Mode exchange, M-ID of -645140618:d98bef76
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xdc107272(3692065394) for SA
        from 194.78.66.32 to 203.197.172.62 for prot 3
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): retransmitting phase 2...
IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 203.197.172.62, remote= 194.78.66.32,
    local_proxy= 192.168.70.0/255.255.255.224/6/0 (type=4),
    remote_proxy= 172.16.254.2/255.255.255.255/6/2401 (type=1)
ISAKMP (0): beginning Quick Mode exchange, M-ID of 1524565892:5adf0784
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xfc1bf72c(4229691180) for SA
        from 194.78.66.32 to 203.197.172.62 for prot 3
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...
IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 203.197.172.62, remote= 194.78.66.32,
    local_proxy= 192.168.70.0/255.255.255.224/6/0 (type=4),
    remote_proxy= 172.16.254.2/255.255.255.255/6/2401 (type=1)
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): deleting SA: src 203.197.172.62, dst 194.78.66.32
ISADB: reaper checking SA 0x812c2790, conn_id = 0 DELETE IT!
VPN Peer: ISAKMP: Peer ip:194.78.66.32 Ref cnt decremented to:0 Total VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:194.78.66.32 Total VPN peers:0
VPN Peer: ISAKMP: Added new peer: ip:194.78.66.32 Total VPN Peers:1

Sudheer

_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Received on Sep 02 2003
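Added example, not code from the thread or from Cisco/Netscreen: a small parser for the PIX 6.x ISAKMP/IPsec debug trace posted above, showing the reading a practitioner would make of it before touching either box. Phase 1 here is fine (the peer's transform was rejected by policy 1, accepted by policy 2, and the SA authenticated); what fails is Quick Mode, which is retransmitted six times and never answered until the SA is reaped. A Quick Mode that gets no reply at all is usually the responder discarding the proposal without a notification, so the useful thing to extract is exactly what the PIX proposed: the proxy identities, which on a PIX are derived from the crypto ACL and therefore carry a protocol and port (here TCP/2401 to a single host) that the other side must be willing to accept. The line patterns are taken from the posted log and the sample trace is an abridged copy of it; the protocol-number table and the wording of the findings are my own assumptions. The parser expects one debug message per line, as in the unwrapped log above.

```python
"""Summarise a PIX 6.x 'debug crypto isakmp' / 'debug crypto ipsec' trace.

Added example for this thread, not Cisco or Netscreen code.  The line
patterns are taken from the debug output posted in the thread; SAMPLE_LOG
is an abridged copy of that output.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Abridged copy of the posted PIX 6.2 trace (one debug message per line).
SAMPLE_LOG = """\
ISAKMP (0): beginning Main Mode exchange
ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP: life duration (basic) of 2800
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 2 policy
ISAKMP: life duration (basic) of 2800
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA has been authenticated
ISAKMP (0): beginning Quick Mode exchange, M-ID of -645140618:d98bef76
ISAKMP (0): retransmitting phase 2...
IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 203.197.172.62, remote= 194.78.66.32,
    local_proxy= 192.168.70.0/255.255.255.224/6/0 (type=4),
    remote_proxy= 172.16.254.2/255.255.255.255/6/2401 (type=1)
ISAKMP (0): beginning Quick Mode exchange, M-ID of 1524565892:5adf0784
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): deleting SA: src 203.197.172.62, dst 194.78.66.32
"""

POLICY_RE = re.compile(r"Checking ISAKMP transform \d+ against priority (\d+) policy")
LIFE_RE = re.compile(r"life duration \(basic\) of (\d+)")
PROXY_RE = re.compile(r"(local|remote)_proxy= (\S+) \(type=\d+\)")
PROTO_NAMES = {0: "any", 1: "icmp", 6: "tcp", 17: "udp"}  # assumed IP protocol numbers


@dataclass
class IkeSummary:
    phase1_policy: Optional[int] = None        # PIX policy priority that accepted the peer's transform
    phase1_rejected: List[int] = field(default_factory=list)
    peer_lifetime: Optional[int] = None        # phase 1 lifetime the peer proposed, in seconds
    phase1_authenticated: bool = False
    quick_mode_attempts: int = 0
    phase2_retransmits: int = 0
    local_proxy: Optional[str] = None          # addr/mask/proto/port as printed by the PIX
    remote_proxy: Optional[str] = None
    sa_deleted: bool = False


def parse_pix_isakmp(text: str) -> IkeSummary:
    """Walk the trace once and record the phase 1 outcome and phase 2 proposal."""
    s = IkeSummary()
    checking: Optional[int] = None  # policy currently being compared against the peer's transform
    for raw in text.splitlines():
        line = raw.strip()
        if m := POLICY_RE.search(line):
            checking = int(m.group(1))
        elif m := LIFE_RE.search(line):
            s.peer_lifetime = int(m.group(1))
        elif "atts are not acceptable" in line:
            if checking is not None:
                s.phase1_rejected.append(checking)
        elif "atts are acceptable" in line:
            s.phase1_policy = checking
        elif "SA has been authenticated" in line:
            s.phase1_authenticated = True
        elif "beginning Quick Mode exchange" in line:
            s.quick_mode_attempts += 1
        elif "retransmitting phase 2" in line:
            s.phase2_retransmits += 1
        elif m := PROXY_RE.search(line):
            setattr(s, f"{m.group(1)}_proxy", m.group(2))
        elif line.startswith("ISAKMP (0): deleting SA"):
            s.sa_deleted = True
    return s


def decode_proxy(proxy: str) -> Dict[str, object]:
    """Split a PIX proxy identity 'addr/mask/proto/port' into its traffic selectors."""
    addr, mask, proto, port = proxy.split("/")
    return {"network": addr, "mask": mask,
            "protocol": PROTO_NAMES.get(int(proto), proto), "port": int(port)}


def diagnose(s: IkeSummary) -> List[str]:
    """Turn the summary into the checks a practitioner would make next."""
    findings: List[str] = []
    if s.phase1_policy is None:
        return ["Phase 1: no ISAKMP policy accepted the peer's transform"]
    findings.append(f"Phase 1: accepted by policy {s.phase1_policy}"
                    + (f" after policies {s.phase1_rejected} rejected it" if s.phase1_rejected else ""))
    if not s.phase1_authenticated:
        findings.append("Phase 1: SA never authenticated; check pre-shared key and peer identity")
        return findings
    if s.phase2_retransmits and s.sa_deleted and s.local_proxy and s.remote_proxy:
        lp, rp = decode_proxy(s.local_proxy), decode_proxy(s.remote_proxy)
        findings.append(f"Phase 2: {s.quick_mode_attempts} Quick Mode attempts, "
                        f"{s.phase2_retransmits} retransmits, then the SA was torn down "
                        "with no reply from the peer")
        findings.append("Phase 2: proposed proxy IDs "
                        f"local={lp['network']}/{lp['mask']} {lp['protocol']}/{lp['port']} "
                        f"remote={rp['network']}/{rp['mask']} {rp['protocol']}/{rp['port']}; "
                        "the responder must accept these selectors, so compare them with "
                        "the peer's proxy IDs / VPN policy")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_pix_isakmp(SAMPLE_LOG)):
        print(finding)
```

Run it against a full `debug crypto isakmp` capture (after joining any lines the terminal wrapped) and it reports whether the failure is in Phase 1 policy matching, Phase 1 authentication, or an unanswered Phase 2, and in the last case prints the exact proxy identities the PIX put on the wire.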
