Juniper : Setting up an IPSec VPN tunnel between a Juniper Netscreen firewall/vpn device and a Cisco VPN device

This article has 76,801 views

Today, I will explain the (easy) steps to set up a route-based IPSec VPN tunnel between a Juniper Netscreen firewall/VPN device and a remote Cisco device (such as Cisco ASA)

If you are looking for more generic information on IPSec and building VPNs with Juniper, take a look at my blog post on VPNs with Juniper netscreen : Building IPSec VPN with Juniper Netscreen ScreenOS (CJFV)

The example network used in this explanation looks like this :

These are our goals :

Set up a two-way VPN between company A (behind the netscreen device) and company B (behind a Cisco device), using PSK, 3DES/SHA1

PSK (Pre Shared Key) : AD230LdaiJDIdaz392382
Set up bidirectional routing from A-LAN1 to B-LAN1 and B-LAN2, no network address translation
Allow hosts from A-LAN2 and A-LAN3 to access B-LAN1 and B-LAN2, and use the netscreen firewall interface IP address in the WAN zone (eth0/1 : 2.2.2.1) as source IP address

The public (internet) IP addresses of each vpn device are 3.3.3.1 (Netscreen, Company A) and 1.1.1.1 (Cisco, Company B)

I’m not a Cisco expert, but I can confirm that the setup on the Cisco device is pretty straightforward. You need to define the local and remote network objects (ACL), define Phase 1 and Phase 2 settings and then glue the information together into a VPN (crypto map).

We’ll assume the following setup on the Cisco (may not be complete or in the correct order, but at least it shows the networks and the Phase1 & Phase2 settings) :

Name 3.3.3.1 CompanyA_VPN-Netscreen

object-group network CompanyA
network-object 10.1.1.0 255.255.255.0
network-object 2.2.2.1 255.255.255.255
object-group network MyCompany
network-object 192.168.1.0 255.255.255.0
network-object 192.168.2.0 255.255.255.0

access-list NONAT permit ip object-group MyCompany object-group CompanyA
access-list CompanyA permit ip object-group MyCompany object-group CompanyA

crypto map MyVPN 40 ipsec-isakmp
crypto map MyVPN 40 match address CompanyA
crypto map MyVPN 40 set pfs group2
crypto map MyVPN 40 set peer CompanyA_VPN-Netscreen
crypto map MyVPN 40 set transform-set MyVPN
isakmp key AD230LdaiJDIdaz392382 address CompanyA_VPN-Netscreen netmask 255.255.255.255

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800

On the Netscreen, you need to do this :

Create 2 tunnel interfaces and bind them to the correct physical interface
Set up routing and route traffic to the corresponding tunnel interface
Create a Phase 1 (Gateway) definition
Create 4 Phase 2 (Autokey IKE) definitions, bind them to the corresponding tunnel interfaces
Create network objects (to be used in the policies)
Create a policy that allows traffic from A-LAN1 to CompanyB
Create a policy that allows traffic from A-LAN2 and A-LAN3 to CompanyB, with nat src
Create a policy that allows traffic from CompanyB to A-LAN1

I’ll assume that both firewalls have their default gateways set to the internet router, so they can reach each other over the internet.

Note : Netscreen basics : you can apply a policy to traffic that goes from one zone to another. We have 3 zones : LAN, WAN and Public. We will define the CompanyB networks as part of Public, so we can apply policies and NAT to traffic from LAN and WAN to Public. The VPN Gateway (Phase1) will be bound to the interface in the public zone, because we want to build the tunnel from the public IP of the firewall to the public IP of the Cisco VPN device.

Create tunnel interface

We need to create 2 tunnel interfaces. Since Cisco requires the use of Proxy ID’s on the Netscreen, and since you can only specify one local and one remote network ID in the proxy ID setting, you need to create 2 tunnel interfaces. We will need to perform NAT on traffic coming from the WAN zone, so we need to bind one of the interfaces to the WAN zone interface (so we can enable nat src on that interface). Just make sure to put the two tunnel.x interfaces in the public zone, which is required for routing.

set interface “tunnel.1” zone “Public”
set interface “tunnel.1” ip unnumbered interface ethernet0/2
set interface “tunnel.2” zone “Public”
set interface “tunnel.2” ip unnumbered interface ethernet0/1

Set up routing

Route traffic towards 192.168.1.0/24 to tunnel.1 and route traffic towards 192.168.2.0/24 towards tunnel.2 :

set route 192.168.1.0/24 interface tunnel.1 preference 20 permanent
set route 192.168.2.0/24 interface tunnel.2 preference 20 permanent

(Use the “permanent” keyword to keep the route even when the tunnel appears to be down up)

Create Phase 1 (Gateway) definition

This definition is shared between the individual tunnels, so we only need to create one Phase1 definition

set ike gateway “GW_to_CompanyB_Cisco” address 1.1.1.1 Main outgoing-interface “ethernet0/2” preshare “AD230LdaiJDIdaz392382” proposal “pre-g2-3des-sha”

Create Phase 2 definitions (Autokey IKE)

Since Cisco requires the use of Proxy ID’s, we need to create an autokey IKE definition for each subnet combination. So we need a Phase 2 for

A-LAN1 to B-LAN1
A-LAN1 to B-LAN2
2.2.2.1 to B-LAN1
2.2.2.1 to B-LAN2

Autokey IKE 1
set vpn “A-LAN1_to_B-LAN1” gateway “GW_to_CompanyB_Cisco” no-replay tunnel idletime 0 proposal “g2-esp-3des-sha”
set vpn “A-LAN1_to_B-LAN1” bind interface tunnel.1
set vpn “A-LAN1_to_B-LAN1” proxy-id local-ip 10.1.1.0/24 remote-ip 192.168.1.0/24 “ANY”

Autokey IKE 2
set vpn “A-LAN1_to_B-LAN2” gateway “GW_to_CompanyB_Cisco” no-replay tunnel idletime 0 proposal “g2-esp-3des-sha”
set vpn “A-LAN1_to_B-LAN2” bind interface tunnel.1
set vpn “A-LAN1_to_B-LAN2” proxy-id local-ip 10.1.1.0/24 remote-ip 192.168.2.0/24 “ANY”

Autokey IKE 3
set vpn “A-LAN2_to_B-LAN1_natsrc” gateway “GW_to_CompanyB_Cisco” no-replay tunnel idletime 0 proposal “g2-esp-3des-sha”
set vpn “A-LAN2_to_B-LAN1_natsrc” bind interface tunnel.2
set vpn “A-LAN2_to_B-LAN1_natsrc” proxy-id local-ip 2.2.2.1/32 remote-ip 192.168.1.0/24 “ANY”

Autokey IKE 4
set vpn “A-LAN2_to_B-LAN2_natsrc” gateway “GW_to_CompanyB_Cisco” no-replay tunnel idletime 0 proposal “g2-esp-3des-sha”
set vpn “A-LAN2_to_B-LAN2_natsrc” bind interface tunnel.2
set vpn “A-LAN2_to_B-LAN2_natsrc” proxy-id local-ip 2.2.2.1/32 remote-ip 192.168.2.0/24 “ANY”

Create network objects

set address “LAN” “A-LAN1” 10.1.1.0 255.255.255.0
set address “WAN” “A-LAN2” 10.1.2.0 255.255.255.0
set address “WAN” “A-LAN3” 172.20.0.0 255.255.0.0
set address “Public” “B-LAN1” 192.168.1.0 255.255.255.0
set address “Public” “B-LAN2” 192.168.2.0 255.255.255.0

Create policies

Policy to allow traffic from A-LAN1 to B-LAN1 and B-LAN2 :
set policy from “LAN” to “Public” “A-LAN1” “B-LAN1” “ANY” permit
set policy from “LAN” to “Public” “A-LAN1” “B-LAN2” “ANY” permit

Policy to allow traffic from A-LAN2 and A-LAN3 via nat src to B-LAN1 and B-LAN2 :
set policy from “WAN” to “Public” “A-LAN2” “B-LAN1” nat src permit
set policy from “WAN” to “Public” “A-LAN3” “B-LAN1” nat src permit
set policy from “WAN” to “Public” “A-LAN2” “B-LAN2” nat src permit
set policy from “WAN” to “Public” “A-LAN3” “B-LAN2” nat src permit

Since we have defined the route to B-LAN1 and B-LAN2 to use tunnel.2, and since tunnel.2 uses ethernet0/1 as outgoing interface, then you can use this egress interface IP address to do nat src. If you don’t want to use the IP address of the firewall interface from the WAN zone, but an IP address in that same subnet, you can also create a DIP on tunnel.2 interface, use an IP address in the same subnet (such as 2.2.2.2) and use the dip-id in the policy. Whatever combination you want to make, make sure to bind the tunnel.x interface to the physical interface based on what type of NAT you want to apply to it. The IPSec connection itself will use the egress interface ip of the interface defined in the “gateway” definition, not the tunnel.x interface definition.

Policy to allow traffic from B-LAN1 and B-LAN2 to A-LAN1 :
set policy from “Public” to “LAN” “B-LAN1” “A-LAN1” permit
set policy from “Public” to “LAN” “B-LAN2” “A-LAN1” permit

We don’t want to allow CompanyB to access the other 2 networs (nor the IP of the WAN zone), so we don’t need a policy for that

Troubleshooting VPN connections

You can troubleshoot phase 1 negotiations using syslog and using the following CLI commands :

get ike cookie
debug ike detail

First, generate traffic from CompanyA to CompanyB

A “get ike cookie” should return something that looks like this :

Active: 1, Dead: 0, Total 1

182f/0003, 3.3.3.1:500->1.1.1.1:500, PRESHR/grp2/3DES/SHA, xchg(5) (Gw_to_CompanyB_Cisco/grp-1/usr-1)
resent-tmr 16777218 lifetime 28800 lt-recv 28800 nxt_rekey 28757 cert-expire 0
initiator, err cnt 0, send dir 0, cond 0x0
nat-traversal map not available
ike heartbeat : disabled
ike heartbeat last rcv time: 0
ike heartbeat last snd time: 0
XAUTH status: 0
DPD seq local 0, peer -588286858

“debug ike detail” will show this for Phase 1:

## 2007-11-17 14:31:31 : IKE<1.1.1.1> ****** Recv kernel msg IDX-0, TYPE-5 ****** 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> ****** Recv kernel msg IDX-0, TYPE-5 ****** 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> sa orig index<0>, peer_id<1>. 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> isadb get entry by peer/local ip and port 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> create sa: 3.3.3.1->1.1.1.1 
## 2007-11-17 14:31:31 : getProfileFromP1Proposal-> 
## 2007-11-17 14:31:31 : find profile[0]=<00000005 00000002 00000001 00000002> for p1 proposal (id 5), xauth(0) 
## 2007-11-17 14:31:31 : init p1sa, pidt = 0x0 
## 2007-11-17 14:31:31 : change peer identity for p1 sa, pidt = 0x0 
## 2007-11-17 14:31:31 : IKE<0.0.0.0 > create peer identity 0838b0b140 
## 2007-11-17 14:31:31 : peer identity 38b0b140 created. 
## 2007-11-17 14:31:31 : IKE<0.0.0.0 > EDIPI disabled 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Phase 1: Initiated negotiation in main mode. <3.3.3.1 => 1.1.1.1> 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Construct ISAKMP header. 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Msg header built (next payload #1) 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Construct [SA] for ISAKMP 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> auth(1)<PRESHRD>, encr(5)<3DES>, hash(2)<SHA>, group(2) 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> xauth attribute: disabled 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> lifetime/lifesize (28800/0) 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Construct NetScreen [VID] 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Construct custom [VID] 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Construct custom [VID] 
## 2007-11-17 14:31:31 : IKE<1.1.1.1 > Xmit : [SA] [VID] [VID] [VID] 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Initiator sending IPv4 IP 1.1.1.1/port 500 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Send Phase 1 packet (len=156) 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Phase 2 task added 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> ike packet, len 132, action 0 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Catcher: received 104 bytes from socket. 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> ****** Recv packet if <ethernet2/0> of vsys <Root> ****** 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Catcher: get 104 bytes. src port 500 
## 2007-11-17 14:31:31 : IKE<0.0.0.0 > ISAKMP msg: len 104, nxp 1[SA], exch 2[MM], flag 00 
## 2007-11-17 14:31:31 : IKE<1.1.1.1 > Recv : [SA] [VID] 
## 2007-11-17 14:31:31 : IKE<0.0.0.0 > extract payload (76): 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> MM in state OAK_MM_NO_STATE. 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Process [VID]: 
## 2007-11-17 14:31:31 : IKE<1.1.1.1 > Vendor ID: 
## 2007-11-17 14:31:31 : 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3 
## 2007-11-17 14:31:31 : c0 00 00 00 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> receive unknown vendor ID payload 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Process [SA]: 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Proposal received: xauthflag b4 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> auth(1)<PRESHRD>, encr(5)<3DES>, hash(2)<SHA>, group(2) 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> xauth attribute: disabled 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Phase 1 proposal [0] selected. 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> SA Life Type = seconds 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> SA lifetime (TV) = 28800 
## 2007-11-17 14:31:31 : IKE<0.0.0.0 > dh group 2 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> DH_BG_consume OK. p1 resp 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Phase 1 MM Initiator constructing 3rd message. 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Construct ISAKMP header. 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Msg header built (next payload #4) 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Construct [KE] for ISAKMP 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Construct [NONCE] 
## 2007-11-17 14:31:31 : IKE<1.1.1.1 > Xmit : [KE] [NONCE] 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Initiator sending IPv4 IP 1.1.1.1/port 500 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Send Phase 1 packet (len=184) 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> IKE msg done: PKI state<0> IKE state<1/0007> 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> ike packet, len 284, action 0 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Catcher: received 256 bytes from socket. 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> ****** Recv packet if <ethernet2/0> of vsys <Root> ****** 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Catcher: get 256 bytes. src port 500 
## 2007-11-17 14:31:31 : IKE<0.0.0.0 > ISAKMP msg: len 256, nxp 4[KE], exch 2[MM], flag 00 
## 2007-11-17 14:31:31 : IKE<1.1.1.1 > Recv : [KE] [NONCE] [VID] [VID] [VID] [VID] 
## 2007-11-17 14:31:31 : IKE<0.0.0.0 > extract payload (228): 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> MM in state OAK_MM_SA_SETUP. 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Process [VID]: 
## 2007-11-17 14:31:31 : IKE<1.1.1.1 > Vendor ID: 
## 2007-11-17 14:31:31 : 12 f5 f2 8c 45 71 68 a9 70 2d 9f e2 74 cc 01 00 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> rcv non-NAT-Traversal VID payload. 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Process [VID]: 
## 2007-11-17 14:31:31 : IKE<1.1.1.1 > Vendor ID: 
## 2007-11-17 14:31:31 : 09 00 26 89 df d6 b7 12 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> rcv XAUTH v6.0 vid 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Process [VID]: 
## 2007-11-17 14:31:31 : IKE<1.1.1.1 > Vendor ID: 
## 2007-11-17 14:31:31 : db bc fe 9d fe 5f 5e 91 c3 f4 47 42 77 8b 58 9a 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> rcv non-NAT-Traversal VID payload. 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Process [VID]: 
## 2007-11-17 14:31:31 : IKE<1.1.1.1 > Vendor ID: 
## 2007-11-17 14:31:31 : 1f 07 f7 0e aa 65 14 d3 b0 fa 96 54 2a 50 01 00 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> rcv non-NAT-Traversal VID payload. 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Process [KE]: 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> processing ISA_KE in phase 1. 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Process [NONCE]: 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> processing NONCE in phase 1. 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> IKE msg done: PKI state<0> IKE state<1/a00080f> 
## 2007-11-17 14:31:31 : IKE<0.0.0.0 > finished job pkaidx <0> dh_len<128> dmax<64> 
## 2007-11-17 14:31:31 : IKE<0.0.0.0 > finished job d<27442b6c><3dc804d4><87bfa30b><7323f84e> 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> gen_skeyid() 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> MM in state OAK_MM_SA_SETUP. 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> re-enter MM after offline DH done 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Phase 1 MM Initiator constructing 5th message. 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Construct ISAKMP header. 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Msg header built (next payload #5) 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Construct [ID] for ISAKMP 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Construct [HASH] 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> ID, len=8, type=1, pro=17, port=500, 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> addr=3.3.3.1 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> throw packet to the peer, paket_len=64 
## 2007-11-17 14:31:31 : IKE<1.1.1.1 > Xmit*: [ID] [HASH] 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Encrypt P1 payload (len 64) 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Initiator sending IPv4 IP 1.1.1.1/port 500 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Send Phase 1 packet (len=68) 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> ike packet, len 112, action 0 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Catcher: received 84 bytes from socket. 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> ****** Recv packet if <ethernet2/0> of vsys <Root> ****** 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Catcher: get 84 bytes. src port 500 
## 2007-11-17 14:31:31 : IKE<0.0.0.0 > ISAKMP msg: len 84, nxp 5[ID], exch 2[MM], flag 01 E 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Decrypting payload (length 56) 
## 2007-11-17 14:31:31 : IKE<1.1.1.1 > Recv*: [ID] [HASH] [VID] 
## 2007-11-17 14:31:31 : IKE<0.0.0.0 > extract payload (56): 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> MM in state OAK_MM_KEY_EXCH. 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Process [VID]: 
## 2007-11-17 14:31:31 : IKE<1.1.1.1 > Vendor ID: 
## 2007-11-17 14:31:31 : af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Process [ID]: 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> ID received: type=ID_IPV4_ADDR, ip = 1.1.1.1, port=500, protocol=17 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> ID processed. return 0. sa->p1_state = 2. 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Process [HASH]: 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> ID, len=8, type=1, pro=17, port=500, 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> addr=1.1.1.1 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> completing Phase 1 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> sa_pidt = 38b0b140 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> found existing peer identity 38b0b698 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> peer_identity_unregister_p1_sa. 
## 2007-11-17 14:31:31 : IKE<0.0.0.0 > delete peer identity 0x38b0b140 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> peer_idt.c peer_identity_unregister_p1_sa 509: pidt deleted. 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Phase 1: Completed Main mode negotiation with a <28800>-second lifetime.

Phase 1 needs to work before you can look at Phase 2. If you do not get a valid Phase 1 negotiation, there’s no reason to start looking at Phase 2 problems. You can troubleshoot Phase 2 using syslog as well as the following CLI commands :

get sa active
debug ike detail

In Syslog, you will see these messages when you attempt to access resources over a IPSec tunnel :

Nov 17 14:18:07 netscreen.domain.com: NetScreen device_id=netscreen [Root]system-information-00536: IKE<3.3.3.1> >> <1.1.1.1> Phase 1: Initiated negotiations in main mode. (2007-11-17 14:18:07)

Nov 17 14:18:07 netscreen.domain.com: NetScreen device_id=netscreen [Root]system-information-00536: IKE<1.1.1.1> Phase 1: Completed Main mode negotiations with a <28800>-second lifetime. (2007-11-17 14:18:07)

Nov 17 14:18:07 netscreen.domain.com: NetScreen device_id=netscreen [Root]system-information-00536: IKE<1.1.1.1> Phase 2: Initiated negotiations. (2007-11-17 14:18:07)

Nov 17 14:18:07 netscreen.domain.com: NetScreen device_id=netscreen [Root]system-information-00536: IKE<1.1.1.1> Phase 2 msg ID <a55cc636>: Completed negotiations with SPI <17a221d5>, tunnel ID <12>, and lifetime <3600> seconds/<0> KB. (2007-11-17 14:18:07)

This indicates that both Phase1 and Phase2 have been successfully negotiated.

If you get messages that looks like this, then you need to check your proxy ID settings :

Nov 17 14:24:58 netscreen.domain.com: NetScreen device_id=netscreen [Root]system-information-00536: IKE<1.1.1.1>: Received a notification message for DOI <1> <18> <INVALID-ID-INFORMATION>. (2007-11-17 14:24:58)

Nov 17 14:24:58 netscreen.domain.com: NetScreen device_id=netscreen [Root]system-information-00536: IKE<1.1.1.1> Phase 2: No policy exists for the proxy ID received: local ID (<0.0.0.0>/<255.255.0.0>, <0>, <0>) remote ID (<192.168.1.0>/<255.255.255.0>, <0>, <0>). (2007-11-17 14:21:45)

Nov 17 14:24:58 netscreen.domain.com: NetScreen device_id= netscreen [Root]system-information-00536: Rejected an IKE packet on ethernet2/0 from 3.3.3.1:500 to 1.1.1.1:500 with cookies fea6d5d4514bf8cc and 6eb4f79ad6050aa5 because the peer sent a proxy ID that did not match the one in the SA config. (2007-11-17 14:43:14)

A “debug ike detail” will show this for a successful Phase 2 negotiation :

## 2007-11-17 14:31:31 : IKE<1.1.1.1> Phase 2: Initiated Quick Mode negotiation. 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Phase-2: start quick mode negotiation 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Phase-2: no change in Modecfg IPv4 address for tunnel ifp. 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Create conn entry... 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> ...done(new 77d189f0) 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Initiator not set commit bit on 1st QM. 
## 2007-11-17 14:31:31 : IKE<0.0.0.0 > dh group 2 
## 2007-11-17 14:31:31 : IKE<0.0.0.0 > add sa list for msg id <77d189f0> 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> 0,0/0(0)/spi(d521a21f)/keylen(0) 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Construct ISAKMP header. 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Msg header built (next payload #8) 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Construct [HASH] 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Construct [SA] for IPSEC 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Set IPSEC SA attrs: lifetime(3600/0) 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> atts<00000003 00000000 00000003 00000002 00000001 00000002> 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> proto(3)<ESP>, esp(3)<ESP_3DES>, auth(2)<SHA>, encap(1)<TUNNEL>, group(2) 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Before NAT-T attr unmap: private tunnel = 1. 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> After NAT-T attr unmap: private tunnel = 1. 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Policy have separate SA. Use P2 ID from policy sa (12). 
## 2007-11-17 14:31:31 : IKE<10.1.1.0> IP<10.1.1.0> mask<255.255.255.0> prot<0> port<0> 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Initiator P2 ID built: 
## 2007-11-17 14:31:31 : IKE<192.168.1.0> IP<192.168.1.0> mask<255.255.255.0> prot<0> port<0> 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Responder P2 ID built: 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Construct [NONCE] for IPSec 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Construct [KE] for PFS 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Construct [ID] for Phase 2 
## 2007-11-17 14:31:31 : id payload constructed. type(4),ip(00001dac),mask(0000ffff), prot(0), port(0) 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Construct [ID] for Phase 2 
## 2007-11-17 14:31:31 : id payload constructed. type(4),ip(002110ac),mask(00ffffff), prot(0), port(0) 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> construct QM HASH 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> need to wait for offline p2 DH work done. 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> IKE msg done: PKI state<0> IKE state<3/182f> 
## 2007-11-17 14:31:31 : IKE<0.0.0.0 > finished job pkaidx <0> dh_len<128> dmax<64> 
## 2007-11-17 14:31:31 : IKE<0.0.0.0 > finished job d<76cd1846><fb6061b8><39eb1d71><22e81049> 
## 2007-11-17 14:31:31 : IKE<0.0.0.0 > BN, top32 dmax64 zero<no> 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> construct QM HASH 
## 2007-11-17 14:31:31 : IKE<1.1.1.1 > Xmit*: [HASH] [SA] [NONCE] [KE] [ID] [ID] 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Encrypt P2 payload (len 296) 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Initiator sending IPv4 IP 1.1.1.1/port 500 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Send Phase 2 packet (len=300) 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> ike packet, len 320, action 0 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Catcher: received 292 bytes from socket. 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> ****** Recv packet if <ethernet2/0> of vsys <Root> ****** 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Catcher: get 292 bytes. src port 500 
## 2007-11-17 14:31:31 : IKE<0.0.0.0 > ISAKMP msg: len 292, nxp 8[HASH], exch 32[QM], flag 01 E 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Decrypting payload (length 264) 
## 2007-11-17 14:31:31 : IKE<1.1.1.1 > Recv*: [HASH] [SA] [NONCE] [KE] [ID] [ID] 
## 2007-11-17 14:31:31 : IKE<0.0.0.0 > extract payload (264): 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> QM in state OAK_QM_SA_ACCEPT. 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Process [SA]: 
## 2007-11-17 14:31:31 : IKE<0.0.0.0 > Check P2 Proposal 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> SA life type = seconds 
## 2007-11-17 14:31:31 : IKE<0.0.0.0 > SA life duration (TV) = 3600 
## 2007-11-17 14:31:31 : IKE<0.0.0.0 > PFS group = 2 
## 2007-11-17 14:31:31 : IKE<0.0.0.0 > encap mode from peer = 1. 
## 2007-11-17 14:31:31 : IKE<0.0.0.0 > encap mode after converting it to private value = 1. 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Phase 2 received: 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> atts<00000003 00000000 00000003 00000002 00000001 00000002> 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> proto(3)<ESP>, esp(3)<ESP_3DES>, auth(2)<SHA>, encap(1)<TUNNEL>, group(2) 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> P2 proposal [0] selected. 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Process [KE]: 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> processing ISA_KE for PFS in phase 2. 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Process [NONCE]: 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> processing NONCE in phase 2. 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Process [ID]: 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Process [ID]: 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> IKE msg done: PKI state<0> IKE state<3/182f> 
## 2007-11-17 14:31:31 : IKE<0.0.0.0 > finished job pkaidx <0> dh_len<128> dmax<64> 
## 2007-11-17 14:31:31 : IKE<0.0.0.0 > finished job d<1fce18cb><5192d6b0><f9c23a41><6005d373> 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> re-enter QM after offline DH done 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> xauth_cleanup() 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Done cleaning up IKE Phase 1 SA 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Start by finding matching member SA (verify 0/0) 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Verify sa: index 0 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> IKE: Matching policy: gw ip <1.1.1.1> peer entry id<0> 
## 2007-11-17 14:31:31 : IKE<0.0.0.0 > protocol matched expected<0>. 
## 2007-11-17 14:31:31 : IKE<0.0.0.0 > port matched expect<0>. 
## 2007-11-17 14:31:31 : ipvx = IPV4 
## 2007-11-17 14:31:31 : rcv_local_addr = 10.1.1.0, rcv_local_mask = 255.255.255.0, p_rcv_local_real = 10.1.1.0 
## 2007-11-17 14:31:31 : rcv_remote_addr = 192.168.1.0, rcv_remote_mask = 255.255.255.0, p_rcv_remote_real = 192.168.1.0 
## 2007-11-17 14:31:31 : ike_p2_id->local_ip = 10.1.1.0, cfg_local_mask = 255.255.255.0, p_cfg_local_real = 10.1.1.0 
## 2007-11-17 14:31:31 : ike_p2_id->remote_ip = 192.168.1.0, cfg_remote_mask = 255.255.255.0, p_cfg_remote_real = 192.168.1.0 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Proxy ID match: Located matching Phase 2 SA <12>. 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> sa ID for phase 2 sa is <12>. IP version is 4. 
## 2007-11-17 14:31:31 : IKE<0.0.0.0 > life (sec or kb): lcl 3600, peer 3600, set 3600. 
## 2007-11-17 14:31:31 : IKE<0.0.0.0 > life (sec or kb): lcl 0, peer 0, set 0. 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> gen_qm_key() 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> load_sa_keys(): enter. 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> gen_qm_key() 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> load_sa_keys(): enter. 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> ikmpd.c 3668. sa ID for phase 2 sa is <12>. IP version is 4. 
## 2007-11-17 14:31:31 : IKE<0.0.0.0 > spi hash node removed: type<2>,spi<d521a21e>,ip<3.3.3.1> 
## 2007-11-17 14:31:31 : IKE<0.0.0.0 > spi hash node removed: type<2>,spi<2e340d5a>,ip<1.1.1.1> 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> clean_all_sa_state_node_from_list-> 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> no relocate earlier SA-state, not active. 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> key_modify: sa index <0> bk_idx <0>. 
## 2007-11-17 14:31:31 : IKE<0.0.0.0 > insert_sa_state_to_spi_hash spi<1fa221d5>, sa_index<0>, Incoming 
## 2007-11-17 14:31:31 : IKE<0.0.0.0 > insert_sa_state_to_spi_hash spi<34b48a1e>, sa_index<0>, Outgoing 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> 
crypto_ctx 22, 8, 24, 8, 0, 0, 16, 0, 12, 48 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> modify esp tunnel: src (peer) ipv4 <1.1.1.1> 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> modifying esp tunnel: self <ipv4 3.3.3.1> 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> update auto NHTB status for sa 0 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> after mod, out nsptunnel <05258b58>. 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Phase 2 msg-id <f089d177>: Completed Quick Mode negotiation with SPI <1fa221d5>

  , tunnel ID <12>, and lifetime <3600> seconds/<0> KB. 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Application sa installed. 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Phase 2 Initiator constructing 3rd(last) message. 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> oakley_final_qm():enter 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Construct ISAKMP header. 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Msg header built (next payload #8) 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Construct [HASH] in QM 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> oakley_final_qm():exit 
## 2007-11-17 14:31:31 : IKE<1.1.1.1 > Xmit*: [HASH] 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Encrypt P2 payload (len 52) 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Initiator sending IPv4 IP 1.1.1.1/port 500 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> Send Phase 2 packet (len=60) 
## 2007-11-17 14:31:31 : IKE<1.1.1.1> oakley_process_quick_mode():exit 
## 2007-11-17 14:31:32 : IKE<0.0.0.0 > dh group 2 
## 2007-11-17 14:31:32 : IKE<1.1.1.1> nhtb_list_update_status: vpn A-LAN1_to_B-LAN1 
## 2007-11-17 14:31:32 : IKE<1.1.1.1> ** link ready return 8 
## 2007-11-17 14:31:32 : IKE<1.1.1.1> sa_link_status_for_tunl_ifp: saidx 2, preliminary status 8 
## 2007-11-17 14:31:32 : IKE<1.1.1.1> nhtb_list_update_status: vpn A-LAN1_to_B-LAN1 
## 2007-11-17 14:31:32 : IKE<1.1.1.1> ** link ready return 8 
## 2007-11-17 14:31:32 : IKE<1.1.1.1> sa_link_status_for_tunl_ifp: saidx 1, preliminary status 8 
## 2007-11-17 14:31:32 : IKE<1.1.1.1> nhtb_list_update_status: vpn A-LAN1_to_B-LAN1 
## 2007-11-17 14:31:32 : IKE<1.1.1.1> ** link ready return 8 
## 2007-11-17 14:31:32 : IKE<1.1.1.1> sa_link_status_for_tunl_ifp: saidx 0, preliminary status 8 
## 2007-11-17 14:31:32 : IKE<0.0.0.0 > finished job pkaidx <0> dh_len<128> dmax<64> 
## 2007-11-17 14:31:32 : IKE<0.0.0.0 > finished job d<b97702b6><c27f3334><693fdcc4><479bfd9c> 
## 2007-11-17 14:31:32 : IKE<0.0.0.0 > BN, top32 dmax64 zero<no>

Quick note on syslog

if you have a Linux box, then you can use the built-in syslog features. If you are using Windows, you can download a free syslog daemon from http://support.3com.com/software/utilities_for_windows_32_bit.htm (Look for 3CDaemon)

Once you have the syslog engine running, configure the netscreen to use syslog :

set syslog config “ip_of_syslog_server” facilities local0 local1

set syslog src-interface ethernet0/0

set syslog enable

Good luck !

© Corelan Consulting BV. All rights reserved. The contents of this page may not be reproduced, redistributed, or republished, in whole or in part, for commercial or non-commercial purposes without prior written permission. See the Terms of Use and Privacy Policy for details.

7 thoughts on “Juniper : Setting up an IPSec VPN tunnel between a Juniper Netscreen firewall/vpn device and a Cisco VPN device”

hag says:

April 4, 2009 at 16:27

Thanks Peter for this great tutorial!
suyog21 says:

October 8, 2011 at 22:46

Thanks for the debugs example it helped a lot….
ccbuckley says:

July 25, 2012 at 11:58

Thanks your website is awesome! – I’m trying to get my SSG20 create a dial up tunnel to strongvpn but I’m at a loss as how to get assigned an IP address from their servers – is this possible with screenos?
1. Corelan Team (corelanc0d3r) says:
  
  July 25, 2012 at 12:06
  
  hmm that’s not how a tunnel VPN works. You are trying to combine a tunnel VPN with a client VPN I guess. (I have no exprience with strongvpn, so not sure if I can really help here)
shaik882 says:

September 14, 2012 at 09:58

Great article !!!

Can you please post the article on asa well ?? that would be great !! 🙂

Cheers!!
abnetwork says:

October 6, 2012 at 13:30

Thanks Corelan Team for this wonderful explanation:

I want bit more explanation on this .
As you have mentioned

set route 192.168.1.0/24 interface tunnel.1 preference 20 permanent
set route 192.168.2.0/24 interface tunnel.2 preference 20 permanent

here you have routed network 192.168.1.0/24 via tunnel.1 and n/w 192.168.2.0/24 via tunnel.2
While configuring phase2 as below you have used tunnel.1 for both Autokey IKE1 and AutoKey IKE2 but remote ip used in IKE2 is 192.168.2.0/24 then how it can be work with tunnel.1 as it routed through tunnel.2
Please explain this.

Autokey IKE 1
set vpn “A-LAN1_to_B-LAN1” gateway “GW_to_CompanyB_Cisco” no-replay tunnel idletime 0 proposal “g2-esp-3des-sha”
set vpn “A-LAN1_to_B-LAN1” bind interface tunnel.1
set vpn “A-LAN1_to_B-LAN1” proxy-id local-ip 10.1.1.0/24 remote-ip 192.168.1.0/24 “ANY”

Autokey IKE 2
set vpn “A-LAN1_to_B-LAN2” gateway “GW_to_CompanyB_Cisco” no-replay tunnel idletime 0 proposal “g2-esp-3des-sha”
set vpn “A-LAN1_to_B-LAN2” bind interface tunnel.1

set vpn “A-LAN1_to_B-LAN2” proxy-id local-ip 10.1.1.0/24 remote-ip 192.168.2.0/24 “ANY”

Also please tell me how many tunnel interfaces and how many phase 2(Autokey IKE) we need if we have 2 souces networks(local IPs) and 1 destination(remote IPs)

Please clear how we can decide how many tunnel interfaces we need in route based VPN?
Please reply
Thanks
1. Corelan Team (corelanc0d3r) says:
  
  October 6, 2012 at 19:07
  
  please ask your questions in the forum