{"id":337,"date":"2007-11-17T02:47:56","date_gmt":"2007-11-17T00:47:56","guid":{"rendered":"http:\/\/www.corelan.be:8800\/index.php\/2007\/11\/17\/juniper-setting-up-an-ipsec-vpn-tunnel-between-a-juniper-netscreen-firewallvpn-device-and-a-cisco-vpn-device\/"},"modified":"2007-11-17T02:47:56","modified_gmt":"2007-11-17T00:47:56","slug":"juniper-setting-up-an-ipsec-vpn-tunnel-between-a-juniper-netscreen-firewallvpn-device-and-a-cisco-vpn-device","status":"publish","type":"post","link":"https:\/\/www.corelan.be\/index.php\/2007\/11\/17\/juniper-setting-up-an-ipsec-vpn-tunnel-between-a-juniper-netscreen-firewallvpn-device-and-a-cisco-vpn-device\/","title":{"rendered":"Juniper : Setting up an IPSec VPN tunnel between a Juniper Netscreen firewall\/vpn device and a Cisco VPN device"},"content":{"rendered":"<div class=\"ExternalClassA1624EB13A27465487448661C5879F97\">\n<p>Today, I will explain the (easy) steps to set up a route-based IPSec VPN tunnel between a Juniper Netscreen firewall\/VPN device and a remote Cisco device (such as Cisco ASA)<\/p>\n<p>If you are looking for more generic information on IPSec and building VPNs with Juniper, take a look at my blog post on VPNs with Juniper netscreen : <a title=\"Building IPSec VPN with Juniper Netscreen ScreenOS (CJFV)\" href=\"https:\/\/www.corelan.be\/index.php\/2008\/06\/25\/building-ipsec-vpn-with-juniper-netscreen-screenos-cjfv\/\">Building IPSec VPN with Juniper Netscreen ScreenOS (CJFV)<\/a><\/p>\n<p>The example network used in this explanation looks like this :<\/p>\n<p>&nbsp;&nbsp;<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2008\/09\/111707-0952-junipersett11.png\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" height=\"270\" alt=\"111707_0952_JuniperSett1\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2008\/09\/111707-0952-junipersett1-thumb1.png\" width=\"552\"><\/a><\/p>\n<p>These are our goals :<\/p>\n<ol>\n<li>\n<div>Set up a two-way VPN 
between company A (behind the netscreen device) and company B (behind a Cisco device), using PSK, 3DES\/SHA1<\/div>\n<p>PSK (Pre Shared Key) : <span style=\"font-family: courier new\">AD230LdaiJDIdaz392382<\/span><\/li>\n<li>Set up bidirectional routing from A-LAN1 to B-LAN1 and B-LAN2, no network address translation<\/li>\n<li>Allow hosts from A-LAN2 and A-LAN3 to access B-LAN1 and B-LAN2, and use the netscreen firewall interface IP address in the WAN zone (eth0\/1 : 2.2.2.1) as source IP address<\/li>\n<\/ol>\n<p>The public (internet) IP addresses of each vpn device are 3.3.3.1 (Netscreen, Company A) and 1.1.1.1 (Cisco, Company B)<\/p>\n<p>I'm not a Cisco expert, but I can confirm that the setup on the Cisco device is pretty straightforward. You need to define the local and remote network objects (ACL), define Phase 1 and Phase 2 settings and then glue the information together into a VPN (crypto map).<\/p>\n<p>We'll assume the following setup on the Cisco (may not be complete or in the correct order, but at least it shows the networks and the Phase1 &amp; Phase2 settings) :<\/p>\n<p><span style=\"font-size: 9pt; font-family: courier new\">Name 3.3.3.1 CompanyA_VPN-Netscreen        <\/span><\/p>\n<p>object-group network CompanyA<br \/>\nnetwork-object 10.1.1.0 255.255.255.0<br \/>\nnetwork-object 2.2.2.1 255.255.255.255<br \/>\nobject-group network MyCompany<br \/>\nnetwork-object 192.168.1.0 255.255.255.0<br \/>\nnetwork-object 192.168.2.0 255.255.255.0<\/p>\n<p><span style=\"font-size: 9pt; font-family: courier new\">access-list NONAT permit ip object-group MyCompany object-group CompanyA<br \/>\naccess-list CompanyA permit ip object-group MyCompany object-group CompanyA         <\/span><\/p>\n<p>crypto map MyVPN 40 ipsec-isakmp<br \/>\ncrypto map MyVPN 40 match address CompanyA<br \/>\ncrypto map MyVPN 40 set pfs group2<br \/>\ncrypto map MyVPN 40 set peer CompanyA_VPN-Netscreen<br \/>\ncrypto map MyVPN 40 set transform-set MyVPN<br \/>\nisakmp key 
AD230LdaiJDIdaz392382 address CompanyA_VPN-Netscreen netmask 255.255.255.255<\/p>\n<p>isakmp policy 10 authentication pre-share<br \/>\nisakmp policy 10 encryption 3des<br \/>\nisakmp policy 10 hash sha<br \/>\nisakmp policy 10 group 2<br \/>\nisakmp policy 10 lifetime 28800<\/p>\n<p>&nbsp;&nbsp;<\/p>\n<p>On the Netscreen, you need to do this :<\/p>\n<ul>\n<li>Create 2 tunnel interfaces and bind them to the correct physical interface<\/li>\n<li>Set up routing and route traffic to the corresponding tunnel interface<\/li>\n<li>Create a Phase 1 (Gateway) definition<\/li>\n<li>Create 4 Phase 2 (Autokey IKE) definitions, bind them to the corresponding tunnel interfaces<\/li>\n<li>Create network objects (to be used in the policies)<\/li>\n<li>Create a policy that allows traffic from A-LAN1 to CompanyB<\/li>\n<li>Create a policy that allows traffic from A-LAN2 and A-LAN3 to CompanyB, with nat src<\/li>\n<li>Create a policy that allows traffic from CompanyB to A-LAN1<\/li>\n<\/ul>\n<p>I'll assume that both firewalls have their default gateways set to the internet router, so they can reach each other over the internet.<\/p>\n<p><span style=\"font-size: 9pt; font-family: verdana\">Note : Netscreen basics : you can apply a policy to traffic that goes from one zone to another. We have 3 zones : LAN, WAN and Public. We will define the CompanyB networks as part of Public, so we can apply policies and NAT to traffic from LAN and WAN to Public. The VPN Gateway (Phase1) will be bound to the interface in the public zone, because we want to build the tunnel from the public IP of the firewall to the public IP of the Cisco VPN device. <\/span><\/p>\n<h4>Create tunnel interface<\/h4>\n<p>We need to create 2 tunnel interfaces. Since Cisco requires the use of Proxy ID's on the Netscreen, and since you can only specify one local and one remote network ID in the proxy ID setting, you need to create 2 tunnel interfaces. 
We will need to perform NAT on traffic coming from the WAN zone, so we need to bind one of the interfaces to the WAN zone interface (so we can enable nat src on that interface). Just make sure to put the two tunnel.x interfaces in the public zone, which is required for routing.<\/p>\n<p><span style=\"font-size: 9pt; font-family: courier new\">set interface \"tunnel.1\" zone \"Public\"<br \/>\nset interface \"tunnel.1\" ip unnumbered interface ethernet0\/2<br \/>\nset interface \"tunnel.2\" zone \"Public\"<br \/>\nset interface \"tunnel.2\" ip unnumbered interface ethernet0\/1 <\/span><\/p>\n<p>&nbsp;&nbsp;<\/p>\n<h4>Set up routing<\/h4>\n<p>Route traffic towards 192.168.1.0\/24 to tunnel.1 and route traffic towards 192.168.2.0\/24 towards tunnel.2 :<\/p>\n<p><span style=\"font-size: 9pt; font-family: courier new\">set route 192.168.1.0\/24 interface tunnel.1 preference 20 permanent<br \/>\nset route 192.168.2.0\/24 interface tunnel.2 preference 20 permanent <\/span><\/p>\n<p>(Use the \"permanent\" keyword to keep the route even when the tunnel appears to be down)<\/p>\n<h4>\nCreate Phase 1 (Gateway) definition<\/h4>\n<p>This definition is shared between the individual tunnels, so we only need to create one Phase1 definition<\/p>\n<p><span style=\"font-size: 9pt; font-family: courier new\">set ike gateway \"GW_to_CompanyB_Cisco\" address 1.1.1.1 Main outgoing-interface \"ethernet0\/2\" preshare \"AD230LdaiJDIdaz392382\" proposal \"pre-g2-3des-sha\" <\/span><\/p>\n<h4>\nCreate Phase 2 definitions (Autokey IKE)<\/h4>\n<p>Since Cisco requires the use of Proxy ID's, we need to create an autokey IKE definition for each subnet combination. 
So we need a Phase 2 for<\/p>\n<ul>\n<li>A-LAN1 to B-LAN1<\/li>\n<li>A-LAN1 to B-LAN2<\/li>\n<li>2.2.2.1 to B-LAN1<\/li>\n<li>2.2.2.1 to B-LAN2<\/li>\n<\/ul>\n<p>Autokey IKE 1<br \/>\n<span style=\"font-size: 9pt; font-family: courier new\">set vpn \"A-LAN1_to_B-LAN1\" gateway \"GW_to_CompanyB_Cisco\" no-replay tunnel idletime 0 proposal \"g2-esp-3des-sha\"<br \/>\nset vpn \"A-LAN1_to_B-LAN1\" bind interface tunnel.1<br \/>\nset vpn \"A-LAN1_to_B-LAN1\" proxy-id local-ip 10.1.1.0\/24 remote-ip 192.168.1.0\/24 \"ANY\" <\/span><\/p>\n<p>Autokey IKE 2<span style=\"font-size: 9pt; font-family: courier new\"><br \/>\nset vpn \"A-LAN1_to_B-LAN2\" gateway \"GW_to_CompanyB_Cisco\" no-replay tunnel idletime 0 proposal \"g2-esp-3des-sha\"<br \/>\nset vpn \"A-LAN1_to_B-LAN2\" bind interface tunnel.1<br \/>\nset vpn \"A-LAN1_to_B-LAN2\" proxy-id local-ip 10.1.1.0\/24 remote-ip 192.168.2.0\/24 \"ANY\" <\/span><\/p>\n<p>Autokey IKE 3<br \/>\n<span style=\"font-size: 9pt; font-family: courier new\">set vpn \"A-LAN2_to_B-LAN1_natsrc\" gateway \"GW_to_CompanyB_Cisco\" no-replay tunnel idletime 0 proposal \"g2-esp-3des-sha\"<br \/>\nset vpn \"A-LAN2_to_B-LAN1_natsrc\" bind interface tunnel.2<br \/>\nset vpn \"A-LAN2_to_B-LAN1_natsrc\" proxy-id local-ip 2.2.2.1\/32 remote-ip 192.168.1.0\/24 \"ANY\"<\/span><\/p>\n<p>Autokey IKE 4<br \/>\n<span style=\"font-size: 9pt; font-family: courier new\">set vpn \"A-LAN2_to_B-LAN2_natsrc\" gateway \"GW_to_CompanyB_Cisco\" no-replay tunnel idletime 0 proposal \"g2-esp-3des-sha\"<br \/>\nset vpn \"A-LAN2_to_B-LAN2_natsrc\" bind interface tunnel.2<br \/>\nset vpn \"A-LAN2_to_B-LAN2_natsrc\" proxy-id local-ip 2.2.2.1\/32 remote-ip 192.168.2.0\/24 \"ANY\" <\/span><\/p>\n<p>&nbsp;&nbsp;<\/p>\n<h4>Create network objects<\/h4>\n<p><span style=\"font-size: 9pt; font-family: courier new\">set address \"LAN\" \"A-LAN1\" 10.1.1.0 255.255.255.0<br \/>\nset address \"WAN\" \"A-LAN2\" 10.1.2.0 255.255.255.0<br \/>\nset address \"WAN\" \"A-LAN3\" 172.20.0.0 
255.255.0.0<br \/>\nset address \"Public\" \"B-LAN1\" 192.168.1.0 255.255.255.0<br \/>\nset address \"Public\" \"B-LAN2\" 192.168.2.0 255.255.255.0 <\/span><\/p>\n<p>&nbsp;&nbsp;<\/p>\n<h4>Create policies<\/h4>\n<p>Policy to allow traffic from A-LAN1 to B-LAN1 and B-LAN2 :<br \/>\n<span style=\"font-size: 9pt; font-family: courier new\">set policy from \"LAN\" to \"Public\" \"A-LAN1\" \"B-LAN1\" \"ANY\" permit<br \/>\nset policy from \"LAN\" to \"Public\" \"A-LAN1\" \"B-LAN2\" \"ANY\" permit <\/span><\/p>\n<p>Policy to allow traffic from A-LAN2 and A-LAN3 via nat src to B-LAN1 and B-LAN2 :<br \/>\n<span style=\"font-size: 9pt; font-family: courier new\">set policy from \"WAN\" to \"Public\" \"A-LAN2\" \"B-LAN1\" \"ANY\" nat src permit<br \/>\nset policy from \"WAN\" to \"Public\" \"A-LAN3\" \"B-LAN1\" \"ANY\" nat src permit<br \/>\nset policy from \"WAN\" to \"Public\" \"A-LAN2\" \"B-LAN2\" \"ANY\" nat src permit<br \/>\nset policy from \"WAN\" to \"Public\" \"A-LAN3\" \"B-LAN2\" \"ANY\" nat src permit <\/span><\/p>\n<p>Since we have defined the route to B-LAN1 and B-LAN2 to use tunnel.2, and since tunnel.2 uses ethernet0\/1 as outgoing interface, you can use this egress interface IP address to do nat src. If you don't want to use the IP address of the firewall interface from the WAN zone, but an IP address in that same subnet, you can also create a DIP on tunnel.2 interface, use an IP address in the same subnet (such as 2.2.2.2) and use the dip-id in the policy. Whatever combination you want to make, make sure to bind the tunnel.x interface to the physical interface based on what type of NAT you want to apply to it. 
The IPSec connection itself will use the egress interface ip of the interface defined in the \"gateway\" definition, not the tunnel.x interface definition.<\/p>\n<p>Policy to allow traffic from B-LAN1 and B-LAN2 to A-LAN1 :<br \/>\n<span style=\"font-size: 9pt; font-family: courier new\">set policy from \"Public\" to \"LAN\" \"B-LAN1\" \"A-LAN1\" \"ANY\" permit<br \/>\nset policy from \"Public\" to \"LAN\" \"B-LAN2\" \"A-LAN1\" \"ANY\" permit<\/span><\/p>\n<p>We don't want to allow CompanyB to access the other 2 networks (nor the IP of the WAN zone), so we don't need a policy for that.<\/p>\n<h4>Troubleshooting VPN connections<\/h4>\n<p>You can troubleshoot phase 1 negotiations using syslog and using the following CLI commands :<\/p>\n<ul>\n<li><span style=\"font-size: 9pt; font-family: courier new\">get ike cookie <\/span><\/li>\n<li><span style=\"font-size: 9pt; font-family: courier new\">debug ike detail <\/span><\/li>\n<\/ul>\n<p>First, generate traffic from CompanyA to CompanyB<\/p>\n<p>A \"get ike cookie\" should return something that looks like this :<\/p>\n<p><span style=\"font-size: 9pt; font-family: courier new\">Active: 1, Dead: 0, Total 1        <\/span><\/p>\n<p>182f\/0003, 3.3.3.1:500-&gt;1.1.1.1:500, PRESHR\/grp2\/3DES\/SHA, xchg(5) (Gw_to_CompanyB_Cisco\/grp-1\/usr-1)<br \/>\nresent-tmr 16777218 lifetime 28800 lt-recv 28800 nxt_rekey 28757 cert-expire 0<br \/>\ninitiator, err cnt 0, send dir 0, cond 0x0<br \/>\nnat-traversal map not available<br \/>\nike heartbeat : disabled<br \/>\nike heartbeat last rcv time: 0<br \/>\nike heartbeat last snd time: 0<br \/>\nXAUTH status: 0<br \/>\nDPD seq local 0, peer -588286858<\/p>\n<p>\"debug ike detail\" will show this for Phase 1:<\/p>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, 'Courier New', courier, monospace; border-right-style: 
none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> ****** Recv kernel msg IDX-0, TYPE-5 ****** \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> ****** Recv kernel msg IDX-0, TYPE-5 ****** \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> sa orig index<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">0<\/span><span style=\"color: #0000ff\">&gt;<\/span>, peer_id<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1<\/span><span style=\"color: #0000ff\">&gt;<\/span>. \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> isadb get entry by peer\/local ip and port \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> create sa: 3.3.3.1-<span style=\"color: #0000ff\">&gt;<\/span>1.1.1.1 \n## 2007-11-17 14:31:31 : getProfileFromP1Proposal-<span style=\"color: #0000ff\">&gt;<\/span> \n## 2007-11-17 14:31:31 : find profile[0]=<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">00000005<\/span> <span style=\"color: #ff0000\">00000002<\/span> <span style=\"color: #ff0000\">00000001<\/span> <span style=\"color: #ff0000\">00000002<\/span><span style=\"color: #0000ff\">&gt;<\/span> for p1 proposal (id 5), xauth(0) \n## 2007-11-17 14:31:31 : init p1sa, pidt = 0x0 \n## 2007-11-17 14:31:31 : change peer identity for p1 sa, pidt = 0x0 \n## 2007-11-17 14:31:31 : IKE<span style=\"color: 
#0000ff\">&lt;<\/span><span style=\"color: #800000\">0.0.0.0<\/span> <span style=\"color: #0000ff\">&gt;<\/span> create peer identity 0838b0b140 \n## 2007-11-17 14:31:31 : peer identity 38b0b140 created. \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">0.0.0.0<\/span> <span style=\"color: #0000ff\">&gt;<\/span> EDIPI disabled \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> Phase 1: Initiated negotiation in main mode. <span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">3.3.3.1<\/span> =<span style=\"color: #0000ff\">&gt;<\/span> 1.1.1.1<span style=\"color: #0000ff\">&gt;<\/span> \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> Construct ISAKMP header. \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> Msg header built (next payload #1) \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> Construct [SA] for ISAKMP \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> auth(1)<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">PRESHRD<\/span><span style=\"color: #0000ff\">&gt;<\/span>, encr(5)<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">3DES<\/span><span style=\"color: #0000ff\">&gt;<\/span>, hash(2)<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">SHA<\/span><span style=\"color: #0000ff\">&gt;<\/span>, group(2) \n## 2007-11-17 14:31:31 : IKE<span style=\"color: 
#0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> xauth attribute: disabled \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> lifetime\/lifesize (28800\/0) \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> Construct NetScreen [VID] \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> Construct custom [VID] \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> Construct custom [VID] \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span> <span style=\"color: #0000ff\">&gt;<\/span> Xmit : [SA] [VID] [VID] [VID] \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> Initiator sending IPv4 IP 1.1.1.1\/port 500 \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> Send Phase 1 packet (len=156) \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> Phase 2 task added \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> ike packet, len 132, action 0 \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span 
style=\"color: #0000ff\">&gt;<\/span> Catcher: received 104 bytes from socket. \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> ****** Recv packet if <span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">ethernet2<\/span>\/<span style=\"color: #ff0000\">0<\/span><span style=\"color: #0000ff\">&gt;<\/span> of vsys <span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">Root<\/span><span style=\"color: #0000ff\">&gt;<\/span> ****** \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> Catcher: get 104 bytes. src port 500 \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">0.0.0.0<\/span> <span style=\"color: #0000ff\">&gt;<\/span> ISAKMP msg: len 104, nxp 1[SA], exch 2[MM], flag 00 \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span> <span style=\"color: #0000ff\">&gt;<\/span> Recv : [SA] [VID] \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">0.0.0.0<\/span> <span style=\"color: #0000ff\">&gt;<\/span> extract payload (76): \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> MM in state OAK_MM_NO_STATE. 
\n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> Process [VID]: \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span> <span style=\"color: #0000ff\">&gt;<\/span> Vendor ID: \n## 2007-11-17 14:31:31 : 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3 \n## 2007-11-17 14:31:31 : c0 00 00 00 \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> receive unknown vendor ID payload \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> Process [SA]: \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> Proposal received: xauthflag b4 \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> auth(1)<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">PRESHRD<\/span><span style=\"color: #0000ff\">&gt;<\/span>, encr(5)<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">3DES<\/span><span style=\"color: #0000ff\">&gt;<\/span>, hash(2)<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">SHA<\/span><span style=\"color: #0000ff\">&gt;<\/span>, group(2) \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> xauth attribute: disabled \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> Phase 1 proposal [0] 
selected. \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> SA Life Type = seconds \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> SA lifetime (TV) = 28800 \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">0.0.0.0<\/span> <span style=\"color: #0000ff\">&gt;<\/span> dh group 2 \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> DH_BG_consume OK. p1 resp \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> Phase 1 MM Initiator constructing 3rd message. \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> Construct ISAKMP header. 
\n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> Msg header built (next payload #4) \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> Construct [KE] for ISAKMP \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> Construct [NONCE] \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span> <span style=\"color: #0000ff\">&gt;<\/span> Xmit : [KE] [NONCE] \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> Initiator sending IPv4 IP 1.1.1.1\/port 500 \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> Send Phase 1 packet (len=184) \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> IKE msg done: PKI state<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">0<\/span><span style=\"color: #0000ff\">&gt;<\/span> IKE state<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1<\/span>\/<span style=\"color: #ff0000\">0007<\/span><span style=\"color: #0000ff\">&gt;<\/span> \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> ike packet, len 284, action 0 \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: 
#0000ff\">&gt;<\/span> Catcher: received 256 bytes from socket. \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> ****** Recv packet if <span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">ethernet2<\/span>\/<span style=\"color: #ff0000\">0<\/span><span style=\"color: #0000ff\">&gt;<\/span> of vsys <span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">Root<\/span><span style=\"color: #0000ff\">&gt;<\/span> ****** \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> Catcher: get 256 bytes. src port 500 \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">0.0.0.0<\/span> <span style=\"color: #0000ff\">&gt;<\/span> ISAKMP msg: len 256, nxp 4[KE], exch 2[MM], flag 00 \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span> <span style=\"color: #0000ff\">&gt;<\/span> Recv : [KE] [NONCE] [VID] [VID] [VID] [VID] \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">0.0.0.0<\/span> <span style=\"color: #0000ff\">&gt;<\/span> extract payload (228): \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> MM in state OAK_MM_SA_SETUP. 
\n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> Process [VID]: \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span> <span style=\"color: #0000ff\">&gt;<\/span> Vendor ID: \n## 2007-11-17 14:31:31 : 12 f5 f2 8c 45 71 68 a9 70 2d 9f e2 74 cc 01 00 \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> rcv non-NAT-Traversal VID payload. \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> Process [VID]: \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span> <span style=\"color: #0000ff\">&gt;<\/span> Vendor ID: \n## 2007-11-17 14:31:31 : 09 00 26 89 df d6 b7 12 \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> rcv XAUTH v6.0 vid \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> Process [VID]: \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span> <span style=\"color: #0000ff\">&gt;<\/span> Vendor ID: \n## 2007-11-17 14:31:31 : db bc fe 9d fe 5f 5e 91 c3 f4 47 42 77 8b 58 9a \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> rcv non-NAT-Traversal VID payload. 
\n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> Process [VID]: \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span> <span style=\"color: #0000ff\">&gt;<\/span> Vendor ID: \n## 2007-11-17 14:31:31 : 1f 07 f7 0e aa 65 14 d3 b0 fa 96 54 2a 50 01 00 \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> rcv non-NAT-Traversal VID payload. \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> Process [KE]: \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> processing ISA_KE in phase 1. \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> Process [NONCE]: \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> processing NONCE in phase 1. 
\n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> IKE msg done: PKI state<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">0<\/span><span style=\"color: #0000ff\">&gt;<\/span> IKE state<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1<\/span>\/<span style=\"color: #ff0000\">a00080f<\/span><span style=\"color: #0000ff\">&gt;<\/span> \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">0.0.0.0<\/span> <span style=\"color: #0000ff\">&gt;<\/span> finished job pkaidx <span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">0<\/span><span style=\"color: #0000ff\">&gt;<\/span> dh_len<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">128<\/span><span style=\"color: #0000ff\">&gt;<\/span> dmax<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">64<\/span><span style=\"color: #0000ff\">&gt;<\/span> \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">0.0.0.0<\/span> <span style=\"color: #0000ff\">&gt;<\/span> finished job d<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">27442b6c<\/span><span style=\"color: #0000ff\">&gt;&lt;<\/span><span style=\"color: #800000\">3dc804d4<\/span><span style=\"color: #0000ff\">&gt;&lt;<\/span><span style=\"color: #800000\">87bfa30b<\/span><span style=\"color: #0000ff\">&gt;&lt;<\/span><span style=\"color: #800000\">7323f84e<\/span><span style=\"color: #0000ff\">&gt;<\/span> \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> gen_skeyid() \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: 
#0000ff\">&gt;<\/span> MM in state OAK_MM_SA_SETUP. \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> re-enter MM after offline DH done \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> Phase 1 MM Initiator constructing 5th message. \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> Construct ISAKMP header. \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> Msg header built (next payload #5) \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> Construct [ID] for ISAKMP \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> Construct [HASH] \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> ID, len=8, type=1, pro=17, port=500, \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> addr=3.3.3.1 \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> throw packet to the peer, paket_len=64 \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span> <span style=\"color: #0000ff\">&gt;<\/span> Xmit*: [ID] [HASH] \n## 2007-11-17 14:31:31 
: IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> Encrypt P1 payload (len 64) \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> Initiator sending IPv4 IP 1.1.1.1\/port 500 \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> Send Phase 1 packet (len=68) \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> ike packet, len 112, action 0 \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> Catcher: received 84 bytes from socket. \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> ****** Recv packet if <span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">ethernet2<\/span>\/<span style=\"color: #ff0000\">0<\/span><span style=\"color: #0000ff\">&gt;<\/span> of vsys <span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">Root<\/span><span style=\"color: #0000ff\">&gt;<\/span> ****** \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> Catcher: get 84 bytes. 
src port 500 \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">0.0.0.0<\/span> <span style=\"color: #0000ff\">&gt;<\/span> ISAKMP msg: len 84, nxp 5[ID], exch 2[MM], flag 01 E \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> Decrypting payload (length 56) \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span> <span style=\"color: #0000ff\">&gt;<\/span> Recv*: [ID] [HASH] [VID] \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">0.0.0.0<\/span> <span style=\"color: #0000ff\">&gt;<\/span> extract payload (56): \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> MM in state OAK_MM_KEY_EXCH. \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> Process [VID]: \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span> <span style=\"color: #0000ff\">&gt;<\/span> Vendor ID: \n## 2007-11-17 14:31:31 : af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00 \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> Process [ID]: \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> ID received: type=ID_IPV4_ADDR, ip = 1.1.1.1, port=500, protocol=17 \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> ID 
processed. return 0. sa-<span style=\"color: #0000ff\">&gt;<\/span>p1_state = 2. \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> Process [HASH]: \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> ID, len=8, type=1, pro=17, port=500, \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> addr=1.1.1.1 \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> completing Phase 1 \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> sa_pidt = 38b0b140 \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> found existing peer identity 38b0b698 \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> peer_identity_unregister_p1_sa. \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">0.0.0.0<\/span> <span style=\"color: #0000ff\">&gt;<\/span> delete peer identity 0x38b0b140 \n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> peer_idt.c peer_identity_unregister_p1_sa 509: pidt deleted. 
\n## 2007-11-17 14:31:31 : IKE<span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">1.1.1.1<\/span><span style=\"color: #0000ff\">&gt;<\/span> Phase 1: Completed Main mode negotiation with a <span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">28800<\/span><span style=\"color: #0000ff\">&gt;<\/span>-second lifetime.<\/pre>\n<\/div>\n<div>&nbsp;&nbsp;<\/div>\n<p>Phase 1 needs to work before you can look at Phase 2. If you do not get a valid Phase 1 negotiation, there's no reason to start looking at Phase 2 problems. You can troubleshoot Phase 2 using syslog as well as the following CLI commands :<\/p>\n<ul>\n<li><span style=\"font-size: 9pt; font-family: courier new\">get sa active <\/span><\/li>\n<li><span style=\"font-size: 9pt; font-family: courier new\">debug ike detail <\/span><\/li>\n<\/ul>\n<p>&nbsp;&nbsp;<\/p>\n<p>In Syslog, you will see these messages when you attempt to access resources over an IPSec tunnel :<\/p>\n<p><span style=\"font-size: 9pt; font-family: courier new\">Nov 17 14:18:07 netscreen.domain.com: NetScreen device_id=netscreen [Root]system-information-00536: IKE&lt;3.3.3.1&gt; &gt;&gt; &lt;1.1.1.1&gt; Phase 1: Initiated negotiations in main mode. (2007-11-17 14:18:07)<\/span><\/p>\n<p>Nov 17 14:18:07 netscreen.domain.com: NetScreen device_id=netscreen [Root]system-information-00536: IKE&lt;1.1.1.1&gt; Phase 1: Completed Main mode negotiations with a &lt;28800&gt;-second lifetime. (2007-11-17 14:18:07)<\/p>\n<p>Nov 17 14:18:07 netscreen.domain.com: NetScreen device_id=netscreen [Root]system-information-00536: IKE&lt;1.1.1.1&gt; Phase 2: Initiated negotiations. (2007-11-17 14:18:07)<\/p>\n<p>Nov 17 14:18:07 netscreen.domain.com: NetScreen device_id=netscreen [Root]system-information-00536: IKE&lt;1.1.1.1&gt; Phase 2 msg ID &lt;a55cc636&gt;: Completed negotiations with SPI &lt;17a221d5&gt;, tunnel ID &lt;12&gt;, and lifetime &lt;3600&gt; seconds\/&lt;0&gt; KB. 
(2007-11-17 14:18:07)<\/p>\n<p>This indicates that both Phase1 and Phase2 have been successfully negotiated.<\/p>\n<p>If you get messages that look like this, then you need to check your proxy ID settings :<\/p>\n<p><span style=\"font-size: 9pt; font-family: courier new\">Nov 17 14:24:58 netscreen.domain.com: NetScreen device_id=netscreen [Root]system-information-00536: IKE&lt;1.1.1.1&gt;: Received a notification message for DOI &lt;1&gt; &lt;18&gt; &lt;INVALID-ID-INFORMATION&gt;. (2007-11-17 14:24:58)<\/span><\/p>\n<p>Nov 17 14:24:58 netscreen.domain.com: NetScreen device_id=netscreen [Root]system-information-00536: IKE&lt;1.1.1.1&gt; Phase 2: No policy exists for the proxy ID received: local ID (&lt;0.0.0.0&gt;\/&lt;255.255.0.0&gt;, &lt;0&gt;, &lt;0&gt;) remote ID (&lt;192.168.1.0&gt;\/&lt;255.255.255.0&gt;, &lt;0&gt;, &lt;0&gt;). (2007-11-17 14:21:45)<\/p>\n<p>Nov 17 14:24:58 netscreen.domain.com: NetScreen device_id= netscreen [Root]system-information-00536: Rejected an IKE packet on ethernet2\/0 from 3.3.3.1:500 to 1.1.1.1:500 with cookies fea6d5d4514bf8cc and 6eb4f79ad6050aa5 because the peer sent a proxy ID that did not match the one in the SA config. (2007-11-17 14:43:14)<\/p>\n<p>A \"debug ike detail\" will show this for a successful Phase 2 negotiation :<\/p>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, 'Courier New', courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; Phase 2: Initiated Quick Mode negotiation. 
\n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; Phase-2: start quick mode negotiation \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; Phase-2: no change <span style=\"color: #0000ff\">in<\/span> Modecfg IPv4 address <span style=\"color: #0000ff\">for<\/span> tunnel ifp. \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; Create conn entry... \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; ...done(<span style=\"color: #0000ff\">new<\/span> 77d189f0) \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; Initiator not set commit bit on 1st QM. \n## 2007-11-17 14:31:31 : IKE&lt;0.0.0.0 &gt; dh group 2 \n## 2007-11-17 14:31:31 : IKE&lt;0.0.0.0 &gt; add sa list <span style=\"color: #0000ff\">for<\/span> msg id &lt;77d189f0&gt; \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; 0,0\/0(0)\/spi(d521a21f)\/keylen(0) \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; Construct ISAKMP header. \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; Msg header built (next payload #8) \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; Construct [HASH] \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; Construct [SA] <span style=\"color: #0000ff\">for<\/span> IPSEC \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; Set IPSEC SA attrs: lifetime(3600\/0) \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; atts&lt;00000003 00000000 00000003 00000002 00000001 00000002&gt; \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; proto(3)&lt;ESP&gt;, esp(3)&lt;ESP_3DES&gt;, auth(2)&lt;SHA&gt;, encap(1)&lt;TUNNEL&gt;, group(2) \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; Before NAT-T attr unmap: <span style=\"color: #0000ff\">private<\/span> tunnel = 1. \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; After NAT-T attr unmap: <span style=\"color: #0000ff\">private<\/span> tunnel = 1. \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; Policy have separate SA. Use P2 ID from policy sa (12). 
\n## 2007-11-17 14:31:31 : IKE&lt;10.1.1.0&gt; IP&lt;10.1.1.0&gt; mask&lt;255.255.255.0&gt; prot&lt;0&gt; port&lt;0&gt; \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; Initiator P2 ID built: \n## 2007-11-17 14:31:31 : IKE&lt;192.168.1.0&gt; IP&lt;192.168.1.0&gt; mask&lt;255.255.255.0&gt; prot&lt;0&gt; port&lt;0&gt; \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; Responder P2 ID built: \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; Construct [NONCE] <span style=\"color: #0000ff\">for<\/span> IPSec \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; Construct [KE] <span style=\"color: #0000ff\">for<\/span> PFS \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; Construct [ID] <span style=\"color: #0000ff\">for<\/span> Phase 2 \n## 2007-11-17 14:31:31 : id payload constructed. type(4),ip(00001dac),mask(0000ffff), prot(0), port(0) \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; Construct [ID] <span style=\"color: #0000ff\">for<\/span> Phase 2 \n## 2007-11-17 14:31:31 : id payload constructed. type(4),ip(002110ac),mask(00ffffff), prot(0), port(0) \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; construct QM HASH \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; need to wait <span style=\"color: #0000ff\">for<\/span> offline p2 DH work done. 
\n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; IKE msg done: PKI state&lt;0&gt; IKE state&lt;3\/182f&gt; \n## 2007-11-17 14:31:31 : IKE&lt;0.0.0.0 &gt; finished job pkaidx &lt;0&gt; dh_len&lt;128&gt; dmax&lt;64&gt; \n## 2007-11-17 14:31:31 : IKE&lt;0.0.0.0 &gt; finished job d&lt;76cd1846&gt;&lt;fb6061b8&gt;&lt;39eb1d71&gt;&lt;22e81049&gt; \n## 2007-11-17 14:31:31 : IKE&lt;0.0.0.0 &gt; BN, top32 dmax64 zero&lt;no&gt; \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; construct QM HASH \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1 &gt; Xmit*: [HASH] [SA] [NONCE] [KE] [ID] [ID] \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; Encrypt P2 payload (len 296) \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; Initiator sending IPv4 IP 1.1.1.1\/port 500 \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; Send Phase 2 packet (len=300) \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; ike packet, len 320, action 0 \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; Catcher: received 292 bytes from socket. \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; ****** Recv packet <span style=\"color: #0000ff\">if<\/span> &lt;ethernet2\/0&gt; of vsys &lt;Root&gt; ****** \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; Catcher: get 292 bytes. src port 500 \n## 2007-11-17 14:31:31 : IKE&lt;0.0.0.0 &gt; ISAKMP msg: len 292, nxp 8[HASH], exch 32[QM], flag 01 E \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; Decrypting payload (length 264) \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1 &gt; Recv*: [HASH] [SA] [NONCE] [KE] [ID] [ID] \n## 2007-11-17 14:31:31 : IKE&lt;0.0.0.0 &gt; extract payload (264): \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; QM <span style=\"color: #0000ff\">in<\/span> state OAK_QM_SA_ACCEPT. 
\n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; Process [SA]: \n## 2007-11-17 14:31:31 : IKE&lt;0.0.0.0 &gt; Check P2 Proposal \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; SA life type = seconds \n## 2007-11-17 14:31:31 : IKE&lt;0.0.0.0 &gt; SA life duration (TV) = 3600 \n## 2007-11-17 14:31:31 : IKE&lt;0.0.0.0 &gt; PFS group = 2 \n## 2007-11-17 14:31:31 : IKE&lt;0.0.0.0 &gt; encap mode from peer = 1. \n## 2007-11-17 14:31:31 : IKE&lt;0.0.0.0 &gt; encap mode after converting it to <span style=\"color: #0000ff\">private<\/span> value = 1. \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; Phase 2 received: \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; atts&lt;00000003 00000000 00000003 00000002 00000001 00000002&gt; \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; proto(3)&lt;ESP&gt;, esp(3)&lt;ESP_3DES&gt;, auth(2)&lt;SHA&gt;, encap(1)&lt;TUNNEL&gt;, group(2) \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; P2 proposal [0] selected. \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; Process [KE]: \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; processing ISA_KE <span style=\"color: #0000ff\">for<\/span> PFS <span style=\"color: #0000ff\">in<\/span> phase 2. \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; Process [NONCE]: \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; processing NONCE <span style=\"color: #0000ff\">in<\/span> phase 2. 
\n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; Process [ID]: \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; Process [ID]: \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; IKE msg done: PKI state&lt;0&gt; IKE state&lt;3\/182f&gt; \n## 2007-11-17 14:31:31 : IKE&lt;0.0.0.0 &gt; finished job pkaidx &lt;0&gt; dh_len&lt;128&gt; dmax&lt;64&gt; \n## 2007-11-17 14:31:31 : IKE&lt;0.0.0.0 &gt; finished job d&lt;1fce18cb&gt;&lt;5192d6b0&gt;&lt;f9c23a41&gt;&lt;6005d373&gt; \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; re-enter QM after offline DH done \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; xauth_cleanup() \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; Done cleaning up IKE Phase 1 SA \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; Start by finding matching member SA (verify 0\/0) \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; Verify sa: index 0 \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; IKE: Matching policy: gw ip &lt;1.1.1.1&gt; peer entry id&lt;0&gt; \n## 2007-11-17 14:31:31 : IKE&lt;0.0.0.0 &gt; protocol matched expected&lt;0&gt;. \n## 2007-11-17 14:31:31 : IKE&lt;0.0.0.0 &gt; port matched expect&lt;0&gt;. \n## 2007-11-17 14:31:31 : ipvx = IPV4 \n## 2007-11-17 14:31:31 : rcv_local_addr = 10.1.1.0, rcv_local_mask = 255.255.255.0, p_rcv_local_real = 10.1.1.0 \n## 2007-11-17 14:31:31 : rcv_remote_addr = 192.168.1.0, rcv_remote_mask = 255.255.255.0, p_rcv_remote_real = 192.168.1.0 \n## 2007-11-17 14:31:31 : ike_p2_id-&gt;local_ip = 10.1.1.0, cfg_local_mask = 255.255.255.0, p_cfg_local_real = 10.1.1.0 \n## 2007-11-17 14:31:31 : ike_p2_id-&gt;remote_ip = 192.168.1.0, cfg_remote_mask = 255.255.255.0, p_cfg_remote_real = 192.168.1.0 \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; Proxy ID match: Located matching Phase 2 SA &lt;12&gt;. \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; sa ID <span style=\"color: #0000ff\">for<\/span> phase 2 sa <span style=\"color: #0000ff\">is<\/span> &lt;12&gt;. IP version <span style=\"color: #0000ff\">is<\/span> 4. 
\n## 2007-11-17 14:31:31 : IKE&lt;0.0.0.0 &gt; life (sec or kb): lcl 3600, peer 3600, set 3600. \n## 2007-11-17 14:31:31 : IKE&lt;0.0.0.0 &gt; life (sec or kb): lcl 0, peer 0, set 0. \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; gen_qm_key() \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; load_sa_keys(): enter. \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; gen_qm_key() \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; load_sa_keys(): enter. \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; ikmpd.c 3668. sa ID <span style=\"color: #0000ff\">for<\/span> phase 2 sa <span style=\"color: #0000ff\">is<\/span> &lt;12&gt;. IP version <span style=\"color: #0000ff\">is<\/span> 4. \n## 2007-11-17 14:31:31 : IKE&lt;0.0.0.0 &gt; spi hash node removed: type&lt;2&gt;,spi&lt;d521a21e&gt;,ip&lt;3.3.3.1&gt; \n## 2007-11-17 14:31:31 : IKE&lt;0.0.0.0 &gt; spi hash node removed: type&lt;2&gt;,spi&lt;2e340d5a&gt;,ip&lt;1.1.1.1&gt; \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; clean_all_sa_state_node_from_list-&gt; \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; no relocate earlier SA-state, not active. \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; key_modify: sa index &lt;0&gt; bk_idx &lt;0&gt;. \n## 2007-11-17 14:31:31 : IKE&lt;0.0.0.0 &gt; insert_sa_state_to_spi_hash spi&lt;1fa221d5&gt;, sa_index&lt;0&gt;, Incoming \n## 2007-11-17 14:31:31 : IKE&lt;0.0.0.0 &gt; insert_sa_state_to_spi_hash spi&lt;34b48a1e&gt;, sa_index&lt;0&gt;, Outgoing \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; \ncrypto_ctx 22, 8, 24, 8, 0, 0, 16, 0, 12, 48 \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; modify esp tunnel: src (peer) ipv4 &lt;1.1.1.1&gt; \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; modifying esp tunnel: self &lt;ipv4 3.3.3.1&gt; \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; update auto NHTB status <span style=\"color: #0000ff\">for<\/span> sa 0 \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; after mod, <span style=\"color: #0000ff\">out<\/span> nsptunnel &lt;05258b58&gt;. 
\n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; Phase 2 msg-id &lt;f089d177&gt;: Completed Quick Mode negotiation with SPI &lt;1fa221d5&gt;\n\n  , tunnel ID &lt;12&gt;, and lifetime &lt;3600&gt; seconds\/&lt;0&gt; KB. \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; Application sa installed. \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; Phase 2 Initiator constructing 3rd(last) message. \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; oakley_final_qm():enter \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; Construct ISAKMP header. \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; Msg header built (next payload #8) \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; Construct [HASH] <span style=\"color: #0000ff\">in<\/span> QM \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; oakley_final_qm():exit \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1 &gt; Xmit*: [HASH] \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; Encrypt P2 payload (len 52) \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; Initiator sending IPv4 IP 1.1.1.1\/port 500 \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; Send Phase 2 packet (len=60) \n## 2007-11-17 14:31:31 : IKE&lt;1.1.1.1&gt; oakley_process_quick_mode():exit \n## 2007-11-17 14:31:32 : IKE&lt;0.0.0.0 &gt; dh group 2 \n## 2007-11-17 14:31:32 : IKE&lt;1.1.1.1&gt; nhtb_list_update_status: vpn A-LAN1_to_B-LAN1 \n## 2007-11-17 14:31:32 : IKE&lt;1.1.1.1&gt; ** link ready <span style=\"color: #0000ff\">return<\/span> 8 \n## 2007-11-17 14:31:32 : IKE&lt;1.1.1.1&gt; sa_link_status_for_tunl_ifp: saidx 2, preliminary status 8 \n## 2007-11-17 14:31:32 : IKE&lt;1.1.1.1&gt; nhtb_list_update_status: vpn A-LAN1_to_B-LAN1 \n## 2007-11-17 14:31:32 : IKE&lt;1.1.1.1&gt; ** link ready <span style=\"color: #0000ff\">return<\/span> 8 \n## 2007-11-17 14:31:32 : IKE&lt;1.1.1.1&gt; sa_link_status_for_tunl_ifp: saidx 1, preliminary status 8 \n## 2007-11-17 14:31:32 : IKE&lt;1.1.1.1&gt; nhtb_list_update_status: vpn A-LAN1_to_B-LAN1 \n## 2007-11-17 14:31:32 : IKE&lt;1.1.1.1&gt; ** link ready <span 
style=\"color: #0000ff\">return<\/span> 8 \n## 2007-11-17 14:31:32 : IKE&lt;1.1.1.1&gt; sa_link_status_for_tunl_ifp: saidx 0, preliminary status 8 \n## 2007-11-17 14:31:32 : IKE&lt;0.0.0.0 &gt; finished job pkaidx &lt;0&gt; dh_len&lt;128&gt; dmax&lt;64&gt; \n## 2007-11-17 14:31:32 : IKE&lt;0.0.0.0 &gt; finished job d&lt;b97702b6&gt;&lt;c27f3334&gt;&lt;693fdcc4&gt;&lt;479bfd9c&gt; \n## 2007-11-17 14:31:32 : IKE&lt;0.0.0.0 &gt; BN, top32 dmax64 zero&lt;no&gt;\n<\/pre>\n<\/div>\n<p>&nbsp;&nbsp;<\/p>\n<p>&nbsp;&nbsp;<\/p>\n<h4>Quick note on syslog<\/h4>\n<p>If you have a Linux box, then you can use the built-in syslog features. If you are using Windows, you can download a free syslog daemon from <a href=\"http:\/\/support.3com.com\/software\/utilities_for_windows_32_bit.htm\">http:\/\/support.3com.com\/software\/utilities_for_windows_32_bit.htm<\/a> (Look for 3CDaemon)<\/p>\n<p>Once you have the syslog engine running, configure the netscreen to use syslog :<\/p>\n<p><span style=\"font-size: 9pt; font-family: courier new\">set syslog config \"ip_of_syslog_server\" facilities local0 local1<\/span><\/p>\n<p>set syslog src-interface ethernet0\/0<\/p>\n<p>set syslog enable<\/p>\n<p>&nbsp;&nbsp;<\/p>\n<p>Good luck !<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Today, I will explain the (easy) steps to set up a route-based IPSec VPN tunnel between a Juniper Netscreen firewall\/VPN device and a remote Cisco device (such as Cisco ASA) If you are looking for more generic information on IPSec and building VPNs with Juniper, take a look at my blog post on VPNs with &hellip; <a href=\"https:\/\/www.corelan.be\/index.php\/2007\/11\/17\/juniper-setting-up-an-ipsec-vpn-tunnel-between-a-juniper-netscreen-firewallvpn-device-and-a-cisco-vpn-device\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> \"Juniper : Setting up an IPSec VPN tunnel between a Juniper Netscreen firewall\/vpn device and a Cisco VPN 
device\"<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[554,164,127],"tags":[3735,998,583,571],"class_list":["post-337","post","type-post","status-publish","format-standard","hentry","category-juniper","category-networking","category-security","tag-juniper-netscreen-screenos","tag-cisco","tag-vpn","tag-ipsec"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Juniper : Setting up an IPSec VPN tunnel between a Juniper Netscreen firewall\/vpn device and a Cisco VPN device - Corelan | Exploit Development &amp; Vulnerability Research<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.corelan.be\/index.php\/2007\/11\/17\/juniper-setting-up-an-ipsec-vpn-tunnel-between-a-juniper-netscreen-firewallvpn-device-and-a-cisco-vpn-device\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Juniper : Setting up an IPSec VPN tunnel between a Juniper Netscreen firewall\/vpn device and a Cisco VPN device - Corelan | Exploit Development &amp; Vulnerability Research\" \/>\n<meta property=\"og:description\" content=\"Today, I will 
explain the (easy) steps to set up a route-based IPSec VPN tunnel between a Juniper Netscreen firewall\/VPN device and a remote Cisco device (such as Cisco ASA) If you are looking for more generic information on IPSec and building VPNs with Juniper, take a look at my blog post on VPNs with &hellip; Continue reading &quot;Juniper : Setting up an IPSec VPN tunnel between a Juniper Netscreen firewall\/vpn device and a Cisco VPN device&quot;\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.corelan.be\/index.php\/2007\/11\/17\/juniper-setting-up-an-ipsec-vpn-tunnel-between-a-juniper-netscreen-firewallvpn-device-and-a-cisco-vpn-device\/\" \/>\n<meta property=\"og:site_name\" content=\"Corelan | Exploit Development &amp; Vulnerability Research\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/corelanconsulting\" \/>\n<meta property=\"article:published_time\" content=\"2007-11-17T00:47:56+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2008\/09\/111707-0952-junipersett1-thumb1.png\" \/>\n<meta name=\"author\" content=\"corelanc0d3r\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@corelanc0d3r\" \/>\n<meta name=\"twitter:site\" content=\"@corelanc0d3r\" \/>\n<script type=\"application\/ld+json\" 
class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"TechArticle\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2007\\\/11\\\/17\\\/juniper-setting-up-an-ipsec-vpn-tunnel-between-a-juniper-netscreen-firewallvpn-device-and-a-cisco-vpn-device\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2007\\\/11\\\/17\\\/juniper-setting-up-an-ipsec-vpn-tunnel-between-a-juniper-netscreen-firewallvpn-device-and-a-cisco-vpn-device\\\/\"},\"author\":{\"name\":\"corelanc0d3r\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/person\\\/3be5542b9b0a0787893db83a5ad68e8f\"},\"headline\":\"Juniper : Setting up an IPSec VPN tunnel between a Juniper Netscreen firewall\\\/vpn device and a Cisco VPN device\",\"datePublished\":\"2007-11-17T00:47:56+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2007\\\/11\\\/17\\\/juniper-setting-up-an-ipsec-vpn-tunnel-between-a-juniper-netscreen-firewallvpn-device-and-a-cisco-vpn-device\\\/\"},\"wordCount\":1784,\"publisher\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2007\\\/11\\\/17\\\/juniper-setting-up-an-ipsec-vpn-tunnel-between-a-juniper-netscreen-firewallvpn-device-and-a-cisco-vpn-device\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2008\\\/09\\\/111707-0952-junipersett1-thumb1.png\",\"keywords\":[\"juniper netscreen 
screenos\",\"Cisco\",\"vpn\",\"ipsec\"],\"articleSection\":[\"Juniper\",\"Networking\",\"Security\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2007\\\/11\\\/17\\\/juniper-setting-up-an-ipsec-vpn-tunnel-between-a-juniper-netscreen-firewallvpn-device-and-a-cisco-vpn-device\\\/\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2007\\\/11\\\/17\\\/juniper-setting-up-an-ipsec-vpn-tunnel-between-a-juniper-netscreen-firewallvpn-device-and-a-cisco-vpn-device\\\/\",\"name\":\"Juniper : Setting up an IPSec VPN tunnel between a Juniper Netscreen firewall\\\/vpn device and a Cisco VPN device - Corelan | Exploit Development &amp; Vulnerability Research\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2007\\\/11\\\/17\\\/juniper-setting-up-an-ipsec-vpn-tunnel-between-a-juniper-netscreen-firewallvpn-device-and-a-cisco-vpn-device\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2007\\\/11\\\/17\\\/juniper-setting-up-an-ipsec-vpn-tunnel-between-a-juniper-netscreen-firewallvpn-device-and-a-cisco-vpn-device\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2008\\\/09\\\/111707-0952-junipersett1-thumb1.png\",\"datePublished\":\"2007-11-17T00:47:56+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2007\\\/11\\\/17\\\/juniper-setting-up-an-ipsec-vpn-tunnel-between-a-juniper-netscreen-firewallvpn-device-and-a-cisco-vpn-device\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2007\\\/11\\\/17\\\/juniper-setting-up-an-ipsec-vpn-tunnel-between-a-juniper-netscreen-firewallvpn-device-and-a-cisco-vpn-device\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\
/2007\\\/11\\\/17\\\/juniper-setting-up-an-ipsec-vpn-tunnel-between-a-juniper-netscreen-firewallvpn-device-and-a-cisco-vpn-device\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2008\\\/09\\\/111707-0952-junipersett1-thumb1.png\",\"contentUrl\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2008\\\/09\\\/111707-0952-junipersett1-thumb1.png\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2007\\\/11\\\/17\\\/juniper-setting-up-an-ipsec-vpn-tunnel-between-a-juniper-netscreen-firewallvpn-device-and-a-cisco-vpn-device\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.corelan.be\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Juniper : Setting up an IPSec VPN tunnel between a Juniper Netscreen firewall\\\/vpn device and a Cisco VPN device\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#website\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/\",\"name\":\"Corelan CyberSecurity Research\",\"description\":\"Corelan publishes in-depth tutorials on exploit development, Windows exploitation, vulnerability research, heap internals, reverse engineering and security tooling used by professionals worldwide.\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.corelan.be\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#organization\",\"name\":\"Corelan CyberSecurity 
Research\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2026\\\/03\\\/corelanlogo2_small-20.png\",\"contentUrl\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2026\\\/03\\\/corelanlogo2_small-20.png\",\"width\":200,\"height\":200,\"caption\":\"Corelan CyberSecurity Research\"},\"image\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/corelanconsulting\",\"https:\\\/\\\/x.com\\\/corelanc0d3r\",\"https:\\\/\\\/x.com\\\/corelanconsulting\",\"https:\\\/\\\/instagram.com\\\/corelanconsult\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/person\\\/3be5542b9b0a0787893db83a5ad68e8f\",\"name\":\"corelanc0d3r\",\"pronouns\":\"he\\\/him\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x\",\"caption\":\"corelanc0d3r\"},\"description\":\"Peter Van Eeckhoutte is the founder of Corelan and a globally recognized expert in exploit development and vulnerability research. With over two decades in IT security, he built Corelan into a respected platform for deep technical research, hands-on training, and knowledge sharing. 
Known for his influential exploit development tutorials, tools, and real-world training, Peter combines a strong research mindset with a passion for education\u2014helping security professionals understand not just how exploits work, but why.\",\"sameAs\":[\"https:\\\/\\\/www.corelan-training.com\",\"https:\\\/\\\/instagram.com\\\/corelanc0d3r\",\"https:\\\/\\\/www.linkedin.com\\\/in\\\/petervaneeckhoutte\\\/\",\"https:\\\/\\\/x.com\\\/corelanc0d3r\"],\"url\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/author\\\/admin0\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","views":76996,"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/posts\/337","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/comments?post=337"}],"version-history":[{"count":0,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/posts\/337\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/media?parent=337"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/categories?post=337"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/tags?post=337"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}