[Openswan Users]
problem to initiate a vpn with a netscreen juniper 208
Thibault Jouan
tjouan at interfaces.fr
Wed Jun 21 14:40:18 CEST 2006
Hello,
I'm using Openswan 2.4.4 with this config:
conn truc
    left=1.2.3.4
    leftsubnet=192.168.1.0/24
    right=5.6.7.8
    rightsubnet=10.47.1.0/24
    auto=add
    compress=no
    type=tunnel
    authby=secret
I have some errors when trying to establish the IPsec connection:
# ipsec auto --up truc
104 "truc" #1: STATE_MAIN_I1: initiate
003 "tructruc" #1: ignoring unknown Vendor ID payload [248982ac5f111a4ea52807e91f893e1eb00800310000000d00000403]
003 "truc" #1: ignoring Vendor ID payload [HeartBeat Notify 386b0100]
106 "truc" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "truc" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "truc" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
117 "truc" #2: STATE_QUICK_I1: initiate
010 "truc" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "truc" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
031 "truc" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
000 "truc" #2: starting keying attempt 2 of an unlimited number, but releasing whack
and the traffic on the network interface is:
12:35:59.546987 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 320) 1.2.3.4.isakmp > 5.6.7.8.isakmp: isakmp 1.0 msgid cookie ->: phase 1 I ident: [|sa]
12:35:59.564028 IP (tos 0x0, ttl 59, id 33547, offset 0, flags [none], proto: UDP (17), length: 164) 5.6.7.8.isakmp > 1.2.3.4.isakmp: isakmp 1.0 msgid cookie ->: phase 1 R ident: [|sa]
12:35:59.568037 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 208) 1.2.3.4.isakmp > 5.6.7.8.isakmp: isakmp 1.0 msgid cookie ->: phase 1 I ident: [|ke]
12:35:59.585890 IP (tos 0x0, ttl 59, id 33548, offset 0, flags [none], proto: UDP (17), length: 212) 5.6.7.8.isakmp > 1.2.3.4.isakmp: isakmp 1.0 msgid cookie ->: phase 1 R ident: [|ke]
12:35:59.588955 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 88) 1.2.3.4.isakmp > 5.6.7.8.isakmp: isakmp 1.0 msgid cookie ->: phase 1 I ident[E]: [encrypted id]
12:35:59.599007 IP (tos 0x0, ttl 59, id 33549, offset 0, flags [none], proto: UDP (17), length: 96) 5.6.7.8.isakmp > 1.2.3.4.isakmp: isakmp 1.0 msgid cookie ->: phase 1 R ident[E]: [encrypted id]
12:35:59.602992 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 400) 1.2.3.4.isakmp > 5.6.7.8.isakmp: isakmp 1.0 msgid cookie ->: phase 2/others I oakley-quick[E]: [encrypted hash]
12:36:09.605093 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 400) 1.2.3.4.isakmp > 5.6.7.8.isakmp: isakmp 1.0 msgid cookie ->: phase 2/others I oakley-quick[E]: [encrypted hash]
I know that the endpoint 5.6.7.8 is a NetScreen Juniper 208, but I
don't have any access to this equipment; I only know a little of its
logs:
Jun 20 09:11:01 FW-AUB-01 FW-AUB-01: NetScreen device_id=FW-AUB-01 system-information-00536: IKE<194.206.90.82> Phase 2: No policy exists for the proxy ID received: local ID (<10.47.1.0>/<255.255.255.0>,<0>,<0>) remote ID (<192.168.1.0>/<255.255.255.0>,<0>,<0>) (2006-06-20 09:10:59)
Does someone have an idea for my problem?
Thanks
--
Thibault
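
An added example, not part of the original post: a Python sketch that parses the proxy IDs out of the NetScreen "No policy exists" message quoted above and compares them with the subnets of the posted conn, seen from the peer's side. The function names are hypothetical and the inputs are re-typed from the post; an empty result means the peer received exactly the selectors the conn defines, so the message concerns the policy configured on the peer.

```python
import ipaddress
import re

# Inputs re-typed from the post: the conn and the proxy-ID part of the NetScreen log.
CONN = """conn truc
    left=1.2.3.4
    leftsubnet=192.168.1.0/24
    right=5.6.7.8
    rightsubnet=10.47.1.0/24
"""
NS_LOG = ("Phase 2: No policy exists for the proxy ID received: "
          "local ID (<10.47.1.0>/<255.255.255.0>,<0>,<0>) "
          "remote ID (<192.168.1.0>/<255.255.255.0>,<0>,<0>)")

# Address and netmask of each proxy ID; the two trailing <0> fields are not parsed.
PROXY_RE = re.compile(r"(local|remote) ID \(<([\d.]+)>/\s*<([\d.]+)>")

def conn_selectors(conf, peer_side="right"):
    """Return (local, remote) networks as the peer on `peer_side` sees them."""
    opts = dict(l.strip().split("=", 1) for l in conf.splitlines() if "=" in l)
    other = "left" if peer_side == "right" else "right"
    def net(side):
        # Without a subnet option the selector is the host address itself.
        return ipaddress.ip_network(opts.get(side + "subnet", opts[side] + "/32"))
    return net(peer_side), net(other)

def log_selectors(line):
    """Parse the local/remote proxy IDs from a NetScreen 'No policy exists' message."""
    found = {side: ipaddress.ip_network(f"{addr}/{mask}")
             for side, addr, mask in PROXY_RE.findall(line)}
    if set(found) != {"local", "remote"}:
        raise ValueError("no proxy-ID pair in log line")
    return found["local"], found["remote"]

def compare(conf, line):
    """List differences between the conn's subnets and what the peer logged."""
    want_local, want_remote = conn_selectors(conf)
    got_local, got_remote = log_selectors(line)
    diffs = []
    if want_local != got_local:
        diffs.append(f"peer local {got_local} != rightsubnet {want_local}")
    if want_remote != got_remote:
        diffs.append(f"peer remote {got_remote} != leftsubnet {want_remote}")
    return diffs

if __name__ == "__main__":
    print(compare(CONN, NS_LOG) or "proxy IDs received by the peer match the conn")
```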