[Openswan Users] Openswan and Juniper Netscreen ?

Bartz, Joerg joerg.bartz at comnet.de
Tue Jul 3 10:44:52 EDT 2007


Hi Noc,

Is PFS also disabled on the netscreen?

What does the log on the netscreen say? I have this running at a customer's place, had no difficulty setting it up...

Best regards,

Jörg
 

-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Noc Phibee
Sent: Tuesday, July 3, 2007 06:09
To: users at openswan.org
Subject: [Openswan Users] Openswan and Juniper Netscreen ?

Hi

I want to connect my Linux box to a Juniper Netscreen ...
but at this time, it doesn't work ...

This is my config:

conn My-Netscreen
        left=84.14.XX.XX         # (IP of my eth0 connected to internet)
        leftsubnet=192.168.57.0/255.255.255.0  #( my network)
        leftnexthop=84.14.XX.XX #(my gateway)
        right=194.98.XX.XX #(IP of my netscreen on internet)
        rightsubnet=194.103.XX.XX/32
        auto=start
        authby=secret
        ike=3des-sha1
        ikelifetime=60s
        keylife=120s
        rekeymargin=10s
        #pfs=no
        #aggrmode=no
        spi=0x500
        esp=3des-md5

and it doesn't connect, this is the log message:

Jul  3 06:04:33 gw ipsec__plutorun: Starting Pluto subsystem...
Jul  3 06:04:33 gw pluto[28470]: Starting Pluto (Openswan Version 2.4.5 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEnMCu\177xOp at c)
Jul  3 06:04:33 gw pluto[28470]: Setting NAT-Traversal port-4500 floating to off
Jul  3 06:04:33 gw pluto[28470]:    port floating activation criteria nat_t=0/port_fload=1
Jul  3 06:04:33 gw pluto[28470]:   including NAT-Traversal patch (Version 0.6c) [disabled]
Jul  3 06:04:33 gw pluto[28470]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Jul  3 06:04:33 gw pluto[28470]: starting up 1 cryptographic helpers
Jul  3 06:04:33 gw pluto[28470]: started helper pid=28471 (fd:6)
Jul  3 06:04:33 gw pluto[28470]: Using Linux 2.6 IPsec interface code on 2.6.12-12mdk
Jul  3 06:04:33 gw pluto[28470]: Could not change to directory '/etc/openswan/ipsec.d/cacerts'
Jul  3 06:04:33 gw pluto[28470]: Could not change to directory '/etc/openswan/ipsec.d/aacerts'
Jul  3 06:04:33 gw pluto[28470]: Could not change to directory '/etc/openswan/ipsec.d/ocspcerts'
Jul  3 06:04:33 gw pluto[28470]: Could not change to directory '/etc/openswan/ipsec.d/crls'
Jul  3 06:04:34 gw pluto[28470]: added connection description "My-Netscreen"
Jul  3 06:04:35 gw pluto[28470]: listening for IKE messages
Jul  3 06:04:35 gw pluto[28470]: adding interface tun1/tun1 192.168.150.129:500
Jul  3 06:04:35 gw pluto[28470]: adding interface tun0/tun0 192.168.150.1:500
Jul  3 06:04:35 gw pluto[28470]: adding interface eth1/eth1 192.168.57.37:500
Jul  3 06:04:35 gw pluto[28470]: adding interface eth0/eth0 84.14.XX.XX:500
Jul  3 06:04:35 gw pluto[28470]: adding interface lo/lo 127.0.0.1:500
Jul  3 06:04:35 gw pluto[28470]: adding interface lo/lo ::1:500
Jul  3 06:04:35 gw pluto[28470]: loading secrets from "/etc/openswan/ipsec.secrets"
Jul  3 06:06:56 gw pluto[29062]: "My-Netscreen" #1: initiating Main Mode
Jul  3 06:06:56 gw pluto[29062]: "My-Netscreen" #1: ignoring unknown Vendor ID payload [47d2b126bfcd83489760e2cf8c5d4d5a03497c150000000300000500]
Jul  3 06:06:57 gw pluto[29062]: "My-Netscreen" #1: ignoring Vendor ID payload [HeartBeat Notify 386b0100]
Jul  3 06:06:57 gw pluto[29062]: "My-Netscreen" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jul  3 06:06:57 gw pluto[29062]: "My-Netscreen" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Jul  3 06:06:57 gw pluto[29062]: "My-Netscreen" #1: I did not send a certificate because I do not have one.
Jul  3 06:06:57 gw pluto[29062]: "My-Netscreen" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jul  3 06:06:57 gw pluto[29062]: "My-Netscreen" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Jul  3 06:06:57 gw pluto[29062]: "My-Netscreen" #1: Main mode peer ID is ID_IPV4_ADDR: '194.98.XX.XX'
Jul  3 06:06:57 gw pluto[29062]: "My-Netscreen" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jul  3 06:06:57 gw pluto[29062]: "My-Netscreen" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Jul  3 06:06:57 gw pluto[29062]: "My-Netscreen" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Jul  3 06:06:57 gw pluto[29062]: "My-Netscreen" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Jul  3 06:06:57 gw pluto[29062]: "My-Netscreen" #1: received and ignored informational message


I don't understand the problems,

thanks for your help
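
Added example, not part of the original thread or of Openswan: a small Python check that reads a pluto log like the one quoted above and reports which IKE phase the peer's NO_PROPOSAL_CHOSEN notify landed in, and whether PFS was part of the Quick Mode proposal (the setting the reply asks about). The function names diagnose() and summarize() are assumptions of this example; the sample lines are copied from the log above.

```python
import re

# Sample input: four lines copied from the pluto log quoted in this thread.
SAMPLE_LOG = '''\
Jul  3 06:06:56 gw pluto[29062]: "My-Netscreen" #1: initiating Main Mode
Jul  3 06:06:57 gw pluto[29062]: "My-Netscreen" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Jul  3 06:06:57 gw pluto[29062]: "My-Netscreen" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Jul  3 06:06:57 gw pluto[29062]: "My-Netscreen" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
'''

# pluto prefixes per-connection messages with: "conn-name" #<state number>:
LINE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)')
QUICK = re.compile(r'initiating Quick Mode (?P<policy>\S+)')

def diagnose(log_text):
    """Return {connection name: finding dict} for a pluto log (hypothetical helper)."""
    findings = {}
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # startup lines carry no connection name
        f = findings.setdefault(m['conn'], {
            'phase1_up': False, 'phase2_policy': None,
            'phase2_up': False, 'rejected_in': None})
        msg = m['msg']
        q = QUICK.search(msg)
        if 'ISAKMP SA established' in msg:
            f['phase1_up'] = True
        elif q:
            f['phase2_policy'] = q['policy'].split('+')
        elif 'IPsec SA established' in msg:
            f['phase2_up'] = True
        elif 'NO_PROPOSAL_CHOSEN' in msg and not f['phase2_up']:
            # The notify arrives on the ISAKMP SA (#1), so attribute it to
            # whichever negotiation was in flight when it was logged.
            f['rejected_in'] = 'phase2' if f['phase2_policy'] else 'phase1'
    return findings

def summarize(f):
    """One-line description of a finding dict (hypothetical helper)."""
    if f['rejected_in'] == 'phase2' and f['phase1_up']:
        pfs = 'with PFS' if 'PFS' in f['phase2_policy'] else 'without PFS'
        return f'Phase 1 up; peer rejected the Quick Mode proposal, sent {pfs}'
    if f['rejected_in'] == 'phase1':
        return 'peer rejected the Main Mode (ike=) proposal'
    return 'no proposal rejection seen'

if __name__ == '__main__':
    for conn, f in diagnose(SAMPLE_LOG).items():
        print(conn, '->', summarize(f))
```
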
