[Openswan Users] Openswan and Juniper Netscreen ?
Bartz, Joerg
joerg.bartz at comnet.de
Tue Jul 3 10:44:52 EDT 2007
Hi Noc,
Is PFS also disabled on the netscreen?
What does the log on the Netscreen say? I have this running at a customer's site and had no difficulty setting it up...
Best regards,
Jörg
-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Noc Phibee
Sent: Tuesday, 3 July 2007 06:09
To: users at openswan.org
Subject: [Openswan Users] Openswan and Juniper Netscreen ?
Hi
I want to connect my Linux box to a Juniper Netscreen, but at this time it doesn't work.
This is my config:
conn My-Netscreen
left=84.14.XX.XX # (IP of my eth0 connected to internet)
leftsubnet=192.168.57.0/255.255.255.0 #( my network)
leftnexthop=84.14.XX.XX #(my gateway)
right=194.98.XX.XX #(IP of my netscreen on internet)
rightsubnet=194.103.XX.XX/32
auto=start
authby=secret
ike=3des-sha1
ikelifetime=60s
keylife=120s
rekeymargin=10s
#pfs=no
#aggrmode=no
spi=0x500
esp=3des-md5
and it doesn't connect; this is the log message:
Jul 3 06:04:33 gw ipsec__plutorun: Starting Pluto subsystem...
Jul 3 06:04:33 gw pluto[28470]: Starting Pluto (Openswan Version 2.4.5 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEnMCu\177xOp at c)
Jul 3 06:04:33 gw pluto[28470]: Setting NAT-Traversal port-4500 floating to off
Jul 3 06:04:33 gw pluto[28470]: port floating activation criteria nat_t=0/port_fload=1
Jul 3 06:04:33 gw pluto[28470]: including NAT-Traversal patch (Version 0.6c) [disabled]
Jul 3 06:04:33 gw pluto[28470]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Jul 3 06:04:33 gw pluto[28470]: starting up 1 cryptographic helpers
Jul 3 06:04:33 gw pluto[28470]: started helper pid=28471 (fd:6)
Jul 3 06:04:33 gw pluto[28470]: Using Linux 2.6 IPsec interface code on 2.6.12-12mdk
Jul 3 06:04:33 gw pluto[28470]: Could not change to directory '/etc/openswan/ipsec.d/cacerts'
Jul 3 06:04:33 gw pluto[28470]: Could not change to directory '/etc/openswan/ipsec.d/aacerts'
Jul 3 06:04:33 gw pluto[28470]: Could not change to directory '/etc/openswan/ipsec.d/ocspcerts'
Jul 3 06:04:33 gw pluto[28470]: Could not change to directory '/etc/openswan/ipsec.d/crls'
Jul 3 06:04:34 gw pluto[28470]: added connection description "My-Netscreen"
Jul 3 06:04:35 gw pluto[28470]: listening for IKE messages
Jul 3 06:04:35 gw pluto[28470]: adding interface tun1/tun1 192.168.150.129:500
Jul 3 06:04:35 gw pluto[28470]: adding interface tun0/tun0 192.168.150.1:500
Jul 3 06:04:35 gw pluto[28470]: adding interface eth1/eth1 192.168.57.37:500
Jul 3 06:04:35 gw pluto[28470]: adding interface eth0/eth0 84.14.XX.XX:500
Jul 3 06:04:35 gw pluto[28470]: adding interface lo/lo 127.0.0.1:500
Jul 3 06:04:35 gw pluto[28470]: adding interface lo/lo ::1:500
Jul 3 06:04:35 gw pluto[28470]: loading secrets from "/etc/openswan/ipsec.secrets"
Jul 3 06:06:56 gw pluto[29062]: "My-Netscreen" #1: initiating Main Mode
Jul 3 06:06:56 gw pluto[29062]: "My-Netscreen" #1: ignoring unknown Vendor ID payload [47d2b126bfcd83489760e2cf8c5d4d5a03497c150000000300000500]
Jul 3 06:06:57 gw pluto[29062]: "My-Netscreen" #1: ignoring Vendor ID payload [HeartBeat Notify 386b0100]
Jul 3 06:06:57 gw pluto[29062]: "My-Netscreen" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jul 3 06:06:57 gw pluto[29062]: "My-Netscreen" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Jul 3 06:06:57 gw pluto[29062]: "My-Netscreen" #1: I did not send a certificate because I do not have one.
Jul 3 06:06:57 gw pluto[29062]: "My-Netscreen" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jul 3 06:06:57 gw pluto[29062]: "My-Netscreen" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Jul 3 06:06:57 gw pluto[29062]: "My-Netscreen" #1: Main mode peer ID is ID_IPV4_ADDR: '194.98.XX.XX'
Jul 3 06:06:57 gw pluto[29062]: "My-Netscreen" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jul 3 06:06:57 gw pluto[29062]: "My-Netscreen" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Jul 3 06:06:57 gw pluto[29062]: "My-Netscreen" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Jul 3 06:06:57 gw pluto[29062]: "My-Netscreen" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Jul 3 06:06:57 gw pluto[29062]: "My-Netscreen" #1: received and ignored informational message
I don't understand the problem;
thanks for your help.
_______________________________________________
Users at openswan.org
http://lists.openswan.org/mailman/listinfo/users
Building and Integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
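Added here as a worked example (not code from either poster): a small Python helper that walks a Pluto log like the one quoted above, records that Phase 1 (Main Mode) completed and Phase 2 (Quick Mode) was answered with NO_PROPOSAL_CHOSEN, and checks the conn section for the PFS mismatch Jörg asks about. The log and conn excerpts inside it are constructed from the thread, and the hints rely on Openswan's documented default of pfs=yes.

```python
import re
# Constructed excerpt modelled on the Pluto log quoted above (not the original log).
SAMPLE_LOG = """\
Jul  3 06:06:56 gw pluto[29062]: "My-Netscreen" #1: initiating Main Mode
Jul  3 06:06:57 gw pluto[29062]: "My-Netscreen" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Jul  3 06:06:57 gw pluto[29062]: "My-Netscreen" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Jul  3 06:06:57 gw pluto[29062]: "My-Netscreen" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
"""
# Constructed conn section mirroring the one in the thread (addresses left out).
SAMPLE_CONF = """\
conn My-Netscreen
    esp=3des-md5
    #pfs=no
"""
LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)')

def parse_conn(conf):
    # Effective settings of one conn section; a commented '#pfs=no' leaves the default pfs=yes.
    settings = {"pfs": "yes"}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "conn ")):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings

def diagnose(log, settings):
    # Follow the IKE negotiation through the log and explain a Phase 2 NO_PROPOSAL_CHOSEN.
    report = {"phase1": "not established", "phase2": "not attempted", "policy": None, "hints": []}
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        msg = m.group("msg")
        if "ISAKMP SA established" in msg:
            report["phase1"] = "established"          # Main Mode (Phase 1) succeeded
        elif msg.startswith("initiating Quick Mode"):
            report["phase2"] = "initiated"
            report["policy"] = msg.split()[3]         # e.g. PSK+ENCRYPT+TUNNEL+PFS+UP
        elif "IPsec SA established" in msg:
            report["phase2"] = "established"
        elif "NO_PROPOSAL_CHOSEN" in msg and report["phase2"] == "initiated":
            report["phase2"] = "rejected by peer (NO_PROPOSAL_CHOSEN)"
    if report["phase2"].startswith("rejected"):
        if "PFS" in (report["policy"] or "").split("+") and settings["pfs"] == "yes":
            report["hints"].append("PFS is on (pfs=yes is the default; '#pfs=no' is only a comment); the peer must enable PFS too")
        report["hints"].append("Phase 2 offers esp=%s; the peer's Phase 2 proposal must match" % settings.get("esp", "default"))
    return report
```

Run `diagnose(SAMPLE_LOG, parse_conn(SAMPLE_CONF))` to get the report; a Phase 1 failure would instead leave phase1 at "not established" and phase2 at "not attempted".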