[Openswan Users] Openswan and Juniper Netscreen ?
Bartz, Joerg
joerg.bartz at comnet.de
Tue Jul 3 14:41:22 EDT 2007
Hi Noc,
In the ipsec.conf that you have posted you have esp=3des-md5.
Don't you have access to the Netscreen's log files?
I will try to send the two configurations tomorrow!
Best regards!
Jörg
-----Original Message-----
From: Noc Phibee [mailto:noc at phibee.net]
Sent: Tuesday, 3 July 2007 19:52
To: Bartz, Joerg
Subject: Re: [Openswan Users] Openswan and Juniper Netscreen ?
Hi
Thanks for your answer.
In phase 2 on the Netscreen, I have put "nopfs-esp-3des-sha"
and in my config esp=3des-sha1.
Can you copy me your config on Openswan and Netscreen, please?
Thanks, bye
Bartz, Joerg wrote:
> Hi Noc,
>
> Is PFS also disabled on the Netscreen?
>
> What does the log on the Netscreen say? I have this running at a customer's place, and had no difficulty setting it up...
>
> Best regards,
>
> Jörg
>
>
> -----Original Message-----
> From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
> behalf of Noc Phibee
> Sent: Tuesday, 3 July 2007 06:09
> To: users at openswan.org
> Subject: [Openswan Users] Openswan and Juniper Netscreen ?
>
> Hi
>
> I want to connect my Linux box to a Juniper Netscreen ...
> but at this time, that doesn't work ...
>
> This is my config:
>
> conn My-Netscreen
> left=84.14.XX.XX # (IP of my eth0 connected to internet)
> leftsubnet=192.168.57.0/255.255.255.0 # (my network)
> leftnexthop=84.14.XX.XX # (my gateway)
> right=194.98.XX.XX # (IP of my netscreen on internet)
> rightsubnet=194.103.XX.XX/32
> auto=start
> authby=secret
> ike=3des-sha1
> ikelifetime=60s
> keylife=120s
> rekeymargin=10s
> #pfs=no
> #aggrmode=no
> spi=0x500
> esp=3des-md5
>
> and it doesn't connect; this is the log message:
>
> Jul 3 06:04:33 gw ipsec__plutorun: Starting Pluto subsystem...
> Jul 3 06:04:33 gw pluto[28470]: Starting Pluto (Openswan Version 2.4.5 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEnMCu\177xOp at c)
> Jul 3 06:04:33 gw pluto[28470]: Setting NAT-Traversal port-4500 floating to off
> Jul 3 06:04:33 gw pluto[28470]: port floating activation criteria nat_t=0/port_fload=1
> Jul 3 06:04:33 gw pluto[28470]: including NAT-Traversal patch (Version 0.6c) [disabled]
> Jul 3 06:04:33 gw pluto[28470]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
> Jul 3 06:04:33 gw pluto[28470]: starting up 1 cryptographic helpers
> Jul 3 06:04:33 gw pluto[28470]: started helper pid=28471 (fd:6)
> Jul 3 06:04:33 gw pluto[28470]: Using Linux 2.6 IPsec interface code on 2.6.12-12mdk
> Jul 3 06:04:33 gw pluto[28470]: Could not change to directory '/etc/openswan/ipsec.d/cacerts'
> Jul 3 06:04:33 gw pluto[28470]: Could not change to directory '/etc/openswan/ipsec.d/aacerts'
> Jul 3 06:04:33 gw pluto[28470]: Could not change to directory '/etc/openswan/ipsec.d/ocspcerts'
> Jul 3 06:04:33 gw pluto[28470]: Could not change to directory '/etc/openswan/ipsec.d/crls'
> Jul 3 06:04:34 gw pluto[28470]: added connection description "My-Netscreen"
> Jul 3 06:04:35 gw pluto[28470]: listening for IKE messages
> Jul 3 06:04:35 gw pluto[28470]: adding interface tun1/tun1 192.168.150.129:500
> Jul 3 06:04:35 gw pluto[28470]: adding interface tun0/tun0 192.168.150.1:500
> Jul 3 06:04:35 gw pluto[28470]: adding interface eth1/eth1 192.168.57.37:500
> Jul 3 06:04:35 gw pluto[28470]: adding interface eth0/eth0 84.14.XX.XX:500
> Jul 3 06:04:35 gw pluto[28470]: adding interface lo/lo 127.0.0.1:500
> Jul 3 06:04:35 gw pluto[28470]: adding interface lo/lo ::1:500
> Jul 3 06:04:35 gw pluto[28470]: loading secrets from "/etc/openswan/ipsec.secrets"
> Jul 3 06:06:56 gw pluto[29062]: "My-Netscreen" #1: initiating Main Mode
> Jul 3 06:06:56 gw pluto[29062]: "My-Netscreen" #1: ignoring unknown Vendor ID payload [47d2b126bfcd83489760e2cf8c5d4d5a03497c150000000300000500]
> Jul 3 06:06:57 gw pluto[29062]: "My-Netscreen" #1: ignoring Vendor ID payload [HeartBeat Notify 386b0100]
> Jul 3 06:06:57 gw pluto[29062]: "My-Netscreen" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
> Jul 3 06:06:57 gw pluto[29062]: "My-Netscreen" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> Jul 3 06:06:57 gw pluto[29062]: "My-Netscreen" #1: I did not send a certificate because I do not have one.
> Jul 3 06:06:57 gw pluto[29062]: "My-Netscreen" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
> Jul 3 06:06:57 gw pluto[29062]: "My-Netscreen" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> Jul 3 06:06:57 gw pluto[29062]: "My-Netscreen" #1: Main mode peer ID is ID_IPV4_ADDR: '194.98.XX.XX'
> Jul 3 06:06:57 gw pluto[29062]: "My-Netscreen" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
> Jul 3 06:06:57 gw pluto[29062]: "My-Netscreen" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
> Jul 3 06:06:57 gw pluto[29062]: "My-Netscreen" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
> Jul 3 06:06:57 gw pluto[29062]: "My-Netscreen" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
> Jul 3 06:06:57 gw pluto[29062]: "My-Netscreen" #1: received and ignored informational message
>
>
> I don't understand the problem,
>
> thanks for your help
>
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
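As an added illustration that is not part of the thread: a small Python check that compares the esp= and pfs= settings of the posted conn block with the ScreenOS proposal name Noc quoted ("nopfs-esp-3des-sha"), and reads the posted pluto messages to tell a phase-1 proposal failure from a phase-2 one. The conn excerpt and log lines are constructed from the thread, the proposal-name layout `<pfs>-esp-<enc>-<auth>` is assumed from that one name, and pfs defaulting to yes is Openswan's behaviour when pfs= is left unset or commented out.

```python
# Constructed excerpt of the poster's conn block (addresses redacted as on the list).
IPSEC_CONF = """conn My-Netscreen
    left=84.14.XX.XX
    authby=secret
    ike=3des-sha1
    #pfs=no
    esp=3des-md5
"""
NETSCREEN_P2 = "nopfs-esp-3des-sha"  # phase-2 proposal name quoted in the thread
# Constructed pluto lines modelled on the posted log (timestamp prefixes dropped).
PLUTO_LOG = [
    '"My-Netscreen" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY}',
    '"My-Netscreen" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}',
    '"My-Netscreen" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN',
]

def parse_conn(text):
    """Key=value settings of one conn; '#' lines are comments, so a commented-out
    pfs=no leaves Openswan's default of pfs=yes in force."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "conn ")):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.split("#", 1)[0].strip()
    conf.setdefault("pfs", "yes")
    return conf

def parse_netscreen_p2(name):
    """Split a ScreenOS proposal name such as nopfs-esp-3des-sha into a PFS flag
    and an Openswan-style esp= string (assumes the <pfs>-esp-<enc>-<auth> layout)."""
    pfs_tok, _, enc, auth = name.lower().split("-")
    auth = {"sha": "sha1", "md5": "md5"}.get(auth, auth)
    return {"pfs": "no" if pfs_tok == "nopfs" else "yes", "esp": f"{enc}-{auth}"}

def phase2_mismatches(conf, ns):
    """List the phase-2 parameters that differ between the two ends."""
    return [f"{k}: openswan {conf.get(k)} vs netscreen {ns[k]}"
            for k in ("esp", "pfs") if conf.get(k) != ns[k]]

def failing_phase(lines):
    """NO_PROPOSAL_CHOSEN after the ISAKMP SA is up and Quick Mode was sent
    points at phase 2; before the ISAKMP SA exists it points at phase 1."""
    p1 = any("ISAKMP SA established" in l for l in lines)
    qm = any("initiating Quick Mode" in l for l in lines)
    if any("NO_PROPOSAL_CHOSEN" in l for l in lines):
        return "phase2" if p1 and qm else "phase1"
    return None
```

Run against the thread's values it reports both the esp auth (md5 vs sha1) and the PFS setting as mismatched, which is what a NO_PROPOSAL_CHOSEN right after "initiating Quick Mode" with PFS in the flags looks like.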