[Openswan Users] Openswan to Juniper Netscreen, the peer proposed: ->

Paul Wouters paul at nohats.ca
Sat Nov 23 04:26:59 UTC 2013

On Fri, 22 Nov 2013, Axel Starck wrote:

> Subject: [Openswan Users] Openswan to Juniper Netscreen,
>     the peer proposed: ->
> I am trying to setup a route base VPN to a Juniper Netscreen.
> It is a host to subnet connection, where I realy need to connect to only one host in the peer subnet.
> It seems to go for a bit but somehow the tunnel does not get established.
> At some point I get:
>  the peer proposed: ->
> and thing don't move forward.

That is not a host-subnet proposal. It's an "everything to everything"
tunnel. Likely they mean for you to setup a 0/0 to 0/0 and only "route"
that one subnet in there for that one IP address. It is really a bad way
of configuring things (and basically bypasses IPsec tunnel endpoint

> conn juniper
>        ike=3des-sha1
>        esp=3des-sha1
>        authby=secret
>        keyingtries=0
>        left=213.xxx.168.7
>        leftsubnet=
>        # leftsubnet=
>        leftnexthop=%defaultroute
>        right=91.xxx.165.136
>        # rightsubnet=91.xxx.165.136/32
>        rightnexthop=%defaultroute
>        compress=no
>        auto=start

It looks like you should ask them to change their configuration. Tell
them you need a "policy based VPN" and not a "routing based VPN".

Libreswan Developer - https://libreswan.org/
Red Hat Security - http://people.redhat.com/pwouters/
Personal Blog - https://nohats.ca/

More information about the Users mailing list