error creating vpn tunnel netscreen 5xp

[aperkins]

I got a couple of old NetScreen 5XP's.

When I try to create the phase 2 tunnel I get an unable to create sa error on the console.

If the trusted interface ip is unset, then the tunnel can be created, but once I assign the trusted ip and reboot I get the same error and the tunnel is removed from the config.

Any assistance would be appreciated.

Thanks

 

[aperkins]

Here is the error from the console.

cannot create esp_tunnel
Can not create SA for VPN roni, create sa failed
VPN: can't be added
VPN: can't be added
set vpn "roni" gateway "roy-roni" replay tunnel proposal "g2-esp-3des-sha"

 

[shrubble]

You sure that the tunnel is using g2-esp-3des-sha on both ends?

Also, your IKE needs to be configured so that your peers are both looking for the same IP/Subnet combination. For example, if your remote peer is exposing its host as part of a subnet (192.168.32.0/24 for instance), then your peer needs to be configured the same way.

Hope this helps

-Tom

"I would rather have a free bottle in front of me, than a pre-frontal lobotomy..."

-Shrubble

 

[aperkins]

Not even getting this far.

The error I am getting is during the configuration of the phase2 autokey ike entry.

 

[shrubble]

Is the IP of the host that you are trying to connect to a private address that exists within the subnet of your trust side?

That might not matter, not sure. If unsetting the trust ip allows the tunnel to be built, it kind of points to an addressing conflict.

"I would rather have a free bottle in front of me, than a pre-frontal lobotomy..."

-Shrubble