PIX to Netscreen


sikek (MIS) · Sep 15, 2003
It seems I'm having a problem getting phase 2 to work. It's like there's no answer back from the PIX for phase 2, but phase 1 completes fine. Any ideas? Also, this environment is a mix with a lot of Netscreen-to-Netscreen or PIX-to-PIX; this is the first time we are trying to mix Netscreen-to-PIX. Thanks for any help.



Config

access-list ipsec-ivc permit ip 172.19.1.0 255.255.255.0 192.187.224.0 255.255.255.0

crypto ipsec transform-set mine esp-des esp-sha-hmac
crypto map heights 77 ipsec-isakmp
crypto map heights 77 match address ipsec-ivc
crypto map heights 77 set peer 72.*.*.*
crypto map heights 77 set transform-set mine

isakmp key ************ address 72.*.*.* netmask 255.255.255.255

isakmp policy 77 authentication pre-share
isakmp policy 77 encryption des
isakmp policy 77 hash sha
isakmp policy 77 group 1
isakmp policy 77 lifetime 28800

Output of the show crypto ipsec sa command:

local ident (addr/mask/prot/port): (172.19.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.*.*.0/255.255.255.0/0/0)
current_peer: 72.*.*.*:0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 23328, #recv errors 0

local crypto endpt.: 216.*.*.*, remote crypto endpt.: 72.*.*.*
path mtu 1500, ipsec overhead 0, media mtu 1500
current outbound spi: 0

inbound esp sas:


inbound ah sas:


inbound pcp sas:


outbound esp sas:


outbound ah sas:


outbound pcp sas:



Output of the show crypto isakmp sa command:
Total : 10
Embryonic : 0
dst src state pending created

72.*.*.* 216.*.*.* OAK_CONF_ADDR 0



Everything is correct on the Netscreen side; this has been verified by JTAC.

Events on the Netscreen:

2006-08-04 08:54:27 info IKE<216.*.*.*>: Received initial contact notification and removed Phase 1 SAs.
2006-08-04 08:54:27 info IKE<216.*.*.*>: Received initial contact notification and removed Phase 2 SAs.
2006-08-04 08:54:27 info IKE<216.*.*.*>: Received a notification message for DOI <1> <24578> <INITIAL-CONTACT>.
2006-08-04 08:54:27 info IKE<216.*.*.*> Phase 1: Completed Main mode negotiations with a <3600>-second lifetime.
 
Here's some more information; I hope this helps.


# debug crypto ipsec
IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 216.x.x.x, remote= 72.x.x.x,
local_proxy= 172.19.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.x.x.0/255.255.255.0/0/0 (type=4)
IPSEC(key_engine): request timer fired: count = 2,
(identity) local= 216.x.x.x, remote= 72.x.x.x,
local_proxy= 172.19.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.x.x.0/255.255.255.0/0/0 (type=4)
 
Done this sometimes, and every time it's the Netscreen's configuration that has the problem.

In the phase 2 settings on the Netscreen you can type the local and remote networks; you have to do this or phase 2 will fail.
 
First off, thanks for the reply boymarty24. But I already have the Proxy-IDs set up on phase 2. What I notice is that the PIX wants to negotiate at a <3600>-second lifetime, even though I set it to isakmp policy 77 lifetime 28800.
 
Have you tried to create customized phase 1 and 2 settings on the Netscreen, so you can match them up with the PIX?
 
Thanks for the reply boymarty24. I resolved this issue: when it went to do the phase 2 negotiation it was getting two ISAKMP policies. It would accept the first, then the second one would knock it off. I ran a debug ike detail on the Netscreen to find that information out.
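A small diagnostic, added here and not part of the thread or of either vendor's tooling, that parses the PIX "show crypto ipsec sa" and "show crypto isakmp sa" output quoted above and reports the pattern this thread shows: an ISAKMP (phase 1) SA exists, but no ESP SA, outbound SPI 0 and climbing send errors mean quick mode (phase 2) never completed. The sample text is constructed from the posts, with the masked octets kept as posted.

```python
import re

# Constructed sample: the "show crypto ipsec sa" / "show crypto isakmp sa"
# output quoted in the thread, masked octets ("*") kept exactly as posted.
IPSEC_SA = """\
local ident (addr/mask/prot/port): (172.19.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.*.*.0/255.255.255.0/0/0)
current_peer: 72.*.*.*:0
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#send errors 23328, #recv errors 0
current outbound spi: 0
inbound esp sas:
outbound esp sas:
"""
ISAKMP_SA = "dst src state pending created\n72.*.*.* 216.*.*.* OAK_CONF_ADDR 0\n"

def parse_ipsec_sa(text):
    """Counters and identities that decide whether Phase 2 ever came up."""
    sa = {"peer": None, "local": None, "remote": None, "out_spi": "0",
          "encaps": 0, "send_errors": 0, "esp_sa_count": 0}
    pats = {"peer": r"current_peer:\s*(\S+):\d+",
            "local": r"local ident \(addr/mask/prot/port\): \(([^/]+/[^/]+)/",
            "remote": r"remote ident \(addr/mask/prot/port\): \(([^/]+/[^/]+)/",
            "out_spi": r"current outbound spi:\s*(\w+)",
            "encaps": r"#pkts encaps:\s*(\d+)", "send_errors": r"#send errors\s+(\d+)"}
    for key, pat in pats.items():
        m = re.search(pat, text)
        if m:
            sa[key] = int(m.group(1)) if key in ("encaps", "send_errors") else m.group(1)
    # An established ESP SA is listed as a "spi: 0x..." line under the esp sas headers.
    sa["esp_sa_count"] = len(re.findall(r"^\s*spi:\s*0x", text, re.M))
    return sa

def parse_isakmp_sa(text):
    """(dst, src, state) per ISAKMP SA row; the header line has no upper-case state."""
    return re.findall(r"^(\S+)\s+(\S+)\s+([A-Z_]+)\s+\d+", text, re.M)

def diagnose(ipsec_text, isakmp_text):
    sa = parse_ipsec_sa(ipsec_text)
    p1 = [r for r in parse_isakmp_sa(isakmp_text) if sa["peer"] in r[:2]]
    phase2_up = sa["esp_sa_count"] > 0 and sa["out_spi"] != "0"
    findings = [f"Phase 1 SA with {sa['peer']}: {p1[0][2] if p1 else 'none'}"]
    if not phase2_up:
        findings.append("Phase 2: no ESP SA and outbound SPI 0, quick mode never completed")
    if sa["encaps"] == 0 and sa["send_errors"] > 0:
        findings.append(f"{sa['send_errors']} send errors with 0 encaps: traffic matches the crypto ACL but has no SA to use")
    findings.append(f"proxy IDs offered: {sa['local']} <-> {sa['remote']} (Netscreen proxy-ID must mirror these)")
    return {"phase1_up": bool(p1), "phase2_up": phase2_up, "findings": findings}
```

Run diagnose(IPSEC_SA, ISAKMP_SA) to get the findings list; the last entry prints the proxy IDs the PIX is offering, which is what has to line up with the Netscreen phase 2 proxy-ID that boymarty24 mentions.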
 