Solved

Netscreen Remote VPN - Problems during IKE Phase 2

Posted on 2006-06-06
25,021 Views
Last Modified: 2011-08-18
I have never set up a VPN connection using Auto IKE before and am having problems getting through Phase 2.  The error message I am getting from the remote router is "Phase 2: No policy exists for the proxy ID received".  Any suggestions? I am stumped.  Below is the log file from the Netscreen router and the Netscreen VPN client.

Netscreen 5GT (5.3.0r3.0) Event Log

2006-06-06 16:37:30      info      IKE<XXX.XXX.XXX.XXX> Phase 2 msg ID <eaaa0291>: Negotiations have failed.
2006-06-06 16:37:30      info      IKE<XXX.XXX.XXX.XXX> Phase 2: No policy exists for the proxy ID received: local ID (<YYY.YYY.YYY.YYY>/<255.255.255.255>, <0>, <0>) remote ID (<ZZZ.ZZZ.ZZZ.ZZZ>/<255.255.255.255>, <0>, <0>).
2006-06-06 16:37:30      info      Rejected an IKE packet on untrust from XXX.XXX.XXX.XXX:2066 to YYY.YYY.YYY.YYY:500 with cookies 96a3eea36737798c and 0294a2245c99b1eb because the VPN does not have an application SA configured.
2006-06-06 16:37:30      info      IKE<XXX.XXX.XXX.XXX> Phase 2: No policy exists for the proxy ID received: local ID (<YYY.YYY.YYY.YYY>/<255.255.255.255>, <0>, <0>) remote ID (<ZZZ.ZZZ.ZZZ.ZZZ>/<255.255.255.255>, <0>, <0>).
2006-06-06 16:37:30      info      IKE<XXX.XXX.XXX.XXX> Phase 2 msg ID <eaaa0291>: Responded to the peer's first message.
2006-06-06 16:37:30      info      IKE<XXX.XXX.XXX.XXX>: Received initial contact notification and removed Phase 1 SAs.
2006-06-06 16:37:30      info      IKE<XXX.XXX.XXX.XXX> Phase 1: Completed Aggressive mode negotiations with a <28800>-second lifetime.
2006-06-06 16:37:30      info      IKE<XXX.XXX.XXX.XXX> Phase 1: Completed for user <Stacey Bivins>.
2006-06-06 16:37:30      info      IKE<XXX.XXX.XXX.XXX>: Received initial contact notification and removed Phase 2 SAs.
2006-06-06 16:37:30      info      IKE<XXX.XXX.XXX.XXX>: Received a notification message for DOI <1> <24578> <INITIAL-CONTACT>.
2006-06-06 16:37:30      info      IKE<XXX.XXX.XXX.XXX>: Received a notification message for DOI <1> <24577> <REPLAY-STATUS>.
2006-06-06 16:37:29      info      IKE<XXX.XXX.XXX.XXX> Phase 1: Responder starts AGGRESSIVE mode negotiations.


Netscreen-Remote VPN Client Software 8.0

 6-06: 16:38:49.380 My Connections\CLSGroup - Initiating IKE Phase 1 (IP ADDR=XXX.XXX.XXX.XXX)
 6-06: 16:38:49.652 My Connections\CLSGroup - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID 6x)
 6-06: 16:38:49.812 My Connections\CLSGroup - RECEIVED<<< ISAKMP OAK AG (SA, VID 3x, KE, NON, ID, HASH)
 6-06: 16:38:49.812 My Connections\CLSGroup - Peer supports Dead Peer Detection Version 1.0
 6-06: 16:38:49.812 My Connections\CLSGroup - Dead Peer Detection enabled
 6-06: 16:38:49.933 My Connections\CLSGroup - SENDING>>>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_REPLAY_STATUS, NOTIFY:STATUS_INITIAL_CONTACT)
 6-06: 16:38:49.933 My Connections\CLSGroup - Established IKE SA
 6-06: 16:38:49.943    MY COOKIE 96 a3 ee a3 67 37 79 8c
 6-06: 16:38:49.943    HIS COOKIE 2 94 a2 24 5c 99 b1 eb
 6-06: 16:38:50.123
 6-06: 16:38:50.123 My Connections\CLSGroup - Initiating IKE Phase 2 with Client IDs (message id: EAAA0291)
 6-06: 16:38:50.123 My Connections\CLSGroup -   Initiator = IP ADDR=ZZZ.ZZZ.ZZZ.ZZZ, prot = 0 port = 0
 6-06: 16:38:50.123 My Connections\CLSGroup -   Responder = IP ADDR=YYY.YYY.YYY.YYY, prot = 0 port = 0
 6-06: 16:38:50.123 My Connections\CLSGroup - SENDING>>>> ISAKMP OAK QM *(HASH, SA, NON, KE, ID 2x)
 6-06: 16:39:05.895 My Connections\CLSGroup - QM re-keying timed out. Retry count: 1
 6-06: 16:39:05.895 My Connections\CLSGroup - SENDING>>>> ISAKMP OAK QM *(Retransmission)
 6-06: 16:39:21.085 My Connections\CLSGroup - QM re-keying timed out. Retry count: 2
 6-06: 16:39:21.085 My Connections\CLSGroup - SENDING>>>> ISAKMP OAK QM *(Retransmission)
 6-06: 16:39:36.154 My Connections\CLSGroup - QM re-keying timed out. Retry count: 3
 6-06: 16:39:36.154 My Connections\CLSGroup - SENDING>>>> ISAKMP OAK QM *(Retransmission)
 6-06: 16:39:51.263 My Connections\CLSGroup - Exceeded 3 re-keying attempts (message id: EAAA0291)
 6-06: 16:39:51.293 My Connections\CLSGroup - Disconnecting IKE SA negotiation
 6-06: 16:39:51.304 My Connections\CLSGroup - Deleting IKE SA (IP ADDR=XXX.XXX.XXX.XXX)
 6-06: 16:39:51.304    MY COOKIE 96 a3 ee a3 67 37 79 8c
 6-06: 16:39:51.304    HIS COOKIE 2 94 a2 24 5c 99 b1 eb
 6-06: 16:39:51.304 My Connections\CLSGroup - SENDING>>>> ISAKMP OAK INFO *(HASH, DEL)

XXX.XXX.XXX.XXX = Remote IP
YYY.YYY.YYY.YYY = My Public IP
ZZZ.ZZZ.ZZZ.ZZZ = My LAN IP

Terry
Question by:thepner
7 Comments
LVL 9

Expert Comment

by:jabiii
ID: 16852461
No policy exists for local ID (<YYY.YYY.YYY.YYY>/<255.255.255.255>,) remote ID (<ZZZ.ZZZ.ZZZ.ZZZ>/<255.255.255.255>, )

It's saying your policies don't match, or that there is not one created on the 5GT for what you're trying to do.

Can you sanitize your config for the 5GT relating to this connection?
I need the IKE gateway,
IKE VPN,
phase 1 and 2 proposals you're using,
the objects being used,
and the policy defined.

and we'll see if we can't get you going.

Jim
LVL 1

Author Comment

by:thepner
ID: 16853563
Here is my cleansed 5GT config.

set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "***************"
set admin password "***************"
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "VLAN" block
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "trust" zone "Trust"
set interface "untrust" zone "Untrust"
unset interface vlan1 ip
set interface trust ip XXX.XXX.XXX.XXX/24
set interface trust nat
set interface untrust ip XXX.XXX.XXX.XXX/29
set interface untrust route
set interface untrust gateway XXX.XXX.XXX.XXX
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface untrust manage-ip XXX.XXX.XXX.XXX
set interface trust ip manageable
set interface untrust ip manageable
set interface trust manage mtrace
set interface untrust manage ping
set interface untrust manage telnet
set interface untrust manage web
set interface trust dhcp server service
set interface trust dhcp server enable
set interface trust dhcp server option lease 1440000
set interface trust dhcp server option gateway XXX.XXX.XXX.XXX
set interface trust dhcp server option netmask 255.255.255.0
set interface trust dhcp server option dns1 XXX.XXX.XXX.XXX
set interface trust dhcp server option dns2 XXX.XXX.XXX.XXX
set interface trust dhcp server option dns3 XXX.XXX.XXX.XXX
set interface trust dhcp server option wins1 XXX.XXX.XXX.XXX
set interface trust dhcp server option custom XXX.XXX.XXX.XXX
set interface trust dhcp server option custom 156 string "ftpservers=XXX.XXX.XXX.XXX, country=1, language=1, layer2tagging=0, vlanid=n"
set interface trust dhcp server option custom 4 ip XXX.XXX.XXX.XXX
set interface trust dhcp server ip XXX.XXX.XXX.XXX to XXX.XXX.XXX.XXX
set interface trust dhcp server ip XXX.XXX.XXX.XXX mac 001049021000
set interface "untrust" mip XXX.XXX.XXX.XXX host XXX.XXX.XXX.XXX netmask 255.255.255.255 vr "trust-vr"
set pak-poll p1queue pak-threshold 96
set pak-poll p2queue pak-threshold 32
set flow tcp-mss
unset flow tcp-syn-check
set domain domain.local.
set hostname ns5gt

set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set dns host dns1 XXX.XXX.XXX.XXX
set dns host dns2 0.0.0.0

set user "VPN_User" uid 1
set user "VPN_User" ike-id u-fqdn "vpnuser@domain.com" share-limit 1
set user "VPN_User" type  ike
set user "VPN_User" "enable"
set ike gateway "VPN_Gateway" dialup "VPN_User" Main outgoing-interface "untrust" preshare "********************" sec-level standard
set ike gateway "VPN_Gateway" cert peer-ca all
unset ike gateway "VPN_Gateway" nat-traversal
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vpn "VPN_IKE" gateway "VPN_Gateway" replay tunnel idletime 0 sec-level standard
set vpn "VPN_IKE" bind zone Untrust-Tun
set vpn-group id 1
set l2tp default dns1 XXX.XXX.XXX.XXX
set l2tp default dns2 XXX.XXX.XXX.XXX

set policy id 11 name "IKE" from "Untrust" to "Trust"  "Dial-Up VPN" "Any" "ANY" tunnel vpn "VPN_IKE" id 8 pair-policy 12 log
set policy id 11
exit
set policy id 12 name "IKE" from "Trust" to "Untrust"  "Any" "Dial-Up VPN" "ANY" tunnel vpn "VPN_IKE" id 8 pair-policy 11 log
set policy id 12
exit

Both my router and client are set to the following proposals (Netscreen calls them "standard")

Phase 1 - g2-esp-3des-sha
Phase 2 - pre-g2-3des-sha
LVL 9

Expert Comment

by:jabiii
ID: 16860771
Things are a little crazy right now, I haven't forgotten you. Just need a little bit to clear stuff up at work first. I appreciate your patience,
Jim
LVL 1

Author Comment

by:thepner
ID: 16886604
Any chance that you may have a second to look at this again?  We are still unable to get this connection to work.
LVL 9

Accepted Solution

by:jabiii earned 2000 total points
ID: 16887413
Ok, I saw a couple of things.

I copied/pasted your config and deleted the stuff we weren't worried about, like DHCP and DNS.
I loaded my NSR and got a policy mismatch error, different but similar to what you got.

First thing: under your VPN > AutoKey IKE, your IKE has 2 P2 proposals in the top 2 boxes. In the top right box change it to none.

Second, same thing in your VPN > Gateway. You have two here as well; change the top right one to none.

Thirdly, your policy is from VPN user to any. In NSR I defined the local subnet which you are trying to connect to, which I am assuming you did too, but in the 5GT you listed any. Tell it the same subnet as the NSR policy.


My 5GT that worked:
set interface trust ip 1.1.1.2/24
set interface untrust ip 2.2.2.1/24
set address "Trust" "1.1.1.0/24" 1.1.1.0 255.255.255.0
set user "VPN_User" uid 1
set user "VPN_User" ike-id u-fqdn "vpnuser@domain.com" share-limit 1
set user "VPN_User" type  ike
set user "VPN_User" "enable"
set ike gateway "VPN_Gateway" dialup "VPN_User" Main outgoing-interface "untrust" preshare netscreen proposal "pre-g2-3des-sha"
set ike gateway "VPN_Gateway" cert peer-ca all
unset ike gateway "VPN_Gateway" nat-traversal
set vpn "VPN_IKE" gateway "VPN_Gateway" replay tunnel idletime 0 proposal "g2-esp-3des-sha"
set vpn "VPN_IKE" bind zone Untrust-Tun
set policy id 11 name "IKE" from "Untrust" to "Trust"  "Dial-Up VPN" "1.1.1.0/24" "ANY" tunnel vpn "VPN_IKE" id 9 pair-policy 12 log
set policy id 12 name "IKE" from "Trust" to "Untrust"  "1.1.1.0/24" "Dial-Up VPN" "ANY" tunnel vpn "VPN_IKE" id 9 pair-policy 11 log

My NSR that worked:
Connection Name:
ID type: IP Subnet
Subnet 1.1.1.0
mask 255.255.255.0
connect using secure gateway tunnel
ID type: IP 2.2.2.1

My Identity
Cert: none
ID type: Email Address: vpnuser@domain.com
Virtual adapter disabled
internal interface: any
Preshare: netscreen

Security Policy: aggressive mode:
enable PFS
PFS Key group DH Group 2
Enable Replay Detection

P1
preshare
triple DES
sha1
unspecified
dh group 2

p2
unspecified
none
encapsulation protocol ESP
3des
sha
tunnel


Check this out; it's a step-by-step on how to do user VPNs using preshare.
http://kb.juniper.net/CUSTOMERSERVICE/index?page=kbdetail&record_id=0244022611e8310108012c3c1903901
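The failure the accepted solution fixes is a proxy-ID mismatch: the client offered the firewall's public IP as the protected "local" network, while the 5GT policy implied "Any" (and, after the fix, 1.1.1.0/24). The following is an added example, not code from the thread or from Juniper: it parses the ScreenOS "No policy exists for the proxy ID received" event-log line from the question and compares the offered IDs against what a policy implies. It assumes ScreenOS's exact-match rule for policy-derived proxy IDs ("Any" = 0.0.0.0/0, a dial-up peer = its /32) and uses constructed placeholder addresses.

```python
import re
import ipaddress

# Constructed sample, modelled on the ScreenOS 5.3 event-log line in the question.
# Addresses are documentation placeholders, not real hosts.
FAILED_LINE = ("2006-06-06 16:37:30 info IKE<198.51.100.10> Phase 2: No policy exists for "
               "the proxy ID received: local ID (<203.0.113.5>/<255.255.255.255>, <0>, <0>) "
               "remote ID (<192.168.1.50>/<255.255.255.255>, <0>, <0>).")

ID_RE = re.compile(r"(local|remote) ID \(<([\d.]+)>/<([\d.]+)>, <(\d+)>, <(\d+)>\)")


def parse_proxy_ids(line):
    """Extract the proxy IDs the peer offered in Quick Mode from a ScreenOS
    'No policy exists for the proxy ID received' line.
    Returns {'local': (network, proto, port), 'remote': (...)} or None."""
    if "No policy exists for the proxy ID received" not in line:
        return None
    ids = {}
    for side, addr, mask, proto, port in ID_RE.findall(line):
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        ids[side] = (net, int(proto), int(port))
    return ids if len(ids) == 2 else None


def policy_proxy_id(local_addr, remote_addr, proto=0, port=0):
    """Proxy ID a policy-based VPN policy implies (assumed ScreenOS rule):
    the local (Trust) address object and the remote party's address, each as a
    network. "Any" becomes 0.0.0.0/0; a dial-up peer is its single IP (/32)."""
    def to_net(addr):
        return ipaddress.ip_network("0.0.0.0/0" if addr == "Any" else addr, strict=False)
    return {"local": (to_net(local_addr), proto, port),
            "remote": (to_net(remote_addr), proto, port)}


def proxy_id_mismatches(received, expected):
    """Report each side whose received (network, proto, port) differs from the
    policy-derived one; an empty list means the policy would match."""
    return [side for side in ("local", "remote") if received[side] != expected[side]]


if __name__ == "__main__":
    rx = parse_proxy_ids(FAILED_LINE)
    # Original policy "Any" -> "Dial-Up VPN": the client offered the firewall's own
    # public IP (/32) as the protected network, so the local half cannot match.
    print(proxy_id_mismatches(rx, policy_proxy_id("Any", "192.168.1.50/32")))
    # Accepted fix: the policy names the Trust subnet, so the NSR "remote party"
    # ID must be that same subnet (1.1.1.0/255.255.255.0) for the IDs to line up.
    print(proxy_id_mismatches(rx, policy_proxy_id("1.1.1.0/24", "192.168.1.50/32")))
```

Both prints show `['local']`: the offered IDs match neither the original nor the corrected policy until the client's remote-party ID is changed to the subnet as well.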
LVL 1

Author Comment

by:thepner
ID: 16896431
Jim,

I got it working thanks to your code above.  Thanks for solving a huge headache for me.

I had an additional question, but I posted it separately since this was complete.

http://www.experts-exchange.com/Networking/Broadband/VPN/Q_21884990.html

Thanks again
LVL 9

Expert Comment

by:jabiii
ID: 16896462
Cool!

Always love it when what you offer helps someone save some hair :)

I will take a look at the other one. Might want to go ahead and close this one out so it clears the queue.

Tx again,

Jim
Question has a verified solution.