  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1719
  • Last Modified:

Help with VPN connection error: 3com to Netscreen

I am attempting to establish a VPN tunnel between a 3Com 3CR858-91 OfficeConnect VPN router and a NetScreen 5GT. Thus far, I have followed the directions from this page ( http://kb.juniper.net/CUSTOMERSERVICE/KB4191 ), and have configured the 3Com router. However, when I attempt to connect with the 3Com router, I receive the following error message in the NetScreen log:

Rejected an IKE packet on untrust from DHCP IP to Static IP with cookies 4b623ad18e0fe87b and 0000000000000000 because an initial Phase 1 packet arrived from an unrecognized peer gateway.

I have looked all over online for a solution, but have not been able to find one. If anyone could help me, I would really appreciate it. Thanks.
 
amoldkelkar Commented:
Is there any way you can post your config here and a network diagram? It will be helpful to understand if you can post both sides' VPN configs.

From the error it looks like either the remote gateway IP is mismatched or there is some mismatch with the Phase I proposals.
0
 
johnp338 (Author) Commented:
Posting up the 3Com's settings is not an issue, but can you try to indicate which pages you'd like me to take a shot of from the Netscreen?
0
 
amoldkelkar Commented:
Try this document:
http://www.juniper.net/techpubs/software/screenos/screenos5.4.0/CE_v5.pdf
Go to Site-to-site VPN > Site-to-Site VPN configurations > Route-Based site to site.

Can you give the NetScreen side config? Otherwise, as I said, it's difficult to understand which part is missing or has some bad config.

Thanks,
-AK
0
 
dpk_wal Commented:
The error you posted indicates that the remote peer IP (the 3Com's) is not recognized by the 5GT as a known IP. Can you tell whether your 3Com device is behind a NAT device, or does your 3Com have a public IP on the external interface?

Can you also make sure that the Phase I settings are identical in terms of the algorithms used, and that the peer IP addresses are correct as well?
0
 
johnp338 (Author) Commented:
amoldkelkar, I have attempted using that documentation before for help, but have found it virtually impossible to follow. I am still working from the article I originally posted a link to, and I am getting screenshots and hosting them right now. I should have them posted shortly.

Thank you.
0
 
johnp338 (Author) Commented:
Here are the configuration screenshots:

http://img380.imageshack.us/img380/4411/autokeyikekj9.jpg

http://img354.imageshack.us/img354/4538/autokeyikeadvancedlq8.jpg

http://img352.imageshack.us/img352/3519/gatewaydc7.jpg

http://img354.imageshack.us/img354/4207/gatewayadvancedsh6.jpg

http://img352.imageshack.us/img352/9781/interfaces4pk7.jpg

http://img352.imageshack.us/img352/3200/interfaceslistji9.jpg

http://img388.imageshack.us/img388/7420/policytrusttountrusthl3.jpg

http://img354.imageshack.us/img354/3724/policyuntrusttotrustbe7.jpg

http://img354.imageshack.us/img354/9181/ocstatusne5.jpg

http://img354.imageshack.us/img354/9354/ocvpnvc5.jpg

I would also like to point out that although I followed the directions from the article, this connection is clearly different from the other gateway-to-gateway VPNs that exist on the device. On the Interfaces List page, you can see that Tunnel 4, the tunnel currently in question, is in the zone Untrust while all of the other tunnels are in the zone Trust. However, when I attempt to edit this setting, I get the following error: Interface tunnel.4 failed to bind to zone Trust. Interface: is currently in use.
0
 
amoldkelkar Commented:
Working on it.
Looking at your screenshots. Let me put your config on paper and then troubleshoot.
Will get back soon.

Thanks,
-AK
0
 
amoldkelkar Commented:
Firstly, about the comment you made last:
The reason you cannot edit the tunnel interface is because the tunnel interface is bound to the VPN.
You will have to unbind the tunnel interface from the VPN, and then you will be able to edit the tunnel interface config.

Coming up with other config..
0
 
amoldkelkar Commented:
The following could be the problems, so please try my suggestions:

Problem 1:
In Phase I on the NetScreen, under 'Security Level' you have selected 'Aggressive' mode, whereas on the 3Com I can see that 'Main' mode is selected.

0
 
amoldkelkar Commented:
Problem 2:
In Phase I on the NetScreen, the Phase I proposal is set to 'Compatible', which means the proposals could be as follows:
pre-g2-3des-sha
pre-g2-3des-md5
pre-g2-des-sha
pre-g2-des-md5
Whereas in the screenshot of your 3Com I don't see any Diffie-Hellman group selected.
Please select group 2.
0
 
johnp338 (Author) Commented:
amoldkelkar, thank you for your replies. I fixed both problems you mentioned, both with the Aggressive mode and the Diffie-Hellman group 2. I still get the same error.

I also unbound the interface and switched the trust/untrust.
0
 
amoldkelkar Commented:
Problem 3: (which I feel could be a problem... correct me if I am wrong)
On the NetScreen side, under the gateway config in your 3rd screenshot, you have selected the remote gateway as 'Dynamic peer' and not 'Static IP', so I am assuming that the peer ID on the NetScreen device, 'john.com', is from the ISP?
0
 
johnp338 (Author) Commented:
No, john.com is just something I entered here:

http://img525.imageshack.us/img525/3479/ocvpnstatusig8.jpg
0
 
johnp338 (Author) Commented:
Unfortunately I have a dynamic IP on the 3com side...should I simply set it up as though it's static, and deal with the change when Charter rarely assigns me a new IP?
0
 
amoldkelkar Commented:
Oh, if on the 3Com side you are able to get a static IP, then it will be easier.
I am sure it will be helpful.

Also, just want to make sure: in Phase II as well you selected the DH group, since on the NetScreen you have a custom proposal, g2-esp-des-sha.
0
 
johnp338 (Author) Commented:
Well, I tried what I just suggested, assigning the remote gateway's dynamic address as a static address in the NetScreen config, and I am no longer getting the "unrecognized peer gateway". I am, however, now getting the following error:

2007-07-27 02:00:28      info      Rejected an IKE packet on untrust from 68.188.91.53:500 to 70.62.196.34:500 with cookies 891cd1eef66da363 and c8915c2cb2f2eabb because there were no acceptable Phase 2 proposals.
2007-07-27 02:00:28      info      IKE<68.188.91.53> Phase 2 msg ID <025e2552>: Responded to the peer's first message.
2007-07-27 02:00:18      info      IKE<68.188.91.53> Phase 2 msg ID <025e2552>: Negotiations have failed.
2007-07-27 02:00:18      info      Rejected an IKE packet on untrust from 68.188.91.53:500 to 70.62.196.34:500 with cookies 891cd1eef66da363 and c8915c2cb2f2eabb because there were no acceptable Phase 2 proposals.
2007-07-27 02:00:18      info      IKE<68.188.91.53> Phase 2 msg ID <025e2552>: Responded to the peer's first message.
2007-07-27 02:00:18      info      IKE<68.188.91.53> Phase 1: Completed Aggressive mode negotiations with a <28800>-second lifetime.
2007-07-27 02:00:18      info      IKE<68.188.91.53> Phase 1: Responder starts AGGRESSIVE mode negotiations.
0
 
johnp338 (Author) Commented:
Yes, I did set the DH group, these are my current settings:

http://img401.imageshack.us/img401/7767/newocvpnqo0.jpg
0
 
amoldkelkar Commented:
There is some problem in the Phase II proposals.
0
 
amoldkelkar Commented:
So on both sides the Phase II proposals are:
g2-esp-des-sha

Can you even try refreshing the NetScreen box?

As far as I can tell, everything looks fine and it should work. Also, tunnel.4 is bound back to your VPN, right?
In addition:
Policies for the VPN are also permitting traffic in both directions, right?
Also, is there a route directing traffic for the 3Com's LAN to the tunnel interface?

Let me know.
Hoping it works for you.
0
 
johnp338 (Author) Commented:
I mistakenly changed the Phase II proposal from custom (g2-esp-des-sha) to Compatible. Once I changed it back, the connection worked.

Interestingly enough, however, once I connect the VPN tunnel, I lose all other connectivity, my router also shows that I've lost my IP from my ISP, and my connection runs miserably slow.
0
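The two proposal problems in this thread (Phase I 'Compatible' versus a missing DH group, and the Phase II custom g2-esp-des-sha versus 'Compatible' mix-up) both come down to whether the two peers share at least one proposal. The checker below is an added example, not code from the thread or from either vendor: it expands ScreenOS-style proposal names into their fields and reports which field has no common value. The Phase I 'Compatible' set is the one amoldkelkar listed; the Phase II 'Compatible' set (the nopfs-esp-* group) is an assumption taken from the ScreenOS documentation, not stated in the thread.

```python
import re

# Phase 1 "Compatible" set as amoldkelkar listed it in the thread.
# Phase 2 "Compatible" set is an assumption taken from the ScreenOS docs (no PFS).
COMPATIBLE = {
    1: ["pre-g2-3des-sha", "pre-g2-3des-md5", "pre-g2-des-sha", "pre-g2-des-md5"],
    2: ["nopfs-esp-3des-sha", "nopfs-esp-3des-md5",
        "nopfs-esp-des-sha", "nopfs-esp-des-md5"],
}

# ScreenOS naming: Phase 1 = <auth>-g<dh>-<enc>-<hash>, Phase 2 = <pfs>-<proto>-<enc>-<hash>
P1 = re.compile(r"^(pre|rsa|dsa)-g(\d+)-(des|3des|aes\d*)-(md5|sha)$")
P2 = re.compile(r"^(g\d+|nopfs)-(esp|ah)-(des|3des|aes\d*|null)-(md5|sha|null)$")


def parse(name, phase):
    """Split a proposal name into its negotiable fields."""
    m = (P1 if phase == 1 else P2).match(name)
    if not m:
        raise ValueError(f"unrecognised Phase {phase} proposal: {name}")
    if phase == 1:
        auth, dh, enc, hsh = m.groups()
        return {"auth": auth, "dh": "g" + dh, "enc": enc, "hash": hsh}
    pfs, proto, enc, hsh = m.groups()
    return {"pfs": pfs, "proto": proto, "enc": enc, "hash": hsh}


def expand(names, phase):
    """Replace the 'compatible' keyword with the concrete proposals it stands for."""
    out = []
    for n in names:
        out.extend(COMPATIBLE[phase] if n.lower() == "compatible" else [n])
    return out


def match(initiator, responder, phase):
    """Return (chosen_proposal, []) on success, else (None, [fields with no common value]).

    The responder accepts the first initiator proposal that is in its own list,
    which is how the 5GT accepted or rejected the 3Com's offer in the thread.
    """
    init = [parse(n, phase) for n in expand(initiator, phase)]
    resp = [parse(n, phase) for n in expand(responder, phase)]
    for p in init:
        if p in resp:
            return p, []
    return None, [f for f in init[0]
                  if not {p[f] for p in init} & {p[f] for p in resp}]


if __name__ == "__main__":
    # Constructed scenario from the thread: 3Com offers g2-esp-des-sha, NetScreen on "Compatible".
    print(match(["g2-esp-des-sha"], ["compatible"], 2))  # (None, ['pfs'])
```

The report of 'pfs' as the only unmatched field is exactly why the Compatible setting failed with "no acceptable Phase 2 proposals": the 3Com asks for PFS group 2 while none of the Compatible proposals use PFS.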
 
amoldkelkar Commented:
Regarding the problem of losing connectivity: it could basically be because of the routes you have.
Can you post the routes page on your NetScreen and 3Com, if you can?

On the NetScreen side you need to have something like this:

Route 1>
set route 192.168.1.0/24 interface tunnel.4 gateway <next-hop-ip-that-can-route>
Route 2> Default route (this is for the traffic which you want to route through some local gateway and not through the tunnel)
set route 0.0.0.0/0 interface untrust gateway <gateway-ip>

For the IP address of the router... hmm, you need to check.
But as far as I know, since it's a dynamic IP, the lease might be expiring in hours, or in a day, or in days. So you will have to keep changing the remote gateway IP in your NetScreen box whenever the 3Com IP changes,
until you buy a static IP or get an IP that can stay longer.

-AK
0
 
johnp338 (Author) Commented:
I do have the first route you mention, but as for the second default route, what is the untrust gateway IP, the IP of the 3com router, or the IP of the netscreen (untrust would presumably be 70.62.196.34)?

Regarding the IP on the 3Com, it literally instantly releases all ISP side settings as soon as the VPN tunnel is connected. Could this be something my ISP is doing, or is it likely a 3Com problem? I'll look into whether or not I can dig anything up.
0
 
johnp338 (Author) Commented:
Well, I tried upgrading the software on the 3Com, and that did the trick.
0
 
amoldkelkar Commented:
Ohhh, cool.
So is it working now?
0
 
johnp338 (Author) Commented:
Yes, everything is working perfectly now, thank you again for your help.
0
