Configuring LAN to LAN VPN on Juniper ssg5-serial

I have a Juniper ssg5-serial at a remote medical office that needs to connect to the lab at the local hospital.  The hospital has provided me with all the pertinent information as far as Gateway/Phase1/Phase2/PSK/Host.

We are set up with a Comcast /29 with the first usable as our WAN static for the Juniper and the second static as the Management. The third usable is for our VPN connection.

According to the hospital IT department our resource of xxx.xxx.xxx6 is the server that the application that needs the access to the hospital runs on.  

These are the errors we are getting when attempting to create the tunnel:

2011-04-06 16:25:53 info IKE 12.148.43.77 Phase 2 msg ID 1b59ba5b: Negotiations have failed.
2011-04-06 16:25:53 info Rejected an IKE packet on ethernet0/0 from 12.148.43.77:500 to 173.13.31.57:500 with cookies b6c96f702be8ca7f and f61d098c11c0559d because The peer sent a proxy ID that did not match the one in the SA config.
2011-04-06 16:25:53 info IKE 12.148.43.77 Phase 2: No policy exists for the proxy ID received: local ID (173.13.31.59/255.255.255.255, 0, 0) remote ID (12.148.43.49/255.255.255.255, 0, 0).
2011-04-06 16:25:53 info IKE 12.148.43.77 Phase 2 msg ID 1b59ba5b: Responded to the peer's first message.
2011-04-06 16:25:49 info IKE 12.148.43.77 Phase 2 msg ID 1b59ba5b: Negotiations have failed.
2011-04-06 16:25:49 info Rejected an IKE packet on ethernet0/0 from 12.148.43.77:500 to 173.13.31.57:500 with cookies b6c96f702be8ca7f and f61d098c11c0559d because The peer sent a proxy ID that did not match the one in the SA config.
2011-04-06 16:25:49 info IKE 12.148.43.77 Phase 2: No policy exists for the proxy ID received: local ID (173.13.31.59/255.255.255.255, 0, 0) remote ID (12.148.43.49/255.255.255.255, 0, 0).
2011-04-06 16:25:49 info IKE 12.148.43.77 Phase 2 msg ID 1b59ba5b: Responded to the peer's first message.
2011-04-06 16:25:45 info IKE 12.148.43.77 Phase 2 msg ID 1b59ba5b: Negotiations have failed.
2011-04-06 16:25:45 info Rejected an IKE packet on ethernet0/0 from 12.148.43.77:500 to 173.13.31.57:500 with cookies b6c96f702be8ca7f and f61d098c11c0559d because The peer sent a proxy ID that did not match the one in the SA config.
2011-04-06 16:25:45 info IKE 12.148.43.77 Phase 2: No policy exists for the proxy ID received: local ID (173.13.31.59/255.255.255.255, 0, 0) remote ID (12.148.43.49/255.255.255.255, 0, 0).
2011-04-06 16:25:45 info IKE 12.148.43.77 Phase 2 msg ID 1b59ba5b: Responded to the peer's first message.
2011-04-06 16:25:41 info IKE 12.148.43.77 Phase 2 msg ID 1b59ba5b: Negotiations have failed.
2011-04-06 16:25:41 info Rejected an IKE packet on ethernet0/0 from 12.148.43.77:500 to 173.13.31.57:500 with cookies b6c96f702be8ca7f and f61d098c11c0559d because The peer sent a proxy ID that did not match the one in the SA config.
2011-04-06 16:25:41 info IKE 12.148.43.77 Phase 2: No policy exists for the proxy ID received: local ID (173.13.31.59/255.255.255.255, 0, 0) remote ID (12.148.43.49/255.255.255.255, 0, 0).
2011-04-06 16:25:41 info IKE 12.148.43.77 Phase 2 msg ID 1b59ba5b: Responded to the peer's first message.
2011-04-06 16:25:37 info IKE 12.148.43.77 Phase 2 msg ID 1b59ba5b: Negotiations have failed.
2011-04-06 16:25:37 info Rejected an IKE packet on ethernet0/0 from 12.148.43.77:500 to 173.13.31.57:500 with cookies b6c96f702be8ca7f and f61d098c11c0559d because The peer sent a proxy ID that did not match the one in the SA config.
2011-04-06 16:25:37 info IKE 12.148.43.77 Phase 2: No policy exists for the proxy ID received: local ID (173.13.31.59/255.255.255.255, 0, 0) remote ID (12.148.43.49/255.255.255.255, 0, 0).
2011-04-06 16:25:37 info IKE 12.148.43.77 Phase 2 msg ID 1b59ba5b: Responded to the peer's first message.

TechGuy_007 Asked:

deimark Commented:
These 2 messages give the game away here bud.

2011-04-06 16:25:37 info Rejected an IKE packet on ethernet0/0 from 12.148.43.77:500 to 173.13.31.57:500 with cookies b6c96f702be8ca7f and f61d098c11c0559d because The peer sent a proxy ID that did not match the one in the SA config.
2011-04-06 16:25:37 info IKE 12.148.43.77 Phase 2: No policy exists for the proxy ID received: local ID (173.13.31.59/255.255.255.255, 0, 0) remote ID (12.148.43.49/255.255.255.255, 0, 0).
2011-04-06 16:25:37 info IKE 12.148.43.77 Phase 2 msg ID 1b59ba5b: Responded to the peer's first message.

The proxy-id is the details of the local and remote networks between which the VPN is to encrypt traffic.

If you are using policy-based VPNs, then for the policy you use to encrypt the traffic (i.e. the one with the action of tunnel), the address objects you use for this rule determine the proxy-id.

We can of course overrule this default behaviour, and in the AutoKey IKE (phase 2) settings we can set this manually.

In the logs, the juniper device sees the proxy-id presented from the other side as
local ID (173.13.31.59/255.255.255.255, 0, 0)
remote ID (12.148.43.49/255.255.255.255, 0, 0).

If we set the proxy ID on the SSG to be the inverse of this, i.e. the other side's local network is our remote net, etc., then the VPN should work bud.
0
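To make the proxy-ID comparison described above mechanical, here is an added example (not from the original thread or from Juniper): it parses the ScreenOS "No policy exists for the proxy ID received" line quoted in the question and checks the SSG's configured local/remote pair against it, reporting whether the pair matches, is merely swapped, or disagrees outright. It assumes, as the log's own labels suggest, that the IDs in that message are already expressed from the SSG's point of view; the sample log line is constructed from the format shown in the question.

```python
import ipaddress
import re

# Constructed sample, copied from the ScreenOS message format quoted in the question.
SAMPLE_LOG = (
    "2011-04-06 16:25:37 info IKE 12.148.43.77 Phase 2: No policy exists for the "
    "proxy ID received: local ID (173.13.31.59/255.255.255.255, 0, 0) "
    "remote ID (12.148.43.49/255.255.255.255, 0, 0)."
)

# Matches "local ID (ip/mask, proto, port)" and the remote equivalent.
ID_RE = re.compile(
    r"(local|remote) ID \((\d+\.\d+\.\d+\.\d+)/(\d+\.\d+\.\d+\.\d+), (\d+), (\d+)\)"
)


def proxy_id(cidr, proto=0, port=0):
    """Build a proxy-ID tuple (network, protocol, port); 0 means 'any' as in ScreenOS."""
    return (ipaddress.ip_network(cidr, strict=False), proto, port)


def parse_proxy_ids(line):
    """Return {'local': (net, proto, port), 'remote': (...)} from a ScreenOS
    'No policy exists for the proxy ID received' line, or None for other lines."""
    found = {}
    for side, ip, mask, proto, port in ID_RE.findall(line):
        found[side] = (ipaddress.ip_network(f"{ip}/{mask}", strict=False),
                       int(proto), int(port))
    return found if {"local", "remote"} <= found.keys() else None


def first_received_proxy_id(lines):
    """Scan a log excerpt and return the first parsed proxy-ID pair, or None."""
    for line in lines:
        parsed = parse_proxy_ids(line)
        if parsed:
            return parsed
    return None


def diagnose(configured_local, configured_remote, received):
    """Compare the SSG's configured proxy-ID pair with what the peer proposed."""
    ours = (configured_local, configured_remote)
    if ours == (received["local"], received["remote"]):
        return "match"        # phase 2 should negotiate
    if ours == (received["remote"], received["local"]):
        return "swapped"      # same networks, local/remote reversed on one side
    return "mismatch"         # networks, masks, protocol or port differ
```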
 
TechGuy_007 Author Commented:
I don't suppose there is a step by step on how to perform this fix?  
0
 
Qlemo Batchelor, Developer and EE Topic Advisor Commented:
It's pretty much as easy as described above: go into VPN > AutoKey IKE, and depending on your firmware release you need to click on "Proxy ID". If you can't see that, you are on a pre-6.3 firmware release, and need to go into "Edit", "Advanced". You now need to set the Proxy ID settings to
   Local ID: 12.148.34.49/24
   Remote ID: 173.13.31.59
   Service: Any
and that should be it. You might need to unbind your policy from the VPN first; you'll get an error message stating that then.
0
 
deimark Commented:
Couldn't have said it better hehe.

If you still have issues bud, let us know.
0
 
Qlemo Batchelor, Developer and EE Topic Advisor Commented:
Don't you think I should get some of the points for explaining the how-to?
0
Question has a verified solution.