Configuring LAN to LAN VPN on Juniper ssg5-serial

I have a Juniper ssg5-serial at a remote medical office that needs to connect to the lab at the local hospital. The hospital has provided me with all the pertinent information as far as the Gateway/Phase1/Phase2/PSK/Host go.

We are set up with a Comcast /29, with the first usable address as our WAN static for the Juniper and the second static as the Management. The third usable address is for our VPN connection.

According to the hospital IT department, our resource xxx.xxx.xxx6 is the server that the application needing access to the hospital runs on.

These are the errors we are getting when attempting to create the tunnel:

2011-04-06 16:25:53 info IKE 12.148.43.77 Phase 2 msg ID 1b59ba5b: Negotiations have failed.
2011-04-06 16:25:53 info Rejected an IKE packet on ethernet0/0 from 12.148.43.77:500 to 173.13.31.57:500 with cookies b6c96f702be8ca7f and f61d098c11c0559d because The peer sent a proxy ID that did not match the one in the SA config.
2011-04-06 16:25:53 info IKE 12.148.43.77 Phase 2: No policy exists for the proxy ID received: local ID (173.13.31.59/255.255.255.255, 0, 0) remote ID (12.148.43.49/255.255.255.255, 0, 0).
2011-04-06 16:25:53 info IKE 12.148.43.77 Phase 2 msg ID 1b59ba5b: Responded to the peer's first message.
2011-04-06 16:25:49 info IKE 12.148.43.77 Phase 2 msg ID 1b59ba5b: Negotiations have failed.
2011-04-06 16:25:49 info Rejected an IKE packet on ethernet0/0 from 12.148.43.77:500 to 173.13.31.57:500 with cookies b6c96f702be8ca7f and f61d098c11c0559d because The peer sent a proxy ID that did not match the one in the SA config.
2011-04-06 16:25:49 info IKE 12.148.43.77 Phase 2: No policy exists for the proxy ID received: local ID (173.13.31.59/255.255.255.255, 0, 0) remote ID (12.148.43.49/255.255.255.255, 0, 0).
2011-04-06 16:25:49 info IKE 12.148.43.77 Phase 2 msg ID 1b59ba5b: Responded to the peer's first message.
2011-04-06 16:25:45 info IKE 12.148.43.77 Phase 2 msg ID 1b59ba5b: Negotiations have failed.
2011-04-06 16:25:45 info Rejected an IKE packet on ethernet0/0 from 12.148.43.77:500 to 173.13.31.57:500 with cookies b6c96f702be8ca7f and f61d098c11c0559d because The peer sent a proxy ID that did not match the one in the SA config.
2011-04-06 16:25:45 info IKE 12.148.43.77 Phase 2: No policy exists for the proxy ID received: local ID (173.13.31.59/255.255.255.255, 0, 0) remote ID (12.148.43.49/255.255.255.255, 0, 0).
2011-04-06 16:25:45 info IKE 12.148.43.77 Phase 2 msg ID 1b59ba5b: Responded to the peer's first message.
2011-04-06 16:25:41 info IKE 12.148.43.77 Phase 2 msg ID 1b59ba5b: Negotiations have failed.
2011-04-06 16:25:41 info Rejected an IKE packet on ethernet0/0 from 12.148.43.77:500 to 173.13.31.57:500 with cookies b6c96f702be8ca7f and f61d098c11c0559d because The peer sent a proxy ID that did not match the one in the SA config.
2011-04-06 16:25:41 info IKE 12.148.43.77 Phase 2: No policy exists for the proxy ID received: local ID (173.13.31.59/255.255.255.255, 0, 0) remote ID (12.148.43.49/255.255.255.255, 0, 0).
2011-04-06 16:25:41 info IKE 12.148.43.77 Phase 2 msg ID 1b59ba5b: Responded to the peer's first message.
2011-04-06 16:25:37 info IKE 12.148.43.77 Phase 2 msg ID 1b59ba5b: Negotiations have failed.
2011-04-06 16:25:37 info Rejected an IKE packet on ethernet0/0 from 12.148.43.77:500 to 173.13.31.57:500 with cookies b6c96f702be8ca7f and f61d098c11c0559d because The peer sent a proxy ID that did not match the one in the SA config.
2011-04-06 16:25:37 info IKE 12.148.43.77 Phase 2: No policy exists for the proxy ID received: local ID (173.13.31.59/255.255.255.255, 0, 0) remote ID (12.148.43.49/255.255.255.255, 0, 0).
2011-04-06 16:25:37 info IKE 12.148.43.77 Phase 2 msg ID 1b59ba5b: Responded to the peer's first message.
TechGuy_007 Asked:

deimark Commented:
These 2 messages give the game away here bud

2011-04-06 16:25:37 info Rejected an IKE packet on ethernet0/0 from 12.148.43.77:500 to 173.13.31.57:500 with cookies b6c96f702be8ca7f and f61d098c11c0559d because The peer sent a proxy ID that did not match the one in the SA config.
2011-04-06 16:25:37 info IKE 12.148.43.77 Phase 2: No policy exists for the proxy ID received: local ID (173.13.31.59/255.255.255.255, 0, 0) remote ID (12.148.43.49/255.255.255.255, 0, 0).
2011-04-06 16:25:37 info IKE 12.148.43.77 Phase 2 msg ID 1b59ba5b: Responded to the peer's first message.

The proxy-id is the details of the local and remote networks between which the VPN is to encrypt traffic.

If you are using policy-based VPNs, then in the policy you use to encrypt the traffic (i.e. the one with the action "tunnel"), the address objects you use for that rule determine the proxy-id.

We can of course overrule this default behaviour: in the AutoKey IKE (Phase 2) settings we can set it manually.

In the logs, the juniper device sees the proxy-id presented from the other side as
local ID (173.13.31.59/255.255.255.255, 0, 0)
remote ID (12.148.43.49/255.255.255.255, 0, 0).

If we set the proxy ID on the SSG to be the inverse of this, i.e. the other side's local network is our remote net etc., then the VPN should work bud
0

TechGuy_007 (Author) Commented:
I don't suppose there is a step by step on how to perform this fix?  
0
Qlemo "Batchelor", Developer and EE Topic Advisor Commented:
It's pretty much as easy as described above: Go into VPN > AutoKey IKE and, depending on your firmware release, click on "Proxy ID". If you can't see that, you are on a pre-6.3 firmware release and need to go into "Edit", "Advanced". You now need to set the Proxy ID settings to
   Local ID: 12.148.34.49/24
   Remote ID: 173.13.31.59
   Service: Any
and that should be it. You might need to unbind your policy from the VPN first - you'll get an error message stating that if so.
0
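A small diagnostic for the mismatch deimark explains and Qlemo walks through, added here as an example and not part of either answer: it parses ScreenOS "No policy exists for the proxy ID received" lines like the ones quoted in the question, extracts the local/remote pair the peer proposed, and reports whether a configured SSG proxy ID (supplied as CIDR strings; the setting used in the demo run is an assumption) matches it directly, only after swapping local and remote, or not at all.

```python
import ipaddress
import re

# Constructed sample: two ScreenOS event-log lines of the kind quoted in the question.
SAMPLE_LOG = """\
2011-04-06 16:25:53 info IKE 12.148.43.77 Phase 2 msg ID 1b59ba5b: Negotiations have failed.
2011-04-06 16:25:53 info IKE 12.148.43.77 Phase 2: No policy exists for the proxy ID received: local ID (173.13.31.59/255.255.255.255, 0, 0) remote ID (12.148.43.49/255.255.255.255, 0, 0).
"""

# ScreenOS logs each half of a proxy ID as (address/netmask, protocol, port).
_PROXY_ID_RE = re.compile(
    r"local ID \((?P<lip>[\d.]+)/(?P<lmask>[\d.]+), (?P<proto>\d+), (?P<port>\d+)\)"
    r" remote ID \((?P<rip>[\d.]+)/(?P<rmask>[\d.]+), \d+, \d+\)"
)

def proxy_id(local_cidr, remote_cidr):
    """Build a (local_net, remote_net) pair from CIDR strings (the SSG's own setting)."""
    return (ipaddress.ip_network(local_cidr, strict=False),
            ipaddress.ip_network(remote_cidr, strict=False))

def parse_received_proxy_ids(log_text):
    """Extract each proxy ID the peer proposed as (local_net, remote_net, proto, port)."""
    found = []
    for line in log_text.splitlines():
        m = _PROXY_ID_RE.search(line)
        if m is None:
            continue  # other IKE lines carry no proxy-ID detail
        local = ipaddress.ip_network(f"{m['lip']}/{m['lmask']}", strict=False)
        remote = ipaddress.ip_network(f"{m['rip']}/{m['rmask']}", strict=False)
        found.append((local, remote, int(m["proto"]), int(m["port"])))
    return found

def classify(received, configured):
    """'match': identical pairs, Phase 2 can complete; 'mirrored': identical only after
    swapping local and remote (the reversed-sides case the answers describe);
    'mismatch': the networks themselves differ, so check the address objects/policy."""
    r_local, r_remote = received
    c_local, c_remote = configured
    if (r_local, r_remote) == (c_local, c_remote):
        return "match"
    if (r_local, r_remote) == (c_remote, c_local):
        return "mirrored"
    return "mismatch"

if __name__ == "__main__":
    ours = proxy_id("12.148.43.49/32", "173.13.31.59/32")  # assumed SSG proxy-ID setting
    for local, remote, proto, port in parse_received_proxy_ids(SAMPLE_LOG):
        verdict = classify((local, remote), ours)
        print(f"peer proposed {local} -> {remote} (proto {proto}, port {port}): {verdict}")
```

Feed it the full event log and your own Proxy ID setting; a "mirrored" verdict is the symptom from the question, while "mismatch" means the address objects or subnet sizes on the two sides disagree.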
deimark Commented:
Couldn't have said it better hehe.

If you still have issues bud, let us know.
0
Qlemo "Batchelor", Developer and EE Topic Advisor Commented:
Don't you think I should get some of the points for explaining the how-to?
0