aando asked:
Setting up Netscreen to Sonicwall VPN

We are trying to set up a VPN between a Netscreen NS25 and a SonicWall TZ 210. However, I am not having any luck getting traffic to pass. Has anyone been able to set up a VPN between a Netscreen and a SonicWall?
Sanga Collins

What kind of VPN are you configuring on the Netscreen side? If you could provide more details, I am sure we can get this working for you. For example, does the tunnel actually connect but no traffic passes, or is the tunnel failing Phase 1/Phase 2 negotiation?

Let us know.
aando (ASKER)
Policy-based VPN. It is failing in Phase 1. Here is what the Netscreen log is saying: Rejected an IKE packet on ethernet4 from 93.38.27.164:500 to 66.187.218.226:500 with cookies 7a12fba321e41ee5 and 0e59cd060121cf22 because there were no acceptable Phase 1 proposals.
On the SonicWall side, what Phase 1 proposals are configured? These need to be the same on the Juniper. Policy-based VPN is the way to go when creating tunnels between dissimilar devices, so you are on the right track. I am not too familiar with the SonicWall side of the setup, but if you get the info I can help with the Juniper end of things.
aando (ASKER)
Attached is the setup on the SonicWall. I set it up to mimic a person who said they got it working with these settings.
[attachment: Capture.JPG]
aando (ASKER)
I changed the settings around in the proposal now and I'm getting: Warning VPN IKE Received packet retransmission. Drop duplicate packet

SonicWall:
1) Main Mode
    Group 2
    3DES
    SHA1
    28800
2) ESP
    3DES
    SHA1
    3600

Netscreen
1) pre-g2-3des-sha
2) nopfs-esp-3des-sha
OK, when configuring the gateway (VPNs > AutoKey Advanced > Gateway > Edit),
go to the Advanced section and set your Security Level to Custom: Phase 1 proposal = pre-g2-3des-sha

And when configuring the AutoKey (VPNs > AutoKey IKE > Edit),
go to the Advanced section and again choose the Custom security level: g2-esp-3des-sha

That should make the Juniper Phase 1 and 2 proposals match the SonicWall.
You beat me to the punch; I would use g2-esp-3des-sha for the Phase 2 proposal. Also, if your Juniper does not have a static IP for its public address, you should use Aggressive mode instead of Main mode.
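The proposal-matching step the replies above walk through, as an added example that is not from this thread: a small Python helper that decodes ScreenOS predefined proposal names (the patterns cover names of the form pre-g2-3des-sha and nopfs-esp-3des-sha; custom-named proposals have to be decoded by hand) and lists every parameter on which they disagree with a SonicWall policy. The SonicWall dictionary is a constructed sample based on the settings posted above, with PFS assumed to be enabled with DH group 2.

```python
import re

# ScreenOS predefined proposal names encode their parameters: Phase 1 is
# <auth>-g<dh>-<enc>-<hash> (pre-g2-3des-sha), Phase 2 is <pfs>-esp-<enc>-<hash>.
P1_NAME = re.compile(r"^(pre|rsa|dsa)-g(\d+)-(des|3des|aes128|aes192|aes256)-(md5|sha)$")
P2_NAME = re.compile(r"^(nopfs|g\d+)-esp-(des|3des|aes128|aes192|aes256)-(md5|sha)$")
ENC = {"des": "DES", "3des": "3DES", "aes128": "AES-128", "aes192": "AES-192", "aes256": "AES-256"}
HASH = {"md5": "MD5", "sha": "SHA1"}
AUTH = {"pre": "preshared", "rsa": "rsa-sig", "dsa": "dsa-sig"}

def parse_p1(name):
    """Decode a predefined ScreenOS Phase 1 proposal name into its parameters."""
    m = P1_NAME.match(name)
    if not m:
        raise ValueError(f"not a predefined ScreenOS Phase 1 proposal: {name}")
    auth, group, enc, hsh = m.groups()
    return {"auth": AUTH[auth], "dh_group": int(group), "enc": ENC[enc], "hash": HASH[hsh]}

def parse_p2(name):
    """Decode a predefined ScreenOS Phase 2 proposal name; pfs_group is None for nopfs-*."""
    m = P2_NAME.match(name)
    if not m:
        raise ValueError(f"not a predefined ScreenOS Phase 2 proposal: {name}")
    pfs, enc, hsh = m.groups()
    return {"pfs_group": None if pfs == "nopfs" else int(pfs[1:]), "enc": ENC[enc], "hash": HASH[hsh]}

def mismatches(p1_name, p2_name, sonicwall):
    """Return the parameters on which the Netscreen proposals and the SonicWall
    policy disagree (SA lifetimes are not part of the ScreenOS name; check them separately)."""
    ns1, ns2 = parse_p1(p1_name), parse_p2(p2_name)
    checks = [
        ("Phase 1 auth", ns1["auth"], sonicwall["p1_auth"]),
        ("Phase 1 DH group", ns1["dh_group"], sonicwall["p1_dh_group"]),
        ("Phase 1 encryption", ns1["enc"], sonicwall["p1_enc"]),
        ("Phase 1 hash", ns1["hash"], sonicwall["p1_hash"]),
        ("Phase 2 encryption", ns2["enc"], sonicwall["p2_enc"]),
        ("Phase 2 hash", ns2["hash"], sonicwall["p2_hash"]),
        ("Phase 2 PFS group", ns2["pfs_group"], sonicwall["p2_pfs_group"]),
    ]
    return [f"{k}: Netscreen={a!r} SonicWall={b!r}" for k, a, b in checks if a != b]

# Constructed sample: the SonicWall settings posted in the thread (Main mode, Group 2,
# 3DES, SHA1; ESP 3DES SHA1), with PFS assumed to be enabled using DH group 2.
SONICWALL = {"p1_auth": "preshared", "p1_dh_group": 2, "p1_enc": "3DES", "p1_hash": "SHA1",
             "p2_enc": "3DES", "p2_hash": "SHA1", "p2_pfs_group": 2}

if __name__ == "__main__":
    for p2 in ("nopfs-esp-3des-sha", "g2-esp-3des-sha"):
        print(p2, mismatches("pre-g2-3des-sha", p2, SONICWALL) or "OK")
```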
aando (ASKER)
I'm getting the following in the SonicWall logs:
IKE Initiator: Start Main Mode negotiation (Phase 1)

VPN IKE NAT Discovery : Peer IPSec Security Gateway doesn't support VPN NAT Traversal VPN IKE
Is your Juniper Netscreen configured with a public IP on its untrust/WAN interface?
aando (ASKER)
Yes it has a static public IP.
If the SonicWall has a static public IP as well, then this should not be an issue. I am not too familiar with the SonicWall setup, but from what I can see through a quick Google search, you might have NAT traversal enabled on the SonicWall:

http://help.mysonicwall.com/sw/eng/general/ui1/6600/VPN/NAT_Traversal.htm
aando (ASKER)
I disabled NAT traversal on the SonicWall.

Netscreen log:
2011-04-27 12:57:40 info Rejected an IKE packet on ethernet4 from 196.38.57.14:500 to 118.127.208.56:500 with cookies 38b5f8e14338a452 and d99a1735c964d084 because Phase 1 negotiations failed. (The preshared keys might not match.).
2011-04-27 12:57:39 info IKE<196.38.57.14> Phase 1: Responder starts MAIN mode negotiations.

SonicWall log:
3  04/27/2011 12:34:20.400 Warning VPN IKE Received packet retransmission. Drop duplicate packet 118.127.208.56, 500, .bellsouth.net 196.38.57.14, 500 VPN Policy: FaS  
4  04/27/2011 12:34:19.272 Info VPN IKE IKE Initiator: Remote party timeout - Retransmitting IKE request. 196.38.57.14, 500 118.127.208.56, 500, .bellsouth.net VPN Policy: FaS
When you are configuring the gateway on the Juniper, did you input the same pre-shared key as is configured on the SonicWall?

On the Juniper: VPNs > AutoKey Advanced > Gateway > Edit

At the bottom of the screen is where the pre-shared key is setup.
aando (ASKER)
Yes I have checked it several times just to be sure.
Other than the items we addressed in previous entries, I cannot see anything else that needs to be corrected on the Netscreen. I am going to reach out to a colleague who uses predominantly SonicWall equipment and see if he can provide some new insights into what may be wrong.
aando (ASKER)
Awesome thanks... Let me know if you need any more info. I'd be glad to take screen shots, etc. Thanks again...
aando (ASKER)
Didn't solve... Customer had to buy another firewall.
We had a similar issue with a 5GT and an NSA 2400.
On the 5GT, we created a custom P2 proposal that we called sonicwall:
Perfect Forward Secrecy - DH Group 2
3DES-CBC
SHA-1
MD5
On the NSA 2400:
IKE Phase 1
Aggressive
Group 2
3DES
SHA-1
28800
Phase 2
ESP, 3DES, SHA-1, Enable Perfect Forward Secrecy, Group 2, 28800