NetScreen Help

  • #356237
    Anonymous
    Participant

    I am having trouble connecting to a NetScreen firewall. I believe I have set all the proper parameters in VaporSec and I get the “racoon is running” message.

    I still cannot telnet to a host behind the firewall.

    What should I look for on the system to see if the connection is established?

    I do not get any failures in system.log. I do get racoon informational messages.

    I do not see any new connections when I do “netstat -n -f inet”.

    I have noticed a new IPv6 gif0 interface that has a route for the VPN remote subnet.

    Thanks,
    Dave

    #356245
    Anonymous
    Participant

    I am not getting the following in system.log:

    Aug 7 22:43:46 iMac racoon: INFO: isakmp.c:795:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 192.168.1.XX[500]<=>208.39.140.XX[500]
    Aug 7 22:43:46 iMac racoon: INFO: isakmp.c:800:isakmp_ph1begin_i(): begin Aggressive mode.
    Aug 7 22:43:46 iMac racoon: WARNING:ipsec_doi.c:3039:ipsecdoi_checkid1(): ID type mismatched.
    Aug 7 22:43:46 iMac racoon: ERROR: isakmp_agg.c:358:agg_i2recv(): invalid ID payload.

    Aug 7 22:44:17 iMac racoon: ERROR: isakmp.c:1773:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 208.39.140.XX8->192.168.1.XX

    My sysadmin gave me the following NetScreen settings. Is there anything special about these values?

    gateway ip: 208.39.140.XX
    remote subnet 66.240.0.0/255.255.255.0
    id type is email address, ie: [email protected]
    preshared key: YYYYY
    phase 1 negotiation mode: aggressive
    replay detection enabled
    phase 1 encryption algorithm: DES
    phase 1 hash algorithm: MD5
    phase 1 SA lifetime: 28800 sec
    key group: diffie-hellman group 2
    phase 2 enc alg: DES
    phase 2 hash alg: MD5
    phase 2 lifetime: 3600 sec
    phase 2 negotiations are ESP, not AH
    ipsec compression is turned off

    Thanks,
    Dave
