[j-nsp] IPSec Interoperability with Cisco Router

Eric Shih (TP/ERT) eric.shih at ericsson.com
Mon Jan 17 09:58:43 EST 2005


Hello Harshit

    I think we have found out the problem. It may be a firewall in-between that prohibits the ISAKMP packets initiated from M20.
    However, there seems to be no extra log to prove that M20 does initiate a session. There's only the message 1 below. Do you have
    any idea of these messages? However, for another tunnel without a FW in-between that prohibits the ISAKMP service, the kmd
    message will show as message 2 below. It seems that M20 will retransmit the ISAKMP packet and the tunnel will not be
    established because of timeout. That's what confuses me.

   1.
    Negotiation already started for p1_local=ipv4(udp:500,[0..3]=211.77.241.245)
                p1_remote=ipv4(udp:500,[0..3]=203.74.252.2)
                p2_local=ipv4_subnet(any:0,[0..7]=10.3.2.0/24)
                p2_remote=ipv4_subnet(any:0,[0..7]=10.0.0.0/8)

    2.
    Jan 17 22:01:00 ike_retransmit_callback: Start, retransmit SA = { 4b77d272 1600a1f5 - 00000000 00000000}, nego = -1
    Jan 17 22:01:00 ike_retransmit_callback: Isakmp query retry limit reached, deleting
    Jan 17 22:01:00 Phase-1 [initiator] failed with error(Timeout) for
                local=ipv4(udp:500,[0..3]=211.77.241.241)
                remote=ipv4(udp:500,[0..3]=211.73.135.29)
    Jan 17 22:01:00 Phase-1 negotiation timeout for  p1_local=ipv4(udp:500,[0..3]=211.77.241.241)
                p1_remote=ipv4(udp:500,[0..3]=211.73.135.29)
    Jan 17 22:01:00 211.77.241.241:500 (Initiator) <-> 211.73.135.29:500 { 4b77d272 1600a1f5 - 00000000 00000000 [-1] / 0x00000000 } IP; Error = 
                Timeout    (8197)

-----Original Message-----
From: Harshit Kumar [mailto:harshit at juniper.net]
Sent: Friday, January 14, 2005 10:16 AM
To: Eric Shih (TP/ERT); juniper-nsp at puck.nether.net
Subject: RE: [j-nsp] IPSec Interoperability with Cisco Router


Hi Eric,
              Sorry for the late reply. Please contact JTAC and open a
case with them.

Thanks
Harshit
 

-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net
[mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Eric Shih
(TP/ERT)
Sent: Saturday, January 01, 2005 7:26 PM
To: juniper-nsp at puck.nether.net
Subject: [j-nsp] IPSec Interoperability with Cisco Router

Hello Harshit

   Because our J20(M20) is using ES-PIC for the IPSec tunnel instead of
AS-PIC, there's no command you mentioned.
We have tried with a Cisco 1760 and a Cisco PIX firewall, which have the same
problem.

BR
Eric



_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
http://puck.nether.net/mailman/listinfo/juniper-nsp

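As an added example that is not part of this thread or of Junos itself (my code, not Eric's or Juniper's): the script below joins kmd's multi-line records, pulls the local/remote peer addresses out of the two message types quoted above, ties the ike_retransmit_callback lines to their ISAKMP initiator cookie, and reports per peer whether a Phase-1 negotiation is still pending ("Negotiation already started") or failed after the retry limit (Timeout). The sample log is constructed from the excerpts above; the exact record layout and the reading of the messages (a Phase-1 timeout means no ISAKMP reply arrived, consistent with a firewall blocking UDP/500) are assumptions.

```python
"""Classify Junos kmd (IKE) log records per peer. Constructed example, not Juniper code."""
import re
from collections import defaultdict

# Constructed sample built from the two kmd excerpts quoted in the thread.
# Addresses, cookies and timestamps are the ones shown there; the line
# layout (continuation lines indented) is assumed, not a verbatim capture.
SAMPLE_LOG = """\
Negotiation already started for p1_local=ipv4(udp:500,[0..3]=211.77.241.245)
            p1_remote=ipv4(udp:500,[0..3]=203.74.252.2)
            p2_local=ipv4_subnet(any:0,[0..7]=10.3.2.0/24)
            p2_remote=ipv4_subnet(any:0,[0..7]=10.0.0.0/8)
Jan 17 22:01:00 ike_retransmit_callback: Start, retransmit SA = { 4b77d272 1600a1f5 - 00000000 00000000}, nego = -1
Jan 17 22:01:00 ike_retransmit_callback: Isakmp query retry limit reached, deleting
Jan 17 22:01:00 Phase-1 [initiator] failed with error(Timeout) for
            local=ipv4(udp:500,[0..3]=211.77.241.241)
            remote=ipv4(udp:500,[0..3]=211.73.135.29)
Jan 17 22:01:00 Phase-1 negotiation timeout for  p1_local=ipv4(udp:500,[0..3]=211.77.241.241)
            p1_remote=ipv4(udp:500,[0..3]=211.73.135.29)
Jan 17 22:01:00 211.77.241.241:500 (Initiator) <-> 211.73.135.29:500 { 4b77d272 1600a1f5 - 00000000 00000000 [-1] / 0x00000000 } IP; Error = 
            Timeout    (8197)
"""

IP = r"([\d.]+)"
# kmd prints an IKE endpoint as ipv4(udp:500,[0..3]=A.B.C.D)
ADDR = r"ipv4\(udp:\d+,\[0\.\.3\]=" + IP + r"\)"
# ISAKMP initiator cookie, two 32-bit words as printed by kmd
COOKIE = r"([0-9a-f]{8} [0-9a-f]{8})"

RE_STARTED = re.compile(r"Negotiation already started for p1_local=" + ADDR + r"\s+p1_remote=" + ADDR)
RE_FAILED = re.compile(r"Phase-1 \[(initiator|responder)\] failed with error\((\w+)\) for\s+local="
                       + ADDR + r"\s+remote=" + ADDR)
RE_P1_TIMEOUT = re.compile(r"Phase-1 negotiation timeout for\s+p1_local=" + ADDR + r"\s+p1_remote=" + ADDR)
RE_RETRANSMIT = re.compile(r"ike_retransmit_callback: Start, retransmit SA = \{ " + COOKIE)
RE_SUMMARY = re.compile(IP + r":\d+ \((Initiator|Responder)\) <-> " + IP + r":\d+ \{ " + COOKIE
                        + r" - .*?\} \w+; Error =\s*(\w+)")


def join_records(text):
    """Fold indented continuation lines into the record they belong to."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and records:
            records[-1] += " " + line.strip()
        else:
            records.append(line.rstrip())
    return records


def classify_peers(text):
    """Return {remote_ip: {local, status, retransmits, cookie}} for every peer seen."""
    peers = defaultdict(lambda: {"local": None, "status": "unknown", "retransmits": 0, "cookie": None})
    retransmits_by_cookie = defaultdict(int)
    for rec in join_records(text):
        m = RE_STARTED.search(rec)
        if m:  # a negotiation for this SA pair is already pending; the new request was coalesced
            p = peers[m.group(2)]
            p["local"] = m.group(1)
            if p["status"] == "unknown":
                p["status"] = "in_progress"
            continue
        m = RE_FAILED.search(rec)
        if m:  # definitive Phase-1 outcome for the peer, e.g. Timeout
            p = peers[m.group(4)]
            p["local"], p["status"] = m.group(3), m.group(2).lower()
            continue
        m = RE_P1_TIMEOUT.search(rec)
        if m:
            p = peers[m.group(2)]
            p["local"], p["status"] = m.group(1), "timeout"
            continue
        m = RE_RETRANSMIT.search(rec)
        if m:  # retransmits carry only the cookie; tie them to a peer via the summary line
            retransmits_by_cookie[m.group(1)] += 1
            continue
        m = RE_SUMMARY.search(rec)
        if m:
            p = peers[m.group(3)]
            p["local"], p["cookie"], p["status"] = m.group(1), m.group(4), m.group(5).lower()
    for p in peers.values():
        if p["cookie"]:
            p["retransmits"] = retransmits_by_cookie.get(p["cookie"], 0)
    return dict(peers)


def diagnose(remote, p):
    """One-line reading of a peer's state (assumption: timeout == no ISAKMP reply received)."""
    if p["status"] == "timeout":
        return (f"{p['local']} -> {remote}: no ISAKMP reply after {p['retransmits']} retransmit(s); "
                "check that UDP/500 is permitted in both directions")
    if p["status"] == "in_progress":
        return f"{p['local']} -> {remote}: Phase-1 still pending; look for a later retransmit/timeout record"
    return f"{p['local']} -> {remote}: {p['status']}"


if __name__ == "__main__":
    for remote, p in classify_peers(SAMPLE_LOG).items():
        print(diagnose(remote, p))
```

Run against a real capture with `python3 kmd_classify.py < /var/log/kmd` after replacing SAMPLE_LOG with `sys.stdin.read()`; a peer that only ever shows "in_progress" and never reaches a Timeout record is the case Eric describes for the tunnel behind the firewall.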