[j-nsp] Re: IPSec Interoperability with Cisco Router

Harshit Kumar harshit at juniper.net
Mon Jan 17 15:32:38 EST 2005


Hi Eric,

#1 is a periodic trigger to start the IKE negotiation, but it finds that the negotiation is already in progress. Not harmful.

#2 indicates this end is trying to establish the IKE session but the other end doesn't seem to be responding, either due to packet drop or due to a config error on the other end.

Messages like the following indicate that the IKE negotiation is initiated by the J20. You can only see them if you set [security traceoptions flag ike]:

Jan 17 12:27:05 jnp_ike_connect: Start, remote_name = 7.7.7.2:500, xchg = 2, flags = 00010000
Jan 17 12:27:05 ike_sa_allocate: Start, SA = { 3d3c4eb8 987e5e6f - 00000000 00000000 }

Harshit
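As an added example (not code from the thread or from Juniper), here is a small Python triage script for the two cases explained above: it re-assembles kmd records whose continuation lines are indented, treats "Negotiation already started" as a benign re-trigger, and flags peers behind a "Phase-1 negotiation timeout" or "[initiator] failed with error(Timeout)" record as not responding, which points at the UDP/500 path (the suspected firewall) or the far-end config. The log excerpt is constructed in the format quoted in this thread.

```python
import re
from collections import Counter
# Constructed kmd excerpt in the format quoted in this thread; indented lines are continuations.
SAMPLE_KMD_LOG = """\
Jan 17 12:27:05 jnp_ike_connect: Start, remote_name = 7.7.7.2:500, xchg = 2, flags = 00010000
Negotiation already started for p1_local=ipv4(udp:500,[0..3]=211.77.241.245)
                p1_remote=ipv4(udp:500,[0..3]=203.74.252.2)
Jan 17 22:01:00 ike_retransmit_callback: Isakmp query retry limit reached, deleting
Jan 17 22:01:00 Phase-1 [initiator] failed with error(Timeout) for
                local=ipv4(udp:500,[0..3]=211.77.241.241)
                remote=ipv4(udp:500,[0..3]=211.73.135.29)
Jan 17 22:01:00 Phase-1 negotiation timeout for p1_local=ipv4(udp:500,[0..3]=211.77.241.241)
                p1_remote=ipv4(udp:500,[0..3]=211.73.135.29)
"""

PEER = r"ipv4\(udp:\d+,\[0\.\.3\]=(?P<peer>[\d.]+)\)"
# (pattern, label): labels follow the two cases explained in the reply above.
RULES = [
    (re.compile(r"jnp_ike_connect: Start, remote_name = (?P<peer>[\d.]+):\d+"), "initiated"),
    (re.compile(r"Negotiation already started for .*p1_remote=" + PEER), "already_in_progress"),
    (re.compile(r"Isakmp query retry limit reached"), "retry_limit"),
    (re.compile(r"Phase-1 \[initiator\] failed with error\(Timeout\) for .*remote=" + PEER), "peer_not_responding"),
    (re.compile(r"Phase-1 negotiation timeout for .*p1_remote=" + PEER), "peer_not_responding"),
]

def join_records(text):
    """Glue indented continuation lines back onto the record they belong to."""
    records = []
    for line in text.splitlines():
        if line[:1].isspace() and records:
            records[-1] += " " + line.strip()
        elif line.strip():
            records.append(line.strip())
    return records

def classify(record):
    # First matching rule wins; unknown records are kept as "other" so nothing is silently dropped.
    for pattern, label in RULES:
        m = pattern.search(record)
        if m:
            return label, m.groupdict().get("peer")
    return "other", None

def triage(text):
    # Count (label, peer) pairs over the whole excerpt.
    return Counter(classify(rec) for rec in join_records(text))

def unresponsive_peers(text):
    # Peers whose Phase-1 timed out: check the UDP/500 path and the far-end config first.
    return sorted({peer for (label, peer) in triage(text) if label == "peer_not_responding"})
```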


-----Original Message-----
From: Eric Shih (TP/ERT) [mailto:eric.shih at ericsson.com] 
Sent: Monday, January 17, 2005 6:59 AM
To: juniper-nsp at puck.nether.net
Cc: Harshit Kumar
Subject: RE: [j-nsp] IPSec Interoperability with Cisco Router

Hello Harshit

    I think we have found out the problem. It may be a firewall in-between that prohibits the ISAKMP packets initiated from the M20.
    However, there seems to be no extra log to prove that the M20 does initiate a session. There's only message 1 below. Do you have any idea about these messages? However, for another tunnel without a FW in-between that prohibits the ISAKMP service, the kmd message will show as message 2 below. It seems that the M20 will retransmit the ISAKMP packet and the tunnel will not be established because of a timeout. That's what confused me.

   1.
    Negotiation already started for p1_local=ipv4(udp:500,[0..3]=211.77.241.245)
                p1_remote=ipv4(udp:500,[0..3]=203.74.252.2)
                p2_local=ipv4_subnet(any:0,[0..7]=10.3.2.0/24)
                p2_remote=ipv4_subnet(any:0,[0..7]=10.0.0.0/8)

    2.
    Jan 17 22:01:00 ike_retransmit_callback: Start, retransmit SA = { 4b77d272 1600a1f5 - 00000000 00000000}, nego = -1
    Jan 17 22:01:00 ike_retransmit_callback: Isakmp query retry limit reached, deleting
    Jan 17 22:01:00 Phase-1 [initiator] failed with error(Timeout) for
                local=ipv4(udp:500,[0..3]=211.77.241.241)
                remote=ipv4(udp:500,[0..3]=211.73.135.29)
    Jan 17 22:01:00 Phase-1 negotiation timeout for p1_local=ipv4(udp:500,[0..3]=211.77.241.241)
                p1_remote=ipv4(udp:500,[0..3]=211.73.135.29)
    Jan 17 22:01:00 211.77.241.241:500 (Initiator) <-> 211.73.135.29:500 { 4b77d272 1600a1f5 - 00000000 00000000 [-1] / 0x00000000 } IP; Error =
                Timeout    (8197)

-----Original Message-----
From: Harshit Kumar [mailto:harshit at juniper.net]
Sent: Friday, January 14, 2005 10:16 AM
To: Eric Shih (TP/ERT); juniper-nsp at puck.nether.net
Subject: RE: [j-nsp] IPSec Interoperability with Cisco Router


Hi Eric,
              Sorry for the late reply. Please contact JTAC and open a case with them.

Thanks
Harshit
 

-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net
[mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Eric Shih
(TP/ERT)
Sent: Saturday, January 01, 2005 7:26 PM
To: juniper-nsp at puck.nether.net
Subject: [j-nsp] IPSec Interoperability with Cisco Router

Hello Harshit

   Because our J20 (M20) is using an ES-PIC for the IPSec tunnel instead of an AS-PIC, there's no command you mention.
We have tried with a Cisco 1760 and a Cisco PIX firewall, which have the same problem.

BR
Eric


