[j-nsp] Re: IPSec Interoperability with Cisco Router
Eric Shih (TP/ERT)
eric.shih at ericsson.com
Mon Jan 17 21:02:04 EST 2005
Hello Harshit
In case 1, what do you mean by " negotiation is alredy in progress" ? Becasue when we use monitor traffic or ethereal to capture
packet from J20, it seems that no IKE packet transmit from J20. However in case 2, I do see the IKE retransmit in kmd log or
live tracing packets. I am wandering if we have case 1 log message, does J20 will not re-transmit the IKE seesion ? What we
only see in kmd log is periodic case 1 message but no ike seesion ? Thanks for your support !!
BR // Eric Shih
-----Original Message-----
From: Harshit Kumar [mailto:harshit at juniper.net]
Sent: Tuesday, January 18, 2005 4:33 AM
To: Eric Shih (TP/ERT); juniper-nsp at puck.nether.net
Subject: RE: [j-nsp] IPSec Interoperability with Cisco Router
Hi Eric,
#1 is a periodic trigger to start the ike negotiation, but it finds
that the negotiation is already in progress. Not harmful.
#2 Indicates this end is trying to establish the IKE session but the
other end doesn't seem to be responding. Either due to packet drop
or due to config error on the other end.
The messages like the following indicate that the IKE negotiation is
initiated
by the J20. You can only see them if you set [security traceoptions
flag ike]
Jan 17 12:27:05 jnp_ike_connect: Start, remote_name = 7.7.7.2:500, xchg
=
2, flags = 00010000
Jan 17 12:27:05 ike_sa_allocate: Start, SA = { 3d3c4eb8 987e5e6f -
00000000 00000000 }
Harshit
-----Original Message-----
From: Eric Shih (TP/ERT) [mailto:eric.shih at ericsson.com]
Sent: Monday, January 17, 2005 6:59 AM
To: juniper-nsp at puck.nether.net
Cc: Harshit Kumar
Subject: RE: [j-nsp] IPSec Interoperability with Cisco Router
Hello Harshit
I think we have found out the problem. It may a firewall in-between
that prohibits the ISAKMP packets initiated from M20.
However, there seems no extra log to prove that M20 does initiate a
session. There's only below message 1. Do you have
any idea of thease messages ? However, for other tunnel without FW
in-between that prohibits the ISAKMP service,the kmd
message will show as below message 2. It seems that M20 will
retransmit the ISAKMP packet and tunnel will not
established because of timout.That's what I confused.
1.
Negotiation already started for
p1_local=ipv4(udp:500,[0..3]=211.77.241.245)
p1_remote=ipv4(udp:500,[0..3]=203.74.252.2)
p2_local=ipv4_subnet(any:0,[0..7]=10.3.2.0/24)
p2_remote=ipv4_subnet(any:0,[0..7]=10.0.0.0/8)
2.
Jan 17 22:01:00 ike_retransmit_callback: Start, retransmit SA = {
4b77d272 1600a1f5 - 00000000 00000000}, nego = -1
Jan 17 22:01:00 ike_retransmit_callback: Isakmp query retry limit
reached, deleting
Jan 17 22:01:00 Phase-1 [initiator] failed with error(Timeout) for
local=ipv4(udp:500,[0..3]=211.77.241.241)
remote=ipv4(udp:500,[0..3]=211.73.135.29)
Jan 17 22:01:00 Phase-1 negotiation timeout for
p1_local=ipv4(udp:500,[0..3]=211.77.241.241)
p1_remote=ipv4(udp:500,[0..3]=211.73.135.29)
Jan 17 22:01:00 211.77.241.241:500 (Initiator) <-> 211.73.135.29:500
{ 4b77d272 1600a1f5 - 00000000 00000000 [-1] / 0x00000000 } IP; Error =
Timeout (8197)
-----Original Message-----
From: Harshit Kumar [mailto:harshit at juniper.net]
Sent: Friday, January 14, 2005 10:16 AM
To: Eric Shih (TP/ERT); juniper-nsp at puck.nether.net
Subject: RE: [j-nsp] IPSec Interoperability with Cisco Router
Hi Eric,
Sorry for the late reply. Please contact JTAC and open a
case
with them.
Thanks
Harshit
-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net
[mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Eric Shih
(TP/ERT)
Sent: Saturday, January 01, 2005 7:26 PM
To: juniper-nsp at puck.nether.net
Subject: [j-nsp] IPSec Interoperability with Cisco Router
Hello Harshit
Because our J20(M20) is using ES-PIC for IPSec tunnel insted of
AS-PIC, there's no command you mention.
We have tried with Cisco 1760 and Cisco PIX firewall which have same
problem.
BR
Eric
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
http://puck.nether.net/mailman/listinfo/juniper-nsp
More information about the juniper-nsp
mailing list