[j-nsp] Host-to-Host IPSec, Openswan to Junos

Mike Williams mike.williams at comodo.com
Thu Nov 18 14:48:00 EST 2010


Hey guys,

Is anyone doing, or know how to do, IPSec tunnels between Openswan and Junos?
Openswan 2.4 on kernel 2.6 to Junos 10.2R3.10 on a J-series to be precise.

So far I've got phase 1 to complete, but phase 2 fails like this:

KMD_PM_P2_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-2 [responder] failed 
for p1_local=ipv4(udp:500,[0..3]=85.234.234.118) p1_remote=ipv4(any:0,
[0..3]=81.123.123.98) p2_local=ipv4_subnet(any:0,[0..7]=85.123.123.116/30) 
p2_remote=ipv4_subnet(any:0,[0..7]=81.234.234.96/29)

Yet I have:

mikew at thejay# show security ipsec vpn mcroffce_vpn
bind-interface st0.0;
ike {
    gateway mcroffice_gateway;
    proxy-identity {
        local 85.234.234.116/30;
        remote 81.123.123.96/29;
        service any;
    }
    ipsec-policy ipsec_pol_1;
}
establish-tunnels immediately;


Ideally I'd like the tunnel between 118/32 and 98/32 as I'll be routing stuff 
down a GRE tunnel over IPSec.

With no (left|right)subnet defined in Openswan the P2 policy wanted is:

p1_local=ipv4(udp:500,[0..3]=85.234.234.118) p1_remote=ipv4(any:0,
[0..3]=81.123.123.98) p2_local=ipv4(any:0,[0..3]=85.234.234.118) 
p2_remote=ipv4(any:0,[0..3]=81.123.123.98)

You *have* to specify address/prefix in proxy-identity though, so that 
couldn't possibly work as no CIDR mask is given in the request.


Could anyone possibly enlighten me please?


Thanks

-- 
Mike Williams
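The KMD_PM_P2_POLICY_LOOKUP_FAILURE message lists the exact phase-2 selectors the peer proposed, and the lookup only succeeds when the configured proxy-identity pair is identical to them. The following check is an added example, not code from the post or from Junos/Openswan: it parses the quoted log line and compares the selectors with a proxy-identity block. The log lines and the /30 and /29 proxy-identity are those quoted above; the /32 host proxy-identity is a constructed value matching the host-to-host variant described.

```python
import re
import ipaddress

# Log line quoted in the post (email wrapping joined back into one line).
SUBNET_LINE = (
    "KMD_PM_P2_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-2 [responder] failed "
    "for p1_local=ipv4(udp:500,[0..3]=85.234.234.118) p1_remote=ipv4(any:0,"
    "[0..3]=81.123.123.98) p2_local=ipv4_subnet(any:0,[0..7]=85.123.123.116/30) "
    "p2_remote=ipv4_subnet(any:0,[0..7]=81.234.234.96/29)"
)
# Second selector set quoted in the post: no (left|right)subnet, bare host addresses.
HOST_LINE = (
    "p1_local=ipv4(udp:500,[0..3]=85.234.234.118) p1_remote=ipv4(any:0,"
    "[0..3]=81.123.123.98) p2_local=ipv4(any:0,[0..3]=85.234.234.118) "
    "p2_remote=ipv4(any:0,[0..3]=81.123.123.98)"
)
# proxy-identity as quoted from 'show security ipsec vpn'.
SUBNET_PROXY_ID = {"local": "85.234.234.116/30", "remote": "81.123.123.96/29"}
# Constructed proxy-identity for the host-to-host case (address/32 on both sides).
HOST_PROXY_ID = {"local": "85.234.234.118/32", "remote": "81.123.123.98/32"}

# Matches 'p2_local=ipv4(any:0,[0..3]=A.B.C.D)' and the ipv4_subnet(...) form.
SELECTOR_RE = re.compile(
    r"(p2_local|p2_remote)=ipv4(?:_subnet)?\(([^,]+),\[\d+\.\.\d+\]=([0-9./]+)\)"
)


def parse_p2_selectors(line):
    """Return {'p2_local': (network, service), 'p2_remote': ...} from a KMD line.

    A bare ipv4(...) selector carries no prefix length; it is a single host and
    is stored as a /32, which is the proxy-identity form that would match it.
    """
    out = {}
    for name, service, addr in SELECTOR_RE.findall(line):
        out[name] = (ipaddress.ip_network(addr, strict=False), service)
    return out


def proxy_identity_mismatches(line, proxy_id):
    """List the proxy-identity sides that differ from the peer's proposal."""
    sel = parse_p2_selectors(line)
    bad = []
    for side, key in (("local", "p2_local"), ("remote", "p2_remote")):
        want = ipaddress.ip_network(proxy_id[side], strict=False)
        if key not in sel or sel[key][0] != want:
            bad.append(side)
    return bad  # empty list means the policy lookup would find this VPN
```

Run against the post's own data, the /30 and /29 proxy-identity differs from the proposed selectors on both sides, while a /32 proxy-identity on each side is an exact match for the host-only proposal.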

