[j-nsp] Host-to-Host IPSec, Openswan to Junos
Mike Williams
mike.williams at comodo.com
Thu Nov 18 14:48:00 EST 2010
Hey guys,
Is anyone doing, or know how to do, IPSec tunnels between Openswan and Junos?
Openswan 2.4 on kernel 2.6 to Junos 10.2R3.10 on a J-series to be precise.
So far I've got phase 1 to complete, but phase 2 fails like this:
KMD_PM_P2_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-2 [responder] failed
for p1_local=ipv4(udp:500,[0..3]=85.234.234.118) p1_remote=ipv4(any:0,
[0..3]=81.123.123.98) p2_local=ipv4_subnet(any:0,[0..7]=85.123.123.116/30)
p2_remote=ipv4_subnet(any:0,[0..7]=81.234.234.96/29)
Yet I have:
mikew at thejay# show security ipsec vpn mcroffce_vpn
bind-interface st0.0;
ike {
gateway mcroffice_gateway;
proxy-identity {
local 85.234.234.116/30;
remote 81.123.123.96/29;
service any;
}
ipsec-policy ipsec_pol_1;
}
establish-tunnels immediately;
Ideally I'd like the tunnel between 118/32 and 98/32 as I'll be routing stuff
down a GRE tunnel over IPSec.
With no (left|right)subnet defined in Openswan the P2 policy wanted is;
p1_local=ipv4(udp:500,[0..3]=85.234.234.118) p1_remote=ipv4(any:0,
[0..3]=81.123.123.98) p2_local=ipv4(any:0,[0..3]=85.234.234.118)
p2_remote=ipv4(any:0,[0..3]=81.123.123.98)
You *have* to specify address/prefix in proxy-identity though, so that
couldn't possibly work as no CIDR mask is given in the request.
Could any one possibly enlighten me please?
Thanks
--
Mike Williams
More information about the juniper-nsp
mailing list