[j-nsp] Host-to-Host IPSec, Openswan to Junos

Ben Dale bdale at comlinx.com.au
Thu Nov 18 17:52:59 EST 2010


If you're only running GRE over IPSEC, try changing the local and remote proxy-ids to /32s (the GRE endpoints) and leave it at that.

On 19/11/2010, at 5:48 AM, Mike Williams wrote:

> Hey guys,
> 
> Is anyone doing, or know how to do, IPSec tunnels between Openswan and Junos?
> Openswan 2.4 on kernel 2.6 to Junos 10.2R3.10 on a J-series to be precise.
> 
> So far I've got phase 1 to complete, but phase 2 fails like this:
> 
> KMD_PM_P2_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-2 [responder] failed 
> for p1_local=ipv4(udp:500,[0..3]=85.234.234.118) p1_remote=ipv4(any:0,
> [0..3]=81.123.123.98) p2_local=ipv4_subnet(any:0,[0..7]=85.123.123.116/30) 
> p2_remote=ipv4_subnet(any:0,[0..7]=81.234.234.96/29)
> 
> Yet I have:
> 
> mikew at thejay# show security ipsec vpn mcroffce_vpn
> bind-interface st0.0;
> ike {
>    gateway mcroffice_gateway;
>    proxy-identity {
>        local 85.234.234.116/30;
>        remote 81.123.123.96/29;
>        service any;
>    }
>    ipsec-policy ipsec_pol_1;
> }
> establish-tunnels immediately;
> 
> 
> Ideally I'd like the tunnel between 118/32 and 98/32 as I'll be routing stuff 
> down a GRE tunnel over IPSec.
> 
> With no (left|right)subnet defined in Openswan the P2 policy wanted is:
> 
> p1_local=ipv4(udp:500,[0..3]=85.234.234.118) p1_remote=ipv4(any:0,
> [0..3]=81.123.123.98) p2_local=ipv4(any:0,[0..3]=85.234.234.118) 
> p2_remote=ipv4(any:0,[0..3]=81.123.123.98)
> 
> You *have* to specify address/prefix in proxy-identity though, so that 
> couldn't possibly work as no CIDR mask is given in the request.
> 
> 
> Could anyone possibly enlighten me please?
> 
> 
> Thanks
> 
> -- 
> Mike Williams
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
> 
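The mismatch above comes down to what the peer proposes as Phase-2 traffic selectors versus what the Junos proxy-identity is configured with. As an added example (not code from the thread, from Juniper or from Openswan), the script below parses the KMD_PM_P2_POLICY_LOOKUP_FAILURE line, turns a bare ipv4(...) host selector into a /32 (the "no CIDR mask" case Mike describes), compares it with the configured proxy-identity, and renders the proxy-identity stanza that would accept the proposal, which for the host-to-host case is the /32 pair Ben suggests. The log lines are constructed in the format quoted in the thread using the thread's addresses; the exact-match comparison and the restriction to "service any" are this example's assumptions.

```python
import ipaddress
import re

# Constructed sample log lines in the format of the KMD_PM_P2_POLICY_LOOKUP_FAILURE
# message quoted in the thread (addresses are the poster's, joined onto one line).
# First: what Openswan proposes with no leftsubnet/rightsubnet, i.e. bare host selectors.
SAMPLE_HOST_PROPOSAL = (
    "KMD_PM_P2_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-2 [responder] failed "
    "for p1_local=ipv4(udp:500,[0..3]=85.234.234.118) p1_remote=ipv4(any:0,[0..3]=81.123.123.98) "
    "p2_local=ipv4(any:0,[0..3]=85.234.234.118) p2_remote=ipv4(any:0,[0..3]=81.123.123.98)"
)
# Second: the same peer proposing the subnets the Junos proxy-identity in the thread expects.
SAMPLE_SUBNET_PROPOSAL = (
    "KMD_PM_P2_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-2 [responder] failed "
    "for p1_local=ipv4(udp:500,[0..3]=85.234.234.118) p1_remote=ipv4(any:0,[0..3]=81.123.123.98) "
    "p2_local=ipv4_subnet(any:0,[0..7]=85.234.234.116/30) "
    "p2_remote=ipv4_subnet(any:0,[0..7]=81.123.123.96/29)"
)

# ipv4(...) carries a 4-byte address ([0..3]); ipv4_subnet(...) carries address+mask ([0..7]).
SELECTOR_RE = re.compile(
    r"(?P<role>p2_local|p2_remote)="
    r"(?P<kind>ipv4_subnet|ipv4)\("
    r"(?P<proto>[a-z]+):(?P<port>\d+),"
    r"\[0\.\.\d+\]=(?P<addr>[0-9.]+(?:/\d+)?)\)"
)


def parse_proposed_selectors(line):
    """Map p2_local/p2_remote to (ip_network, proto, port) from one KMD P2 failure line.

    A bare ipv4(...) selector has no prefix length: it names a single host, so it is a /32.
    """
    selectors = {}
    for m in SELECTOR_RE.finditer(line):
        addr = m.group("addr")
        if m.group("kind") == "ipv4":
            addr += "/32"
        network = ipaddress.ip_network(addr, strict=False)
        selectors[m.group("role")] = (network, m.group("proto"), int(m.group("port")))
    if set(selectors) != {"p2_local", "p2_remote"}:
        raise ValueError("no Phase-2 selectors found in log line")
    return selectors


def proxy_identity_matches(configured_local, configured_remote, selectors):
    """True if the configured Junos proxy-identity equals what the peer proposed.

    Assumption of this example: the lookup is an exact comparison, so a /30 on one
    side and a /32 on the other fails even though the host lies inside the subnet.
    """
    local_ok = ipaddress.ip_network(configured_local) == selectors["p2_local"][0]
    remote_ok = ipaddress.ip_network(configured_remote) == selectors["p2_remote"][0]
    return local_ok and remote_ok


def junos_proxy_identity(selectors):
    """Render the proxy-identity stanza (under [edit security ipsec vpn NAME ike]) that
    would accept the proposal. Only 'any:0' is rendered as 'service any'; a specific
    protocol/port would need a named Junos application, which this helper does not guess."""
    local_net, proto, port = selectors["p2_local"]
    remote_net, rproto, rport = selectors["p2_remote"]
    if (proto, port) != ("any", 0) or (rproto, rport) != ("any", 0):
        raise ValueError("non-'any' service: pick a Junos application name by hand")
    return (
        "proxy-identity {\n"
        f"    local {local_net.with_prefixlen};\n"
        f"    remote {remote_net.with_prefixlen};\n"
        "    service any;\n"
        "}"
    )


if __name__ == "__main__":
    for line in (SAMPLE_HOST_PROPOSAL, SAMPLE_SUBNET_PROPOSAL):
        proposed = parse_proposed_selectors(line)
        ok = proxy_identity_matches("85.234.234.116/30", "81.123.123.96/29", proposed)
        print("matches configured /30 and /29:", ok)
        if not ok:
            print(junos_proxy_identity(proposed))
```

Run it against the host-selector line and it reports no match for the /30 and /29 configured in the thread and prints the /32 stanza; run it against the subnet line and the configured proxy-identity matches. On the Openswan side the host selectors correspond to a conn with no leftsubnet/rightsubnet, as the quoted log shows.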