[j-nsp] Host-to-Host IPSec, Openswan to Junos
Ben Dale
bdale at comlinx.com.au
Thu Nov 18 17:52:59 EST 2010
If you're only running GRE over IPSEC, try changing the local and remote proxy-ids to /32s (the GRE endpoints) and leave it at that.
On 19/11/2010, at 5:48 AM, Mike Williams wrote:
> Hey guys,
>
> Is anyone doing, or know how to do, IPSec tunnels between Openswan and Junos?
> Openswan 2.4 on kernel 2.6 to Junos 10.2R3.10 on a J-series to be precise.
>
> So far I've got phase 1 to complete, but phase 2 fails like this:
>
> KMD_PM_P2_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-2 [responder] failed
> for p1_local=ipv4(udp:500,[0..3]=85.234.234.118) p1_remote=ipv4(any:0,
> [0..3]=81.123.123.98) p2_local=ipv4_subnet(any:0,[0..7]=85.123.123.116/30)
> p2_remote=ipv4_subnet(any:0,[0..7]=81.234.234.96/29)
>
> Yet I have:
>
> mikew at thejay# show security ipsec vpn mcroffce_vpn
> bind-interface st0.0;
> ike {
> gateway mcroffice_gateway;
> proxy-identity {
> local 85.234.234.116/30;
> remote 81.123.123.96/29;
> service any;
> }
> ipsec-policy ipsec_pol_1;
> }
> establish-tunnels immediately;
>
>
> Ideally I'd like the tunnel between 118/32 and 98/32 as I'll be routing stuff
> down a GRE tunnel over IPSec.
>
> With no (left|right)subnet defined in Openswan the P2 policy wanted is:
>
> p1_local=ipv4(udp:500,[0..3]=85.234.234.118) p1_remote=ipv4(any:0,
> [0..3]=81.123.123.98) p2_local=ipv4(any:0,[0..3]=85.234.234.118)
> p2_remote=ipv4(any:0,[0..3]=81.123.123.98)
>
> You *have* to specify address/prefix in proxy-identity though, so that
> couldn't possibly work as no CIDR mask is given in the request.
>
>
> Could anyone possibly enlighten me please?
>
>
> Thanks
>
> --
> Mike Williams
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
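A small diagnostic, added here as an example and not code from the thread or from either project: it parses the selectors in the KMD_PM_P2_POLICY_LOOKUP_FAILURE line quoted above, compares them with a configured proxy-identity, and returns the address/prefix pair that would match. The two log lines are constructed from the quoted format using the addresses in the thread (the subnet-form line uses the /30 and /29 from the quoted configuration).

```python
import re
import ipaddress

# Constructed sample lines in the KMD_PM_P2_POLICY_LOOKUP_FAILURE format quoted in the
# thread: the host form Openswan sends with no (left|right)subnet, and the subnet form.
HOST_LOG = (
    "KMD_PM_P2_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-2 [responder] failed "
    "for p1_local=ipv4(udp:500,[0..3]=85.234.234.118) p1_remote=ipv4(any:0,"
    "[0..3]=81.123.123.98) p2_local=ipv4(any:0,[0..3]=85.234.234.118) "
    "p2_remote=ipv4(any:0,[0..3]=81.123.123.98)"
)
SUBNET_LOG = (
    "KMD_PM_P2_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-2 [responder] failed "
    "for p2_local=ipv4_subnet(any:0,[0..7]=85.234.234.116/30) "
    "p2_remote=ipv4_subnet(any:0,[0..7]=81.123.123.96/29)"
)

# One pattern covers ipv4(proto:port,[0..3]=A.B.C.D) and ipv4_subnet(proto:port,[0..7]=A.B.C.D/len).
SELECTOR_RE = re.compile(
    r"(?P<name>p[12]_(?:local|remote))=ipv4(?:_subnet)?\("
    r"(?P<proto>[a-z0-9]+):(?P<port>\d+),\[\d+\.\.\d+\]="
    r"(?P<addr>\d+\.\d+\.\d+\.\d+(?:/\d+)?)\)"
)


def parse_selectors(line):
    """Map selector name -> (proto, port, IPv4Network); a bare host address becomes a /32."""
    found = {}
    for m in SELECTOR_RE.finditer(line):
        net = ipaddress.ip_network(m.group("addr"), strict=False)
        found[m.group("name")] = (m.group("proto"), int(m.group("port")), net)
    return found


def proxy_identity_mismatches(line, local_cfg, remote_cfg):
    """Compare the peer's Phase-2 selectors with the configured proxy-identity.
    Returns a list of mismatch descriptions; empty means the policy lookup should match."""
    sel = parse_selectors(line)
    problems = []
    for key, cfg in (("p2_local", local_cfg), ("p2_remote", remote_cfg)):
        proposed = sel[key][2]
        configured = ipaddress.ip_network(cfg, strict=False)
        if proposed != configured:
            problems.append(f"{key}: peer proposed {proposed}, proxy-identity has {configured}")
    return problems


def suggested_proxy_identity(line):
    """Return (local, remote) in the address/prefix form the proxy-identity statement expects."""
    sel = parse_selectors(line)
    return str(sel["p2_local"][2]), str(sel["p2_remote"][2])
```

Run against HOST_LOG, the /30 and /29 from the quoted configuration report two mismatches, while the /32 pair that Ben suggests reports none.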