[j-nsp] VPN tunnel between OpenSwan and SRX220

Ben Dale bdale at comlinx.com.au
Sun Aug 18 19:40:51 EDT 2013


Hi Laurent.

Is your ultimate goal to get the GRE running over IPSEC, or just a vanilla IPSEC tunnel?  Your configuration will need to change either way:

If you want GRE over IPSEC:

You need to remove the /32 on the st0.0 interface and the Openswan rightsourceip and make them a contiguous subnet eg:
172.31.254.41/30 on the Juniper side
172.31.254.42/30 on the Openswan side

Now adjust your GRE configuration to use these addresses for source and destination on both ends
Now adjust your remote proxy-id on the SRX  and leftsubnet on Openswan to match (just the IPs, leave the mask as /32).

The logic behind this is that you will only encrypt traffic between 172.31.254.41/32 and 172.31.254.42/32 which will be your GRE tunnelled traffic (all other traffic will be wrapped up inside this GRE).  

As an aside - the last time I checked, the SRX seemed to only use the Proxy-ID to negotiate the tunnel and then promptly ignored it and allowed you to send and receive whatever traffic your routes and policy allowed.

If you're just trying to do vanilla IPSEC tunnels:

Again, change the /32s on the st0.0 and Openswan rightsourceip:
172.31.254.41/30 on the Juniper side (or leave it unnumbered)
172.31.254.42/30 on the Openswan side

Now on the SRX change your proxy-id local to 192.168.123.0/24 and remote to whatever is sitting behind the Openswan box (eg: leftsubnet)
On Openswan, change the right-subnet to 192.168.123.0/24 and left-subnet to whatever you're trying to tunnel across (or leave it as-is if it's just this host, or you're source-natting)

Once you've got this in place and st0.0 comes up, you'll just need to point static routes on the SRX side to st0.0 or the Openswan next-hop (172.31.254.42) and vice-versa.

If it's still not working, send through the output of:

show security ipsec security-associations

Cheers,

Ben

On 07/08/2013, at 1:55 AM, Laurent CARON <lcaron at unix-scripts.info> wrote:

> Hi,
> 
> I'm trying to establish a VPN tunnel between a SRX220 and an OpenSwan box.
> 
> SRX is:
> Model: srx220h
> JUNOS Software Release [12.1X44-D20.3]
> 
> OpenSwan: 2.6.37
> 
> Both are currently hooked on a test LAN.
> 
> 192.168.0.18 = openswan box on lan
> 192.168.0.120 = juniper box on lan
> 
> 172.31.254.41 = ipsec on juniper box
> 172.31.254.27 = ipsec on openswan box
> 
> 172.31.255.27 = loopback on juniper box
> 
> Not relevant for now:
> 10.254.2.33 = gre tunnel on openswan side
> 10.254.2.34 = gre tunnel on juniper side
> 
> Here is the config on the Juniper side:
> 
> set interfaces ge-0/0/0 mtu 1514
> set interfaces ge-0/0/0 unit 0 family inet address 192.168.0.120/24
> 
> set interfaces gr-0/0/0 unit 0 tunnel source 172.31.254.41
> set interfaces gr-0/0/0 unit 0 tunnel destination 172.31.254.27
> set interfaces gr-0/0/0 unit 0 family inet address 10.254.2.34/32
> 
> set interfaces lo0 unit 0 family inet address 172.31.255.41/32
> 
> set interfaces st0 unit 0 family inet address 172.31.254.41/32
> 
> set interfaces vlan unit 0 family inet address 192.168.123.1/24
> 
> set routing-options static route 172.31.254.27/32 next-hop st0.0
> 
> set security ike traceoptions file vpn-debug-ike
> set security ike traceoptions flag all
> 
> set security ike proposal ike_aes_128 authentication-method pre-shared-keys
> 
> set security ike proposal ike_aes_128 dh-group group2
> set security ike proposal ike_aes_128 authentication-algorithm sha1
> set security ike proposal ike_aes_128 encryption-algorithm 3des-cbc
> set security ike proposal ike_aes_128 lifetime-seconds 3600
> 
> set security ike policy phase1_aes_128 mode main
> set security ike policy phase1_aes_128 proposals ike_aes_128
> set security ike policy phase1_aes_128 pre-shared-key ascii-text "pwd"
> 
> set security ike gateway RTR-SIEGE-001 ike-policy phase1_aes_128
> set security ike gateway RTR-SIEGE-001 address 192.168.0.18
> set security ike gateway RTR-SIEGE-001 no-nat-traversal
> set security ike gateway RTR-SIEGE-001 external-interface ge-0/0/0.0
> 
> set security ipsec proposal ipsec_aes_128 protocol esp
> set security ipsec proposal ipsec_aes_128 authentication-algorithm hmac-sha1-96
> 
> set security ipsec proposal ipsec_aes_128 encryption-algorithm 3des-cbc
> set security ipsec proposal ipsec_aes_128 lifetime-seconds 3600
> 
> set security ipsec policy phase2_aes_128 proposals ipsec_aes_128
> 
> set security ipsec vpn VPN_TO_SIEGE-001 bind-interface st0.0
> set security ipsec vpn VPN_TO_SIEGE-001 ike gateway RTR-SIEGE-001
> set security ipsec vpn VPN_TO_SIEGE-001 ike proxy-identity local 172.31.254.41/32
> set security ipsec vpn VPN_TO_SIEGE-001 ike proxy-identity remote 172.31.254.27/32
> set security ipsec vpn VPN_TO_SIEGE-001 ike proxy-identity service any
> set security ipsec vpn VPN_TO_SIEGE-001 ike ipsec-policy phase2_aes_128
> set security ipsec vpn VPN_TO_SIEGE-001 establish-tunnels immediately
> 
> set security flow traceoptions file vpn-debug
> set security flow traceoptions flag basic-datapath
> set security flow traceoptions flag packet-drops
> 
> set security flow tcp-mss ipsec-vpn mss 1412
> 
> 
> Here is the config on the OpenSwan side:
> 
> conn rtr-siege-001_TO_jun-noi-001
>    left=192.168.0.18
>    leftsubnet=172.31.254.27/32
>    leftsourceip=172.31.254.27
>    right=192.168.0.120
>    rightsubnet=172.31.254.41/32
>    rightsourceip=172.31.254.41
>    ike=3des-sha1
>    auth=esp
>    keyingtries=0
>    keyexchange=ike
>    authby=secret
>    compress=no
>    auto=start
>    pfs=no
>    mtu=1412
> 
> The connection establishes fine but drops 10 seconds after and is renegotiated, then drops again, endlessly.
> 
> I do have those logs on the openswan side:
> Aug  6 17:42:42 rtr-siege-001 pluto[28569]: added connection description "rtr-siege-001_TO_jun-noi-001"
> Aug  6 17:42:43 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #6: initiating Main Mode
> Aug  6 17:42:43 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #6: received Vendor ID payload [Dead Peer Detection]
> Aug  6 17:42:43 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #6: ignoring unknown Vendor ID payload [699369228741c6d4ca094c93e242c9de19e7b7c60000000500000500]
> Aug  6 17:42:43 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #6: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
> Aug  6 17:42:43 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #6: STATE_MAIN_I2: sent MI2, expecting MR2
> Aug  6 17:42:43 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #6: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
> Aug  6 17:42:43 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #6: STATE_MAIN_I3: sent MI3, expecting MR3
> Aug  6 17:42:43 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #6: Main mode peer ID is ID_IPV4_ADDR: '192.168.0.120'
> Aug  6 17:42:43 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #6: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
> Aug  6 17:42:43 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #6: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
> Aug  6 17:42:43 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #11: initiating Quick Mode PSK+ENCRYPT+TUNNEL+IKEv2ALLOW+SAREFTRACK {using isakmp#6 msgid:5db2c253 proposal=defaults pfsgroup=no-pfs}
> Aug  6 17:42:43 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #11: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME msgid=5db2c253
> Aug  6 17:42:43 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #11: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
> Aug  6 17:42:43 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #11: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x37d4048d <0xfd3420ac xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
> Aug  6 17:44:12 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #31: responding to Main Mode
> Aug  6 17:44:12 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #31: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> Aug  6 17:44:12 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #31: STATE_MAIN_R1: sent MR1, expecting MI2
> Aug  6 17:44:12 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #31: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> Aug  6 17:44:12 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #31: STATE_MAIN_R2: sent MR2, expecting MI3
> Aug  6 17:44:13 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #31: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
> Aug  6 17:44:13 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #31: Main mode peer ID is ID_IPV4_ADDR: '192.168.0.120'
> Aug  6 17:44:13 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #31: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> Aug  6 17:44:13 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #31: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
> Aug  6 17:44:13 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #31: the peer proposed: 172.31.254.27/32:0/0 -> 172.31.254.41/32:0/0
> Aug  6 17:44:13 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #32: responding to Quick Mode proposal {msgid:b498ed1f}
> Aug  6 17:44:13 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #32:     us: 172.31.254.27/32===192.168.0.18<192.168.0.18>[+S=C]
> Aug  6 17:44:13 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #32:   them: 192.168.0.120<192.168.0.120>[+S=C]===172.31.254.41/32
> Aug  6 17:44:13 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #32: keeping refhim=4294901761 during rekey
> Aug  6 17:44:13 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #32: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
> Aug  6 17:44:13 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #32: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
> Aug  6 17:44:13 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #32: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
> Aug  6 17:44:13 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #32: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x9f4be933 <0xa1521a06 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
> Aug  6 17:45:07 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #31: the peer proposed: 172.31.254.27/32:0/0 -> 172.31.254.41/32:0/0
> Aug  6 17:45:07 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #34: responding to Quick Mode proposal {msgid:a1fb5739}
> Aug  6 17:45:07 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #34:     us: 172.31.254.27/32===192.168.0.18<192.168.0.18>[+S=C]
> Aug  6 17:45:07 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #34:   them: 192.168.0.120<192.168.0.120>[+S=C]===172.31.254.41/32
> Aug  6 17:45:07 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #34: keeping refhim=4294901761 during rekey
> Aug  6 17:45:07 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #34: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
> Aug  6 17:45:07 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #34: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
> Aug  6 17:45:07 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #34: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
> Aug  6 17:45:07 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #34: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0xe4c9ebcc <0xf06b5a23 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
> 
> 
> IKE logs on the Juniper side:
> 
> [Aug  6 17:44:57]Added (spi=0x7f237f41, protocol=0) entry to the spi table
> [Aug  6 17:44:57]ssh_ike_connect_ipsec: Start, remote_name = :500, flags = 00000000
> [Aug  6 17:44:57]ike_sa_find_ip_port: Remote = all:500, Found SA = { 8154c89b 6db92b86 - be707f00 28175f1b}
> [Aug  6 17:44:57]ike_alloc_negotiation: Start, SA = { 8154c89b 6db92b86 - be707f00 28175f1b}
> [Aug  6 17:44:57]ssh_ike_connect_ipsec: SA = { 8154c89b 6db92b86 - be707f00 28175f1b}, nego = 1
> [Aug  6 17:44:57]ike_init_qm_negotiation: Start, initiator = 1, message_id = 3957fba1
> [Aug  6 17:44:57]ike_st_o_qm_hash_1: Start
> [Aug  6 17:44:57]ike_st_o_qm_sa_proposals: Start
> [Aug  6 17:44:57]ike_st_o_qm_nonce: Start
> [Aug  6 17:44:57]ike_policy_reply_qm_nonce_data_len: Start
> [Aug  6 17:44:57]ike_st_o_qm_optional_ke: Start
> [Aug  6 17:44:57]ike_st_o_qm_optional_ids: Start
> [Aug  6 17:44:57]ike_st_qm_optional_id: Start
> [Aug  6 17:44:57]ike_st_qm_optional_id: Start
> [Aug  6 17:44:57]ike_st_o_private: Start
> [Aug  6 17:44:57]Construction NHTB payload for  local:192.168.0.120, remote:192.168.0.18 IKEv1 P1 SA index 2746472 sa-cfg VPN_TO_SIEGE-001
> [Aug  6 17:44:57]Peer router vendor is not Juniper. Not sending NHTB payload for sa-cfg VPN_TO_SIEGE-001
> [Aug  6 17:44:57]ike_policy_reply_private_payload_out: Start
> [Aug  6 17:44:57]ike_st_o_encrypt: Marking encryption for packet
> [Aug  6 17:44:57]ike_encode_packet: Start, SA = { 0x8154c89b 6db92b86 - be707f00 28175f1b } / 3957fba1, nego = 1
> [Aug  6 17:44:57]ike_finalize_qm_hash_1: Hash[0..20] = 38960ccc b0eea282 ...
> [Aug  6 17:44:57]ike_send_packet: Start, send SA = { 8154c89b 6db92b86 - be707f00 28175f1b}, nego = 1, dst = 192.168.0.18:500,  routing table id = 0
> [Aug  6 17:45:07]ike_retransmit_callback: Start, retransmit SA = { 8154c89b 6db92b86 - be707f00 28175f1b}, nego = 1
> [Aug  6 17:45:07]ike_send_packet: Start, retransmit previous packet SA = { 8154c89b 6db92b86 - be707f00 28175f1b}, nego = 1, dst = 192.168.0.18:500 routing table id = 0
> [Aug  6 17:45:07]ikev2_packet_allocate: Allocated packet da9800 from freelist
> [Aug  6 17:45:07]ike_sa_find: Found SA = { 8154c89b 6db92b86 - be707f00 28175f1b }
> [Aug  6 17:45:07]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
> [Aug  6 17:45:07]ike_get_sa: Start, SA = { 8154c89b 6db92b86 - be707f00 28175f1b } / 3957fba1, remote = 192.168.0.18:500
> [Aug  6 17:45:07]ike_sa_find: Found SA = { 8154c89b 6db92b86 - be707f00 28175f1b }
> [Aug  6 17:45:07]ike_decode_packet: Start
> [Aug  6 17:45:07]ike_decode_packet: Start, SA = { 8154c89b 6db92b86 - be707f00 28175f1b} / 3957fba1, nego = 1
> [Aug  6 17:45:07]ike_decode_payload_sa: Start
> [Aug  6 17:45:07]ike_decode_payload_t: Start, # trans = 1
> [Aug  6 17:45:07]ike_st_i_encrypt: Check that packet was encrypted succeeded
> [Aug  6 17:45:07]ike_st_i_qm_hash_2: Start, hash[0..20] = a70d6990 13e5c42d ...
> [Aug  6 17:45:07]ike_st_i_qm_sa_values: Start
> [Aug  6 17:45:07]ike_st_i_qm_nonce: Nonce[0..16] = 77d4a445 32f055ee ...
> [Aug  6 17:45:07]ike_st_i_private: Start
> [Aug  6 17:45:07]ike_st_o_qm_hash_3: Start
> [Aug  6 17:45:07]ike_st_o_private: Start
> [Aug  6 17:45:07]ike_policy_reply_private_payload_out: Start
> [Aug  6 17:45:07]ike_st_o_encrypt: Marking encryption for packet
> [Aug  6 17:45:07]<none>:500 (Initiator) <-> 192.168.0.18:500 { 8154c89b 6db92b86 - be707f00 28175f1b [1] / 0x3957fba1 } QM; MESSAGE: Phase 2 connection succeeded, No PFS, group = 0
> [Aug  6 17:45:07]ike_qm_call_callback: MESSAGE: Phase 2 connection succeeded, No PFS, group = 0
> [Aug  6 17:45:07]<none>:500 (Initiator) <-> 192.168.0.18:500 { 8154c89b 6db92b86 - be707f00 28175f1b [1] / 0x3957fba1 } QM; MESSAGE: SA[0][0] = ESP 3des, life = 0 kB/3600 sec, group = 0, tunnel, hmac-sha1-96, Extended seq not used, key len
> [Aug  6 17:45:07]ike_qm_call_callback: MESSAGE: SA[0][0] = ESP 3des, life = 0 kB/3600 sec, group = 0, tunnel, hmac-sha1-96, Extended seq not used, key len = 0, key rounds = 0
> [Aug  6 17:45:07]iked_pm_ipsec_sa_install: local:192.168.0.120, remote:192.168.0.18  IKEv1 for SA-CFG VPN_TO_SIEGE-001
> [Aug  6 17:45:07]Added (spi=0xe4c9ebcc, protocol=ESP dst=192.168.0.120) entry to the peer hash table
> [Aug  6 17:45:07]Added (spi=0xf06b5a23, protocol=ESP dst=192.168.0.18) entry to the peer hash table
> [Aug  6 17:45:07]Hardlife timer started for inbound VPN_TO_SIEGE-001 with 3600 seconds/0 kilobytes
> [Aug  6 17:45:07]Softlife timer started for inbound VPN_TO_SIEGE-001 with 2965 seconds/0 kilobytes
> [Aug  6 17:45:07]In iked_ipsec_sa_pair_add Adding GENCFG msg with key; Tunnel = 131073;SPI-In = 0xe4c9ebcc
> [Aug  6 17:45:07]Added dependency on SA config blob with tunnelid = 131073
> [Aug  6 17:45:07]Successfully added ipsec SA PAIR
> [Aug  6 17:45:07]ike_st_o_qm_wait_done: Marking for waiting for done
> [Aug  6 17:45:07]ike_encode_packet: Start, SA = { 0x8154c89b 6db92b86 - be707f00 28175f1b } / 3957fba1, nego = 1
> [Aug  6 17:45:07]ike_send_packet: Start, send SA = { 8154c89b 6db92b86 - be707f00 28175f1b}, nego = 1, dst = 192.168.0.18:500,  routing table id = 0
> [Aug  6 17:45:07]ike_send_notify: Connected, SA = { 8154c89b 6db92b86 - be707f00 28175f1b}, nego = 1
> [Aug  6 17:45:07]IPSec  negotiation done successfully for SA-CFG VPN_TO_SIEGE-001 for local:192.168.0.120, remote:192.168.0.18  IKEv1
> [Aug  6 17:45:07]IPSec SA done callback with sa-cfg NULL in p2_ed. status: Error ok
> [Aug  6 17:47:13]ike_state_restart_packet: Start, restart packet SA = { 8154c89b 6db92b86 - be707f00 28175f1b}, nego = 0
> [Aug  6 17:47:13]ike_st_o_qm_done: Quick Mode negotiation done
> [Aug  6 17:47:13]ike_send_notify: Connected, SA = { 8154c89b 6db92b86 - be707f00 28175f1b}, nego = 0
> [Aug  6 17:47:13]ike_delete_negotiation: Start, SA = { 8154c89b 6db92b86 - be707f00 28175f1b}, nego = 0
> [Aug  6 17:47:13]ike_free_negotiation_qm: Start, nego = 0
> [Aug  6 17:47:13]ike_free_negotiation: Start, nego = 0
> [Aug  6 17:47:13]ike_free_id_payload: Start, id type = 1
> [Aug  6 17:47:13]ike_free_id_payload: Start, id type = 1
> [Aug  6 17:47:13]ike_free_id_payload: Start, id type = 1
> [Aug  6 17:47:13]ike_free_id_payload: Start, id type = 1
> [Aug  6 17:48:07]ike_state_restart_packet: Start, restart packet SA = { 8154c89b 6db92b86 - be707f00 28175f1b}, nego = 1
> [Aug  6 17:48:07]ike_st_o_qm_done: Quick Mode negotiation done
> [Aug  6 17:48:07]ike_send_notify: Connected, SA = { 8154c89b 6db92b86 - be707f00 28175f1b}, nego = 1
> [Aug  6 17:48:07]ike_delete_negotiation: Start, SA = { 8154c89b 6db92b86 - be707f00 28175f1b}, nego = 1
> [Aug  6 17:48:07]ike_free_negotiation_qm: Start, nego = 1
> [Aug  6 17:48:07]ike_free_negotiation: Start, nego = 1
> [Aug  6 17:48:07]ike_free_id_payload: Start, id type = 1
> [Aug  6 17:48:07]ike_free_id_payload: Start, id type = 1
> [Aug  6 17:48:07]ike_free_id_payload: Start, id type = 1
> [Aug  6 17:48:07]ike_free_id_payload: Start, id type = 1
> 
> 
> Do any of you have a clue about what's going on ?
> 
> I tried to fiddle with MTU to no avail.
> 
> Thanks
> 
> Laurent
> 
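A pre-change sanity check for the GRE-over-IPsec option described in the reply above, as an added example that is not part of the original thread. It parses the relevant Junos `set` lines and the Openswan `conn` section and reports where the two ends disagree. It assumes `left` is the Openswan box and `right` is the SRX, as in the quoted `conn`; the `ADJUSTED_*` samples are constructed from the addresses suggested in the reply, and the function names are hypothetical.

```python
import ipaddress
import re

def parse_srx(text):
    """Pull the st0.0 address and proxy-identity local/remote out of Junos 'set' lines."""
    cfg = {}
    for line in text.splitlines():
        m = re.search(r"interfaces st0 unit 0 family inet address (\S+)", line)
        if m:
            cfg["st0"] = ipaddress.ip_interface(m.group(1))
        m = re.search(r"ike proxy-identity (local|remote) (\S+)", line)
        if m:
            cfg[m.group(1)] = ipaddress.ip_network(m.group(2), strict=False)
    return cfg

def parse_conn(text):
    """Read key=value pairs from one Openswan 'conn' section."""
    pairs = (l.strip().split("=", 1) for l in text.splitlines() if "=" in l)
    return {k.strip(): v.strip() for k, v in pairs}

def check(srx_text, conn_text):
    """Return a list of findings; an empty list means both ends agree."""
    srx, conn = parse_srx(srx_text), parse_conn(conn_text)
    findings = []
    # Phase 2 selectors must mirror each other across the two peers.
    if srx["local"] != ipaddress.ip_network(conn["rightsubnet"], strict=False):
        findings.append("proxy-identity local != rightsubnet")
    if srx["remote"] != ipaddress.ip_network(conn["leftsubnet"], strict=False):
        findings.append("proxy-identity remote != leftsubnet")
    # The st0.0 address and the Openswan tunnel address must share one subnet.
    peer = ipaddress.ip_address(conn["leftsourceip"])
    if peer == srx["st0"].ip or peer not in srx["st0"].network:
        findings.append("st0.0 and leftsourceip are not in one subnet")
    return findings

# Relevant lines copied from the configuration quoted in the thread.
ORIGINAL_SRX = """
set interfaces st0 unit 0 family inet address 172.31.254.41/32
set security ipsec vpn VPN_TO_SIEGE-001 ike proxy-identity local 172.31.254.41/32
set security ipsec vpn VPN_TO_SIEGE-001 ike proxy-identity remote 172.31.254.27/32
"""
ORIGINAL_CONN = """
conn rtr-siege-001_TO_jun-noi-001
   leftsubnet=172.31.254.27/32
   leftsourceip=172.31.254.27
   rightsubnet=172.31.254.41/32
"""
# Constructed samples using the /30 addressing suggested in the reply (assumption).
ADJUSTED_SRX = ORIGINAL_SRX.replace("41/32\nset security ipsec", "41/30\nset security ipsec", 1) \
                           .replace("remote 172.31.254.27/32", "remote 172.31.254.42/32")
ADJUSTED_CONN = ORIGINAL_CONN.replace("172.31.254.27", "172.31.254.42")

if __name__ == "__main__":
    for name, s, c in [("original", ORIGINAL_SRX, ORIGINAL_CONN),
                       ("adjusted", ADJUSTED_SRX, ADJUSTED_CONN),
                       ("half-changed", ORIGINAL_SRX, ADJUSTED_CONN)]:
        print(name, check(s, c) or "OK")
```

The half-changed case (only the Openswan side edited) is the one worth catching before a change window, since mismatched selectors make Quick Mode fail outright.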



