
Dial-up VPN Errors


davy2k

Technical User
Mar 18, 2007
69
JP
Hi all
I'm trying to configure a dial-up VPN on a Juniper SSG5. I followed the instructions at this link:

kb.juniper.net/kb/documents/public/VPN/ScreenOS_Windows_L2TP_IPSec.pdf

and got the following error:

"Rejected an IKE packet on ethernet0/0 from a.a.a.a:1023 to b.b.b.b:500 with cookies <cookie> and <cookie> because There were no acceptable Phase 1 proposals."

After searching the KB, I found this:

Meaning: The Phase 1 proposals do not match.
Action: Make sure the parameters for the IKE gateway Phase 1 proposals on both the responder and the initiator match:

I can't figure out what to configure on the initiator, or what that actually means.

Please help. Thank you.

Here is a copy of my config file:


set clock timezone 8
set clock dst recurring start-weekday 2 0 3 02:00 end-weekday 1 0 11 02:00
set vrouter trust-vr sharable
set vrouter "untrust-vr" default-vrouter
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "test"
set admin password "def"
set admin manager-ip x.x.x.x 255.255.0.0
set admin manager-ip 192.168.1.0 255.255.255.0
set admin manager-ip 192.168.0.0 255.255.255.0
set admin manager-ip x.x.x.x 255.255.255.240
set admin ssh port 1024
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "untrust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone id 101 "Internal"
set zone "Internal" vrouter "trust-vr"
set zone id 100 "External"
set zone id 102 "Dial-up"
set zone "Dial-up" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
unset zone "Untrust" block
unset zone "Untrust" tcp-rst
unset zone "DMZ" tcp-rst
set zone "VLAN" block
unset zone "VLAN" tcp-rst
unset zone "Internal" tcp-rst
unset zone "External" tcp-rst
set zone "Dial-up" block
unset zone "Dial-up" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface ethernet0/0 phy full 10mb
set interface ethernet0/1 phy full 100mb
set interface ethernet0/2 phy full 100mb
set interface "bri0/0" zone "Untrust"
set interface "ethernet0/0" zone "External"
set interface "ethernet0/1" zone "DMZ"
set interface "ethernet0/2" zone "Internal"
set interface "ethernet0/3" zone "Trust"
set interface "bgroup0" zone "Trust"
set interface "tunnel.1" zone "External"
set interface "tunnel.2" zone "Internal"
set interface bgroup0 port ethernet0/4
set interface bgroup0 port ethernet0/5
set interface bgroup0 port ethernet0/6
unset interface vlan1 ip
set interface ethernet0/0 ip x.x.x.x/29
set interface ethernet0/0 route
set interface ethernet0/1 ip 192.168.1.1/24
set interface ethernet0/1 nat
set interface ethernet0/2 ip 192.168.0.1/24
set interface ethernet0/2 nat
set interface ethernet0/3 ip 192.168.2.1/24
set interface ethernet0/3 nat
set interface bgroup0 ip 192.168.3.1/24
set interface bgroup0 nat
set interface tunnel.1 ip unnumbered interface ethernet0/0
set interface tunnel.2 ip unnumbered interface ethernet0/2
set interface tunnel.2 mtu 1500
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/0 ip manageable
set interface ethernet0/1 ip manageable
set interface ethernet0/2 ip manageable
set interface ethernet0/3 ip manageable
set interface bgroup0 ip manageable
set interface ethernet0/0 manage ping
set interface ethernet0/0 manage ssh
set interface ethernet0/0 manage ssl
set interface ethernet0/1 manage ssh
set interface ethernet0/1 manage telnet
set interface ethernet0/1 manage web
set interface ethernet0/2 manage ping
set interface ethernet0/2 manage ssh
set interface ethernet0/2 manage telnet
set interface ethernet0/2 manage web
unset interface ethernet0/3 manage ping
unset interface ethernet0/3 manage ssh
unset interface ethernet0/3 manage telnet
unset interface ethernet0/3 manage snmp
unset interface ethernet0/3 manage ssl
unset interface ethernet0/3 manage web
set interface bgroup0 dhcp server service
set interface bgroup0 dhcp server auto
set interface bgroup0 dhcp server option netmask 255.255.255.0
unset interface bgroup0 dhcp server config next-server-ip
set interface ethernet0/0 dip 25 x.x.x.x x.x.x.x
set interface "ethernet0/0" mip x.x.x.x host 192.168.1.205 netmask 255.255.255.255 vr "untrust-vr"
set interface "ethernet0/0" mip x.x.x.x host 192.168.1.218 netmask 255.255.255.255 vr "untrust-vr"
set interface "ethernet0/0" mip x.x.x.x host 192.168.1.238 netmask 255.255.255.255 vr "untrust-vr"
set interface "ethernet0/0" mip x.x.x.x host 192.168.1.207 netmask 255.255.255.255 vr "untrust-vr"
set interface "ethernet0/0" mip x.x.x.x host 192.168.0.202 netmask 255.255.255.255 vr "untrust-vr"
set flow tcp-mss
set flow all-tcp-mss 1304
unset flow no-tcp-seq-check
set flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set hostname sas
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set pki x509 dn state-name "abc"
set pki x509 dn local-name "xyz"
set pki x509 dn org-name "ttt"
set pki x509 dn org-unit-name "IT"
set pki x509 dn name "VPN"
set pki x509 dn phone "81-3-5114-6167"
set pki x509 cert-fqdn inago-tyofw.inago.com
set dns host dns1 x.x.x.x src-interface ethernet0/0
set dns host dns2 x.x.x.x src-interface ethernet0/0
set dns host dns3 0.0.0.0
set address "Trust" "192.168.0.202/24" 192.168.0.202 255.255.255.0
set address "Trust" "x_LAN" 192.168.0.0 255.255.255.0
set address "DMZ" "192.168.0.0/24" 192.168.0.0 255.255.255.0
set address "DMZ" "192.168.1.0/24" 192.168.1.0 255.255.255.0
set address "DMZ" "x.x.x.x/32" x.x.x.x 255.255.255.255
set address "Internal" "192.168.0.0/24" 192.168.0.222 255.255.255.0
set address "Internal" "192.168.0.202/32" 192.168.0.202 255.255.255.255
set address "Internal" "192.168.1.0/24" 192.168.1.0 255.255.255.0
set address "Internal" "192.168.123.0/24" 192.168.123.0 255.255.255.0
set address "Internal" "x_LAN" 192.168.0.0 255.255.255.0 "x LAN IP"
set address "External" "192.168.1.205/32" 192.168.1.205 255.255.255.255
set address "External" "192.168.123.0/24" 192.168.123.0 255.255.255.0
set address "External" "x.x.x.x/16" x.x.x.x 255.255.0.0
set address "External" "x.x.x.x/32" x.x.x.x 255.255.255.255
set address "External" "x.x.x.x/32" x.x.x.x 255.255.255.255
set address "External" "y_LAN" 192.168.123.0 255.255.255.0 "y LAN IP"
set ippool "L2TP_pool" 10.10.1.10 10.10.1.50
set user "vpnuser" uid 13
set user "vpnuser" ike-id asn1-dn wildcard "CN=sysadmin@inago.com,OU=IT,O=iNAGO,L=Minato-ku,ST=Tokyo,C=JP,Email=admin@abc.com,DC=," share-limit 1
set user "vpnuser" type ike l2tp
set user "vpnuser" password "quW/U3FxNqncBjsOZLCXGbM8ngniqH/62g=="
unset user "vpnuser" type auth
set user "vpnuser" "enable"
set ike gateway "WindowsVPN-GW" dialup "vpnuser" Main outgoing-interface "ethernet0/0" preshare "lH12bepNNPZZqmsfjUCPMmj70hnq1EKfcA==" proposal "rsa-g2-des-sha"
set ike gateway "WindowsVPN-GW" cert peer-ca all
unset ike gateway "WindowsVPN-GW" nat-traversal
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vpn "Tokyo_Toronto_VPN" id 20 manual 3020 3030 gateway 66.207.201.62 outgoing-interface "ethernet0/0" esp 3des password TiiFfofd16092008 auth sha-1 password FistfulOf16092008
set vpn "Tokyo_Toronto_VPN" monitor
set vpn "Tokyo_Toronto_VPN" id 0 bind interface tunnel.1
set vpn "WindowsVPN-vpn" gateway "WindowsVPN-GW" no-replay transport idletime 0 sec-level compatible
set vpn "WindowsVPN-vpn" monitor
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set l2tp default dns1 x.x.x.x
set l2tp default dns2 x.x.x.x
set l2tp default ippool "L2TP_pool"
set l2tp "WindowsVPN-l2tp" id 7 outgoing-interface ethernet0/0 keepalive 60
set url protocol websense
exit
set anti-spam profile ns-profile
set sbl default-server enable
exit
set policy id 22 from "External" to "Internal" "y_LAN" "x_LAN" "ANY" permit
set policy id 22
exit
set policy id 21 from "Internal" to "External" "x_LAN" "y_LAN" "ANY" permit
set policy id 21
exit
set policy id 20 from "External" to "Internal" "Any" "192.168.123.0/24" "ANY" permit
set policy id 20
exit
set policy id 8 name "INSIDE-LAN_to_INTERNET" from "Internal" to "External" "192.168.0.0/24" "Any" "ANY" nat src dip-id 25 permit
set policy id 8
exit
set policy id 7 name "DMZLAN_to_Internet" from "DMZ" to "External" "192.168.1.0/24" "Any" "ANY" nat src dip-id 25 permit
set policy id 7
exit
set policy id 2 name "web" from "DMZ" to "External" "Any" "Any" "HTTP" permit
set policy id 2 disable
set policy id 2
set service "HTTPS"
exit
set policy id 3 name "DNS" from "DMZ" to "External" "Any" "Any" "DNS" permit
set policy id 3 disable
set policy id 3
exit
set policy id 5 name "WEB" from "External" to "External" "Any" "MIP(x.x.x.x)" "HTTP" permit
set policy id 5
set service "HTTPS"
exit
set policy id 6 name "WEB" from "External" to "External" "Any" "MIP(x.x.x.x)" "HTTP" permit
set policy id 6
set service "HTTPS"
exit
set policy id 12 name "WEB" from "External" to "External" "Any" "MIP(x.x.x.x)" "HTTP" permit
set policy id 12
set service "HTTPS"
exit
set policy id 15 from "Internal" to "DMZ" "192.168.0.0/24" "192.168.1.0/24" "ANY" permit log
set policy id 15
exit
set policy id 16 from "DMZ" to "Internal" "192.168.1.0/24" "192.168.0.202/32" "DNS" permit
set policy id 16
set service "ICMP-ANY"
exit
set policy id 17 name "WEB" from "External" to "External" "Any" "MIP(x.x.x.x)" "HTTP" permit
set policy id 17
set service "HTTPS"
exit
set policy id 24 from "Internal" to "External" "192.168.0.0/24" "Dial-Up VPN" "ANY" tunnel vpn "WindowsVPN-vpn" id 31 l2tp "WindowsVPN-l2tp"
set policy id 24
exit
set policy id 25 from "Internal" to "External" "192.168.0.0/24" "Dial-Up VPN" "ANY" tunnel vpn "WindowsVPN-vpn" id 31 l2tp "WindowsVPN-l2tp"
set policy id 25
exit
set policy id 26 from "External" to "Internal" "Dial-Up VPN" "192.168.0.0/24" "ANY" tunnel vpn "WindowsVPN-vpn" id 31 l2tp "WindowsVPN-l2tp"
set policy id 26
exit
set policy id 27 name "WEB" from "External" to "External" "Any" "MIP(x.x.x.x)" "PPTP" permit
set policy id 27
exit
set pppoe name "x_ext"
set pppoe name "x_ext" username "cde" password "yyy"
set pppoe name "x_ext" static-ip
set pppoe name "x_ext" interface ethernet0/0
unset pppoe name "x_ext" update-dhcpserver
set log module system level error destination console
set log module system level debugging destination console
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set ssh enable
set config lock timeout 5
unset license-key auto-update
set ssl port 6636
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
set route 192.168.123.0/24 interface tunnel.1 preference 20
set route 192.168.0.0/24 vrouter "trust-vr" preference 20 metric 1
set route 192.168.123.0/24 vrouter "trust-vr" preference 20
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface ethernet0/0 preference 20
set route 192.168.1.0/24 interface ethernet0/1 preference 20
set route 192.168.123.0/24 interface null preference 20 metric 10
set route 192.168.123.0/24 interface tunnel.1
set route 10.10.1.0/24 interface tunnel.2 preference 20
set route 0.0.0.0/0 interface ethernet0/0 gateway x.x.x.x
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
 
Hi all,
I finally fixed this issue. I had to synchronize the SSG5 to an NTP server (certificate validity checks depend on the firewall having the correct time), then delete the old cer and crl files, recreate the key on the SSG, and recreate the pkcs#10 and crl files. I also deleted the XP client's certificate from both the Personal and the Trusted Certificate folders.
I then tried to reconnect and, voilà, it worked.

Thank you
 