VPN between Netscreen 5XT and Watchguard edge X10e

Beecky (IS-IT--Management), Dec 16, 2006
Hi,

I'm trying to set up a branch office VPN tunnel between a Netscreen 5XT and a Watchguard Edge X10e.
I'm familiar with Watchguard but not with Netscreen.
So far I could configure the VPN, and Phase 2 is initiated and completed. I can see that the SA is active, but no traffic goes over the VPN. This is an extract from the Netscreen logs.

2006-12-16 10:53:38 info IKE<84.194.173.99> Phase 2 msg ID <46478372>: Completed negotiations with SPI <6f372264>, tunnel ID <5>, and lifetime <3600> seconds/<0> KB.
2006-12-16 10:53:38 info IKE<84.194.173.99> Phase 2 msg ID <46478372>: Responded to the peer's first message.

But the VPN monitor status shows as follows

VPN_to_x 00000005 28/29 84.194.173.99 AutoIKE Active Down

There must be something that I forgot, but I don't know what.

Thanks for your help

Greetz Beecky
 
Hi,

What type of VPN did you configure? If you're using the VPN monitor, I'm guessing you're using a route-based VPN with a tunnel interface. If so, the VPN monitor may be bringing down the tunnel ("Active Down"). Did you add a route for your remote LAN? If not, try adding a route with a next hop via your tunnel interface. Also, make sure you have a policy. Hope this helps.

Rgds,

John
 
Hi,

I'm currently testing it with a policy-based VPN. But even when I change it to route-based, it doesn't work.
In route-based mode I can see the route in the routing table and it is marked as active, but there are no pings or other traffic going through the tunnel.
When in route-based mode I have a policy that permits all traffic between the 2 VPN networks.
In policy-based mode I have 2 rules that are tunneling the traffic.

Maybe something useful: when I start a traceroute from the Netscreen towards the remote network, the data is going to the Internet and doesn't seem to be encrypted. I don't know if that is normal behaviour?

thanks.

David
 
Hi,

If you want, we can debug this together. Try the following and paste the results.

debug ike all
clear db
ping x.x.x.x from trust (x.x.x.x = IP on remote LAN)
undebug all
get db str
get int tun.x
get route
get pol from trust to untrust
get pol from untrust to trust

Paste the results of the get commands above (multiple pages) to this post and I will have a look.

Rgds,

John
 
Hi John,

Thanks for your help.

ns5xp-> get db str
## 20:54:44 : ms 71045016 rt-timer callback
## 20:54:44 : ms 71045029 rt-timer callback
## 20:54:45 : ms 71046016 rt-timer callback
## 20:54:45 : ms 71046116 rt-timer callback
## 20:54:46 : ms 71047016 rt-timer callback
## 20:54:46 : ms 71047031 rt-timer callback
## 20:54:47 : ms 71048016 rt-timer callback
## 20:54:47 : ms 71048118 rt-timer callback
## 20:54:48 : ms 71049016 rt-timer callback
## 20:54:48 : ms 71049028 rt-timer callback
## 20:54:49 : ms 71050017 rt-timer callback
## 20:54:49 : ms 71050119 rt-timer callback
## 20:54:49 : IKE<84.194.173.119 > hdr
## 20:54:49 : 76 ee 67 63 10 98 50 f0 fa 49 1e 29 f6 db 84 d8
## 20:54:49 : 08 10 05 01 c9 d1 43 01 00 00 00 3c 3f 69 a6 96
## 20:54:49 : IKE<84.194.173.119 > ike packet, len 88, action 0
## 20:54:49 : IKE<0.0.0.0 > coach. sock 64
## 20:54:49 : IKE<84.194.173.119 > ****** Recv packet if <untrust> of vsys <Root> ******
## 20:54:49 : IKE<84.194.173.119 > Catcher: get 60 bytes. src port 500
## 20:54:49 : IKE<84.194.173.119 > SA: (Root, local 192.168.2.2, state 6/102f +, i):
## 20:54:49 : IKE<84.194.173.119 > ISAKMP msg: len 60, nxp 8[HASH], exch 5[INFO], flag 01 E
## 20:54:49 : IKE<84.194.173.119 > Create conn entry...
--- more ---
## 20:54:49 : IKE<84.194.173.119 > ...done(new c9d14301)
## 20:54:49 : IKE<84.194.173.119 > Decrypting payload (length 32)
## 20:54:49 : IKE<84.194.173.119 > iv:
## 20:54:49 : 4c 11 9f 23 78 7b 8e e9
## 20:54:49 : IKE<84.194.173.119 > new iv:
## 20:54:49 : e9 cf 5b 1b 21 da 7e 10
## 20:54:49 : IKE<84.194.173.119 > Recv*: [HASH] [NOTIF]
## 20:54:49 : IKE<84.194.173.119 > Process [NOTIF]:
## 20:54:49 : IKE<84.194.173.119 > rcv HeartBeat with hello interval 40
## 20:54:49 : IKE<84.194.173.119 > Create conn entry...
## 20:54:49 : IKE<84.194.173.119 > ...done(new 107b4111)
## 20:54:49 : IKE<84.194.173.119 > Construct ISAKMP header.
## 20:54:49 : IKE<84.194.173.119 > Msg header built (next payload #8)
## 20:54:49 : IKE<84.194.173.119 > Construct [HASH]
## 20:54:49 : IKE<84.194.173.119 > Construct [NOTIF]:(NOTIFY_HEARTBEAT)
## 20:54:49 : IKE<84.194.173.119 > construct QM HASH
## 20:54:49 : IKE<84.194.173.119 > P2 message header:
## 20:54:49 : IKE<84.194.173.119 > ISAKMP msg: len 28, nxp 8[HASH], exch 5[INFO], flag 00
## 20:54:49 : IKE<84.194.173.119 > Xmit*: [HASH] [NOTIF]
## 20:54:49 : IKE<84.194.173.119 > Encrypt P2 payload (len 64)
## 20:54:49 : IKE<84.194.173.119 > clear p2 pkt dump:
## 20:54:49 : 76 ee 67 63 10 98 50 f0 fa 49 1e 29 f6 db 84 d8
--- more ---
## 20:54:49 : 08 10 05 00 10 7b 41 11 00 00 00 1c 0b 00 00 14
## 20:54:49 : 3b 7d d1 5f 0a 72 6c 1b 17 d4 1b 37 b1 8e 3e 39
## 20:54:49 : 00 00 00 10 00 00 00 01 01 00 80 00 00 00 00 00
## 20:54:49 : IKE<84.194.173.119 > iv:
## 20:54:49 : cd a0 2a 9d 21 8d ac c1
## 20:54:49 : IKE<84.194.173.119 > new iv:
## 20:54:49 : 95 f9 14 ac 0c 2c 99 8c
## 20:54:49 : IKE<84.194.173.119 > send_request to peer
## 20:54:49 : IKE<84.194.173.119 > Send Phase 2 packet (len=68)
## 20:54:49 : IKE<84.194.173.119 > Delete conn entry...
## 20:54:49 : IKE<84.194.173.119 > ...found(107b4111)
## 20:54:49 : IKE<84.194.173.119 > process notify exit with <0>.
## 20:54:49 : IKE<84.194.173.119 > Delete conn entry...
## 20:54:49 : IKE<84.194.173.119 > ...found(c9d14301)
## 20:54:49 : IKE<84.194.173.119 > IKE msg done: PKI state<0> IKE state<6/102f>
## 20:54:49 : ms 71050884 rt-timer callback
## 20:54:49 : IKE<0.0.0.0 > coach. sock 64
## 20:54:49 : ms 71050887 rt-timer callback
## 20:54:49 : ms 71050888 rt-timer callback
## 20:54:50 : ms 71051018 rt-timer callback
## 20:54:50 : ms 71051034 rt-timer callback
## 20:54:51 : ms 71052017 rt-timer callback
--- more ---
## 20:54:51 : ms 71052122 rt-timer callback
## 20:54:52 : ms 71053016 rt-timer callback
## 20:54:52 : ms 71053028 rt-timer callback
## 20:54:53 : ms 71054016 rt-timer callback
## 20:54:53 : ms 71054144 rt-timer callback
## 20:54:54 : ms 71055016 rt-timer callback
## 20:54:54 : ms 71055031 rt-timer callback
## 20:54:55 : ms 71056016 rt-timer callback
## 20:54:55 : ms 71056116 rt-timer callback
## 20:54:56 : ms 71057017 rt-timer callback
## 20:54:56 : ms 71057029 rt-timer callback
## 20:54:57 : ms 71058016 rt-timer callback
## 20:54:57 : ms 71058117 rt-timer callback
## 20:54:58 : ms 71059018 rt-timer callback
## 20:54:58 : ms 71059034 rt-timer callback
## 20:54:59 : ms 71060018 rt-timer callback
## 20:54:59 : ms 71060120 rt-timer callback
## 20:55:00 : ms 71061017 rt-timer callback
## 20:55:00 : ms 71061029 rt-timer callback
## 20:55:01 : ms 71062016 rt-timer callback
## 20:55:01 : ms 71062121 rt-timer callback
## 20:55:02 : ms 71063017 rt-timer callback
--- more ---
## 20:55:02 : ms 71063033 rt-timer callback
## 20:55:03 : ms 71064016 rt-timer callback
## 20:55:03 : ms 71064120 rt-timer callback
## 20:55:04 : ms 71065016 rt-timer callback
## 20:55:04 : ms 71065027 rt-timer callback
## 20:55:05 : ms 71066016 rt-timer callback
## 20:55:05 : ms 71066118 rt-timer callback
## 20:55:06 : ms 71067018 rt-timer callback
## 20:55:06 : ms 71067033 rt-timer callback
## 20:55:07 : ms 71068016 rt-timer callback
## 20:55:07 : ms 71068117 rt-timer callback
## 20:55:08 : ms 71069017 rt-timer callback
## 20:55:08 : ms 71069029 rt-timer callback
## 20:55:09 : ms 71070018 rt-timer callback
## 20:55:09 : ms 71070120 rt-timer callback
## 20:55:10 : ms 71071017 rt-timer callback
## 20:55:10 : ms 71071033 rt-timer callback
## 20:55:11 : ms 71072019 rt-timer callback
## 20:55:11 : ms 71072123 rt-timer callback
## 20:55:12 : ms 71073017 rt-timer callback
## 20:55:12 : ms 71073029 rt-timer callback
## 20:55:13 : ms 71074016 rt-timer callback
--- more ---
## 20:55:13 : ms 71074117 rt-timer callback
## 20:55:14 : ms 71075017 rt-timer callback
## 20:55:14 : ms 71075033 rt-timer callback
## 20:55:15 : ms 71076016 rt-timer callback
## 20:55:15 : ms 71076117 rt-timer callback
## 20:55:16 : ms 71077016 rt-timer callback
## 20:55:16 : ms 71077028 rt-timer callback
## 20:55:17 : ms 71078016 rt-timer callback
## 20:55:17 : ms 71078118 rt-timer callback
## 20:55:18 : ms 71079016 rt-timer callback
## 20:55:18 : ms 71079032 rt-timer callback
## 20:55:19 : ms 71080017 rt-timer callback
## 20:55:19 : ms 71080120 rt-timer callback
## 20:55:20 : ms 71081018 rt-timer callback
## 20:55:20 : ms 71081031 rt-timer callback
## 20:55:21 : ms 71082016 rt-timer callback
## 20:55:21 : ms 71082117 rt-timer callback
## 20:55:22 : ms 71083016 rt-timer callback
## 20:55:22 : ms 71083032 rt-timer callback
## 20:55:23 : ms 71084016 rt-timer callback
## 20:55:23 : ms 71084120 rt-timer callback
## 20:55:24 : ms 71085016 rt-timer callback
--- more ---
## 20:55:24 : ms 71085028 rt-timer callback
## 20:55:25 : ms 71086015 rt-timer callback
## 20:55:25 : ms 71086119 rt-timer callback
## 20:55:26 : ms 71087017 rt-timer callback
## 20:55:26 : ms 71087032 rt-timer callback
## 20:55:27 : ms 71088017 rt-timer callback
## 20:55:27 : ms 71088120 rt-timer callback
## 20:55:28 : ms 71089016 rt-timer callback
## 20:55:28 : ms 71089027 rt-timer callback

ns5xp-> get int tun.x
^-------unknown keyword tun.x

ns5xp-> get route
untrust-vr (0 entries)
--------------------------------------------------------------------------------
C - Connected, S - Static, A - Auto-Exported, I - Imported, R - RIP
trust-vr (3 entries)
--------------------------------------------------------------------------------
   ID IP-Prefix        Interface  Gateway       P Pref  Mtr Vsys
--------------------------------------------------------------------------------
*   4 0.0.0.0/0        untrust    192.168.2.1   C    0    1 Root
*   2 192.168.2.0/24   untrust    0.0.0.0       C    0    0 Root
*   1 192.168.1.0/24   trust      0.0.0.0       C    0    0 Root

ns5xp-> get pol from trust to untrust
ID From  To      Src-address        Dst-address  Service   Action  State    ASTLC B
30 Trust Untrust LAN                LAN_Arlon    ANY       Tunnel  enabled  ---X- X
27 Trust Untrust Any                Any          dimitri   Permit  enabled  ----- X
16 Trust Untrust MailMarshal server Any          ANY       Permit  enabled  ---X- X
 1 Trust Untrust Any                Any          Default   Permit  enabled  ---X- X
 2 Trust Untrust Any                Any          terminal  Permit  enabled  ----- X
 7 Trust Untrust Any                Any          HTTP      Permi~  enabled  ---X- X
 8 Trust Untrust Any                Any          HTTPS     Permi~  enabled  ---X- X
 9 Trust Untrust Any                Any          isabel    Permit  enabled  ----- X
13 Trust Untrust Any                Any          testaza   Permit  enabled  ----- X
19 Trust Untrust Any                Any          PC-Anyw~  Permit  enabled  ----- X
21 Trust Untrust Any                Any          elink     Permit  enabled  ----- X
 4 Trust Untrust Any                Any          ANY       Deny    enabled  ---X- X
23 Trust Untrust 192.168.1.2~       Any          ANY       Permit  enabled  ----- X

ns5xp-> get pol from untrust to trust
ID From    To    Src-address  Dst-address  Service  Action  State    ASTLCB
31 Untrust Trust Dial-Up VPN  LAN          ANY      Tunnel  enabled  ---X-X
29 Untrust Trust LAN_Arlon    LAN          ANY      Tunnel  enabled  ---X-X
24 Untrust Trust Any          Any          ANY      Permit  enabled  ---X-X
20 Untrust Trust Any          VIP::1       elink    Permit  enabled  -----X
                                           HTTP
                                           MAIL


I hope this is useful information.

Thanks

Beecky



 
Hi,

It appears to me that your Firewall is not getting a phase 2 reply from the remote end. Can you paste some additional info?

get ike cookie
get sa
get event

I will take another look.

Rgds,

John
 
Hi,

From the logs I understand that the tunnel P1 and P2 are completed successfully.

2006-12-18 17:04:31 info IKE<84.194.173.119> Phase 2 msg ID <ef3dca36>: Completed negotiations with SPI <55ccdd0b>, tunnel ID <5>, and lifetime <3600> seconds/<0> KB.
2006-12-18 17:04:30 info Rejected an IKE packet on untrust from 192.168.2.2:500 to 84.194.173.119:500 with cookies db3753a657298180 and 722f68a84a81ca26 because the IKE INFO exchange mode hash payload was invalid.
2006-12-18 17:04:30 info IKE<84.194.173.119> Phase 2: Initiated negotiations.
2006-12-18 17:04:30 info IKE<84.194.173.119> Phase 1: Completed Aggressive mode negotiations with a <28800>-second lifetime.
2006-12-18 17:04:30 info IKE<192.168.2.2> >> <84.194.173.119> Phase 1: Initiated negotiations in aggressive mode.


ns5xp-> get ike cookie

Active: 1, Dead: 0, Total 1

102f/0006, 192.168.2.2:500->84.194.173.119:500, PRESHR/grp2/DES/MD5, xchg(4) (ph1-to-arlon/grp-1/usr-1)
resent-tmr 7182040 lifetime 28800 lt-recv 28800 nxt_rekey 28591 cert-expire 0
initiator, err cnt 0, send dir 1, cond 0x0
nat-traversal map not available
ike heartbeat : disabled
ike heartbeat last rcv time: 143692
ike heartbeat last snd time: 0
XAUTH status: 0


ns5xp-> get sa
total configured sa: 2
HEX ID Gateway Port Algorithm SPI Life:sec kb Sta PID vsys
00000005< 84.194.173.119 500 esp:3des/md5 55ccdd0c 3485 unlim I/I 29 0
00000005> 84.194.173.119 500 esp:3des/md5 781c0c16 3485 unlim I/I 30 0
00000006< 84.194.173.119 500 esp:3des/md5 55ccda17 expir unlim I/I 31 0
00000006> 84.194.173.119 500 esp:3des/md5 1cd29e3e expir unlim I/I -1 0


ns5xp-> get event
Total event entries = 3070
Date Time Module Level Type Description
2006-12-18 17:08:46 system info 00536 Rejected an IKE packet on untrust from
192.168.2.2:500 to 84.194.173.119:500
with cookies db3753a657298180 and
722f68a84a81ca26 because an
unencrypted packet unexpectedly
arrived.
2006-12-18 17:08:42 system info 00536 Rejected an IKE packet on untrust from
192.168.2.2:500 to 84.194.173.119:500
with cookies db3753a657298180 and
722f68a84a81ca26 because an
unencrypted packet unexpectedly
arrived.
2006-12-18 17:08:38 system info 00536 Rejected an IKE packet on untrust from
192.168.2.2:500 to 84.194.173.119:500
with cookies db3753a657298180 and
722f68a84a81ca26 because an
unencrypted packet unexpectedly
arrived.
2006-12-18 17:08:34 system info 00536 Rejected an IKE packet on untrust from
192.168.2.2:500 to 84.194.173.119:500
--- more ---
with cookies db3753a657298180 and
722f68a84a81ca26 because an
unencrypted packet unexpectedly
arrived.
2006-12-18 17:08:30 system info 00536 Rejected an IKE packet on untrust from
192.168.2.2:500 to 84.194.173.119:500
with cookies db3753a657298180 and
722f68a84a81ca26 because an
unencrypted packet unexpectedly
arrived.
2006-12-18 17:08:30 system info 00536 IKE<84.194.173.119> Phase 2: Initiated
negotiations.
2006-12-18 17:08:21 system notif 00533 VIP server 192.168.1.1 is now alive.
2006-12-18 17:08:20 system info 00536 VPN monitoring for VPN VPN_to_Arlon
has deactivated the SA with ID
0x00000005.
2006-12-18 17:08:19 system crit 00023 VIP server 192.168.1.1 cannot be
contacted.
2006-12-18 17:08:10 system crit 00041 VPN 'VPN_to_Arlon' from 84.194.173.119
is down.
2006-12-18 17:08:09 system notif 00543 Access for firewall user test at
192.168.1.53 (accepted at 12/18/2006
--- more ---
16:28:27 for duration 0:39:42 via
the Local auth server) by policy id 7
is now over



 
John,

Sorry, this is the get event after I send traffic into the tunnel.

ns5xp-> get event
Total event entries = 3070
Date Time Module Level Type Description
2006-12-18 17:11:25 system notif 00533 VIP server 192.168.1.1 is now alive.
2006-12-18 17:11:23 system crit 00023 VIP server 192.168.1.1 cannot be
contacted.
2006-12-18 17:11:17 system notif 00533 VIP server 192.168.1.1 is now alive.
2006-12-18 17:11:15 system crit 00023 VIP server 192.168.1.1 cannot be
contacted.
2006-12-18 17:11:11 system crit 00040 VPN 'VPN_to_Arlon' from 84.194.173.119
is up.
2006-12-18 17:11:10 system info 00536 IKE<84.194.173.119> Phase 2 msg ID
<52af3f27>: Completed negotiations
with SPI <55ccdd0f>, tunnel ID <5>,
and lifetime <3600> seconds/<0> KB.
2006-12-18 17:11:10 system info 00536 IKE<84.194.173.119> Phase 2: Initiated
negotiations.
2006-12-18 17:11:05 system notif 00533 VIP server 192.168.1.1 is now alive.
2006-12-18 17:11:03 system crit 00023 VIP server 192.168.1.1 cannot be
contacted.


Although ping is not responding.

Greetz Beecky
 
Hi,

Your get sa indicates that your VPN is inactive and that the VPN monitor is the same. Are you using VPN monitor with this VPN? If so, what is the IP you are using to monitor? I think the internal IP at the remote end is best, but I would make sure it's able to respond to ICMP.

The "'VPN_to_Arlon' from 84.194.173.119 is up" message from your event log indicates that your VPN is up. Can you run a "get sa" after this occurs? Please paste the info. Once the "get sa" indicates "A" for active, we will need to run another debug to see if your ICMP packets are being routed, permitted and encrypted.

If the get sa is showing an active state, try the following:

unset ff 0 (repeat this for each flow filter)
set ff dst-ip x.x.x.x (internal IP of remote firewall)
debug flow basic
clear db
ping x.x.x.x from trust (internal IP of remote firewall)
undebug all
get db str (paste results to post)

Please keep me posted.


Rgds,

John
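
The status column John refers to is what decides whether this tunnel can carry traffic at all, so here is an added example (not code from the thread, Juniper or WatchGuard) that parses the `get sa` output pasted above and turns each tunnel's `Sta` field into a plain-language finding. The code-letter meanings it assumes follow the ScreenOS CLI: first letter A = active SA, I = inactive; second letter U = VPN monitor up, D = VPN monitor down, I = monitor inactive, `-` = not monitored. The sample text is constructed from the lines pasted in this thread. It also flags the negotiated algorithms: the `get ike cookie` output shows `PRESHR/grp2/DES/MD5` for Phase 1 and `esp:3des/md5` for Phase 2, and DES, 3DES and MD5 are no longer acceptable for a site-to-site tunnel; the deny-list in the code is this example's own assumption, not a ScreenOS setting.

```python
"""Parse ScreenOS `get sa` output and explain why a tunnel may not pass traffic.

Added example for this thread, not code from the original posts or from Juniper.
Status-code meanings follow the ScreenOS CLI; the sample is constructed from the
thread's pastes. WEAK_ALGORITHMS is this example's own deny-list (assumption).
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the SA lines Beecky pasted, plus the mobile-user tunnel.
SAMPLE_GET_SA = """\
total configured sa: 2
HEX ID Gateway Port Algorithm SPI Life:sec kb Sta PID vsys
00000005< 84.194.173.119 500 esp:3des/md5 55cce5f9 3495 unlim A/D 29 0
00000005> 84.194.173.119 500 esp:3des/md5 43d905a2 3495 unlim A/D 30 0
00000007< 81.244.33.2 500 esp:3des/md5 55cce5e4 1553 unlim A/- 31 0
00000007> 81.244.33.2 500 esp:3des/md5 942bdd58 1553 unlim A/- -1 0
00000006< 84.194.173.119 500 esp:3des/md5 55ccda17 expir unlim I/I 31 0
00000006> 84.194.173.119 500 esp:3des/md5 1cd29e3e expir unlim I/I -1 0
"""

# One SA line: "<hexid><dir> <gateway> <port> <alg> <spi> <life> <kb> <sa>/<mon> <pid> <vsys>"
SA_LINE = re.compile(
    r"^(?P<tid>[0-9a-f]{8})(?P<direction>[<>])\s+(?P<gateway>\S+)\s+(?P<port>\d+)\s+"
    r"(?P<algorithm>\S+)\s+(?P<spi>[0-9a-f]+)\s+(?P<life>\S+)\s+(?P<kb>\S+)\s+"
    r"(?P<sa_state>[AI])/(?P<monitor>[UDI-])\s+(?P<pid>-?\d+)\s+(?P<vsys>\d+)$"
)

# Assumption: algorithms we refuse to accept on a site-to-site tunnel today.
WEAK_ALGORITHMS = {"des", "3des", "md5", "sha1"}


@dataclass
class SaEntry:
    tunnel_id: str
    inbound: bool        # '<' = inbound SA, '>' = outbound SA
    gateway: str
    algorithm: str       # e.g. "esp:3des/md5"
    spi: str
    life: str            # seconds remaining, or "expir"
    sa_state: str        # A = active, I = inactive
    monitor: str         # U = monitor up, D = monitor down, I = inactive, - = not monitored
    pid: int             # policy id referencing the SA (-1 = none; normal for outbound)


def parse_get_sa(text: str) -> List[SaEntry]:
    """Extract SA rows; headers, totals and pager prompts are skipped."""
    entries: List[SaEntry] = []
    for line in text.splitlines():
        m = SA_LINE.match(line.strip())
        if not m:
            continue
        entries.append(SaEntry(
            tunnel_id=m["tid"], inbound=(m["direction"] == "<"),
            gateway=m["gateway"], algorithm=m["algorithm"], spi=m["spi"],
            life=m["life"], sa_state=m["sa_state"], monitor=m["monitor"],
            pid=int(m["pid"]),
        ))
    return entries


def weak_tokens(algorithm: str) -> List[str]:
    """Return the deny-listed tokens in an algorithm string like 'esp:3des/md5'."""
    return sorted(WEAK_ALGORITHMS & set(re.split(r"[:/]", algorithm.lower())))


def diagnose(entries: List[SaEntry]) -> Dict[str, List[str]]:
    """Per-tunnel findings; an empty list means nothing obviously wrong."""
    by_tunnel: Dict[str, List[SaEntry]] = {}
    for e in entries:
        by_tunnel.setdefault(e.tunnel_id, []).append(e)
    findings: Dict[str, List[str]] = {}
    for tid, sas in by_tunnel.items():
        notes: List[str] = []
        if any(e.sa_state == "I" for e in sas):
            notes.append("SA inactive: no usable Phase 2 SA, nothing can be encrypted")
        if any(e.life == "expir" for e in sas):
            notes.append("lifetime expired: stale SA pair, expect a rekey or delete")
        if any(e.monitor == "D" for e in sas):
            notes.append("VPN monitor down: probes to the monitor IP get no reply, "
                         "ScreenOS will mark the VPN down")
        if {e.inbound for e in sas} != {True, False}:
            notes.append("only one direction present: SA pair incomplete")
        weak = sorted({t for e in sas for t in weak_tokens(e.algorithm)})
        if weak:
            notes.append("weak algorithms negotiated: " + ", ".join(weak))
        findings[tid] = notes
    return findings


if __name__ == "__main__":
    for tunnel, notes in diagnose(parse_get_sa(SAMPLE_GET_SA)).items():
        print(tunnel, "->", "; ".join(notes) or "ok")
```

Run it against the output of `get sa` copied from the CLI; a tunnel reported as `A/D` is installed but its monitor probe fails, which is a different problem from `I/I`, where no Phase 2 SA exists and no policy can send traffic into the tunnel.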
 
John,

The monitor IP is the inside IP of the other vpn end. And this interface is pingable. The monitor interface source is trust.

ns5xp-> get sa
total configured sa: 2
HEX ID Gateway Port Algorithm SPI Life:sec kb Sta PID vsys
00000005< 84.194.173.119 500 esp:3des/md5 55ccdfb9 3527 unlim A/U 29 0
00000005> 84.194.173.119 500 esp:3des/md5 30d80df6 3527 unlim A/U 30 0
00000006< 84.194.173.119 500 esp:3des/md5 55ccda17 expir unlim I/I 31 0
00000006> 84.194.173.119 500 esp:3des/md5 1cd29e3e expir unlim I/I -1 0
ns5xp-> unset ff 0
filter 0 removed
ns5xp-> set ff dst-ip 192.168.119.1
filter added
ns5xp-> debug flow basic
ns5xp-> clear db
ns5xp-> ping 192.168.119.1 from trust
Type escape sequence to abort

Sending 5, 100-byte ICMP Echos to 192.168.119.1, timeout is 2 seconds from trust
.....
Success Rate is 0 percent (0/5),
ns5xp-> undebug all
ns5xp-> get db str
MSS found 0x057e
MSS found 0x05b4
MSS found 0x057e
MSS found 0x05b4


I hope this helps

David



 
Hi,

The debug indicates that either your traffic is not reaching the Firewall or your test was from a PC (not the firewall). Do you mind trying another debug? This should help us capture the flow before and after the encapsulation.

unset ff 0
set ff src-ip x.x.x.x ip-port 1 (x.x.x.x = IP of test machine)
debug flow basic
clear db
<ping test from test PC>
undebug all
get db str



Rgds,

John
 
John,

I don't have access to a PC behind the Netscreen. I can start a ping from behind the Netscreen; is that also OK?



Regards Beecky
 
Hi,

Sure, try the new Flow Filter and debug with a new test. Hopefully, we will get more info in the debug. Keep me posted.

Rgds,

John
 
John,

The tunnels are up. The first one is the branch office, the other is a mobile user.

ns5xp-> get sa
total configured sa: 2
HEX ID Gateway Port Algorithm SPI Life:sec kb Sta PID vsys
00000005< 84.194.173.119 500 esp:3des/md5 55cce06f 3580 unlim A/U 29 0
00000005> 84.194.173.119 500 esp:3des/md5 721a0e7a 3580 unlim A/U 30 0
00000006< 81.243.162.66 500 esp:3des/md5 55cce05c 2952 unlim A/- 31 0
00000006> 81.243.162.66 500 esp:3des/md5 5bb23fd5 2952 unlim A/- -1 0


ns5xp-> unset ff 0
filter 0 removed
ns5xp-> set ff dst-ip 192.168.119.1
filter added
ns5xp-> debug flow basic
ns5xp-> clear db
ns5xp-> ping 192.168.119.1 from trust
Type escape sequence to abort

Sending 5, 100-byte ICMP Echos to 192.168.119.1, timeout is 2 seconds from trust
.....
Success Rate is 0 percent (0/5),
ns5xp-> undebug all
ns5xp-> get db str
MSS found 0x05ac
MSS found 0x05b4
MSS found 0x05b4
MSS found 0x05b4

I hope this helps.

What is your email address ?

Thanks

Beecky

 
Can you provide me with the output from:

"get route ip 192.168.119.1"

Also, is your VPN bound to a tunnel interface?

Rgds,

John
 
Hi John,

ns5xp-> get route ip 192.168.119.1
Destination Routes for 192.168.119.1
---------------------
trust-vr : => 0.0.0.0/0 (id=4) via 192.168.2.1 (vr: trust-vr)
Interface untrust , metric 1


Maybe the tunnel interface is the problem. I thought tunnel interfaces are only needed for route-based vpns.
In my rulebase I have

29 Untrust Trust LAN_Arlon LAN ANY Tunnel enabled ---X-X
30 Trust Untrust LAN LAN_Arlon ANY Tunnel enabled ---X-X

thanks

David
 
Hi,

I would remove the tunnel interface from the VPN and bind it to the "untrust-tun". Since this is a policy based VPN, we should simply route to untrust, permit via policy and encrypt/encap accordingly. Keep me posted.

Rgds,

John
 
John,

Still no success. I have changed the "BIND TO" from none to tunnel zone "untrust tunnel".
Phase 1 and Phase 2 are completed successfully, but still no replies to ping.

ns5xp-> get route
untrust-vr (0 entries)
--------------------------------------------------------------------------------
C - Connected, S - Static, A - Auto-Exported, I - Imported, R - RIP
trust-vr (4 entries)
--------------------------------------------------------------------------------
   ID IP-Prefix        Interface  Gateway       P Pref  Mtr Vsys
--------------------------------------------------------------------------------
*   4 0.0.0.0/0        untrust    192.168.2.1   C    0    1 Root
*   2 192.168.2.0/24   untrust    0.0.0.0       C    0    0 Root
*   1 192.168.1.0/24   trust      0.0.0.0       C    0    0 Root
    6 192.168.119.0/24 tunnel.1   0.0.0.0       C    0    0 Root
ns5xp-> get route ip 192.168.119.1
Destination Routes for 192.168.119.1
---------------------
trust-vr : => 0.0.0.0/0 (id=4) via 192.168.2.1 (vr: trust-vr)
Interface untrust , metric 1

rgds

Beecky
 
OK, since this is a policy-based VPN and phase one and two have completed, we simply need to add a route via Untrust and make sure the policy is configured in each direction. This should permit and encap/encrypt the traffic and should show up in the debug. Try the following.

unset route 192.168.119.0/24
set route 192.168.119.0/24 int untrust

Upon completion, run a set and send the output from:

get ike cookie
get sa
get route
get event (2 screens)

Sorry we keep going back, but it's never easy when using other vendors. Let me know.

Rgds,

John
 
Hi John,

I'm afraid that we are missing something basic. I have never configured a VPN on a Netscreen, so I don't know all the parameters. I have already configured lots on Watchguard and Checkpoint, and they always worked. What I see on the Netscreen is that the packets to the destination network are leaving on the untrust interface but they are not encrypted (and I don't see why).

These are the logs you requested

ns5xp-> unset route 192.168.119.0/24
total routes deleted = 1
ns5xp-> set route 192.168.119.0/24 int untrust
ns5xp-> get ike cookie

Active: 2, Dead: 0, Total 2

102f/0006, 192.168.2.2:500->84.194.173.119:500, PRESHR/grp2/DES/MD5, xchg(4) (ph1-to-arlon/grp-1/usr-1)
resent-tmr 7182040 lifetime 28800 lt-recv 28800 nxt_rekey 28598 cert-expire 0
initiator, err cnt 0, send dir 1, cond 0x0
nat-traversal map not available
ike heartbeat : disabled
ike heartbeat last rcv time: 344436
ike heartbeat last snd time: 0
XAUTH status: 0
17182f/0006, 81.244.33.2:500->192.168.2.2:500, PRESHR/grp2/DES/MD5, xchg(4) (arlon/grp-1/usr1)
resent-tmr 7182040 lifetime 28800 lt-recv 28800 nxt_rekey 18950 cert-expire 0
responder, err cnt 0, send dir 1, cond 0x0
nat-traversal map:
keepalive frequency 0 sec
nat-t udp checksum enabled
local pri ip 192.168.2.2
local pri ike port 500
local pub ip 0.0.0.0
local pub ike port 0
remote pri ip 0.0.0.0
--- more ---
remote pri ike port 500
remote pub ip 81.244.33.2
remote pub ike port 500
internal ip 0.0.0.0
internal port 0
natt proto 17
ike heartbeat : disabled
ike heartbeat last rcv time: 0
ike heartbeat last snd time: 0
XAUTH status: 0
ns5xp-> get sa
total configured sa: 2
HEX ID Gateway Port Algorithm SPI Life:sec kb Sta PID vsys
00000005< 84.194.173.119 500 esp:3des/md5 55cce5f9 3495 unlim A/D 29 0
00000005> 84.194.173.119 500 esp:3des/md5 43d905a2 3495 unlim A/D 30 0
00000007< 81.244.33.2 500 esp:3des/md5 55cce5e4 1553 unlim A/- 31 0
00000007> 81.244.33.2 500 esp:3des/md5 942bdd58 1553 unlim A/- -1 0
ns5xp-> get route
untrust-vr (0 entries)
--------------------------------------------------------------------------------
C - Connected, S - Static, A - Auto-Exported, I - Imported, R - RIP
trust-vr (4 entries)
--------------------------------------------------------------------------------
   ID IP-Prefix        Interface  Gateway       P Pref  Mtr Vsys
--------------------------------------------------------------------------------
*   4 0.0.0.0/0        untrust    192.168.2.1   C    0    1 Root
*   2 192.168.2.0/24   untrust    0.0.0.0       C    0    0 Root
*   1 192.168.1.0/24   trust      0.0.0.0       C    0    0 Root
*   8 192.168.119.0/24 untrust    192.168.2.1   S   20    1 Root
ns5xp-> get event
Total event entries = 3070
Date Time Module Level Type Description
2006-12-21 00:54:26 system crit 00040 VPN 'VPN_to_Arlon' from 84.194.173.119
is up.
2006-12-21 00:54:25 system info 00536 IKE<84.194.173.119> Phase 2 msg ID
<1908ca2b>: Completed negotiations
with SPI <55cce5fb>, tunnel ID <5>,
and lifetime <3600> seconds/<0> KB.
2006-12-21 00:54:25 system info 00536 IKE<84.194.173.119> Phase 2 msg ID
<1908ca2b>: Responded to the peer's
first message.
2006-12-21 00:54:25 system info 00536 Rejected an IKE packet on untrust from
84.194.173.119:500 to 192.168.2.2:500
with cookies e3bbc0d02bc7cfb8 and
35f5e22bfd607cc5 because the IKE INFO
exchange mode hash payload was
invalid.
2006-12-21 00:54:25 system info 00536 IKE<84.194.173.119> Phase 1: Completed
Aggressive mode negotiations with a
<28800>-second lifetime.
2006-12-21 00:54:24 system info 00536 IKE<84.194.173.119> Phase 1: Responder
starts AGGRESSIVE mode negotiations.
--- more ---
2006-12-21 00:54:22 system info 00536 Rejected an IKE packet on untrust from
192.168.2.2:500 to 84.194.173.119:500
with cookies a858f808b2bd0887 and
40f38852162f9c93 because an
unencrypted packet unexpectedly
arrived.
2006-12-21 00:54:18 system info 00536 Rejected an IKE packet on untrust from
192.168.2.2:500 to 84.194.173.119:500
with cookies a858f808b2bd0887 and
40f38852162f9c93 because an
unencrypted packet unexpectedly
arrived.
2006-12-21 00:54:14 system info 00536 Rejected an IKE packet on untrust from
192.168.2.2:500 to 84.194.173.119:500
with cookies a858f808b2bd0887 and
40f38852162f9c93 because an
unencrypted packet unexpectedly
arrived.
2006-12-21 00:54:14 system info 00536 IKE<84.194.173.119> Phase 2: Initiated
negotiations.
2006-12-21 00:54:12 system notif 00533 VIP server 192.168.1.1 is now alive.
2006-12-21 00:54:10 system crit 00023 VIP server 192.168.1.1 cannot be
--- more ---

rgds

Beecky
 