vpn remote 4621 with juniper

Status
Not open for further replies.

sweetp1808

Technical User
Aug 18, 2004
21
US
I am getting IKE Phase1 no response and cannot seem to get past this no matter what we try. Does anyone have any suggestions?

We used the manuals: VPNremote for the 4600 Series IP Telephones Rel 2.1 Administrator Guide, and Application Notes for Configuring Avaya VPNremote Phone with Juniper Secure Services Gateway using Policy-Based IPSec VPN and XAuth Enhanced Authentication, Issue 1.0.
 
What VPN-related log messages are you getting on your Juniper device?
 
Found something to check first:


The most common Phase 1 errors are:

Message: IKE <ip_addr> Phase 1: Retransmission limit has been reached.

Meaning: The initiator has attempted to initiate a VPN connection but has not received a response from the remote peer.

Action: See KB9349 - Possible solutions for Phase 1: Retransmission limit has been reached.



Message: IKE <ip_addr> Phase 1: Rejected an initial Phase 1 packet from an unrecognized peer gateway.

Meaning: The responder did not recognize the incoming request as originating from a valid gateway peer.

Action: On the responder, confirm the following IKE gateway configuration settings are correct:
  • The Static IP Address specified for the Remote Gateway is correct.
  • The Peer ID specified for the Remote Gateway is correct.
  • The outgoing interface is correct. (Unfortunately, you cannot change the IKE Gateway's outgoing interface. Create a new IKE Gateway that points to the correct outgoing interface and then change the AutoKey IKE so that it matches the new gateway.)



Message: IKE <ip_addr> Phase 1: Rejected an IKE packet on ethernet1/2 from <ip_addr>:<port> to <ip_addr>:<port> with cookies <cookie> and <cookie> because Phase 1 negotiations failed. (The preshared keys might not match.)

Meaning: The Phase 1 preshared keys do not match.

Action: On both the initiator and responder, re-enter the Preshared Key in the IKE gateway configuration.



Message: <ip_address> to <ip_address> with cookies <cookie id> and <cookie id> because there were no acceptable Phase 1 proposals.

Meaning: The Phase 1 proposals do not match.

Action: Make sure the parameters for the IKE gateway Phase 1 proposals on both the responder and the initiator match:
  • Authentication Method (Preshare, RSA-signature, or DSA-signature)
  • Diffie-Hellman Group Number (Group 1, 2, or 5)
  • Encryption Algorithm (DES, 3DES, or AES)
  • Hash Algorithm (MD5 or SHA-1)


___________________________________________
It works! Now if only I could remember what I did...
___________________________________________
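
A triage sketch for the four Phase 1 messages listed in the post above, added here as an example and not part of the original thread or any Juniper tooling. It assumes the event log has been exported as plain text lines and treats the first IPv4 address on a line as the peer; `PHASE1_RULES`, `triage` and the sample lines are hypothetical names and constructed data.

```python
import re
from collections import defaultdict

# Key phrase from each Phase 1 message quoted above -> (meaning, action).
PHASE1_RULES = [
    ("Retransmission limit has been reached",
     "no response from the remote peer",
     "see KB9349"),
    ("unrecognized peer gateway",
     "responder did not recognize the peer gateway",
     "check Remote Gateway static IP, Peer ID and outgoing interface"),
    ("preshared keys might not match",
     "Phase 1 preshared keys do not match",
     "re-enter the Preshared Key on initiator and responder"),
    ("no acceptable Phase 1 proposals",
     "Phase 1 proposals do not match",
     "match auth method, DH group, encryption and hash on both sides"),
]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def triage(lines):
    """Return {peer_ip: [(meaning, action, count), ...]} in first-seen order."""
    counts = defaultdict(dict)  # peer ip -> {(meaning, action): count}
    for line in lines:
        low = line.lower()
        for phrase, meaning, action in PHASE1_RULES:
            if phrase.lower() in low:
                m = IPV4.search(line)  # assumption: first address is the peer
                ip = m.group(0) if m else "unknown"
                key = (meaning, action)
                counts[ip][key] = counts[ip].get(key, 0) + 1
                break
    return {ip: [(m, a, n) for (m, a), n in c.items()] for ip, c in counts.items()}

# Constructed sample lines: the message templates above with documentation
# addresses (192.0.2.0/24, 198.51.100.0/24) filled in; not real device output.
SAMPLE = [
    "IKE 192.0.2.10 Phase 1: Retransmission limit has been reached.",
    "IKE 192.0.2.10 Phase 1: Retransmission limit has been reached.",
    "IKE 198.51.100.7 Phase 1: Rejected an initial Phase 1 packet from an unrecognized peer gateway.",
    "system: interface ethernet1/2 link up",
]

if __name__ == "__main__":
    for ip, findings in triage(SAMPLE).items():
        for meaning, action, n in findings:
            print(f"{ip}: {n}x {meaning} -> {action}")
```

Grouping by peer shows at a glance whether a phone is getting no response at all or is being actively rejected, which are different branches of the checklist above.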
 