If you're only running GRE over IPSEC, try changing the local and remote proxy-ids to /32s (the GRE endpoints) and leave it at that.
On 19/11/2010, at 5:48 AM, Mike Williams wrote:
> Hey guys,
>
> Is anyone doing, or know how to do, IPSec tunnels between Openswan and Junos?
> Openswan 2.4 on kernel 2.6 to Junos 10.2R3.10 on a J-series to be precise.
>
> So far I've got phase 1 to complete, but phase 2 fails like this:
>
> KMD_PM_P2_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-2 [responder] failed
> for p1_local=ipv4(udp:500,[0..3]=85.234.234.118) p1_remote=ipv4(any:0,
> [0..3]=81.123.123.98) p2_local=ipv4_subnet(any:0,[0..7]=85.123.123.116/30)
> p2_remote=ipv4_subnet(any:0,[0..7]=81.234.234.96/29)
>
> Yet I have:
>
> mi...@thejay# show security ipsec vpn mcroffce_vpn
> bind-interface st0.0;
> ike {
>     gateway mcroffice_gateway;
>     proxy-identity {
>         local 85.234.234.116/30;
>         remote 81.123.123.96/29;
>         service any;
>     }
>     ipsec-policy ipsec_pol_1;
> }
> establish-tunnels immediately;
>
>
> Ideally I'd like the tunnel between 118/32 and 98/32 as I'll be routing stuff
> down a GRE tunnel over IPSec.
>
> With no (left|right)subnet defined in Openswan the P2 policy wanted is;
>
> p1_local=ipv4(udp:500,[0..3]=85.234.234.118) p1_remote=ipv4(any:0,
> [0..3]=81.123.123.98) p2_local=ipv4(any:0,[0..3]=85.234.234.118)
> p2_remote=ipv4(any:0,[0..3]=81.123.123.98)
>
> You *have* to specify address/prefix in proxy-identity though, so that
> couldn't possibly work as no CIDR mask is given in the request.
>
>
> Could any one possibly enlighten me please?
>
>
> Thanks
>
> --
> Mike Williams
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
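A way to check this kind of phase-2 mismatch before touching the config, as an added example that is not from the thread, Juniper or Openswan: a small Python script that pulls the peer's proposed phase-2 identities out of a KMD_PM_P2_POLICY_LOOKUP_FAILURE line and compares them with the proxy-identity configured on the Junos side. It handles both identity forms quoted above (ipv4 host IDs with no mask, and ipv4_subnet IDs with a mask); the sample log lines are the thread's, re-joined onto single lines, and the function names are my own.

```python
import ipaddress
import re

# Constructed sample: the KMD_PM_P2_POLICY_LOOKUP_FAILURE line quoted in the
# thread, re-joined onto a single line.
KMD_LINE = (
    "KMD_PM_P2_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-2 [responder] failed "
    "for p1_local=ipv4(udp:500,[0..3]=85.234.234.118) p1_remote=ipv4(any:0,"
    "[0..3]=81.123.123.98) p2_local=ipv4_subnet(any:0,[0..7]=85.123.123.116/30) "
    "p2_remote=ipv4_subnet(any:0,[0..7]=81.234.234.96/29)"
)

# Constructed sample: the policy Openswan asks for with no leftsubnet/rightsubnet.
KMD_HOST_LINE = (
    "p1_local=ipv4(udp:500,[0..3]=85.234.234.118) p1_remote=ipv4(any:0,"
    "[0..3]=81.123.123.98) p2_local=ipv4(any:0,[0..3]=85.234.234.118) "
    "p2_remote=ipv4(any:0,[0..3]=81.123.123.98)"
)

# Both identity forms seen in the log: ipv4(...=A.B.C.D) is a single host
# (equivalent to A.B.C.D/32); ipv4_subnet(...=A.B.C.D/len) carries a mask.
_P2_ID_RE = re.compile(
    r"(p2_local|p2_remote)=ipv4(?:_subnet)?\([^=]*=(\d+\.\d+\.\d+\.\d+(?:/\d+)?)\)"
)


def parse_p2_ids(line):
    """Return {'p2_local': IPv4Network, 'p2_remote': IPv4Network} from a KMD line."""
    ids = {}
    for name, cidr in _P2_ID_RE.findall(line):
        if "/" not in cidr:
            cidr += "/32"  # host identity: implicit /32
        ids[name] = ipaddress.ip_network(cidr, strict=False)
    if set(ids) != {"p2_local", "p2_remote"}:
        raise ValueError("no phase-2 identities found in line")
    return ids


def check_proxy_identity(line, configured_local, configured_remote):
    """Compare the peer's proposed phase-2 IDs with the Junos proxy-identity.
    Returns mismatch descriptions; an empty list means the lookup would match."""
    proposed = parse_p2_ids(line)
    configured = {
        "p2_local": ipaddress.ip_network(configured_local, strict=False),
        "p2_remote": ipaddress.ip_network(configured_remote, strict=False),
    }
    return [
        f"{name}: peer proposed {proposed[name]}, proxy-identity has {configured[name]}"
        for name in ("p2_local", "p2_remote")
        if proposed[name] != configured[name]
    ]
```

Run against the host-ID line with /32 proxy-identities it reports no mismatch; against the /30 and /29 proxy-identities in the quoted config it reports both sides.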