Sean,

Take a look at http://www.vpnc.org/.

They perform all sorts of VPN device interoperability tests, using OpenBSD
as the common denominator. They have info on how to set up your Netscreen
box to make it work with OpenBSD. 

-----Original Message-----
From: Sean Knox [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, July 27, 2005 2:50 AM
To: Hans-Joerg Hoexer
Cc: misc
Subject: Re: Phase 2 problem between isakmpd and Netscreen

On Wed, 27 Jul 2005, Hans-Joerg Hoexer wrote:

> Hi,
>
> this worked with an older isakmpd version?  Is this netscreen box some 
> kind of appliance or just some windows software?

Nope, I've not been able to get isakmpd and the netscreen to finish phase 2.
Sorry I wasn't clearer about the type of netscreen...it's a Juniper
Netscreen ISG2000. It's a 4u (I think) appliance that runs ScreenOS,
Juniper's firewall OS. AFAIK, it runs an "industry standard IPSec
implementation." Datasheet/marketing fluff pdf here:
http://www.juniper.net/products/integrated/dsheet/110036.pdf


> The general problem is, I can only test interoperability with open 
> source vpn solutions on standard hardware.  If people need to rely on 
> interoperability with appliance X and Windows client Y and MacOS 
> client Z, I need this kind of hardware/software.

I understand completely. While I'd love to donate an ISG2000 without serving
time in prison or going bankrupt, at the moment all I can do is test. As the
smaller netscreen models also run the same OS, I'd imagine it'd be possible
to debug with one of those. As mentioned, if my isakmpd logs/pcaps are
possibly useful toward a fix, let me know. I'll continue banging away at
this in the meantime (and possibly bugging Juniper for more info).

sk

>
> On Wed, Jul 27, 2005 at 01:35:34AM -0700, Sean Knox wrote:
> > (posted a similar message originally on the IPSec list; thought I'd 
> > post here too)
> >
> > Hey all-
> >
> > I almost have a working VPN between isakmpd and a Netscreen box-- 
> > things fail at phase 2 as the peers enter quick mode.
> >
> > 64.81.74.226 = isakmpd
> > 206.14.210.146 = netscreen
> >
> > 00:28:11.947907 64.81.74.226.500 > 206.14.210.146.500:  [udp sum ok] 
> > isakmp v1.0 exchange QUICK_MODE
> >     cookie: eb114e8223bc0965->3aac9200ac79d919 msgid: 9e7ccdd5 len: 284
> >     payload: HASH len: 24
> >     payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
> >         payload: PROPOSAL len: 44 proposal: 1 proto: IPSEC_ESP spisz: 4
> > xforms: 1 SPI: 0xadfa06f3
> >             payload: TRANSFORM len: 32
> >                 transform: 1 ID: AES
> >                     attribute LIFE_TYPE = SECONDS
> >                     attribute LIFE_DURATION = 1200
> >                     attribute ENCAPSULATION_MODE = TUNNEL
> >                     attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
> >                     attribute GROUP_DESCRIPTION = 2
> >                     attribute KEY_LENGTH = 128
> >     payload: NONCE len: 20
> >     payload: KEY_EXCH len: 132
> >     payload: ID len: 12 type: IPV4_ADDR = 64.81.74.226
> >     payload: ID len: 12 type: IPV4_ADDR = 130.94.4.65 [ttl 0] (id 1, len
> >     312)
> > 00:28:12.138720 206.14.210.146.500 > 64.81.74.226.500:  [udp sum ok] 
> > isakmp v1.0 exchange QUICK_MODE
> >     cookie: eb114e8223bc0965->3aac9200ac79d919 msgid: 9e7ccdd5 len: 300
> >     payload: HASH len: 24
> >     payload: SA len: 60 DOI: 1(IPSEC) situation: IDENTITY_ONLY
> >         payload: PROPOSAL len: 48 proposal: 1 proto: IPSEC_ESP spisz: 4
> > xforms: 1 SPI: 0x0502a8eb
> >             payload: TRANSFORM len: 36
> >                 transform: 1 ID: AES
> >                     attribute LIFE_TYPE = SECONDS
> >                     attribute LIFE_DURATION = 000004b0
> >                     attribute ENCAPSULATION_MODE = TUNNEL
> >                     attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
> >                     attribute GROUP_DESCRIPTION = 2
> >                     attribute KEY_LENGTH = 128
> >     payload: NONCE len: 24
> >     payload: KEY_EXCH len: 132
> >     payload: ID len: 12 type: IPV4_ADDR = 64.81.74.226
> >     payload: ID len: 12 type: IPV4_ADDR = 130.94.4.65 [ttl 0] (id 1, len
> >     328)
> > 00:28:15.838995 206.14.210.146.500 > 64.81.74.226.500:  [udp sum ok] 
> > isakmp v1.0 exchange QUICK_MODE
> >     cookie: eb114e8223bc0965->3aac9200ac79d919 msgid: 9e7ccdd5 len: 300
> >     payload: HASH len: 24
> >     payload: SA len: 60 DOI: 1(IPSEC) situation: IDENTITY_ONLY
> >         payload: PROPOSAL len: 48 proposal: 1 proto: IPSEC_ESP spisz: 4
> > xforms: 1 SPI: 0x0502a8eb
> >             payload: TRANSFORM len: 36
> >                 transform: 1 ID: AES
> >                     attribute LIFE_TYPE = SECONDS
> >                     attribute LIFE_DURATION = 000004b0
> >                     attribute ENCAPSULATION_MODE = TUNNEL
> >                     attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
> >                     attribute GROUP_DESCRIPTION = 2
> >                     attribute KEY_LENGTH = 128
> >     payload: NONCE len: 24
> >     payload: KEY_EXCH len: 132
> >     payload: ID len: 12 type: IPV4_ADDR = 64.81.74.226
> >     payload: ID len: 12 type: IPV4_ADDR = 130.94.4.65 [ttl 0] (id 1, len
> >     328)
> >
> > --snip--
> >
> > Note the wacky LIFE_DURATION sent by the netscreen. As shown in the 
> > packet capture the netscreen continues to send quick mode packets 
> > but isakmpd never responds. I've logs at http://obstacle9.com/isakmpd/ .
> > I've tried different transforms and proposal settings but the result 
> > is the same. This happens on a snapshot from a few days ago.
> >
> >
> > thanks,
> > sk
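A note on the LIFE_DURATION values in the capture above, with an added worked example that is not part of this thread, isakmpd, or ScreenOS. ISAKMP data attributes (RFC 2408, section 3.3) come in two encodings: the basic TV form, where the high bit of the type is set and a 16-bit value follows, and the variable-length TLV form, where the type is followed by a 16-bit length and then the value bytes. RFC 2407 allows LIFE_DURATION in either form. 0x000004b0 is 1200 decimal, the same lifetime isakmpd proposes, so the Netscreen is sending the same number in the TLV form; that also accounts for the TRANSFORM payload growing from 32 to 36 bytes (a 4-byte TV attribute replaced by an 8-byte TLV one). The code below rebuilds the ESP/AES transform from the capture in both encodings and parses each back, checking every length against the bytes actually present so a bad TLV length from a peer cannot cause an over-read. Attribute numbers and names come from RFC 2407 and RFC 3602; the function names are my own.

```python
"""Encoding and decoding of ISAKMP data attributes inside an IPsec DOI
transform payload (attribute format from RFC 2408 section 3.3, attribute
types and values from RFC 2407 section 4.5, ESP transform ID from RFC 3602).
Example code written for this thread; not part of isakmpd or ScreenOS."""
import struct

AF_BIT = 0x8000  # attribute format bit: set = basic (TV), clear = variable (TLV)

# IPsec DOI transform attribute types (RFC 2407, section 4.5)
ATTR_NAMES = {
    1: "LIFE_TYPE",
    2: "LIFE_DURATION",
    3: "GROUP_DESCRIPTION",
    4: "ENCAPSULATION_MODE",
    5: "AUTHENTICATION_ALGORITHM",
    6: "KEY_LENGTH",
}
ESP_AES = 12  # ESP transform identifier for AES (RFC 3602)

# Transform payload header: next payload, reserved, payload length,
# transform number, transform ID, reserved (RFC 2408, section 3.6)
TRANSFORM_HDR = struct.Struct("!BBHBBH")


def encode_attribute(attr_type, value, variable=False):
    """Encode one data attribute.

    Basic (TV) form: AF bit set, the 16-bit value sits where the length
    field would be.  Variable (TLV) form: AF bit clear, a 16-bit length
    followed by the value as a big-endian byte string (4 bytes here, the
    way the capture shows LIFE_DURATION = 000004b0)."""
    if not variable:
        if not 0 <= value <= 0xFFFF:
            raise ValueError("basic attribute value must fit in 16 bits")
        return struct.pack("!HH", AF_BIT | attr_type, value)
    data = value.to_bytes(4, "big")
    return struct.pack("!HH", attr_type, len(data)) + data


def decode_attributes(buf):
    """Parse a run of data attributes into {name: int}.

    Both encodings are accepted, as RFC 2407 allows for LIFE_DURATION.
    Every length is checked against the bytes actually present so a bogus
    TLV length from a peer cannot drive a read past the payload."""
    attrs = {}
    off = 0
    while off < len(buf):
        if len(buf) - off < 4:
            raise ValueError("truncated attribute header at offset %d" % off)
        raw_type, lv = struct.unpack_from("!HH", buf, off)
        off += 4
        attr_type = raw_type & ~AF_BIT
        name = ATTR_NAMES.get(attr_type, "UNKNOWN_%d" % attr_type)
        if raw_type & AF_BIT:
            value = lv  # basic: the field itself is the value
        else:
            if lv == 0 or lv > len(buf) - off:
                raise ValueError("bad TLV length %d for %s" % (lv, name))
            value = int.from_bytes(buf[off:off + lv], "big")
            off += lv
        attrs[name] = value
    return attrs


def build_transform(life_duration_variable):
    """Build the ESP/AES transform from the capture, with LIFE_DURATION in
    either encoding.  Attribute order follows the tcpdump output."""
    attrs = b"".join([
        encode_attribute(1, 1),                                      # LIFE_TYPE = SECONDS
        encode_attribute(2, 1200, variable=life_duration_variable),  # LIFE_DURATION = 1200
        encode_attribute(4, 1),                                      # ENCAPSULATION_MODE = TUNNEL
        encode_attribute(5, 2),                                      # AUTHENTICATION_ALGORITHM = HMAC_SHA
        encode_attribute(3, 2),                                      # GROUP_DESCRIPTION = 2 (1024-bit MODP)
        encode_attribute(6, 128),                                    # KEY_LENGTH = 128
    ])
    length = TRANSFORM_HDR.size + len(attrs)
    return TRANSFORM_HDR.pack(0, 0, length, 1, ESP_AES, 0) + attrs


def parse_transform(payload):
    """Parse a transform payload, validating its length field first."""
    if len(payload) < TRANSFORM_HDR.size:
        raise ValueError("transform payload shorter than its header")
    _next, _res, length, number, xform_id, _res2 = TRANSFORM_HDR.unpack_from(payload)
    if length != len(payload):
        raise ValueError("transform length %d does not match %d bytes" % (length, len(payload)))
    return {
        "transform": number,
        "id": xform_id,
        "length": length,
        "attributes": decode_attributes(payload[TRANSFORM_HDR.size:length]),
    }


if __name__ == "__main__":
    for variable in (False, True):
        t = build_transform(variable)
        print("TLV" if variable else "TV", "LIFE_DURATION: len", len(t), parse_transform(t))
```

Running it prints the 32-byte and 36-byte transforms decoding to the same attribute set; the only difference on the wire is how the 1200-second lifetime is framed. A receiver that only understands one of the two forms will see the other as an unknown or malformed attribute, which is the first thing to check in the isakmpd logs when quick mode goes silent.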
