
Problem getting vpn to work between netscreen 208 and cisco 1721


From: Esger Abbink <esger () vesc nl>
Date: Wed, 27 Nov 2002 16:17:24 +0100

Hello,

I'm having quite a bit of trouble getting these two devices to 'vpn' well 
together, and I'm currently grasping at straws, hence the post to this list.

The situation is as follows:

internal net is 192.0.0.0/24 protected by ns208
external net is 10.1.1.0/24 protected by 1721

transit networks are 20.1.1.0/24 (ethernet) and 192.168.80.0/24 (ISDN). The 
ISDN dialup is done by another Cisco router.

the VPN is supposed to run between the ns208 and the 1721.

With some digging through documentation I've configured both devices and when 
initiated by traffic they negotiate a vpn link.

The problem is that when a packet is actually received on the cisco, it 
discards it with the following error message:

02:23:38: %CRYPTO-4-RECVD_PKT_INV_IDENTITY: identity doesn't match negotiated
identity
        (ip) dest_addr= 192.168.80.10, src_addr= 20.1.1.2, prot= 1
        (ident) local=192.168.80.10, remote=20.1.1.2
         local proxy=10.1.1.10/255.255.255.255/0/0,
         remote_proxy=192.0.0.0/255.255.255.0/0/0
02:23:38: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
02:23:49: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
02:24:00: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
02:24:10: IPSEC(epa_des_crypt): decrypted packet failed SA identity check

the netscreen displays no errors and thinks the vpn is up, although it does 
change that opinion to 'down' after a while.

the netscreen has OS release 4.0.0r1, the cisco has 12.2(8)T5.

At the moment I'm quite stuck with this. I've been in touch with both support 
desks and although they are working on it (for several days already), they 
both think their respective configs are fine and don't understand why it's not 
working. :(

I've included the config of both devices below.

If there's anyone who could offer some assistance, or better yet has a similar 
set-up in operation and is willing to provide working configs, that would be 
very much appreciated!

thanks in advance,

Esger



cisco config:

Current configuration : 1625 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
! NOTE(review): password encryption is explicitly disabled, so every
! "password" line below is stored and displayed in cleartext.
no service password-encryption
!
hostname 1721B
!
! The enable secret (type 5, MD5 hash) and the cleartext enable password
! are both exposed by posting this config to a public list.
enable secret 5 $1$nNH6$E4BctAYoaohhGO1A3jzi40
enable password XXXXXXXX
!
! Local username, presumably the CHAP identity of the other ISDN router
! (BRI0 below uses "ppp authentication chap") -- confirm. Stored as type 0
! (cleartext) because of "no service password-encryption".
username 1721A password 0 XXXXXXXXX
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
!
!
!
ip audit notify log
isdn switch-type basic-net3
!
! Phase 1 (ISAKMP): 3DES, pre-shared key, 28800 s lifetime. No "hash" or
! "group" line is present, so the IOS defaults (SHA-1, DH group 1) apply;
! this lines up with the NetScreen p1-proposal "pre-g1-3des-sha" in the post.
crypto isakmp policy 25
 encr 3des
 authentication pre-share
 lifetime 28800
! Pre-shared key is bound to the NetScreen's ethernet2 address (20.1.1.2),
! the same address used as "set peer" in the crypto map below.
crypto isakmp key XXXXXX address 20.1.1.2
!
crypto ipsec security-association lifetime seconds 28800
!
! Phase 2: ESP 3DES with SHA-1 HMAC, matching the NetScreen p2-proposal
! "g1-esp-3des-sha".
crypto ipsec transform-set paalA esp-3des esp-sha-hmac
!
crypto map tunnelmap 10 ipsec-isakmp
 set peer 20.1.1.2
 set transform-set paalA
! PFS with DH group 1 -- the NetScreen p2-proposal also specifies Group1.
 set pfs group1

! Interesting traffic is access-list 101 (10.1.1.0/24 <-> 192.0.0.0/24).
! NOTE(review): the CRYPTO-4-RECVD_PKT_INV_IDENTITY log in the post shows the
! negotiated local proxy as 10.1.1.10/32, not the /24 this ACL describes, and
! the dropped decrypted packet is 20.1.1.2 -> 192.168.80.10 prot 1 (ICMP),
! i.e. the tunnel endpoint addresses, which this ACL does not cover. That
! looks more like the NetScreen's "vpn monitor" probe than user traffic --
! confirm before changing the ACL.
 match address 101
!
!
!
!
! ISDN BRI is a member of dialer pool 1; the IP address and the crypto map
! are on Dialer1 below.
interface BRI0
 no ip address
 encapsulation ppp
 no ip mroute-cache
 dialer pool-member 1
 isdn switch-type basic-net3
 isdn spid1 25
 isdn spid2 26
 isdn answer1 25
 isdn answer2 26
 no cdp enable
 ppp authentication chap
!
! LAN behind this router: 10.1.1.0/24 (the "external net" in the post).
interface FastEthernet0
 ip address 10.1.1.10 255.255.255.0
 no ip mroute-cache
 speed auto
 half-duplex
!
! ISDN-side address. This is the address the NetScreen peers with
! ("set ike gateway "1721B" ip 192.168.80.10"), so IPsec terminates here.
interface Dialer1
 ip address 192.168.80.10 255.255.255.0
 encapsulation ppp
! NOTE(review): appears as "authentication chap" rather than
! "ppp authentication chap" as on BRI0 -- verify this is not a transcription
! error in the post.
 authentication chap
 dialer pool 1
 dialer idle-timeout 3600
 no cdp enable
 crypto map tunnelmap
!
ip classless
! The only static route: the NetScreen's transit net (20.1.1.0/24) via
! 192.168.80.1 on the ISDN side. No default route is configured.
ip route 20.1.1.0 255.255.255.0 192.168.80.1
no ip http server
ip pim bidir-enable
!
!
! Access-lists 1-3 are not referenced anywhere in this config.
access-list 1 permit any
access-list 2 permit any
access-list 3 permit any
! Crypto ACL referenced by "match address 101" in crypto map tunnelmap.
access-list 101 permit ip 10.1.1.0 0.0.0.255 192.0.0.0 0.0.0.255
! Permits all IP as interesting traffic, but no interface in this config
! carries a matching "dialer-group"; presumably the other ISDN router
! originates the call, as the post says -- confirm.
dialer-list 1 protocol ip permit
!
!
line con 0
line aux 0
! NOTE(review): vty login uses a cleartext line password, and no
! "access-class" restricts which sources may reach the vty lines.
line vty 0 4
 password makkie1
 login
!
no scheduler allocate
end


netscreen config:

set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth-server "DefL2TPAuthServer" id 1
set auth-server "DefL2TPAuthServer" account-type l2tp
set auth default auth server "Local"
set clock "timezone" 1
set admin format dos
set admin name "netscreen"
set admin password nKVUM2rwMUzPcrkG5sWIHdCtqkAibn
set admin auth timeout 10
set admin auth server "Local"
unset vrouter trust-vr sharable
unset vrouter "trust-vr" auto-route-export
set zone id 1000 "3rdparty"
set zone id 1001 "IA_palen"
set zone "Trust" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" vrouter "untrust-vr"
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "DMZ" vrouter "untrust-vr"
set zone "DMZ" tcp-rst
set zone "MGT" block
set zone "MGT" tcp-rst
set zone "3rdparty" vrouter "trust-vr"
set zone "3rdparty" block
set zone "3rdparty" tcp-rst
set zone "IA_palen" vrouter "trust-vr"
set zone "IA_palen" block
set zone "IA_palen" tcp-rst
set zone Untrust screen tear-drop
set zone Untrust screen syn-flood
set zone Untrust screen ping-death
set zone Untrust screen ip-filter-src
set zone Untrust screen land
set zone V1-Untrust screen tear-drop
set zone V1-Untrust screen syn-flood
set zone V1-Untrust screen ping-death
set zone V1-Untrust screen ip-filter-src
set zone V1-Untrust screen land
set interface "ethernet1" zone "Trust"
set interface "ethernet2" zone "3rdparty"
set interface "ethernet3" zone "Untrust"
set interface "ethernet5" zone "Trust"
set interface vlan1 ip 192.0.0.2/24
set interface ethernet1 ip 192.0.0.2/24
set interface ethernet1 route
set interface ethernet2 ip 20.1.1.2/24
set interface ethernet2 route
unset interface ethernet3 ip manageable
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet3 manage-ip 192.168.1.1
set interface ethernet2 manage ping
set address Trust "192.0.0.0/24" 192.0.0.0 255.255.255.0
set address Trust "192.0.0.12" 192.0.0.12 255.255.255.255
set address 3rdparty "10.1.1.0/24" 10.1.1.0 255.255.255.0
set address 3rdparty "1721" 192.168.80.10 255.255.255.255
set firewall log-self
set snmp name "ns208"
set ike p1-proposal "pre-g1-3des-sha" Preshare Group1 esp 3DES SHA-1 second 
28800
set ike p2-proposal "g1-esp-3des-sha" Group1 ESP 3DES SHA-1 second 28800
set ike gateway "1721B" ip 192.168.80.10 Main outgoing-interface "ethernet2" 
preshare "secret" proposal "pre-g1-3
des-sha"
unset ike policy-checking
set ike respond-bad-spi 1
set vpn "IA-vpn" id 6 gateway "1721B" replay tunnel idletime 0 proposal 
"g1-esp-3des-sha"
set vpn "IA-vpn" monitor
set ike id-mode subnet
set xauth lifetime 480
set xauth default auth server Local
set policy id 0 name "vpn-test" from "Trust" to "3rdparty"  "192.0.0.0/24" 
"10.1.1.0/24" "ANY" Tunnel vpn "IA-vpn
" id 9 pair-policy 1 no-session-backup
set policy id 1 name "vpn-test" from "3rdparty" to "Trust"  "10.1.1.0/24" 
"192.0.0.0/24" "ANY" Tunnel vpn "IA-vpn" id 9 pair-policy 0 no-session-backup
unset global-pro policy-manager primary outgoing-interface
unset global-pro policy-manager secondary outgoing-interface
set nsrp track-ip ip
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
set add-default-route vrouter untrust-vr
set route 192.168.80.0/24 interface ethernet2 gateway 20.1.1.20
set route 10.1.1.0/24 interface ethernet2
exit

