[Swan] Aggressive mode not possible with Juniper Netscreen

Elison Niven elison.niven at cyberoam.com
Fri Jan 18 11:41:59 EET 2013


On Wednesday 16 January 2013 10:17:12 PM IST, Paul Wouters wrote:
>
> It seems to match the screen shot configuration apart from that I don't
> see the compress= option or the pfs= option. I recommend setting compress
> to "no". Compression can cause weirdness where it works if you respond,
> but not when you initiate, due to the extra flexibility on the *swan side
> for this. If that still fails, try to _also_ set pfs=no.

I tried with compress=no and then also with pfs=no.
No difference. Still get the same error.

>>> I doubt that it is a configuration error, as if I initiate the tunnel
>>> from Libreswan, it gets established successfully.
>
> Which seems to be the reverse of the compress= issue...
>
> Do you have any logs of the netscreen?

Read from bottom to top, Netscreen says it is done with Phase 1.

2013-01-18 21:19:42	info	Rejected an IKE packet on untrust from 10.103.2.75:500 to 10.103.6.114:500 with cookies ca2acb1d14ef4d95 and faac2e39e076cef3 because an unencrypted packet unexpectedly arrived.
2013-01-18 21:19:38	info	Rejected an IKE packet on untrust from 10.103.2.75:500 to 10.103.6.114:500 with cookies ca2acb1d14ef4d95 and faac2e39e076cef3 because an unencrypted packet unexpectedly arrived.
2013-01-18 21:19:38	info	Rejected an IKE packet on untrust from 10.103.2.75:500 to 10.103.6.114:500 with cookies ca2acb1d14ef4d95 and faac2e39e076cef3 because an unencrypted packet unexpectedly arrived.
2013-01-18 21:19:38	info	IKE<10.103.6.114> Phase 2: Initiated negotiations.
2013-01-18 21:19:38	info	IKE<10.103.6.114> Phase 1: Completed Aggressive mode negotiations with a <28800>-second lifetime.
2013-01-18 21:19:38	info	IKE<10.103.2.75> >> <10.103.6.114> Phase 1: Initiated negotiations in aggressive mode.

Any ideas on how I can make this work?

--
Best Regards,
Elison Niven
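The ScreenOS message "an unencrypted packet unexpectedly arrived" is a statement about one bit in the ISAKMP header: once a gateway considers Phase 1 established for a cookie pair, it expects every further packet with those cookies to set the Encryption flag. The following is an added example, not code from this thread, from Libreswan or from ScreenOS. It decodes the fixed ISAKMP header (RFC 2408) and replays the exchange the quoted log implies with a deliberately simplified SA tracker. Assumptions: the cookie pair and addresses are copied from the quoted reject lines, the rejecting gateway is taken to be the "to" address 10.103.6.114, the tracker's accept/reject rule is a model rather than either product's real state machine, and the cleartext packet that triggers the reject is a hypothetical retransmission.

```python
import struct
from dataclasses import dataclass

# ISAKMP header, RFC 2408 section 3.1; every IKEv1 message starts with it:
#   initiator cookie (8) | responder cookie (8) | next payload (1) | version (1)
#   exchange type (1)    | flags (1)            | message ID (4)   | length (4)
ISAKMP_HDR = struct.Struct(">8s8sBBBBII")
HDR_LEN = ISAKMP_HDR.size  # 28 bytes
IKEV1_VERSION = 0x10       # major 1, minor 0

# Exchange types (RFC 2408 s3.1, RFC 2409 appendix A).
EXCH_AGGRESSIVE = 4
EXCH_INFORMATIONAL = 5
EXCH_QUICK = 32

# Header flag bit 0 (RFC 2408 s3.1): everything after the header is encrypted
# under the Phase 1 SA that the cookie pair identifies.
FLAG_ENCRYPTION = 0x01

# Cookie pair and addresses copied from the ScreenOS log quoted above.
ICOOKIE = bytes.fromhex("ca2acb1d14ef4d95")
RCOOKIE = bytes.fromhex("faac2e39e076cef3")
PEER, LOCAL = "10.103.2.75", "10.103.6.114"  # assumption: the rejecting gateway is the 'to' address


@dataclass(frozen=True)
class IsakmpHeader:
    icookie: bytes
    rcookie: bytes
    next_payload: int
    version: int
    exchange: int
    flags: int
    message_id: int
    length: int

    @property
    def encrypted(self) -> bool:
        return bool(self.flags & FLAG_ENCRYPTION)

    @property
    def cookies(self) -> tuple:
        return (self.icookie.hex(), self.rcookie.hex())


def build_packet(icookie, rcookie, exchange, flags=0, message_id=0, body=b"", next_payload=1):
    """Constructed packet for the simulation: a real header over an opaque body."""
    return ISAKMP_HDR.pack(icookie, rcookie, next_payload, IKEV1_VERSION,
                           exchange, flags, message_id, HDR_LEN + len(body)) + body


def parse_header(data: bytes) -> IsakmpHeader:
    """Decode the fixed header (for instance from a tcpdump -x dump of UDP/500)
    and check length and version before trusting anything else in it."""
    if len(data) < HDR_LEN:
        raise ValueError(f"short ISAKMP packet: {len(data)} bytes")
    hdr = IsakmpHeader(*ISAKMP_HDR.unpack_from(data))
    if hdr.length != len(data):
        raise ValueError(f"header length {hdr.length} != datagram length {len(data)}")
    if hdr.version >> 4 != 1:
        raise ValueError(f"not IKEv1: major version {hdr.version >> 4}")
    return hdr


class IkeSaTracker:
    """One Phase 1 SA keyed by cookie pair, as the local daemon sees it.

    Simplified rule (an assumption, not ScreenOS or Libreswan code): while
    Phase 1 is negotiating, cleartext is normal because all three aggressive
    mode messages travel unencrypted (RFC 2409 section 5); once the local side
    has declared Phase 1 complete, every packet carrying these cookies must set
    the Encryption flag, and a cleartext one is rejected in the log's wording."""

    def __init__(self, icookie, rcookie, peer, local):
        self.cookies = (icookie.hex(), rcookie.hex())
        self.peer, self.local = peer, local
        self.phase1_complete = False
        self.events = []

    def complete_phase1(self, lifetime=28800):
        self.phase1_complete = True
        self.events.append(f"Phase 1: Completed Aggressive mode negotiations "
                           f"with a <{lifetime}>-second lifetime.")

    def receive(self, data: bytes) -> str:
        hdr = parse_header(data)
        if hdr.cookies != self.cookies:
            return "ignored"  # some other SA, not this tracker's business
        if self.phase1_complete and not hdr.encrypted:
            self.events.append(
                f"Rejected an IKE packet on untrust from {self.peer}:500 to {self.local}:500 "
                f"with cookies {hdr.cookies[0]} and {hdr.cookies[1]} "
                f"because an unencrypted packet unexpectedly arrived.")
            return "rejected"
        return "accepted"


def simulate():
    """Replay the exchange the log implies, local side as aggressive mode
    initiator. Returns the per-packet verdicts and the generated events."""
    sa = IkeSaTracker(ICOOKIE, RCOOKIE, PEER, LOCAL)
    verdicts = []
    # Message 2 of aggressive mode arrives in the clear while still negotiating.
    verdicts.append(sa.receive(build_packet(ICOOKIE, RCOOKIE, EXCH_AGGRESSIVE, body=b"SA KE Nr IDir HASH_R")))
    # Local side sends message 3, declares Phase 1 done and starts Phase 2.
    sa.complete_phase1()
    # Quick mode packet with the Encryption flag set: accepted.
    verdicts.append(sa.receive(build_packet(ICOOKIE, RCOOKIE, EXCH_QUICK, FLAG_ENCRYPTION, 0x1A2B3C4D, b"\x00" * 16)))
    # Cleartext packet for the same cookies after Phase 1 is done (hypothetical
    # retransmission of message 2): exactly what the quoted log reports.
    verdicts.append(sa.receive(build_packet(ICOOKIE, RCOOKIE, EXCH_AGGRESSIVE, body=b"SA KE Nr IDir HASH_R")))
    # Unrelated cookie pair: ignored rather than counted against this SA.
    verdicts.append(sa.receive(build_packet(ICOOKIE, bytes(8), EXCH_INFORMATIONAL)))
    return verdicts, sa.events


if __name__ == "__main__":
    for line in simulate()[1]:
        print(line)
```

When triaging a capture of this failure, feed the raw UDP/500 payloads to `parse_header` and look at `encrypted` and `message_id` for packets that arrive after the gateway logged Phase 1 as complete: a cleartext packet with message ID 0 and exchange type 4 is a Phase 1 message being sent again, whereas a cleartext packet with a non-zero message ID is a Phase 2 or informational message sent without the flag. In main mode the last two Phase 1 messages already carry the flag, so this particular mismatch shows up with aggressive mode, whose three messages are all cleartext.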


