[Swan] Aggressive mode not possible with Juniper Netscreen
Elison Niven
elison.niven at cyberoam.com
Fri Jan 18 11:41:59 EET 2013
On Wednesday 16 January 2013 10:17:12 PM IST, Paul Wouters wrote:
>
> It seems to match the screen shot configuration apart from that I don't
> see the compress= option or the pfs= option. I recommend setting compress
> to "no". Compression can cause weirdness where it works if you
> respond, but not when you initiate, due to the extra flexibility on
> the *swan side for this. If that still fails, try to _also_ set pfs=no.
I tried with compress=no and then also with pfs=no.
No difference. Still get the same error.
>>> I doubt that it is a configuration error as if I initiate the tunnel
>>> from Libreswan, it gets established successfully.
>
> Which seems to be the reverse of the compress= issue...
>
> Do you have any logs of the netscreen?
Read from bottom to top, Netscreen says it is done with Phase 1.
2013-01-18 21:19:42 info Rejected an IKE packet on untrust from
10.103.2.75:500 to 10.103.6.114:500 with cookies ca2acb1d14ef4d95 and
faac2e39e076cef3 because an unencrypted packet unexpectedly arrived.
2013-01-18 21:19:38 info Rejected an IKE packet on untrust from
10.103.2.75:500 to 10.103.6.114:500 with cookies ca2acb1d14ef4d95 and
faac2e39e076cef3 because an unencrypted packet unexpectedly arrived.
2013-01-18 21:19:38 info Rejected an IKE packet on untrust from
10.103.2.75:500 to 10.103.6.114:500 with cookies ca2acb1d14ef4d95 and
faac2e39e076cef3 because an unencrypted packet unexpectedly arrived.
2013-01-18 21:19:38 info IKE<10.103.6.114> Phase 2: Initiated
negotiations.
2013-01-18 21:19:38 info IKE<10.103.6.114> Phase 1: Completed
Aggressive mode negotiations with a <28800>-second lifetime.
2013-01-18 21:19:38 info IKE<10.103.2.75> >> <10.103.6.114> Phase 1:
Initiated negotiations in aggressive mode.
Any ideas on how I can make this work?
--
Best Regards,
Elison Niven