    Juniper NetScreen: resolving "Cannot match Policy Entry for received Phase 1 ID" in the NetScreen-Remote Log Viewer
    Original work by wzknet@hotmail.com, Juniper ID: JPR29525, JNCIS-FWV
    NetScreen ISG-1000: Hardware Version: 3010(0)-(04), FPGA checksum: 00000000, VLAN1 IP (0.0.0.0), Software Version: 5.3.0r10.0, Type: Firewall+VPN
    NetScreen-Remote: SafeNet SoftRemote 8.0.0 (Build 14)
    Symptom: the customer's dial-up VPN (IKE+Xauth) cannot connect to the NetScreen gateway (Juniper NetScreen ISG-1000). The NetScreen-Remote Log Viewer shows the following log:
    Initiating IKE Phase 1 (IP ADDR=211.xxx.xxx.xx)
    SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID, VID, VID, VID)
    RECEIVED<<>>> ISAKMP OAK INFO (HASH, NOTIFY:INVALID_ID_INFO)
    Discarding IKE SA negotiation
    MY COOKIE 42 35 97 2 f4 c6 35 15
    HIS COOKIE da e5 29 34 45 72 dc a3
    RECEIVED<<< ISAKMP OAK AG (SA, VID, VID, VID, VID, KE, NON, ID, HASH, VID, NAT-D, NAT-D)
    Received message for non-active SA
    wzknet@hotmail.com
    http://k968888.blog.sohu.com
    The related log entries on the Juniper NetScreen ISG-1000:
    system info 00536 Rejected an IKE packet on ethernet1/1 from 121.201.217.55:500 to 211.xxx.xxx.xx:500 with cookies 6e341f52b69875ab and 6130c3fe4410810e because the peer sent a packet with a message ID before Phase 1 authentication was done. # ... Phase 1 authentication not completed
    system info 00536 IKE Phase 1: Responder starts AGGRESSIVE mode negotiations.
    Check the corresponding ike gateway configuration on the NetScreen gateway:
    netscreen_isg1000-> get config | in gateway
    set ike gateway "ikexauth_Gateway" dialup "ikexauth_group" Main local-id "IKEXAUTH" outgoing-interface "ethernet1/1" preshare "AsdENyaFnEUVn3swhLCcxjD7TdndgeSJoB==" proposal "pre-g2-3des-sha"
    As the output shows, the server side is configured with a Domain Name (that is, local-id) of IKEXAUTH.
    Checking the NetScreen-Remote configuration shows that no Domain Name is configured:
    After the following change, the VPN works normally:
    For more original documents, visit http://k968888.blog.sohu.com. Notice: when reposting, please credit the original source, http://k968888.blog.sohu.com. May 6, 2008, Guangzhou
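
The mismatch check described above, as an added example that is not part of the original document: it extracts the local-id from the quoted `set ike gateway` line, looks for the INVALID_ID_INFO notify in the NetScreen-Remote log, and compares the local-id with the Domain Name entered on the client. The function names, the `client_domain_name` parameter and the exact-match comparison are assumptions; the pre-shared key in the sample is replaced by a placeholder.

```python
import shlex

# Constructed samples: lines copied from the page, pre-shared key replaced by a placeholder.
GATEWAY_LINE = ('set ike gateway "ikexauth_Gateway" dialup "ikexauth_group" Main '
                'local-id "IKEXAUTH" outgoing-interface "ethernet1/1" '
                'preshare "<redacted>" proposal "pre-g2-3des-sha"')
CLIENT_LOG = [
    "Initiating IKE Phase 1 (IP ADDR=211.xxx.xxx.xx)",
    "SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID, VID, VID, VID)",
    "RECEIVED<<>>> ISAKMP OAK INFO (HASH, NOTIFY:INVALID_ID_INFO)",
    "Discarding IKE SA negotiation",
]
VALUE_KEYWORDS = {"dialup", "local-id", "outgoing-interface", "preshare", "proposal"}


def parse_ike_gateway(line):
    """Parse a 'set ike gateway' line into {keyword: value}; quoting is honoured."""
    tokens = shlex.split(line)
    if len(tokens) < 4 or tokens[:3] != ["set", "ike", "gateway"]:
        raise ValueError("not a 'set ike gateway' line")
    gateway = {"name": tokens[3]}
    it = iter(tokens[4:])
    for tok in it:
        if tok in VALUE_KEYWORDS:
            gateway[tok] = next(it, None)  # the keyword's value is the next token
    return gateway


def id_rejected(log_lines):
    """True when the client log shows Phase 1 dropped after an INVALID_ID_INFO notify."""
    text = "\n".join(log_lines)
    return "NOTIFY:INVALID_ID_INFO" in text and "Discarding IKE SA negotiation" in text


def diagnose(gateway_line, client_log, client_domain_name):
    """Return findings; client_domain_name is the client's Domain Name field or None."""
    findings = []
    local_id = parse_ike_gateway(gateway_line).get("local-id")
    if id_rejected(client_log):
        findings.append("client log: Phase 1 discarded with INVALID_ID_INFO")
    if local_id and not client_domain_name:
        findings.append(f"gateway local-id {local_id!r} set, client Domain Name empty")
    elif local_id and client_domain_name != local_id:  # exact match is an assumption
        findings.append(f"client Domain Name {client_domain_name!r} != local-id {local_id!r}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(GATEWAY_LINE, CLIENT_LOG, None):
        print(finding)
```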
