Author Topic: Netscreen ISG : traffic required to trigger tunnel  (Read 402 times)

michaelamd

Netscreen ISG : traffic required to trigger tunnel
« on: October 31, 2016, 08:55:38 pm »
We are configuring VPN with a (right side) Netscreen ISG 1000 device; our left side is natted. Once the handshake floats the port from 500-> 4500, the Netscreen device does not appear to respond. Only initiating a traceroute from Netscreen side causes traffic to return through port 4500, and a complete tunnel negotiation.

us (natted) <--> Netscreen

Is this indicative of the right side needing to modify their "establish-tunnels (immediately | on-traffic)" setting, and where in the menu could they change this?

Could something else cause this behavior?

Trace of logs (data masked):

"myConnection" #2: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
| inserting event EVENT_NAT_T_KEEPALIVE, timeout in 20 seconds
| event added at head of queue
...
"myConnection" #3: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
| deleting event for #3
| NAT-T: floating to port 4500
| NAT-T connection has wrong interface definition 173.0.0.224:4500 vs 173.0.0.224:500
| NAT-T: using interface eth0:4500
| sending reply packet to right_side_ip:4500 (from port 4500)
...
// this retries a few times and eventually stays in waiting for pending DDNS
| next event EVENT_PENDING_DDNS in 0 seconds
| *time to handle event
| handling event EVENT_PENDING_DDNS
| event after this is EVENT_PENDING_PHASE2 in 60 seconds
| inserting event EVENT_PENDING_DDNS, timeout in 60 seconds
| event added at head of queue
| next event EVENT_PENDING_DDNS in 60 seconds

...
// finally then they run traceroute, traffic comes through and the tunnel is negotiated

| *received 200 bytes from right_side_ip:4500 on eth0 (port=4500)
...
packet from right_side_ip:4500: ignoring unknown Vendor ID payload [....0000000000000000]
packet from right_side_ip:4500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
packet from right_side_ip:4500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
packet from right_side_ip:4500: received Vendor ID payload [Dead Peer Detection]
packet from right_side_ip:4500: ignoring Vendor ID payload [HeartBeat Notify 386b0100]
...
"myConnection" #4: responding to Main Mode
...


Thanks!