VPN tunnel between Netscreen and Cisco

Recently I had some troubles setting up a VPN between a Netscreen and a Cisco device from the remote party.

We had agreed upon a Preshared Key and 3DES/SHA1 encryption/hash algorithms using main mode and DH group 2. The Cisco side had added group 2 to their isamkp setting but they could not add the same group command to the transform command so my Phase2 had NOPFS set while my Phase1 was DH group 2.

The tunnel still did not come up, debugging was not useful as it was the Netscreen that initiated the tunnel every time and the log just showed an answer from the Cisco with “no proposal chosen”. After looking into their config and a hint on the internet, I configured the proxyID on the tunnel with local address = my WAN IP and remote address = their WAN IP. And that did the trick, tunnel was up.

Leave a Reply