
IKE phase 2 negotiation fails when configuring IPSec VPN to Nortel Contivity; debug reports "P2 attributes not supported"


Article ID: KB12238 | Last Updated: 23 Jun 2010 | Version: 3.0
Summary:
Site-to-site IPsec VPN from a NetScreen ISG-1000 to a Nortel Contivity: IKE Phase 1 completes, but Phase 2 negotiation fails and the tunnel never comes up.
Symptoms:
IKE Phase 1 completes, but the negotiation fails in Phase 2, and the IKE debug output on the ISG (debug ike detail, read back with get dbuf stream) reports "P2 attributes not supported":

=============================
## 2008-03-03 10:14:52 : IKE<0.0.0.0        >   Check P2 Proposal
## 2008-03-03 10:14:52 : IKE<5.5.5.5> SA life type = seconds
## 2008-03-03 10:14:52 : IKE<0.0.0.0        >   SA life duration (TLV) = 0x 00 01 51 7f
## 2008-03-03 10:14:52 : IKE<0.0.0.0        >   encap mode from peer = 1.
## 2008-03-03 10:14:52 : IKE<0.0.0.0        >   encap mode after converting it to private value = 1.
## 2008-03-03 10:14:52 : IKE<5.5.5.5> Phase 2 received:
## 2008-03-03 10:14:52 : IKE<5.5.5.5> atts<00000003 00000000 00000003 00000002 00000001 00000000>
## 2008-03-03 10:14:52 : IKE<5.5.5.5> proto(3)<ESP>, esp(3)<ESP_3DES>, auth(2)<SHA>, encap(1)<TUNNEL>, group(0)
## 2008-03-03 10:14:52 : IKE<5.5.5.5> P2 proposal [0] selected.
## 2008-03-03 10:14:52 : IKE<0.0.0.0        >   Check P2 Proposal
## 2008-03-03 10:14:52 : IKE<5.5.5.5> Warning: Invalid SPI size of 2
## 2008-03-03 10:14:52 : IKE<5.5.5.5> SA life type = seconds
## 2008-03-03 10:14:52 : IKE<0.0.0.0        >   SA life duration (TLV) = 0x 00 01 51 7f
## 2008-03-03 10:14:52 : IKE<5.5.5.5> Phase 2 received:
## 2008-03-03 10:14:52 : IKE<5.5.5.5> atts<00000004 00000000 00000003 00000000 00000000 00000000>
## 2008-03-03 10:14:52 : IKE<5.5.5.5> P2 attributes not supported.
## 2008-03-03 10:14:52 : IKE<5.5.5.5> expect [0]:
## 2008-03-03 10:14:52 : IKE<5.5.5.5> atts<00000003 00000000 00000003 00000002 00000001 00000000>
## 2008-03-03 10:14:52 : IKE<5.5.5.5> proto(3)<ESP>, esp(3)<ESP_3DES>, auth(2)<SHA>, encap(1)<TUNNEL>, group(0)
## 2008-03-03 10:14:52 : IKE<0.0.0.0        >   Check P2 Proposal
## 2008-03-03 10:14:52 : IKE<5.5.5.5> SA life type = seconds
## 2008-03-03 10:14:52 : IKE<0.0.0.0        >   SA life duration (TLV) = 0x 00 01 51 7f
## 2008-03-03 10:14:52 : IKE<0.0.0.0        >   encap mode from peer = 1.
## 2008-03-03 10:14:52 : IKE<0.0.0.0        >   encap mode after converting it to private value = 1.
## 2008-03-03 10:14:52 : IKE<5.5.5.5> Phase 2 received:
## 2008-03-03 10:14:52 : IKE<5.5.5.5> atts<00000003 00000000 00000003 00000002 00000001 00000000>
## 2008-03-03 10:14:52 : IKE<5.5.5.5> proto(3)<ESP>, esp(3)<ESP_3DES>, auth(2)<SHA>, encap(1)<TUNNEL>, group(0)
## 2008-03-03 10:14:52 : IKE<5.5.5.5> P2 proposal [0] selected.
## 2008-03-03 10:14:52 : IKE<0.0.0.0        >   add sa list for msg id <cc196a09>
## 2008-03-03 10:14:52 : IKE<0.0.0.0        >   add sa list for msg id <cc196a09>
## 2008-03-03 10:14:52 : IKE<0.0.0.0        >   sa_s already exist sequence<4463>.
## 2008-03-03 10:14:52 : IKE<5.5.5.5> ERROR: add phase 2 sa!
## 2008-03-03 10:14:52 : IKE<5.5.5.5> (3,r): ERROR:
Error: processing quick-mode payloads
==========================
Solution:
The debug shows the Contivity offering two proposals. The first, atts<00000003 ...>, decodes to ESP with 3DES and SHA in tunnel mode and is accepted. The second, atts<00000004 ...>, carries IPsec DOI protocol 4, which is IPCOMP (IP Payload Compression, RFC 2407 section 4.4.1); the "Warning: Invalid SPI size of 2" just before it is the 2-byte IPComp CPI, which ScreenOS flags as an invalid SPI size. The ISG does not support that proposal ("P2 attributes not supported"), re-checks the ESP proposal under the same message ID, and quick mode then aborts with "sa_s already exist" and "ERROR: add phase 2 sa!".

The cause is two settings on the Nortel Contivity that are enabled by default and are Nortel-specific, so ScreenOS does not understand them:

1. Compression
2. Vendor ID

When configuring an IPsec VPN between a Nortel Contivity and a Juniper firewall, disable both settings on the Contivity. Then clear the stale IKE and IPsec state on the ISG (clear ike all, clear sa) and re-initiate the tunnel; the Phase 2 debug should now show only the ESP proposal, ending in "P2 proposal [0] selected" with no "Invalid SPI size" warning.
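To make the reading of the debug mechanical, the following script is an added example written for this article (not a Juniper tool and not part of the original KB). It rejoins debug lines the console wrapped mid-line, decodes every atts<...> tuple the firewall reports as received, and says which proposals were accepted and which were rejected and why. The tuple layout (protocol, unused, transform, auth, encapsulation, DH group) is an assumption inferred from the article's own decode line; protocol and IPCOMP transform names come from RFC 2407. The sample input is the relevant lines of the debug above, kept with their original wrapping.

```python
"""Parse ScreenOS 'debug ike' Phase 2 output and report which peer proposals
were accepted or rejected.  Added example for this article, not a Juniper tool."""
import re
from typing import Dict, List, Optional

# IPsec DOI protocol identifiers (RFC 2407, section 4.4.1).
PROTO_NAMES = {1: "ISAKMP", 2: "AH", 3: "ESP", 4: "IPCOMP"}
# IPCOMP transform identifiers (RFC 2407, section 4.4.5).
IPCOMP_TRANSFORMS = {1: "OUI", 2: "DEFLATE", 3: "LZS"}
# ESP transform identifiers relevant here (RFC 2407, section 4.4.4).
ESP_TRANSFORMS = {2: "ESP_DES", 3: "ESP_3DES", 12: "ESP_AES"}
# Assumed layout of the atts<...> tuple, inferred from the article's decode line
# (atts<3 0 3 2 1 0> == proto(3)<ESP>, esp(3)<ESP_3DES>, auth(2)<SHA>,
# encap(1)<TUNNEL>, group(0)); field [1] is unused in the article's output.
ATT_FIELDS = ("proto", "unused", "transform", "auth", "encap", "group")

PREFIX_RE = re.compile(r"^## \S+ \S+ : IKE<[^>]*>\s*")   # "## date time : IKE<peer>"
ATTS_RE = re.compile(r"^atts<([0-9a-fA-F ]+)>$")
SPI_RE = re.compile(r"Invalid SPI size of (\d+)")
SELECTED_RE = re.compile(r"P2 proposal \[\d+\] selected")

# Relevant lines of the debug shown in the article, wrapping and all.
SAMPLE_DEBUG = """\
## 2008-03-03 10:14:52 : IKE<0.0.0.0        >   Check P2 Proposal
## 2008-03-03 10:14:52 : IKE<5.5.5.5> Phase 2 received:
## 2008-03-03 10:14:52 : IKE<5.5.5.5> atts<00000003 00000000 00000003 00000
002 00000001 00000000>
## 2008-03-03 10:14:52 : IKE<5.5.5.5> proto(3)<ESP>, esp(3)<ESP_3DES>, auth
(2)<SHA>, encap(1)<TUNNEL>, group(0)
## 2008-03-03 10:14:52 : IKE<5.5.5.5> P2 proposal [0] selected.
## 2008-03-03 10:14:52 : IKE<0.0.0.0        >   Check P2 Proposal
## 2008-03-03 10:14:52 : IKE<5.5.5.5> Warning: Invalid SPI size of 2
## 2008-03-03 10:14:52 : IKE<5.5.5.5> Phase 2 received:
## 2008-03-03 10:14:52 : IKE<5.5.5.5> atts<00000004 00000000 00000003 00000
000 00000000 00000000>
## 2008-03-03 10:14:52 : IKE<5.5.5.5> P2 attributes not supported.
## 2008-03-03 10:14:52 : IKE<5.5.5.5> expect [0]:
## 2008-03-03 10:14:52 : IKE<5.5.5.5> atts<00000003 00000000 00000003 00000
002 00000001 00000000>
"""


def rejoin_wrapped(text: str) -> List[str]:
    """Every ScreenOS debug line starts with '## '; anything else is the tail of
    the previous line that the console wrapped, so glue it back on."""
    lines: List[str] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith("## ") or not lines:
            lines.append(line)
        else:
            lines[-1] += line
    return lines


def parse_phase2(debug: str) -> List[Dict]:
    """Return one dict per proposal the firewall reported as 'Phase 2 received',
    with decoded fields, any preceding SPI-size warning, and the verdict."""
    proposals: List[Dict] = []
    awaiting_atts = False
    spi_warning: Optional[int] = None
    current: Optional[Dict] = None
    for line in rejoin_wrapped(debug):
        msg = PREFIX_RE.sub("", line).strip()
        if msg.startswith("Check P2 Proposal"):
            spi_warning = None                      # a new proposal check begins
            continue
        m = SPI_RE.search(msg)
        if m:
            spi_warning = int(m.group(1))
            continue
        if msg.startswith("Phase 2 received:"):
            awaiting_atts = True                    # next line is the atts tuple
            continue
        m = ATTS_RE.match(msg)
        if m and awaiting_atts:                     # 'expect [n]:' atts lines are skipped
            words = [int(w, 16) for w in m.group(1).split()]
            current = dict(zip(ATT_FIELDS, words))
            current["spi_size_warning"] = spi_warning
            awaiting_atts = False
            continue
        if current is None:
            continue
        if msg.startswith("P2 attributes not supported"):
            current["accepted"] = False
            proposals.append(current)
            current = None
        elif SELECTED_RE.search(msg):
            current["accepted"] = True
            proposals.append(current)
            current = None
    return proposals


def explain(p: Dict) -> str:
    """One-line reading of a parsed proposal."""
    if p["proto"] == 4:
        alg = IPCOMP_TRANSFORMS.get(p["transform"], "transform %d" % p["transform"])
        what = ("IPCOMP/%s (IP Payload Compression; its 2-byte CPI is the "
                "'Invalid SPI size of %s' warning)" % (alg, p["spi_size_warning"]))
    elif p["proto"] == 3:
        alg = ESP_TRANSFORMS.get(p["transform"], "transform %d" % p["transform"])
        what = "ESP/%s auth=%d encap=%d group=%d" % (alg, p["auth"], p["encap"], p["group"])
    else:
        what = PROTO_NAMES.get(p["proto"], "proto %d" % p["proto"])
    verdict = "accepted" if p["accepted"] else "REJECTED: P2 attributes not supported"
    return "%s -> %s" % (what, verdict)


def analyze(debug: str) -> List[str]:
    return [explain(p) for p in parse_phase2(debug)]


if __name__ == "__main__":
    for line in analyze(SAMPLE_DEBUG):
        print(line)
```

Run it against a fresh capture (get dbuf stream output saved to a file and passed to analyze) after disabling Compression on the Contivity: a healthy negotiation yields only the ESP entry marked accepted, and any proto 4 entry means compression is still being offered.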