Title: Endian <-> Juniper IPSec VPN tunnel
Post by: derick@replic8.co.bw on Friday 01 May 2015, 07:20:23 am

Hi all,

First post here. Before I get into the nitty-gritty, I do not consider myself to be an Endian guru by any means, so please bear with me. We're trying to configure an Endian <-> IPSec Net-to-Net tunnel, but so far, it's just not working. From Endian (the UI I have access to), it does end up showing as "Connected" eventually, but looking at /var/log/endian/ipsec/ipsec.log, it does not appear too happy at all.

Before I get to the technical bits and pieces, has anyone ever managed to successfully do an IPSec Endian <-> Juniper Net-to-Net tunnel? If so, can you please advise?

The technical details:
Endian version: 3.0.devel running on 2.6.32 kernel
Authentication type: PSK
IKE encryption: 3DES
IKE group type: DH group 2
IKE version: 1
IKE integrity: SHA1
IKE lifetime: 24 hours
ESP encryption: 3DES
ESP group type: DH group 2
ESP integrity: SHA1
ESP lifetime: 24 hours

As mentioned before, Endian shows this as "connected" eventually, but the connectivity just isn't there. Among the more ominous-looking log entries are:

peer not responding, trying again (153/0)
received retransmit of request with ID 2354 357634, but no response to retransmit
received unknown vendor ID:
[IKE] no matching CHILD_SA config found

I've tried all the combos of configs I could think of, but I've exhausted my options at this point. I'm thinking that there is either something on the Juniper side that's not quite right (which I cannot confirm, as I do not have access to it), or the Endian version we have needs updating, or Endian <-> Juniper IPSec Net-to-Net tunnelling is simply not possible. If there's anyone out there who can perhaps offer any advice, I'd appreciate it. Thanks in advance.

Title: Re: Endian <-> Juniper IPSec VPN tunnel
Post by: derick@replic8.co.bw on Monday 04 May 2015, 10:10:08 pm

Hi all,

Glad to say that this has been resolved. In short, the Juniper side was specified with ESP having "noPFS". With Endian, at least version 3.0.devel, it used IPSec version 5.1.1. Since IPSec version 5.0.0 and up, it's impossible to disable PFS. The Juniper side was altered to have PFS enabled, resolving the issue :)
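Added example, not taken from the thread or from Endian's own configuration: a strongSwan 5.x ipsec.conf fragment for the Endian side, written to the parameters listed in the first post. In strongSwan 5.x the phase-2 DH group is selected by including it in the `esp=` proposal (the 4.x `pfs=` keyword is no longer used), so whether PFS is on is decided by that one line, and a peer that proposes ESP without a DH group will not agree on a CHILD_SA with a side that insists on one. The connection name, addresses and subnets are made-up placeholders; the Juniper-side line in the comments assumes a ScreenOS peer, which the thread does not confirm.

```ini
# Added example (not from the thread): strongSwan 5.x ipsec.conf for the
# Endian side of the tunnel, using the IKE/ESP parameters from the post.
# Connection name, IPs and subnets are assumptions for illustration.
config setup
        charondebug="ike 1, cfg 1, knl 1"

conn to-juniper
        keyexchange=ikev1
        authby=secret               # PSK; the key itself lives in ipsec.secrets
        left=192.0.2.1              # Endian public IP (assumed)
        leftsubnet=10.10.0.0/24     # LAN behind Endian (assumed)
        right=198.51.100.1          # Juniper public IP (assumed)
        rightsubnet=10.20.0.0/24    # LAN behind Juniper (assumed)

        # Phase 1 (IKE SA): 3DES / SHA1 / DH group 2, 24 h lifetime
        ike=3des-sha1-modp1024!
        ikelifetime=24h

        # Phase 2 (CHILD_SA): 3DES / SHA1, 24 h lifetime.
        # The trailing DH group (modp1024 = group 2) is what turns PFS on
        # in strongSwan 5.x; there is no separate pfs= switch.  The peer
        # must propose the same group, or phase 2 will not negotiate.
        esp=3des-sha1-modp1024!
        lifetime=24h
        # A peer configured for "no PFS" would only match this instead:
        #   esp=3des-sha1!
        # On a ScreenOS peer (assumption) that is the difference between
        # the predefined proposals nopfs-esp-3des-sha and g2-esp-3des-sha.

        auto=start
```

The `!` suffix makes each proposal strict, so charon offers exactly what is listed instead of appending its defaults; that keeps the log readable when comparing against the peer. The algorithms above match the thread, not a recommendation: 3DES, SHA1 and DH group 2 are weak by current standards, and a new tunnel should use AES, SHA-2 and at least group 14 on both phases.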