[vpn-help] connecting to a Juniper SRX 210

Gauras Gaurauskas gaurasg at gmail.com
Sat Feb 20 04:39:05 CST 2010


Hello,

Has anybody tried to use Shrew VPN to establish a VPN with a Juniper SRX210?
When I try to connect with Shrew VPN to the SRX210, in Phase 1 the SRX210 sends
back the message NO-PROPOSAL-CHOSEN.
In the SRX debug log I see that the SRX is not able to recognize a peer:

Feb  3 01:16:14 ike_decode_packet: Start
Feb  3 01:16:14 ike_decode_packet: Start, SA = { 01e4a6ad e1553f43 -
41d763a0 0839b3be} / 00000000, nego = -1
Feb  3 01:16:14 ike_decode_payload_sa: Start
Feb  3 01:16:14 ike_decode_payload_t: Start, # trans = 3
Feb  3 01:16:14 ike_st_i_vid: VID[0..8] = 09002689 dfd6b712 ...
Feb  3 01:16:14 The remote server at 192.168.207.100:500 is
'draft-beaulieu-ike-xauth-02.txt'
Feb  3 01:16:14 ike_st_i_vid: VID[0..16] = 4485152d 18b6bbcd ...
Feb  3 01:16:14 Setting natt remote version to 2
Feb  3 01:16:14 The remote server at 192.168.207.100:500 is
'draft-ietf-ipsec-nat-t-ike-00'
Feb  3 01:16:14 ike_st_i_vid: VID[0..16] = 16f6ca16 e4a4066d ...
Feb  3 01:16:14 The remote server at 192.168.207.100:500 is '16 f6 ca 16 e4
a4 06 6d 83 82 1a 0f 0a ea a8 62'
Feb  3 01:16:14 ike_st_i_vid: VID[0..16] = 90cb8091 3ebb696e ...
Feb  3 01:16:14 Setting natt remote version to 3
Feb  3 01:16:14 The remote server at 192.168.207.100:500 is
'draft-ietf-ipsec-nat-t-ike-02'
Feb  3 01:16:14 ike_st_i_vid: VID[0..16] = 7d9419a6 5310ca6f ...
Feb  3 01:16:14 The remote server at 192.168.207.100:500 is
'draft-ietf-ipsec-nat-t-ike-03'
Feb  3 01:16:14 ike_st_i_vid: VID[0..16] = 4a131c81 07035845 ...
Feb  3 01:16:14 The remote server at 192.168.207.100:500 is '4a 13 1c 81 07
03 58 45 5c 57 28 f2 0e 95 45 2f'
Feb  3 01:16:14 ike_st_i_vid: VID[0..16] = afcad713 68a1f1c9 ...
Feb  3 01:16:14 The remote server at 192.168.207.100:500 is
'draft-ietf-ipsec-dpd-00.txt'
Feb  3 01:16:14 ike_st_i_vid: VID[0..16] = f14b94b7 bff1fef0 ...
Feb  3 01:16:14 The remote server at 192.168.207.100:500 is 'f1 4b 94 b7 bf
f1 fe f0 27 73 b8 c4 9f ed ed 26'
Feb  3 01:16:14 ike_st_i_vid: VID[0..20] = 166f932d 55eb64d8 ...
Feb  3 01:16:14 The remote server at 192.168.207.100:500 is '16 6f 93 2d 55
eb 64 d8 e4 df 4f d3 7e 23 13 f0 d0 fd 84 51'
Feb  3 01:16:14 ike_st_i_vid: VID[0..16] = 8404adf9 cda05760 ...
Feb  3 01:16:14 The remote server at 192.168.207.100:500 is '84 04 ad f9 cd
a0 57 60 b2 ca 29 2e 4b ff 53 7b'
Feb  3 01:16:14 ike_st_i_vid: VID[0..16] = 12f5f28c 457168a9 ...
Feb  3 01:16:14 The remote server at 192.168.207.100:500 is 'CISCO-UNITY'
Feb  3 01:16:14 ike_st_i_id: Start
Feb  3 01:16:14 ike_st_i_sa_proposal: Start
Feb  3 01:16:14 Not doing MM check since initiator=FALSE and exch_type=4
Feb  3 01:16:14 Unable to find ike gateway as remote peer:192.168.207.100 is
not recognized.
Feb  3 01:16:14 KMD_PM_P1_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-1
[responder] failed for p1_local=ipv4(any:0,[0..3]=84.15.44.82)
p1_remote=fqdn(any:0,[0..11]=user1.testas)
Feb  3 01:16:14 KMD_PM_P1_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-1
[responder] failed for p1_local=ipv4(any:0,[0..3]=84.15.44.82)
p1_remote=fqdn(any:0,[0..11]=user1.testas)
Feb  3 01:16:14 ike_isakmp_sa_reply: Start

I guess that it is because of the last VENDOR ID, which the Shrew VPN client sends
to the gateway. By default the last VID is 'CISCO-UNITY', but it seems that the SRX
expects 'JNPR IPSec Client'.
When I use the Juniper DynamicVPN client to connect to the SRX, the last VID sent by
the Juniper client is 'JNPR IPSec Client'.

Feb  3 00:37:03 ike_decode_payload_sa: Start
Feb  3 00:37:03 ike_decode_payload_t: Start, # trans = 1
Feb  3 00:37:03 ike_st_i_vid: VID[0..16] = afcad713 68a1f1c9 ...
Feb  3 00:37:03 The remote server at 192.168.207.100:1142 is
'draft-ietf-ipsec-dpd-00.txt'
Feb  3 00:37:03 ike_st_i_vid: VID[0..8] = 09002689 dfd6b712 ...
Feb  3 00:37:03 The remote server at 192.168.207.100:1142 is
'draft-beaulieu-ike-xauth-02.txt'
Feb  3 00:37:03 ike_st_i_vid: VID[0..16] = 7d9419a6 5310ca6f ...
Feb  3 00:37:03 Setting natt remote version to 3
Feb  3 00:37:03 The remote server at 192.168.207.100:1142 is
'draft-ietf-ipsec-nat-t-ike-03'
Feb  3 00:37:03 ike_st_i_vid: VID[0..16] = 90cb8091 3ebb696e ...
Feb  3 00:37:03 The remote server at 192.168.207.100:1142 is
'draft-ietf-ipsec-nat-t-ike-02'
Feb  3 00:37:03 ike_st_i_vid: VID[0..18] = 4a4e5052 20495053 ...
Feb  3 00:37:03 The remote server at 192.168.207.100:1142 is 'JNPR IPSec
Client'
Feb  3 00:37:03 ike_st_i_id: Start
Feb  3 00:37:03 ike_st_i_sa_proposal: Start
Feb  3 00:37:03 ike_isakmp_sa_reply: Start
Feb  3 00:37:03 ike_st_i_nonce: Start, nonce[0..64] = a8995644 916c8238 ...
Feb  3 00:37:03 ike_st_i_cert: Start
Feb  3 00:37:03 ike_st_i_hash_key: Start, no key_hash
Feb  3 00:37:03 ike_st_i_ke: Ke[0..192] = 0bfdd989 3383f389 ...
Feb  3 00:37:03 ike_st_i_cr: Start
Feb  3 00:37:03 ike_st_i_private: Start
Feb  3 00:37:03 ike_st_o_sa_values: Start
Feb  3 00:37:03 ike_st_o_ke: Start
Feb  3 00:37:03 ike_st_o_nonce: Start
Feb  3 00:37:03 ike_policy_reply_isakmp_nonce_data_len: Start
Feb  3 00:37:03 ike_st_o_id: Start

Is it possible to add a new feature to the Shrew VPN client similar to "Enable
Check Point Compatible Vendor ID", which would allow sending the 'JNPR IPSec
Client' VID as the last VID?
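As an added troubleshooting example (not from the post or the Shrew project), a small Python parser for SRX `ike` debug traces like the two quoted above: it records the vendor-ID sequence the peer sent and whether the responder's gateway lookup failed, so a Phase 1 NO-PROPOSAL-CHOSEN caused by an unrecognised peer can be told apart from a genuine proposal mismatch. The two traces are trimmed, unwrapped copies constructed from the post; the comparison against 'JNPR IPSec Client' reflects the poster's hypothesis, not a documented SRX requirement.

```python
import re

# Constructed samples: trimmed, unwrapped copies of the two SRX IKE debug
# traces quoted in the post (Shrew client first, Juniper DynamicVPN second).
SHREW_TRACE = """\
Feb  3 01:16:14 ike_st_i_vid: VID[0..8] = 09002689 dfd6b712 ...
Feb  3 01:16:14 The remote server at 192.168.207.100:500 is 'draft-beaulieu-ike-xauth-02.txt'
Feb  3 01:16:14 ike_st_i_vid: VID[0..16] = 12f5f28c 457168a9 ...
Feb  3 01:16:14 The remote server at 192.168.207.100:500 is 'CISCO-UNITY'
Feb  3 01:16:14 Unable to find ike gateway as remote peer:192.168.207.100 is not recognized.
Feb  3 01:16:14 KMD_PM_P1_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-1 [responder] failed for p1_local=ipv4(any:0,[0..3]=84.15.44.82) p1_remote=fqdn(any:0,[0..11]=user1.testas)
"""
DYNVPN_TRACE = """\
Feb  3 00:37:03 ike_st_i_vid: VID[0..18] = 4a4e5052 20495053 ...
Feb  3 00:37:03 The remote server at 192.168.207.100:1142 is 'JNPR IPSec Client'
Feb  3 00:37:03 ike_isakmp_sa_reply: Start
"""

VID_RE = re.compile(r"ike_st_i_vid: VID\[0\.\.(\d+)\]")
VID_NAME_RE = re.compile(r"The remote server at (\S+) is '([^']*)'")
P1_ID_RE = re.compile(r"p1_remote=(\w+)\(any:0,\[0\.\.\d+\]=([^)]+)\)")

def parse_phase1(trace):
    """Collect the vendor IDs in the order the peer sent them, plus the
    responder's gateway-lookup result, from an SRX 'ike' debug trace."""
    vids, pending_len = [], None
    result = {"peer": None, "vids": vids, "lookup_failed": False, "p1_remote": None}
    for line in trace.splitlines():
        if m := VID_RE.search(line):            # VID[0..N]: N bytes of vendor data
            pending_len = int(m.group(1))
        elif m := VID_NAME_RE.search(line):     # the gateway's decoded name for that VID
            result["peer"] = m.group(1)
            vids.append((m.group(2), pending_len))
        elif "KMD_PM_P1_POLICY_LOOKUP_FAILURE" in line or "is not recognized" in line:
            result["lookup_failed"] = True
            if m := P1_ID_RE.search(line):      # identity type/value the SRX tried to match
                result["p1_remote"] = (m.group(1), m.group(2))
    return result

def diagnose(trace):
    """Explain a Phase-1 NO-PROPOSAL-CHOSEN: a gateway-lookup failure means the
    SRX never evaluated the proposals, so the fix is peer/ID matching, not crypto."""
    info = parse_phase1(trace)
    last = info["vids"][-1][0] if info["vids"] else None
    if not info["lookup_failed"]:
        return f"ok: gateway matched peer {info['peer']}; last VID {last!r}"
    idtype, idval = info["p1_remote"] or ("?", "?")
    return (f"gateway lookup failed for peer {info['peer']} "
            f"(remote ID {idtype}={idval}); last VID {last!r}, "
            f"compare with 'JNPR IPSec Client'")
```

Run it against your own `traceoptions` output for the `ike` process; the remote ID type and value in the failure line are what the SRX gateway definition has to match.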