[Vpn-help] Juniper Netscreen Support

Stefan Bauer Bauer at puhlmann.net
Tue Dec 11 03:23:34 CST 2007


Hi Matthew,

Thank you for your fast reply. I could work it out, but a small problem persists: NAT-T.
I activated the NAT-T option for my user in the Netscreen web configuration and selected "nat-traversal enable" in the Shrew Soft VPN Client (v. 2.0.3).

The connection gets established, but no further bytes go through the VPN.

Please see the Shrew Soft VPN Trace log attached:

## : IKE Daemon, ver 2.0.3
## : Copyright 2007 Shrew Soft Inc.
## : This product linked OpenSSL 0.9.8e 23 Feb 2007
ii : opened C:\Program Files\ShrewSoft\VPN Client\debug\iked.log'
ii : opened C:\Program Files\ShrewSoft\VPN Client/debug/dump-ike.cap'
ii : opened C:\Program Files\ShrewSoft\VPN Client/debug/dump-pub.cap'
ii : rebuilding vnet device list ...
ii : device ROOT\VNET\0000 disabled
ii : network process thread begin ...
ii : pfkey process thread begin ...
ii : admin process thread begin ...
<A : peer config add message
DB : peer added
ii : local address 192.168.1.12:500 selected for peer
DB : tunnel added
<A : proposal config message
<A : proposal config message
<A : client config message
<A : local id 'sb at puhlmann.net' message
<A : preshared key message
<A : peer tunnel enable message
DB : new phase1 ( ISAKMP initiator )
DB : exchange type is aggressive
DB : 192.168.1.12:500 <-> 62.245.200.not-public:500
DB : 6315d1febce8b507:0000000000000000
DB : phase1 added
>> : security association payload
>> : - proposal #1 payload 
>> : -- transform #1 payload 
>> : key exchange payload
>> : nonce payload
>> : identification payload
>> : vendor id payload
>> : vendor id payload
>> : vendor id payload
>> : vendor id payload
>> : vendor id payload
-> : send IKE packet 192.168.1.12:500 -> 62.245.200.not-public:500 ( 407 bytes )
<- : recv IKE packet 62.245.200.not-public:500 -> 192.168.1.12:500 ( 344 bytes )
DB : phase1 found
<< : security association payload
<< : - propsal #1 payload 
<< : -- transform #1 payload 
ii : matched isakmp proposal #1 transform #1
ii : - transform    = ike
ii : - cipher type  = 3des
ii : - key length   = default
ii : - hash type    = sha1
ii : - dh group     = modp-1024
ii : - auth type    = psk
ii : - life seconds = 86400
ii : - life kbytes  = 512
<< : vendor id payload
ii : unknown vendor id ( 28 bytes )
<< : vendor id payload
ii : unknown vendor id ( 20 bytes )
<< : key exchange payload
<< : nonce payload
<< : identification payload
ii : phase1 id match ( natt prevents ip match )
ii : phase1 id match ( ipv4-host 62.245.200.not-public )
<< : hash payload
== : DH shared secret ( 128 bytes )
== : SETKEYID ( 20 bytes )
== : SETKEYID_d ( 20 bytes )
== : SETKEYID_a ( 20 bytes )
== : SETKEYID_e ( 20 bytes )
== : cipher key ( 40 bytes )
== : cipher iv ( 8 bytes )
== : phase1 hash_i ( computed ) ( 20 bytes )
>> : hash payload
>= : encrypt iv ( 8 bytes )
=> : encrypt packet ( 52 bytes )
== : stored iv ( 8 bytes )
-> : send IKE packet 192.168.1.12:500 -> 62.245.200.not-public:500 ( 80 bytes )
== : phase1 hash_r ( computed ) ( 20 bytes )
== : phase1 hash_r ( received ) ( 20 bytes )
ii : phase1 sa established
ii : 62.245.200.not-public:500 <-> 192.168.1.12:500
ii : 6315d1febce8b507:a4b2feb93b3e11df
ii : sending peer INITIAL-CONTACT notification
ii : - 192.168.1.12:500 -> 62.245.200.not-public:500
ii : - isakmp spi = 6315d1febce8b507:a4b2feb93b3e11df
ii : - data size 0
>> : hash payload
>> : notification payload
== : new informational hash ( 20 bytes )
== : new phase2 iv ( 8 bytes )
>= : encrypt iv ( 8 bytes )
=> : encrypt packet ( 80 bytes )
== : stored iv ( 8 bytes )
-> : send IKE packet 192.168.1.12:500 -> 62.245.200.not-public:500 ( 112 bytes )
DB : config added
ii : xauth is not required
ii : building config attribute list
ii : excluding unity attribute set
ii : config is not required
DB : config deleted ( config count 0 )
DB : phase2 not found
ii : VNET adapter MTU is 1500
ii : enabled adapter ROOT\VNET\0000
ii : creating NONE INBOUND policy 62.245.200.not-public/32 -> 192.168.1.12/32
K> : send X_SPDADD UNSPEC pfkey message
ii : creating NONE OUTBOUND policy 192.168.1.12/32 -> 62.245.200.not-public/32
K> : send X_SPDADD UNSPEC pfkey message
K< : recv X_SPDADD UNSPEC pfkey message
DB : policy added
K< : recv X_SPDADD UNSPEC pfkey message
DB : policy added
ii : created NONE policy route for 62.245.200.not-public/32
ii : creating IPSEC INBOUND policy 0.0.0.0 -> 192.168.11.212/32
K> : send X_SPDADD UNSPEC pfkey message
ii : creating IPSEC OUTBOUND policy 192.168.11.212/32 -> 0.0.0.0
K> : send X_SPDADD UNSPEC pfkey message
ii : created IPSEC policy route for 0.0.0.0
K< : recv X_SPDADD UNSPEC pfkey message
DB : policy added
K< : recv X_SPDADD UNSPEC pfkey message
DB : policy added
K< : recv ACQUIRE UNSPEC pfkey message
DB : policy found
DB : policy found
DB : tunnel found
DB : new phase2 ( IPSEC initiator )
DB : phase2 added
K> : send GETSPI ESP pfkey message
K< : recv GETSPI ESP pfkey message
DB : phase2 found
ii : updated spi for 1 ipsec-esp proposal
DB : phase1 found
>> : hash payload
>> : security association payload
>> : - proposal #1 payload 
>> : -- transform #1 payload 
>> : nonce payload
>> : key exchange payload
>> : identification payload
>> : identification payload
== : phase2 hash_i ( input ) ( 244 bytes )
== : phase2 hash_i ( computed ) ( 20 bytes )
== : new phase2 iv ( 8 bytes )
>= : encrypt iv ( 8 bytes )
=> : encrypt packet ( 292 bytes )
== : stored iv ( 8 bytes )
-> : send IKE packet 192.168.1.12:500 -> 62.245.200.not-public:500 ( 320 bytes )
ii : resending 1 exchange packet(s)


Thanks in advance

Stefan Bauer

--
Haiko Puhlmann, Beratung + Konzeption
EDV-Systeme und -Kommunikation
Georgenschwaigstraße 4
80807 München
Tel: +49-89-3536960-0
Fax: +49-89-3536960-9 
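The trace above ends with phase 1 established and the first quick-mode packet being retransmitted, still on UDP 500. The following is an added example, not code from the post, from Shrew Soft or from Juniper: a small Python parser that summarizes an iked trace of this format and reports where the negotiation stalled. The sample lines are constructed (trimmed, with a documentation-range peer address), the "phase2 sa established" message text is an assumption about what the client prints on success, and the port-float check simply tests whether NAT-T detection in phase 1 was followed by packets to UDP 4500.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input in the Shrew Soft iked trace format.
# It is a trimmed imitation of the log in the post, not the log itself.
SAMPLE_LOG = """\
DB : new phase1 ( ISAKMP initiator )
DB : exchange type is aggressive
ii : matched isakmp proposal #1 transform #1
ii : - cipher type  = 3des
ii : - hash type    = sha1
ii : - dh group     = modp-1024
ii : - auth type    = psk
ii : phase1 id match ( natt prevents ip match )
ii : phase1 sa established
DB : new phase2 ( IPSEC initiator )
-> : send IKE packet 192.168.1.12:500 -> 203.0.113.10:500 ( 320 bytes )
ii : resending 1 exchange packet(s)
"""

SEND_RE = re.compile(r"send IKE packet \S+:(\d+) -> \S+:(\d+)")
ATTR_RE = re.compile(r"ii : - ([a-z ]+?)\s*= (.+)")
RESEND_RE = re.compile(r"resending (\d+) exchange packet")


@dataclass
class IkeSummary:
    exchange: Optional[str] = None          # main / aggressive
    phase1_established: bool = False
    phase2_started: bool = False
    phase2_established: bool = False
    natt_detected: bool = False             # "natt prevents ip match" seen
    last_dst_port: Optional[int] = None     # UDP port of the last packet sent
    resends: int = 0                        # quick-mode retransmissions
    transform: Dict[str, str] = field(default_factory=dict)


def parse_iked_log(text: str) -> IkeSummary:
    """Walk the trace once and record the negotiation milestones it contains."""
    s = IkeSummary()
    for line in text.splitlines():
        line = line.strip()
        if "exchange type is" in line:
            s.exchange = line.rsplit(" ", 1)[1]
        elif "phase1 sa established" in line:
            s.phase1_established = True
        elif "new phase2" in line:
            s.phase2_started = True
        elif "phase2 sa established" in line:   # assumed success message text
            s.phase2_established = True
        elif "natt prevents ip match" in line:
            s.natt_detected = True
        elif (m := SEND_RE.search(line)):
            s.last_dst_port = int(m.group(2))
        elif (m := RESEND_RE.search(line)):
            s.resends += int(m.group(1))
        elif (m := ATTR_RE.match(line)):
            s.transform[m.group(1).strip()] = m.group(2).strip()
    return s


def diagnose(s: IkeSummary) -> List[str]:
    """Turn the milestones into the findings a practitioner would look for."""
    findings = []
    if not s.phase1_established:
        findings.append("phase 1 never completed; check proposal, PSK and peer ID")
        return findings
    if s.phase2_started and not s.phase2_established:
        msg = "phase 1 is up but phase 2 (quick mode) did not complete"
        if s.resends:
            msg += f"; initiator retransmitted {s.resends} time(s) with no reply"
        findings.append(msg)
    if s.natt_detected and s.last_dst_port == 500:
        findings.append("NAT-T was detected in phase 1 but the last IKE packet still "
                        "went to UDP 500, not 4500: no port float took place, so ESP "
                        "would not be UDP-encapsulated either")
    if s.exchange == "aggressive" and s.transform.get("auth type") == "psk":
        findings.append("aggressive mode with PSK: the responder's authentication hash "
                        "travels unencrypted and can be captured for offline dictionary "
                        "attack; prefer main mode or certificate authentication")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_iked_log(SAMPLE_LOG)):
        print("-", finding)
```

Run against a real trace with `diagnose(parse_iked_log(open("iked.log").read()))`. The port check is the one to look at first for a NAT-T problem: after a NAT is detected in phase 1, both IKE and the UDP-encapsulated ESP should move to UDP 4500, so a quick-mode packet still addressed to port 500 means the two sides did not agree on NAT traversal even though the option was enabled on both.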


