[Vpn-help] Netscreen/Juniper xauth

James Angi jangi at abc6.com
Tue Jan 22 14:13:15 CST 2008


Here are the logs for my problem:

## : IKE Daemon, ver 2.0.3
## : Copyright 2007 Shrew Soft Inc.
## : This product linked OpenSSL 0.9.8e 23 Feb 2007
ii : opened C:\Program Files\ShrewSoft\VPN Client\debug\iked.log'
ii : rebuilding vnet device list ...
ii : device ROOT\VNET\0000 disabled
ii : network process thread begin ...
ii : pfkey process thread begin ...
K< : recv X_SPDDUMP UNSPEC pfkey message
DB : policy added
K< : recv X_SPDDUMP UNSPEC pfkey message
DB : policy added
K< : recv X_SPDDUMP UNSPEC pfkey message
DB : policy added
K< : recv X_SPDDUMP UNSPEC pfkey message
DB : policy added
K< : recv X_SPDDUMP UNSPEC pfkey message
DB : policy added
K< : recv X_SPDDUMP UNSPEC pfkey message
DB : policy added
ii : admin process thread begin ...
<A : peer config add message
DB : peer added
ii : local address 192.168.3.51:500 selected for peer
DB : tunnel added
<A : proposal config message
<A : proposal config message
<A : client config message
<A : xauth username message
<A : xauth password message
<A : local id 'rdp at abc6.com' message
<A : preshared key message
<A : remote resource message
<A : peer tunnel enable message
DB : new phase1 ( ISAKMP initiator )
DB : exchange type is aggressive
DB : 192.168.3.51:500 <-> 24.249.211.98:500
DB : 34ba04c41b14f41b:0000000000000000
DB : phase1 added
>> : security association payload
>> : - proposal #1 payload 
>> : -- transform #1 payload 
>> : key exchange payload
>> : nonce payload
>> : identification payload
>> : vendor id payload
>> : vendor id payload
>> : vendor id payload
>> : vendor id payload
>> : vendor id payload
>> : vendor id payload
-> : send IKE packet 192.168.3.51:500 -> 24.249.211.98:500 ( 404 bytes )
<- : recv IKE packet 24.249.211.98:500 -> 192.168.3.51:500 ( 412 bytes )
DB : phase1 found
<< : security association payload
<< : - propsal #1 payload 
<< : -- transform #1 payload 
ii : matched isakmp proposal #1 transform #1
ii : - transform    = ike
ii : - cipher type  = 3des
ii : - key length   = default
ii : - hash type    = sha1
ii : - dh group     = modp-1024
ii : - auth type    = xauth-initiator-psk
ii : - life seconds = 86400
ii : - life kbytes  = 0
<< : vendor id payload
ii : unknown vendor id ( 28 bytes )
<< : vendor id payload
ii : peer supports XAUTH
<< : vendor id payload
ii : unknown vendor id ( 20 bytes )
<< : key exchange payload
<< : nonce payload
<< : identification payload
ii : phase1 id match ( natt prevents ip match )
ii : phase1 id match ( ipv4-host 24.249.211.98 )
<< : hash payload
<< : vendor id payload
ii : peer supports NAT-T V02
<< : nat discovery payload
<< : nat discovery payload
ii : nat discovery - local address is translated
ii : switching to NAT-T UDP port 4500
== : DH shared secret ( 128 bytes )
== : SETKEYID ( 20 bytes )
== : SETKEYID_d ( 20 bytes )
== : SETKEYID_a ( 20 bytes )
== : SETKEYID_e ( 20 bytes )
== : cipher key ( 40 bytes )
== : cipher iv ( 8 bytes )
== : phase1 hash_i ( computed ) ( 20 bytes )
>> : hash payload
>> : nat discovery payload
>> : nat discovery payload
>= : encrypt iv ( 8 bytes )
=> : encrypt packet ( 100 bytes )
== : stored iv ( 8 bytes )
-> : send NAT-T:IKE packet 192.168.3.51:4500 -> 24.249.211.98:4500 ( 132 bytes )
== : phase1 hash_r ( computed ) ( 20 bytes )
== : phase1 hash_r ( received ) ( 20 bytes )
ii : phase1 sa established
ii : 24.249.211.98:4500 <-> 192.168.3.51:4500
ii : 34ba04c41b14f41b:2ee392556e87724c
ii : sending peer INITIAL-CONTACT notification
ii : - 192.168.3.51:4500 -> 24.249.211.98:4500
ii : - isakmp spi = 34ba04c41b14f41b:2ee392556e87724c
ii : - data size 0
>> : hash payload
>> : notification payload
== : new informational hash ( 20 bytes )
== : new phase2 iv ( 8 bytes )
>= : encrypt iv ( 8 bytes )
=> : encrypt packet ( 80 bytes )
== : stored iv ( 8 bytes )
-> : send NAT-T:IKE packet 192.168.3.51:4500 -> 24.249.211.98:4500 ( 116 bytes )
DB : phase2 not found
<- : recv NAT-T:IKE packet 24.249.211.98:4500 -> 192.168.3.51:4500 ( 76 bytes )
DB : phase1 found
DB : config not found
DB : config added
== : new phase2 iv ( 8 bytes )
=< : decrypt iv ( 8 bytes )
<= : decrypt packet ( 76 bytes )
== : stored iv ( 8 bytes )
<< : hash payload
<< : attribute payload
== : configure hash_i ( computed ) ( 20 bytes )
== : configure hash_c ( computed ) ( 20 bytes )
ii : configure hash verified
ii : received xauth request
>> : hash payload
>> : attribute payload
== : new configure hash ( 20 bytes )
>= : encrypt iv ( 8 bytes )
=> : encrypt packet ( 80 bytes )
== : stored iv ( 8 bytes )
-> : send NAT-T:IKE packet 192.168.3.51:4500 -> 24.249.211.98:4500 ( 116 bytes )
ii : sent xauth response for test
DB : config resend event canceled ( ref count = 1 )
DB : config deleted ( config count 0 )
<- : recv NAT-T:IKE packet 24.249.211.98:4500 -> 192.168.3.51:4500 ( 100 bytes )
DB : phase1 found
DB : config not found
DB : config added
== : new phase2 iv ( 8 bytes )
=< : decrypt iv ( 8 bytes )
<= : decrypt packet ( 100 bytes )
== : stored iv ( 8 bytes )
<< : hash payload
<< : attribute payload
== : configure hash_i ( computed ) ( 20 bytes )
== : configure hash_c ( computed ) ( 20 bytes )
ii : configure hash verified
ii : received config push request
ii : - IP4 Address = 172.27.18.101
ii : - IP4 Netmask = 255.255.255.255
ii : - IP4 DNS Server = 172.27.37.3
ii : - IP4 DNS Server = 172.27.37.4
ii : building config attribute list
ii : - IP4 Address
ii : - IP4 Netamask
ii : - IP4 DNS Server
ii : - DNS Suffix
ii : - Split DNS Domain
ii : - Login Banner
ii : - Save Password
ii : sending config push acknowledge
>> : hash payload
>> : attribute payload
== : new configure hash ( 20 bytes )
>= : encrypt iv ( 8 bytes )
=> : encrypt packet ( 88 bytes )
== : stored iv ( 8 bytes )
-> : send NAT-T:IKE packet 192.168.3.51:4500 -> 24.249.211.98:4500 ( 124 bytes )
DB : config resend event canceled ( ref count = 1 )
DB : config deleted ( config count 0 )
<- : recv NAT-T:IKE packet 24.249.211.98:4500 -> 192.168.3.51:4500 ( 68 bytes )
DB : phase1 found
DB : config not found
DB : config added
== : new phase2 iv ( 8 bytes )
=< : decrypt iv ( 8 bytes )
<= : decrypt packet ( 68 bytes )
== : stored iv ( 8 bytes )
<< : hash payload
<< : attribute payload
== : configure hash_i ( computed ) ( 20 bytes )
== : configure hash_c ( computed ) ( 20 bytes )
ii : configure hash verified
ii : received xauth result
!! : user test authentication failed
DB : config deleted ( config count 0 )
<- : recv NAT-T:IKE packet 24.249.211.98:4500 -> 192.168.3.51:4500 ( 68 bytes )
DB : phase1 found
DB : config not found
DB : config added
== : new phase2 iv ( 8 bytes )
=< : decrypt iv ( 8 bytes )
<= : decrypt packet ( 68 bytes )
== : stored iv ( 8 bytes )
<< : hash payload
<< : attribute payload
== : configure hash_i ( computed ) ( 20 bytes )
== : configure hash_c ( computed ) ( 20 bytes )
ii : configure hash verified
>> : hash payload
>> : attribute payload
== : new configure hash ( 20 bytes )
>= : encrypt iv ( 8 bytes )
=> : encrypt packet ( 64 bytes )
== : stored iv ( 8 bytes )
-> : send NAT-T:IKE packet 192.168.3.51:4500 -> 24.249.211.98:4500 ( 100 bytes )
ii : sent xauth acknowledge
DB : config resend event canceled ( ref count = 1 )
DB : config deleted ( config count 0 )
ii : VNET adapter MTU is 1500
ii : enabled adapter ROOT\VNET\0000
ii : creating IPSEC INBOUND policy 172.27.0.0/16 -> 172.27.18.101/32
K> : send X_SPDADD UNSPEC pfkey message
ii : creating IPSEC OUTBOUND policy 172.27.18.101/32 -> 172.27.0.0/16
K> : send X_SPDADD UNSPEC pfkey message
K< : recv X_SPDADD UNSPEC pfkey message
DB : policy added
K< : recv X_SPDADD UNSPEC pfkey message
DB : policy added
ii : created IPSEC policy route for 172.27.0.0/16
DB : policy found
ii : removing IPSEC INBOUND policy 172.27.0.0/16 -> 172.27.18.101/32
K> : send X_SPDDELETE2 UNSPEC pfkey message
DB : policy found
ii : removing IPSEC OUTBOUND policy 172.27.18.101/32 -> 172.27.0.0/16
K> : send X_SPDDELETE2 UNSPEC pfkey message
ii : removed IPSEC policy route for 172.27.0.0/16
K< : recv X_SPDDELETE2 UNSPEC pfkey message
DB : policy found
DB : policy deleted ( policy count = 7 )
K< : recv X_SPDDELETE2 UNSPEC pfkey message
DB : policy found
DB : policy deleted ( policy count = 6 )
ii : disabled adapter ROOT\VNET\0000
DB : removing all tunnel refrences
DB : phase1 natt event canceled ( ref count = 2 )
DB : phase1 hard event canceled ( ref count = 1 )
ii : sending peer DELETE message
ii : - 192.168.3.51:4500 -> 24.249.211.98:4500
ii : - isakmp spi = 34ba04c41b14f41b:2ee392556e87724c
ii : - data size 0
>> : hash payload
>> : delete payload
== : new informational hash ( 20 bytes )
== : new phase2 iv ( 8 bytes )
>= : encrypt iv ( 8 bytes )
=> : encrypt packet ( 80 bytes )
== : stored iv ( 8 bytes )
-> : send NAT-T:IKE packet 192.168.3.51:4500 -> 24.249.211.98:4500 ( 116 bytes )
DB : phase1 deleted before expire time ( phase1 count = 0 )
DB : tunnel deleted ( tunnel count = 0 )
DB : peer deleted ( peer count = 0 )
ii : admin process thread exit ...

And from the Netscreen:
2008-01-22 15:20:19 info IKE<68.14.66.45>: XAuth login failed for gateway <WLNE-RDP GW>, username <test>, retry: 0, timeout: 1.
2008-01-22 15:20:19 info Rejected an IKE packet on ethernet3 from 68.14.66.45:4500 to 24.249.211.98:4500 with cookies 34ba04c41b14f41b and 2ee392556e87724c because a Phase 2 packet arrived while XAuth was still pending.
2008-01-22 15:20:19 info IKE<68.14.66.45> Phase 1: Completed Aggressive mode negotiations with a <28800>-second lifetime.
2008-01-22 15:20:19 info IKE<68.14.66.45> Phase 1: Completed for user <RDP>.
2008-01-22 15:20:19 info IKE<68.14.66.45> Phase 1: IKE responder has detected NAT in front of the remote device.
2008-01-22 15:20:19 info IKE<68.14.66.45> Phase 1: Responder starts AGGRESSIVE mode negotiations.

Hope they help...

James Angi
Director of IT
WLNE-TV / ABC6
Global Broadcasting
401.453.8057
jangi at abc6.com
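A way to cross-check the two logs above, as an added example that is not part of the original post and not code from Shrew Soft or Juniper: it parses excerpts of the quoted iked.log and NetScreen lines (embedded as sample input, copied from the post), matches the ISAKMP cookies so you know both sides are talking about the same SA, and reports what the two sides agree and differ on: NAT-T detected on both sides, XAuth for user test failing on both, the client proposing an 86400 s phase 1 lifetime while the gateway reports 28800 s, and the client's INITIAL-CONTACT informational going out before the XAuth request arrived while the gateway logged rejecting a post-phase-1 packet during pending XAuth. The regexes are written against exactly these line formats and are an assumption; they are not a general parser for either product. The NetScreen log is treated as newest-first, which is how the post shows it.

```python
import re

# Excerpts of the two logs quoted in the post, used as sample input for this
# added example (not vendor code). NetScreen lines are newest-first, as posted.
SHREW_LOG = """\
DB : exchange type is aggressive
ii : - cipher type  = 3des
ii : - hash type    = sha1
ii : - dh group     = modp-1024
ii : - auth type    = xauth-initiator-psk
ii : - life seconds = 86400
ii : switching to NAT-T UDP port 4500
ii : phase1 sa established
ii : 34ba04c41b14f41b:2ee392556e87724c
ii : sending peer INITIAL-CONTACT notification
ii : received xauth request
ii : sent xauth response for test
ii : received config push request
ii : received xauth result
!! : user test authentication failed
"""
NETSCREEN_LOG = """\
2008-01-22 15:20:19 info IKE<68.14.66.45>: XAuth login failed for gateway <WLNE-RDP GW>, username <test>, retry: 0, timeout: 1.
2008-01-22 15:20:19 info Rejected an IKE packet on ethernet3 from 68.14.66.45:4500 to 24.249.211.98:4500 with cookies 34ba04c41b14f41b and 2ee392556e87724c because a Phase 2 packet arrived while XAuth was still pending.
2008-01-22 15:20:19 info IKE<68.14.66.45> Phase 1: Completed Aggressive mode negotiations with a <28800>-second lifetime.
2008-01-22 15:20:19 info IKE<68.14.66.45> Phase 1: Completed for user <RDP>.
2008-01-22 15:20:19 info IKE<68.14.66.45> Phase 1: IKE responder has detected NAT in front of the remote device.
2008-01-22 15:20:19 info IKE<68.14.66.45> Phase 1: Responder starts AGGRESSIVE mode negotiations.
"""

# Patterns are assumptions fitted to the quoted line formats, not a full grammar.
PROPOSAL_RE = re.compile(r"^ii : - (cipher type|hash type|dh group|auth type|life seconds)\s*= (\S+)")
COOKIES_RE = re.compile(r"([0-9a-f]{16})[: ]+(?:and )?([0-9a-f]{16})")  # "a:b" (Shrew) or "a and b" (NetScreen)
NS_LIFETIME_RE = re.compile(r"<(\d+)>-second lifetime")
NS_USER_RE = re.compile(r"XAuth login failed .* username <([^>]+)>")
CLIENT_EVENTS = ("phase1 sa established", "sending peer INITIAL-CONTACT",
                 "received xauth request", "received xauth result")


def parse_shrew(text):
    """Extract negotiated parameters, SA cookies and event order from an iked.log excerpt."""
    info = {"proposal": {}, "events": [], "cookies": None, "natt": False,
            "xauth_user": None, "xauth_failed": False}
    for line in text.splitlines():
        if m := PROPOSAL_RE.match(line):
            info["proposal"][m.group(1)] = m.group(2)
        if (m := COOKIES_RE.search(line)) and m.group(2) != "0" * 16:
            info["cookies"] = (m.group(1), m.group(2))  # skip the all-zero pre-reply responder cookie
        info["natt"] |= "switching to NAT-T" in line
        if line.startswith("ii : sent xauth response for "):
            info["xauth_user"] = line.rsplit(" ", 1)[1]
        info["xauth_failed"] |= line.startswith("!! : user ") and line.endswith("authentication failed")
        info["events"] += [e for e in CLIENT_EVENTS if e in line]
    return info


def parse_netscreen(text):
    """Parse NetScreen IKE events; the log is newest-first, so reverse it into time order."""
    info = {"events": [], "cookies": None, "lifetime": None, "natt": False,
            "xauth_user": None, "xauth_failed": False, "rejected_during_xauth": False}
    for line in reversed(text.splitlines()):
        info["events"].append(line.split(" info ", 1)[1])
        if m := COOKIES_RE.search(line):
            info["cookies"] = (m.group(1), m.group(2))
        if m := NS_LIFETIME_RE.search(line):
            info["lifetime"] = int(m.group(1))
        if m := NS_USER_RE.search(line):
            info["xauth_user"], info["xauth_failed"] = m.group(1), True
        info["natt"] |= "detected NAT in front of the remote device" in line
        info["rejected_during_xauth"] |= "while XAuth was still pending" in line
    return info


def correlate(client, gateway):
    """Cross-check both sides; returns findings (for tooling) and human-readable notes."""
    ev = client["events"]
    before = (ev.index("sending peer INITIAL-CONTACT") < ev.index("received xauth request")
              if {"sending peer INITIAL-CONTACT", "received xauth request"} <= set(ev) else False)
    f = {
        "same_isakmp_sa": client["cookies"] is not None and client["cookies"] == gateway["cookies"],
        "nat_t_both_sides": client["natt"] and gateway["natt"],
        "xauth_user": client["xauth_user"] if client["xauth_user"] == gateway["xauth_user"] else None,
        "xauth_failed_both_sides": client["xauth_failed"] and gateway["xauth_failed"],
        "client_lifetime": int(client["proposal"].get("life seconds", 0)),
        "gateway_lifetime": gateway["lifetime"],
        "client_informational_before_xauth": before,
        "gateway_rejected_during_xauth": gateway["rejected_during_xauth"],
    }
    notes = []
    if f["same_isakmp_sa"]:
        notes.append("both logs describe the same ISAKMP SA %s:%s" % client["cookies"])
    if f["client_lifetime"] != f["gateway_lifetime"]:
        notes.append("phase 1 lifetime differs: client %s s, gateway %s s"
                     % (f["client_lifetime"], f["gateway_lifetime"]))
    if f["client_informational_before_xauth"] and f["gateway_rejected_during_xauth"]:
        notes.append("client sent INITIAL-CONTACT before the XAuth request; gateway rejected a "
                     "post-phase-1 packet while XAuth was still pending")
    if f["xauth_failed_both_sides"]:
        notes.append("XAuth for user %r failed on both sides" % f["xauth_user"])
    return f, notes
```

Run `correlate(parse_shrew(SHREW_LOG), parse_netscreen(NETSCREEN_LOG))` and print the notes; on the quoted logs it yields four. Matching on the cookie pair rather than on IP addresses is deliberate: the client sees itself as 192.168.3.51 behind NAT while the gateway logs 68.14.66.45, so the ISAKMP SPI is the only identifier both sides agree on.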
