[Vpn-help] Tunnel to juniper SSG - Shrew thinks it is up but Juniper does not

Daniel Qian daniel.qian at supracanada.com
Thu Jul 2 13:33:36 CDT 2009


Ok the tunnel is up now. It turned out to be PFS has to be set specifically 
instead of auto. But another issue arises - no traffic is returning from the 
remote device. I tried pinging a host on the remote inside network but no 
reply. Any idea what could be the reason?

Thanks,
Daniel


----- Original Message ----- 
From: "Matthew Grooms" <mgrooms at shrew.net>
To: "Daniel Qian" <daniel.qian at supracanada.com>
Cc: <vpn-help at lists.shrew.net>
Sent: Tuesday, June 30, 2009 11:19 PM
Subject: Re: [Vpn-help] Tunnel to juniper SSG - Shrew thinks it is up but 
Juniper does not


> Daniel Qian wrote:
>>
>> When I tried to ping an IP behind the remote firewall I got this:
>>
>> 2001-07-29 11:31:12    info    IKE x.x.x.x Phase 2 msg ID e3e5cc76:
>> Negotiations have failed.
>> 2001-07-29 11:31:12    info    IKE x.x.x.x Phase 2 msg ID e3e5cc76:
>> Negotiations have failed for user vpn at customer.com.
>
> This is the part of the output that is important ...
>
>> 2001-07-29 11:31:12    info    Rejected an IKE packet on ethernet0/0 from
>> x.x.x.x:28372 to y.y.y.y:4500 with cookies 59cfb0db677d4558 and
>> 04829041c531b49e because There were no acceptable Phase 2 proposals..
>>
>
> You're establishing phase1 and getting caught up on phase2 negotiations.
> Most likely, the netscreen doesn't like the proposal being sent by the
> client. Assuming you followed the howto, if you look at the following
> document section ...
>
> http://www.shrew.net/support/wiki/HowtoJuniperSsg#CreateanAutoKeyIKEGateway
>
> ... you will see how to configure the gateway's phase2 parameters for
> vpnclient connections. When the client sends a phase2 proposal, they
> have to match what's configured on the gateway.
>
> For example, if you chose ...
>
> nopfs-esp-3des-md5
> nopfs-esp-3des-md5
> nopfs-esp-aes128-sha
> nopfs-esp-aes128-sha
>
> ... for "Phase 2 proposal" under the advanced parameters section, the
> client has to send one of those combinations exactly. If it doesn't
> match any of them, the gateway will report the error message shown in
> your log output "There were no acceptable Phase 2 proposals". If the
> client has all of its parameters set to 'auto', then it will send a slew
> of likely phase2 proposal combinations in an attempt to match whatever
> is configured on the gateway.
>
> The other possibility is that the connection from the client isn't
> getting matched to the proper "AutoKey IKE Gateway" definition. In the
> example shown in the document, it will use the vpnclient_tunnel as the
> phase2 parameters for any connection that matched vpnclient_gateway
> "AutoKey Advanced / Gateway" for its phase1 parameters. How does your
> connection match "vpn at customer.com" back to your "AutoKey IKE Gateway"?
>
> The client and the gateway both appear to be working properly. This
> looks like a configuration issue. I can assure you that it works with
> juniper products as I have an SSG in my lab that I do regular testing 
> with.
>
> -Matthew
>
>
> 
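The proposal-matching rule Matthew describes above, as an added example (not Shrew Soft or Juniper code): a small model of how a ScreenOS gateway accepts or rejects the Phase 2 proposals a client offers. Proposal names follow the ScreenOS naming quoted in the thread (nopfs/g1/g2/g5, esp, cipher, hash); the `auto_proposals` list is a constructed approximation of the "slew" an all-auto client sends, not the client's real order or set.

```python
"""Model of ScreenOS Phase 2 proposal matching (added example, not vendor code)."""
import itertools
import re

# ScreenOS-style proposal names, e.g. "nopfs-esp-3des-md5" or "g2-esp-aes128-sha".
# The accepted value lists are an assumption covering the common predefined names.
PROPOSAL_RE = re.compile(
    r"^(?P<pfs>nopfs|g1|g2|g5)-esp-(?P<enc>des|3des|aes128|aes192|aes256)-(?P<auth>md5|sha)$"
)


def parse_proposal(name):
    """Split a proposal name into its (pfs_group, cipher, hash) triple."""
    m = PROPOSAL_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised proposal name: {name}")
    return (m["pfs"], m["enc"], m["auth"])


def select_phase2(gateway_proposals, client_proposals):
    """Return the first client proposal the gateway also has configured.

    None corresponds to the log line "There were no acceptable Phase 2
    proposals": every attribute (PFS group, cipher, hash) must match exactly.
    """
    accepted = {parse_proposal(p) for p in gateway_proposals}
    for name in client_proposals:
        if parse_proposal(name) in accepted:
            return name
    return None


def auto_proposals(pfs=("nopfs", "g2"), encs=("aes128", "3des"), auths=("sha", "md5")):
    """Constructed stand-in for an all-'auto' client: offer every combination."""
    return [f"{p}-esp-{e}-{a}" for p, e, a in itertools.product(pfs, encs, auths)]


# The gateway list from the quoted example (duplicates collapse in the set).
GATEWAY = ["nopfs-esp-3des-md5", "nopfs-esp-aes128-sha"]

if __name__ == "__main__":
    # A client pinned to PFS group 2 never matches a nopfs-only gateway.
    print(select_phase2(GATEWAY, ["g2-esp-aes128-sha"]))   # None -> "no acceptable proposals"
    # An all-auto client eventually offers a matching nopfs combination.
    print(select_phase2(GATEWAY, auto_proposals()))        # nopfs-esp-aes128-sha
```

Setting the client's PFS explicitly, as the thread concluded, simply removes the combinations the gateway would reject and makes the match deterministic.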
