[Vpn-help] Tunnel to juniper SSG - Shrew thinks it is up but Juniper does not
Daniel Qian
daniel.qian at supracanada.com
Sat Jul 4 15:53:53 CDT 2009
----- Original Message -----
From: "Matthew Grooms" <mgrooms at shrew.net>
To: "Daniel Qian" <daniel.qian at supracanada.com>
Cc: <vpn-help at lists.shrew.net>
Sent: Saturday, July 04, 2009 2:31 AM
Subject: Re: [Vpn-help] Tunnel to juniper SSG - Shrew thinks it is up but Juniper does not
> Daniel Qian wrote:
>> OK, the tunnel is up now. It turned out that PFS has to be set
>> specifically instead of auto. But another issue arises - no traffic is
>> returning from the remote device. I tried pinging a host on the remote
>> inside network but got no reply. Any idea what could be the reason?
>>
>
> Daniel,
>
> Can you do a packet dump from a node inside the network to determine if
> they are reaching the distant host? If you do see the ping packets and
> responses, the next thing to check would be if ESP or UDP port 4500
> packets are being returned from the gateway to the client ( the encrypted
> responses ).
>
> -Matthew
>
>
>
I do not have a packet dump from the host, but I do have one from the Juniper
firewall which shows the return traffic to the client. The lines are shown
below and they are the same as those when I am connected with a working
Netscreen-Remote client. The interesting thing to note is that Shrew works
right after I reinstall it but stops working after a while for some reason.
My testing client is behind NAT.
In the dump, 11.11.11.11 is the public IP of the client, 22.22.22.22 is the
remote firewall IP, 10.220.10.21 is the inside host, and 172.16.220.1 is the
private IP assigned to the client from the VPN pool.
Thanks,
Daniel
****** 08558.0: <Trust/bgroup0> packet received [60]******
ipid = 30473(7709), @0338a830
packet passed sanity check.
bgroup0:10.220.10.21/1280->172.16.220.1/256,1(0/0)<Root>
existing session found. sess token 3
flow got session.
flow session id 8048
post addr xlation: 10.220.10.21->172.16.220.1.
skipping pre-frag
going into tunnel 40008002.
flow_encrypt: pipeline.
chip info: PIO. Tunnel id 00008002
(vn2) doing ESP encryption and size =64
ipsec encrypt prepare engine done
ipsec encrypt set engine done
ipsec encrypt engine released
ipsec encrypt done
put packet(3622bb8) into flush queue.
remove packet(3622bb8) out from flush queue.
**** jump to packet:22.22.22.22->11.11.11.11
going into tunnel c0008002.
flow_encrypt: enc vector=c8eda0.
out encryption tunnel c0008002 gw:33.33.33.33
no more encapping needed
send out through normal path.
flow_ip_send: 4ef2:22.22.22.22->11.11.11.11,17 => ethernet0/0(128) flag
0x0, vlan 0
mac 0030b880f5a0 in session
**** pak processing end.
****** 08563.0: <Trust/bgroup0> packet received [60]******
ipid = 30474(770a), @0338b030
packet passed sanity check.
bgroup0:10.220.10.21/1280->172.16.220.1/512,1(0/0)<Root>
existing session found. sess token 3
flow got session.
flow session id 8048
post addr xlation: 10.220.10.21->172.16.220.1.
skipping pre-frag
going into tunnel 40008002.
flow_encrypt: pipeline.
chip info: PIO. Tunnel id 00008002
(vn2) doing ESP encryption and size =64
ipsec encrypt prepare engine done
ipsec encrypt set engine done
ipsec encrypt engine released
ipsec encrypt done
put packet(3622bb8) into flush queue.
remove packet(3622bb8) out from flush queue.
**** jump to packet:22.22.22.22->11.11.11.11
going into tunnel c0008002.
flow_encrypt: enc vector=c8eda0.
out encryption tunnel c0008002 gw:33.33.33.33
no more encapping needed
send out through normal path.
flow_ip_send: 4ef4:22.22.22.22->11.11.11.11,17 => ethernet0/0(128) flag
0x0, vlan 0
mac 0030b880f5a0 in session
**** pak processing end.
****** 08569.0: <Trust/bgroup0> packet received [60]******
ipid = 30475(770b), @0338b830
packet passed sanity check.
bgroup0:10.220.10.21/1280->172.16.220.1/768,1(0/0)<Root>
existing session found. sess token 3
flow got session.
flow session id 8048
post addr xlation: 10.220.10.21->172.16.220.1.
skipping pre-frag
going into tunnel 40008002.
flow_encrypt: pipeline.
chip info: PIO. Tunnel id 00008002
(vn2) doing ESP encryption and size =64
ipsec encrypt prepare engine done
ipsec encrypt set engine done
ipsec encrypt engine released
ipsec encrypt done
put packet(3621d90) into flush queue.
remove packet(3621d90) out from flush queue.
**** jump to packet:22.22.22.22->11.11.11.11
going into tunnel c0008002.
flow_encrypt: enc vector=c8eda0.
out encryption tunnel c0008002 gw:33.33.33.33
no more encapping needed
send out through normal path.
flow_ip_send: 4f0b:22.22.22.22->11.11.11.11,17 => ethernet0/0(128) flag
0x0, vlan 0
mac 0030b880f5a0 in session
**** pak processing end.
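The check Matthew asks for (does the gateway actually emit ESP, or UDP-encapsulated ESP, back toward the client?) can be read straight off a trace like the one above: the inner flow line gives the cleartext packet, `doing ESP encryption` shows the tunnel encrypting it, and the `flow_ip_send` line gives the outer packet with its IP protocol number (17 = UDP, 50 = ESP) and egress interface. The parser below is an added example, not code from the post, from Shrew Soft or from Juniper; every function and class name in it is my own. It walks ScreenOS `debug flow basic` output packet by packet and classifies how each packet left the gateway. The sample input is the first packet of the dump above with the repeated engine bookkeeping lines dropped, using the post's placeholder addresses.

```python
"""Walk a ScreenOS 'debug flow basic' trace packet by packet and record what
the gateway did with each packet: inner flow, tunnel ids, whether ESP
encryption ran, and the outer packet it sent (raw ESP or UDP-encapsulated)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 50: "ESP"}

# Line shapes taken from the dump in the post; every other line is ignored.
RE_PKT_START = re.compile(r"^\*{6} ([\d.]+): <([^>]+)> packet received \[(\d+)\]")
RE_INNER = re.compile(r"^(\S+?):([\d.]+)/\d+->([\d.]+)/\d+,(\d+)\(")
RE_TUNNEL = re.compile(r"^going into tunnel ([0-9a-f]+)\.")
RE_ENCRYPT = re.compile(r"doing ESP encryption and size =(\d+)")
RE_SEND = re.compile(r"^flow_ip_send: [0-9a-f]+:([\d.]+)->([\d.]+),(\d+) => ([^\s(]+)")
RE_END = re.compile(r"^\*{4} pak processing end\.")

@dataclass
class FlowRecord:
    timestamp: str
    ingress: str                 # zone/interface the cleartext packet arrived on
    inner_src: str = ""
    inner_dst: str = ""
    inner_proto: int = 0
    tunnels: List[str] = field(default_factory=list)
    esp_size: int = 0            # stays 0 if 'doing ESP encryption' never appears
    outer_src: str = ""
    outer_dst: str = ""
    outer_proto: int = 0         # IP protocol of the packet put on the wire
    egress: str = ""

def parse_flow_debug(text: str) -> List[FlowRecord]:
    records: List[FlowRecord] = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := RE_PKT_START.match(line):
            cur = FlowRecord(timestamp=m.group(1), ingress=m.group(2))
            records.append(cur)
        elif cur is None:
            continue
        elif m := RE_INNER.match(line):
            cur.inner_src, cur.inner_dst = m.group(2), m.group(3)
            cur.inner_proto = int(m.group(4))
        elif m := RE_TUNNEL.match(line):
            cur.tunnels.append(m.group(1))
        elif m := RE_ENCRYPT.search(line):
            cur.esp_size = int(m.group(1))
        elif m := RE_SEND.match(line):
            cur.outer_src, cur.outer_dst = m.group(1), m.group(2)
            cur.outer_proto, cur.egress = int(m.group(3)), m.group(4)
        elif RE_END.match(line):
            cur = None           # packet finished; next record starts fresh
    return records

def classify(rec: FlowRecord) -> str:
    """How the packet left the gateway, or the stage at which it stopped."""
    if rec.esp_size == 0:
        return "not-encrypted"
    if not rec.egress:
        return "encrypted-not-sent"
    if rec.outer_proto == 50:
        return "esp"          # plain ESP: no NAT between gateway and client
    if rec.outer_proto == 17:
        return "nat-t-udp"    # ESP in UDP (NAT-T); the trace does not show the port
    return "proto-" + PROTO_NAMES.get(rec.outer_proto, str(rec.outer_proto))

def summarize(records: List[FlowRecord], client_ip: str) -> Dict[str, int]:
    """Count packets addressed to client_ip (or never sent) by how they left."""
    counts: Dict[str, int] = {}
    for rec in records:
        if rec.outer_dst == client_ip or not rec.egress:
            key = classify(rec)
            counts[key] = counts.get(key, 0) + 1
    return counts

# Constructed sample input: the first packet of the dump above with the repeated
# engine bookkeeping lines dropped; the addresses are the post's placeholders.
SAMPLE = """\
****** 08558.0: <Trust/bgroup0> packet received [60]******
bgroup0:10.220.10.21/1280->172.16.220.1/256,1(0/0)<Root>
post addr xlation: 10.220.10.21->172.16.220.1.
going into tunnel 40008002.
(vn2) doing ESP encryption and size =64
**** jump to packet:22.22.22.22->11.11.11.11
going into tunnel c0008002.
out encryption tunnel c0008002 gw:33.33.33.33
flow_ip_send: 4ef2:22.22.22.22->11.11.11.11,17 => ethernet0/0(128) flag
0x0, vlan 0
**** pak processing end.
"""

if __name__ == "__main__":
    for rec in parse_flow_debug(SAMPLE):
        print(rec.timestamp, rec.inner_src, "->", rec.inner_dst, classify(rec), rec.egress)
    print(summarize(parse_flow_debug(SAMPLE), "11.11.11.11"))
```

Run against the full dump, all three ICMP packets from 10.220.10.21 come out as `nat-t-udp` toward 11.11.11.11 on ethernet0/0: the gateway encrypts them and sends them UDP-encapsulated, which is what you expect for a client behind NAT. That puts the gateway side of the return path in the clear and moves the next capture to the client side: whether those UDP datagrams (normally on port 4500, as Matthew notes) arrive at the client's NAT and at Shrew at all. The parser deliberately does not interpret the ICMP "port" fields or the `gw:` address in the `out encryption tunnel` line, since the post does not say what they are.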