[Vpn-help] Tunnel to juniper SSG - Shrew thinks it is up but Juniper does not

Daniel Qian daniel.qian at supracanada.com
Sat Jul 4 15:53:53 CDT 2009


----- Original Message ----- 
From: "Matthew Grooms" <mgrooms at shrew.net>
To: "Daniel Qian" <daniel.qian at supracanada.com>
Cc: <vpn-help at lists.shrew.net>
Sent: Saturday, July 04, 2009 2:31 AM
Subject: Re: [Vpn-help] Tunnel to juniper SSG - Shrew thinks it is up but Juniper does not


> Daniel Qian wrote:
>> Ok, the tunnel is up now. It turned out that PFS has to be set 
>> specifically instead of auto. But another issue arises - no traffic is 
>> returning from the remote device. I tried pinging a host on the remote 
>> inside network but got no reply. Any idea what the reason could be?
>>
>
> Daniel,
>
> Can you do a packet dump from a node inside the network to determine if 
> the pings are reaching the distant host? If you do see the ping packets and 
> responses, the next thing to check would be whether ESP or UDP port 4500 
> packets are being returned from the gateway to the client (the encrypted 
> responses).
>
> -Matthew
>
>
>

I do not have a packet dump from the host, but I do have one from the Juniper 
firewall which shows the return traffic to the client. The lines are shown 
below and they are the same as those when I am connected with a working 
NetScreen-Remote client. The interesting thing to note is that Shrew works 
right after I reinstall it but stops working after a while for some reason. 
My testing client is behind a NAT.

In the dump, 11.11.11.11 is the public IP of the client, 22.22.22.22 is the 
remote firewall IP, 10.220.10.21 is the inside host, and 172.16.220.1 is the 
private IP assigned to the client from the VPN pool.

Thanks,
Daniel



****** 08558.0: <Trust/bgroup0> packet received [60]******
  ipid = 30473(7709), @0338a830
  packet passed sanity check.
  bgroup0:10.220.10.21/1280->172.16.220.1/256,1(0/0)<Root>
  existing session found. sess token 3
  flow got session.
  flow session id 8048
  post addr xlation: 10.220.10.21->172.16.220.1.
  skipping pre-frag
  going into tunnel 40008002.
  flow_encrypt: pipeline.
chip info: PIO. Tunnel id 00008002
(vn2)  doing ESP encryption and size =64
ipsec encrypt prepare engine done
ipsec encrypt set engine done
ipsec encrypt engine released
ipsec encrypt done
        put packet(3622bb8) into flush queue.
        remove packet(3622bb8) out from flush queue.

**** jump to packet:22.22.22.22->11.11.11.11
  going into tunnel c0008002.
  flow_encrypt: enc vector=c8eda0.
  out encryption tunnel c0008002 gw:33.33.33.33
  no more encapping needed
  send out through normal path.
  flow_ip_send: 4ef2:22.22.22.22->11.11.11.11,17 => ethernet0/0(128) flag 0x0, vlan 0
  mac 0030b880f5a0 in session
  **** pak processing end.
****** 08563.0: <Trust/bgroup0> packet received [60]******
  ipid = 30474(770a), @0338b030
  packet passed sanity check.
  bgroup0:10.220.10.21/1280->172.16.220.1/512,1(0/0)<Root>
  existing session found. sess token 3
  flow got session.
  flow session id 8048
  post addr xlation: 10.220.10.21->172.16.220.1.
  skipping pre-frag
  going into tunnel 40008002.
  flow_encrypt: pipeline.
chip info: PIO. Tunnel id 00008002
(vn2)  doing ESP encryption and size =64
ipsec encrypt prepare engine done
ipsec encrypt set engine done
ipsec encrypt engine released
ipsec encrypt done
        put packet(3622bb8) into flush queue.
        remove packet(3622bb8) out from flush queue.

**** jump to packet:22.22.22.22->11.11.11.11
  going into tunnel c0008002.
  flow_encrypt: enc vector=c8eda0.
  out encryption tunnel c0008002 gw:33.33.33.33
  no more encapping needed
  send out through normal path.
  flow_ip_send: 4ef4:22.22.22.22->11.11.11.11,17 => ethernet0/0(128) flag 0x0, vlan 0
  mac 0030b880f5a0 in session
  **** pak processing end.
****** 08569.0: <Trust/bgroup0> packet received [60]******
  ipid = 30475(770b), @0338b830
  packet passed sanity check.
  bgroup0:10.220.10.21/1280->172.16.220.1/768,1(0/0)<Root>
  existing session found. sess token 3
  flow got session.
  flow session id 8048
  post addr xlation: 10.220.10.21->172.16.220.1.
  skipping pre-frag
  going into tunnel 40008002.
  flow_encrypt: pipeline.
chip info: PIO. Tunnel id 00008002
(vn2)  doing ESP encryption and size =64
ipsec encrypt prepare engine done
ipsec encrypt set engine done
ipsec encrypt engine released
ipsec encrypt done
        put packet(3621d90) into flush queue.
        remove packet(3621d90) out from flush queue.

**** jump to packet:22.22.22.22->11.11.11.11
  going into tunnel c0008002.
  flow_encrypt: enc vector=c8eda0.
  out encryption tunnel c0008002 gw:33.33.33.33
  no more encapping needed
  send out through normal path.
  flow_ip_send: 4f0b:22.22.22.22->11.11.11.11,17 => ethernet0/0(128) flag 0x0, vlan 0
  mac 0030b880f5a0 in session
  **** pak processing end. 
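Matthew's suggestion is to confirm, from the gateway side, that encrypted replies are actually leaving toward the client. The ScreenOS "debug flow" output above can be checked mechanically. The following Python script is an added example, not code from this thread or from the Shrew Soft project: it splits that output into per-packet records and reports, for each inner packet, whether an encrypted reply was emitted to the client's public IP and whether it went out as UDP-encapsulated ESP (IP protocol 17, NAT-T on UDP/4500 per RFC 3948) or as raw ESP (protocol 50). The first sample record is copied from the dump above; the second is constructed here to show what a packet that never leaves the firewall looks like, using standard ScreenOS "no session found" / "packet dropped" phrasing. Tunnel and session IDs are carried along only as labels.

```python
import re
from collections import Counter

# Constructed sample input. Record 1 is copied from the debug flow output in
# the post above (wrapped "flag 0x0" line rejoined); record 2 is made up here
# to exercise the dropped-packet path.
SAMPLE_DUMP = """\
****** 08558.0: <Trust/bgroup0> packet received [60]******
  ipid = 30473(7709), @0338a830
  packet passed sanity check.
  bgroup0:10.220.10.21/1280->172.16.220.1/256,1(0/0)<Root>
  existing session found. sess token 3
  flow session id 8048
  post addr xlation: 10.220.10.21->172.16.220.1.
  going into tunnel 40008002.
(vn2)  doing ESP encryption and size =64
ipsec encrypt done
**** jump to packet:22.22.22.22->11.11.11.11
  going into tunnel c0008002.
  out encryption tunnel c0008002 gw:33.33.33.33
  send out through normal path.
  flow_ip_send: 4ef2:22.22.22.22->11.11.11.11,17 => ethernet0/0(128) flag 0x0, vlan 0
  **** pak processing end.
****** 08600.0: <Trust/bgroup0> packet received [60]******
  ipid = 30500(7724), @0338c030
  bgroup0:10.220.10.21/1280->172.16.220.1/1024,1(0/0)<Root>
  no session found
  packet dropped, denied by policy
"""

RECORD_START = re.compile(r"^\*{6} [\d.]+: <[^>]+> packet received \[(\d+)\]")
# "<ifc>:<src>/<sport>-><dst>/<dport>,<proto>(" ; for ICMP the /n fields are type/code encodings
INNER_FLOW = re.compile(r"^\s*(?P<ifc>[\w/]+):(?P<src>[\d.]+)/\d+->(?P<dst>[\d.]+)/\d+,(?P<proto>\d+)\(")
SESSION = re.compile(r"flow session id (\d+)")
TUNNEL = re.compile(r"going into tunnel ([0-9a-f]+)\.")
ESP_ENC = re.compile(r"doing ESP encryption")
# "flow_ip_send: <ipid>:<outer src>-><outer dst>,<ip proto> => <egress interface>"
IP_SEND = re.compile(r"flow_ip_send: [0-9a-f]+:(?P<src>[\d.]+)->(?P<dst>[\d.]+),(?P<proto>\d+) => (?P<egress>\S+)")
DROPPED = re.compile(r"packet dropped")

IPPROTO_UDP = 17   # ESP-in-UDP (NAT-T, UDP/4500); the port is not printed, so it is inferred
IPPROTO_ESP = 50   # raw ESP, only possible when no NAT sits between the peers


def parse_records(text):
    """Split debug-flow output into one dict per 'packet received' record."""
    records, rec = [], None
    for line in text.splitlines():
        m = RECORD_START.match(line)
        if m:
            rec = {"length": int(m.group(1)), "tunnels": [], "esp_encrypted": False}
            records.append(rec)
            continue
        if rec is None:
            continue
        m = INNER_FLOW.match(line)
        if m and "inner_src" not in rec:   # first flow line is the cleartext inner packet
            rec.update(inner_ifc=m["ifc"], inner_src=m["src"],
                       inner_dst=m["dst"], inner_proto=int(m["proto"]))
            continue
        m = SESSION.search(line)
        if m:
            rec["session_id"] = int(m.group(1))
            continue
        m = TUNNEL.search(line)
        if m:
            rec["tunnels"].append(m.group(1))
            continue
        if ESP_ENC.search(line):
            rec["esp_encrypted"] = True
            continue
        m = IP_SEND.search(line)
        if m:                               # the encrypted packet actually hitting the wire
            rec.update(outer_src=m["src"], outer_dst=m["dst"],
                       outer_proto=int(m["proto"]), egress=m["egress"])
        elif DROPPED.search(line):
            rec["dropped"] = line.strip()
    return records


def classify_return(rec, client_ip):
    """Did this record produce an encrypted reply toward the client's public IP, and how?"""
    if "dropped" in rec or "outer_dst" not in rec:
        return "not-sent"
    if rec["outer_dst"] != client_ip:
        return "wrong-destination"
    if not rec["esp_encrypted"]:
        return "cleartext"
    if rec["outer_proto"] == IPPROTO_UDP:
        return "natt-udp"
    if rec["outer_proto"] == IPPROTO_ESP:
        return "raw-esp"
    return "unknown-proto-%d" % rec["outer_proto"]


def triage(text, client_ip):
    """Summarise a whole dump: how many inner packets ended up in each state."""
    return Counter(classify_return(r, client_ip) for r in parse_records(text))


if __name__ == "__main__":
    for r in parse_records(SAMPLE_DUMP):
        print(r.get("inner_src"), "->", r.get("inner_dst"), r["tunnels"],
              classify_return(r, "11.11.11.11"), r.get("egress", ""))
    print(dict(triage(SAMPLE_DUMP, "11.11.11.11")))
```

In the posted dump every reply leaves ethernet0/0 as protocol 17 toward 11.11.11.11, which is what you expect for a client behind NAT: the gateway has encrypted the echo replies and sent them. What this view cannot show is whether the NAT in front of the client still maps UDP/4500 back to the Shrew host; that has to be checked with a capture on the client (for example `udp port 4500` while the ping runs). Note that `flow_ip_send` prints the IP protocol but not the UDP ports, so "4500" is an inference from protocol 17, not something read from the line.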