[Vpn-help] Tunnel to juniper SSG - Shrew thinks it is up but Juniper does not
Daniel Qian
daniel.qian at supracanada.com
Tue Jun 30 14:49:25 CDT 2009
The following is the output from Shrew trying to connect:
attached to key daemon ...
peer configured
iskamp proposal configured
esp proposal configured
client configured
local id configured
pre-shared key configured
bringing up tunnel ...
network device configured
tunnel enabled
And this is the log message from the SSG device:
2001-07-29 11:04:23 info IKE x.x.x.x: XAuth login was passed for
gateway VPN Client, username daniel, retry: 0, Client IP Addr 10.220.11.1,
IPPool name: rapool, Session-Timeout: 0s,
Idle-Timeout: 0s.
2001-07-29 11:04:23 info IKE x.x.x.x: XAuth login was refreshed for
username daniel at 10.220.11.1/255.255.255.255.
2001-07-29 11:04:23 info Rejected an IKE packet on ethernet0/0 from
x.x.x.x:28372 to y.y.y.y:4500 with cookies 59cfb0db677d4558 and
04829041c531b49e because A Phase 2 packet
arrived while XAuth was still pending.
2001-07-29 11:04:23 info IKE x.x.x.x Phase 1: Completed Aggressive
mode negotiations with a 28800-second lifetime.
2001-07-29 11:04:23 info IKE x.x.x.x Phase 1: Completed for user
vpn at customer.com.
2001-07-29 11:04:23 info IKE<x.x.x.x> Phase 1: IKE responder has
detected NAT in front of the remote device.
2001-07-29 11:04:23 info IKE<x.x.x.x> Phase 1: IKE responder has
detected NAT in front of the local device.
2001-07-29 11:04:23 info IKE x.x.x.x Phase 1: Responder starts
AGGRESSIVE mode negotiations.
---------------------------------------------------------------------------
When I tried to ping an IP behind the remote firewall I got this:
2001-07-29 11:31:12 info IKE x.x.x.x Phase 2 msg ID e3e5cc76:
Negotiations have failed.
2001-07-29 11:31:12 info IKE x.x.x.x Phase 2 msg ID e3e5cc76:
Negotiations have failed for user vpn at customer.com.
2001-07-29 11:31:12 info Rejected an IKE packet on ethernet0/0 from
x.x.x.x:28372 to y.y.y.y:4500 with cookies 59cfb0db677d4558 and
04829041c531b49e because There were no acceptable Phase 2 proposals..
2001-07-29 11:31:12 info IKE x.x.x.x Phase 2 msg ID e3e5cc76:
Responded to the peer's first message from user vpn at customer.com.
---------------------------------------------------------------------------
Apparently the two sides do NOT agree on the status of the tunnel. The
explanation quoted from Juniper seems to imply this is usually a client side
issue:
This can happen if the last XAuth packet that the remote peer sends does not
reach the local NetScreen device. If this event occurred once, you can
safely disregard this message. However, if this occurs repeatedly,
investigate the problem locally, and contact the peer to investigate the
problem at that end.When investigating, check for any reason why the
NetScreen device might repeatedly drop packets, such as heavy network
traffic or high CPU usage.Alternatively, there be a compatibility issue
between the remote device and the local NetScreen device,possibly because
the remote peer’s VPN implementation does not conform to the IKE-related
RFCs or interprets the RFCs differently than NetScreen d
This can happen if the last XAuth packet that the remote peer sends does not
reach the local NetScreen
device. If this event occurred once, you can safely disregard this message.
However, if this occurs
repeatedly, investigate the problem locally, and contact the peer to
investigate the problem at that end.
When investigating, check for any reason why the NetScreen device might
repeatedly drop packets, such
as heavy network traffic or high CPU usage.
Alternatively, there be a compatibility issue between the remote device and
the local NetScreen device,
possibly because the remote peer’s VPN implementation does not conform to
the IKE-related RFCs or
interprets the RFCs differently than NetScreen does
----------------------------------------------------------------------------------------------------------------------
Does anyone know of a solution to this?
Best Regards,
Daniel
More information about the vpn-help
mailing list