[Vpn-help] Tunnel to juniper SSG - Shrew thinks it is up but Juniper does not

Matthew Grooms mgrooms at shrew.net
Tue Jun 30 22:19:31 CDT 2009


Daniel Qian wrote:
> 
> When I tried to ping an IP behind the remote firewall I got this:
> 
> 2001-07-29 11:31:12    info    IKE x.x.x.x Phase 2 msg ID e3e5cc76: 
> Negotiations have failed.
> 2001-07-29 11:31:12    info    IKE x.x.x.x Phase 2 msg ID e3e5cc76: 
> Negotiations have failed for user vpn at customer.com.

This is the part of the output that is important ...

> 2001-07-29 11:31:12    info    Rejected an IKE packet on ethernet0/0 from 
> x.x.x.x:28372 to y.y.y.y:4500 with cookies 59cfb0db677d4558 and 
> 04829041c531b49e because There were no acceptable Phase 2 proposals..
> 

You're establishing phase1 and getting caught up on phase2 negotiations.
Most likely, the netscreen doesn't like the proposal being sent by the
client. Assuming you followed the howto, if you look at the following
document section ...

http://www.shrew.net/support/wiki/HowtoJuniperSsg#CreateanAutoKeyIKEGateway

... you will see how to configure the gateway's phase2 parameters for
vpnclient connections. When the client sends a phase2 proposal, they
have to match what's configured on the gateway.

For example, if you chose ...

nopfs-esp-3des-md5
nopfs-esp-3des-md5
nopfs-esp-aes128-sha
nopfs-esp-aes128-sha

... for "Phase 2 proposal" under the advanced parameters section, the
client has to send one of those combinations exactly. If it doesn't
match any of them, the gateway will report the error message shown in
your log output "There were no acceptable Phase 2 proposals". If the
client has all of its parameters set to 'auto', then it will send a slew
of likely phase2 proposal combinations in an attempt to match whatever
is configured on the gateway.

The other possibility is that the connection from the client isn't
getting matched to the proper "AutoKey IKE Gateway" definition. In the
example shown in the document, it will use the vpnclient_tunnel as the
phase2 parameters for any connection that matched vpnclient_gateway
"AutoKey Advanced / Gateway" for its phase1 parameters. How does your
connection match "vpn at customer.com" back to your "AutoKey IKE Gateway"?

The client and the gateway both appear to be working properly. This
looks like a configuration issue. I can assure you that it works with
juniper products as I have an SSG in my lab that I do regular testing with.

-Matthew
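As an added illustration (not code from this thread, from Shrew Soft or from Juniper), here is a small Python model of the matching Matthew describes: the gateway's configured proposal names are parsed, the client's offer is expanded when a field is set to 'auto', and negotiation succeeds only on an exact match with one of the gateway's entries. The 'auto' expansion lists and the client-side field names are assumptions made for the example.

```python
# Added example: model how a NetScreen/SSG phase 2 proposal list is matched
# against what a VPN client offers. Proposal names such as "nopfs-esp-3des-md5"
# follow the Juniper naming convention (pfs-protocol-encryption-auth).
# The 'auto' expansion lists below are an assumption, not the client's real list.
from itertools import product

AUTO_PFS = ["nopfs", "g2"]                           # assumed 'auto' candidates
AUTO_ENCR = ["aes128", "aes192", "aes256", "3des"]   # assumed 'auto' candidates
AUTO_AUTH = ["sha", "md5"]                           # assumed 'auto' candidates


def parse_proposal(name):
    """Split a Juniper-style proposal name into (pfs, protocol, encr, auth)."""
    pfs, proto, encr, auth = name.split("-")
    return (pfs, proto, encr, auth)


def client_offers(pfs="auto", encr="auto", auth="auto", proto="esp"):
    """Enumerate the proposals the client sends; 'auto' expands to several."""
    pfs_list = AUTO_PFS if pfs == "auto" else [pfs]
    encr_list = AUTO_ENCR if encr == "auto" else [encr]
    auth_list = AUTO_AUTH if auth == "auto" else [auth]
    return [(p, proto, e, a) for p, e, a in product(pfs_list, encr_list, auth_list)]


def negotiate(gateway_proposals, offered):
    """Return the first gateway proposal the client also offered, or None.

    None corresponds to the gateway log line
    "There were no acceptable Phase 2 proposals".
    """
    offered_set = set(offered)
    for name in gateway_proposals:          # gateway preference order wins
        if parse_proposal(name) in offered_set:
            return name
    return None


if __name__ == "__main__":
    # The four-entry list from the mail above (constructed gateway config).
    gateway = ["nopfs-esp-3des-md5", "nopfs-esp-3des-md5",
               "nopfs-esp-aes128-sha", "nopfs-esp-aes128-sha"]
    # A client pinned to PFS group 2 / AES-256 / SHA matches nothing.
    print(negotiate(gateway, client_offers(pfs="g2", encr="aes256", auth="sha")))
    # A client left on 'auto' finds the gateway's first entry.
    print(negotiate(gateway, client_offers()))
```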
