[vpn-help] need help: shrew client on windows 7 to Juniper netscreen SSG320

Matthew Grooms mgrooms at shrew.net
Wed Aug 4 22:50:55 CDT 2010


On 7/30/2010 1:18 AM, Matthew Grooms wrote:
> On 7/29/2010 12:09 AM, Neal Katz wrote:
>> Thanks for the help about logging, I did not see that before.
>>
>> I am using 'ike config push', and PSK+Xauth
>>
>> It looks like my problem is during the xauth stage,
>> I created a new user, type='XAuth' , same problem
>> ( question: should my user be part of any group ? )
>>
>
> From your previous log, it would appear that you are passing xauth. The
> Juniper devices use a bastardized version of modecfg push which wraps
> the client configuration ( address, mask, DNS, WINS settings ) inside
> the Xauth conversation. So when something goes wrong, it looks like an
> Xauth problem.
>
> From what I can tell, the conversation goes something like this ...
>
> 1) The gateway asks the client to authenticate
> 2) The client returns an authentication
> 3) The gateway pushes configuration attributes to the client
> 4) The client responds with the attributes it accepted
> 5) The gateway rejects the response from the client
> 6) The gateway re-tries the process
> 7) The client notices that the process has restarted, and bails
>
> Can you please send me the decrypted IKE debug output? I'd like to take
> a closer look at the conversation at the packet level.
>

Hi Neal,

What do you have configured for the adapter type? As the SSG howto 
implies, you should have the default of "Use a virtual adapter and 
assigned address" and have "Obtain Automatically" checked for the 
address/netmask. The decrypted packet dump you sent would suggest that 
the client is set to not receive an address automatically.

-Matthew
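
For reading a decrypted dump of the exchange described above, this added example (not part of the original message or of the Shrew client) decodes the attribute payloads and lists what the gateway pushed in its SET that the client's ACK did not echo. Assumptions: attribute numbers are those of the IKE mode-config and Xauth drafts, the gateway's SET carries Xauth and address attributes in one payload as the thread describes, and the sample bytes and function names are constructed here.

```python
import struct

CFG_TYPES = {1: "REQUEST", 2: "REPLY", 3: "SET", 4: "ACK"}
# Attribute numbers from the IKE mode-config and Xauth drafts.
ATTRS = {1: "INTERNAL_IP4_ADDRESS", 2: "INTERNAL_IP4_NETMASK",
         3: "INTERNAL_IP4_DNS", 4: "INTERNAL_IP4_NBNS",
         16521: "XAUTH_USER_NAME", 16522: "XAUTH_USER_PASSWORD",
         16527: "XAUTH_STATUS"}

def parse_cfg(payload):
    """Decode one decrypted attribute payload into (message type, {name: value})."""
    if len(payload) < 8:
        raise ValueError("payload shorter than its fixed header")
    _next, _r1, length, cfg_type, _r2, _ident = struct.unpack_from("!BBHBBH", payload)
    if length != len(payload):
        raise ValueError("payload length field does not match the data")
    attrs, off = {}, 8
    while off < length:
        if off + 4 > length:
            raise ValueError("truncated attribute header")
        head, second = struct.unpack_from("!HH", payload, off)
        off += 4
        if head & 0x8000:                 # AF bit set: fixed 2-byte value
            value = struct.pack("!H", second)
        else:                             # AF bit clear: 'second' is a length
            if off + second > length:
                raise ValueError("attribute value runs past the payload")
            value = payload[off:off + second]
            off += second
        atype = head & 0x7FFF
        attrs[ATTRS.get(atype, "type %d" % atype)] = value
    return CFG_TYPES.get(cfg_type, "type %d" % cfg_type), attrs

def unacknowledged(set_payload, ack_payload):
    """Names the gateway pushed in its SET that the client's ACK did not echo."""
    set_type, pushed = parse_cfg(set_payload)
    ack_type, accepted = parse_cfg(ack_payload)
    if (set_type, ack_type) != ("SET", "ACK"):
        raise ValueError("expected a SET followed by an ACK")
    return sorted(name for name in pushed if name not in accepted)

# Constructed sample payloads (not taken from the thread's dump).
# SET: XAUTH_STATUS=1, address 192.0.2.10, mask 255.255.255.0, DNS 192.0.2.53
SAMPLE_SET = bytes.fromhex("0000002403000001" "c08f0001" "00010004c000020a"
                           "00020004ffffff00" "00030004c0000235")
# ACK: echoes XAUTH_STATUS and DNS only, as if the address were set manually
SAMPLE_ACK = bytes.fromhex("0000001004000001" "c08f0000" "00030000")

if __name__ == "__main__":
    print(unacknowledged(SAMPLE_SET, SAMPLE_ACK))
```

An ACK that omits the address and netmask the gateway pushed is the pattern to look for when the client is not set to obtain its address automatically.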


