[vpn-help] connecting to a Juniper SRX 210

Alexis La Goutte alexis.lagoutte at gmail.com
Mon Feb 22 12:19:59 CST 2010


Hi Gauras,

Do you use the Windows or Linux client?

Is it possible to get a trace of the connection? (to get the VID)

Regards,

On Sat, Feb 20, 2010 at 11:39 AM, Gauras Gaurauskas <gaurasg at gmail.com> wrote:

> Hello,
>
> Has anybody tried to use Shrew VPN to establish a VPN with a Juniper SRX210?
> When I try to connect with Shrew VPN to the SRX210, on Phase 1 the SRX210 sends
> back the message NO-PROPOSAL-CHOSEN.
> In the SRX debug log I see that the SRX is not able to recognize the peer
>
> Feb  3 01:16:14 ike_decode_packet: Start
> Feb  3 01:16:14 ike_decode_packet: Start, SA = { 01e4a6ad e1553f43 -
> 41d763a0 0839b3be} / 00000000, nego = -1
> Feb  3 01:16:14 ike_decode_payload_sa: Start
> Feb  3 01:16:14 ike_decode_payload_t: Start, # trans = 3
> Feb  3 01:16:14 ike_st_i_vid: VID[0..8] = 09002689 dfd6b712 ...
> Feb  3 01:16:14 The remote server at 192.168.207.100:500 is
> 'draft-beaulieu-ike-xauth-02.txt'
> Feb  3 01:16:14 ike_st_i_vid: VID[0..16] = 4485152d 18b6bbcd ...
> Feb  3 01:16:14 Setting natt remote version to 2
> Feb  3 01:16:14 The remote server at 192.168.207.100:500 is
> 'draft-ietf-ipsec-nat-t-ike-00'
> Feb  3 01:16:14 ike_st_i_vid: VID[0..16] = 16f6ca16 e4a4066d ...
> Feb  3 01:16:14 The remote server at 192.168.207.100:500 is '16 f6 ca 16
> e4 a4 06 6d 83 82 1a 0f 0a ea a8 62'
> Feb  3 01:16:14 ike_st_i_vid: VID[0..16] = 90cb8091 3ebb696e ...
> Feb  3 01:16:14 Setting natt remote version to 3
> Feb  3 01:16:14 The remote server at 192.168.207.100:500 is
> 'draft-ietf-ipsec-nat-t-ike-02'
> Feb  3 01:16:14 ike_st_i_vid: VID[0..16] = 7d9419a6 5310ca6f ...
> Feb  3 01:16:14 The remote server at 192.168.207.100:500 is
> 'draft-ietf-ipsec-nat-t-ike-03'
> Feb  3 01:16:14 ike_st_i_vid: VID[0..16] = 4a131c81 07035845 ...
> Feb  3 01:16:14 The remote server at 192.168.207.100:500 is '4a 13 1c 81
> 07 03 58 45 5c 57 28 f2 0e 95 45 2f'
> Feb  3 01:16:14 ike_st_i_vid: VID[0..16] = afcad713 68a1f1c9 ...
> Feb  3 01:16:14 The remote server at 192.168.207.100:500 is
> 'draft-ietf-ipsec-dpd-00.txt'
> Feb  3 01:16:14 ike_st_i_vid: VID[0..16] = f14b94b7 bff1fef0 ...
> Feb  3 01:16:14 The remote server at 192.168.207.100:500 is 'f1 4b 94 b7
> bf f1 fe f0 27 73 b8 c4 9f ed ed 26'
> Feb  3 01:16:14 ike_st_i_vid: VID[0..20] = 166f932d 55eb64d8 ...
> Feb  3 01:16:14 The remote server at 192.168.207.100:500 is '16 6f 93 2d
> 55 eb 64 d8 e4 df 4f d3 7e 23 13 f0 d0 fd 84 51'
> Feb  3 01:16:14 ike_st_i_vid: VID[0..16] = 8404adf9 cda05760 ...
> Feb  3 01:16:14 The remote server at 192.168.207.100:500 is '84 04 ad f9
> cd a0 57 60 b2 ca 29 2e 4b ff 53 7b'
> Feb  3 01:16:14 ike_st_i_vid: VID[0..16] = 12f5f28c 457168a9 ...
> Feb  3 01:16:14 The remote server at 192.168.207.100:500 is 'CISCO-UNITY'
> Feb  3 01:16:14 ike_st_i_id: Start
> Feb  3 01:16:14 ike_st_i_sa_proposal: Start
> Feb  3 01:16:14 Not doing MM check since initiator=FALSE and exch_type=4
> Feb  3 01:16:14 Unable to find ike gateway as remote peer:192.168.207.100
> is not recognized.
> Feb  3 01:16:14 KMD_PM_P1_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-1
> [responder] failed for p1_local=ipv4(any:0,[0..3]=84.15.44.82)
> p1_remote=fqdn(any:0,[0..11]=user1.testas)
> Feb  3 01:16:14 KMD_PM_P1_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-1
> [responder] failed for p1_local=ipv4(any:0,[0..3]=84.15.44.82)
> p1_remote=fqdn(any:0,[0..11]=user1.testas)
> Feb  3 01:16:14 ike_isakmp_sa_reply: Start
>
> I guess that it is because of the last VENDOR ID, which the Shrew VPN client
> sends to the gateway. By default the last VID is 'CISCO-UNITY', but it seems
> that the SRX expects 'JNPR IPSec Client'.
> When I use the Juniper DynamicVPN client to connect to the SRX, the last VID sent
> by the Juniper client is 'JNPR IPSec Client'.
>
> eb  3 00:37:03 ike_decode_payload_sa: Start
> Feb  3 00:37:03 ike_decode_payload_t: Start, # trans = 1
> Feb  3 00:37:03 ike_st_i_vid: VID[0..16] = afcad713 68a1f1c9 ...
> Feb  3 00:37:03 The remote server at 192.168.207.100:1142 is
> 'draft-ietf-ipsec-dpd-00.txt'
> Feb  3 00:37:03 ike_st_i_vid: VID[0..8] = 09002689 dfd6b712 ...
> Feb  3 00:37:03 The remote server at 192.168.207.100:1142 is
> 'draft-beaulieu-ike-xauth-02.txt'
> Feb  3 00:37:03 ike_st_i_vid: VID[0..16] = 7d9419a6 5310ca6f ...
> Feb  3 00:37:03 Setting natt remote version to 3
> Feb  3 00:37:03 The remote server at 192.168.207.100:1142 is
> 'draft-ietf-ipsec-nat-t-ike-03'
> Feb  3 00:37:03 ike_st_i_vid: VID[0..16] = 90cb8091 3ebb696e ...
> Feb  3 00:37:03 The remote server at 192.168.207.100:1142 is
> 'draft-ietf-ipsec-nat-t-ike-02'
> Feb  3 00:37:03 ike_st_i_vid: VID[0..18] = 4a4e5052 20495053 ...
> Feb  3 00:37:03 The remote server at 192.168.207.100:1142 is 'JNPR IPSec
> Client'
> Feb  3 00:37:03 ike_st_i_id: Start
> Feb  3 00:37:03 ike_st_i_sa_proposal: Start
> Feb  3 00:37:03 ike_isakmp_sa_reply: Start
> Feb  3 00:37:03 ike_st_i_nonce: Start, nonce[0..64] = a8995644 916c8238 ...
> Feb  3 00:37:03 ike_st_i_cert: Start
> Feb  3 00:37:03 ike_st_i_hash_key: Start, no key_hash
> Feb  3 00:37:03 ike_st_i_ke: Ke[0..192] = 0bfdd989 3383f389 ...
> Feb  3 00:37:03 ike_st_i_cr: Start
> Feb  3 00:37:03 ike_st_i_private: Start
> Feb  3 00:37:03 ike_st_o_sa_values: Start
> Feb  3 00:37:03 ike_st_o_ke: Start
> Feb  3 00:37:03 ike_st_o_nonce: Start
> Feb  3 00:37:03 ike_policy_reply_isakmp_nonce_data_len: Start
> Feb  3 00:37:03 ike_st_o_id: Start
>
> Is it possible to add a new feature to the Shrew VPN client similar to "Enable
> Check Point Compatible Vendor ID", which would allow sending the 'JNPR IPSec
> Client' VID as the last VID?
>
> _______________________________________________
> vpn-help mailing list
> vpn-help at lists.shrew.net
> http://lists.shrew.net/mailman/listinfo/vpn-help
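As an added illustration (not code from the thread, the Shrew client or Juniper), the small parser below reads SRX `ike_st_i_vid` debug lines of the form quoted above, lists the Vendor ID payloads in the order the client sent them, and reports which VID came last, which is the detail the reporter ties to the `NO-PROPOSAL-CHOSEN` response. The sample log is constructed from the lines in the thread with the wrapped lines rejoined; the `ascii_prefix` helper is an assumption added to show that the Juniper VID bytes (`4a4e5052 20495053`) are plain ASCII while the Cisco Unity VID is a hash.

```python
import re
from typing import List, Tuple

# Constructed excerpt shaped like the SRX "ike_st_i_vid" debug lines quoted in the
# thread: each VID line is followed by the line naming what the server matched.
SRX_LOG = """\
Feb  3 01:16:14 ike_st_i_vid: VID[0..8] = 09002689 dfd6b712 ...
Feb  3 01:16:14 The remote server at 192.168.207.100:500 is 'draft-beaulieu-ike-xauth-02.txt'
Feb  3 01:16:14 ike_st_i_vid: VID[0..16] = 90cb8091 3ebb696e ...
Feb  3 01:16:14 Setting natt remote version to 3
Feb  3 01:16:14 The remote server at 192.168.207.100:500 is 'draft-ietf-ipsec-nat-t-ike-02'
Feb  3 01:16:14 ike_st_i_vid: VID[0..16] = 12f5f28c 457168a9 ...
Feb  3 01:16:14 The remote server at 192.168.207.100:500 is 'CISCO-UNITY'
Feb  3 01:16:14 Unable to find ike gateway as remote peer:192.168.207.100 is not recognized.
"""

VID_RE = re.compile(r"ike_st_i_vid: VID\[0\.\.(\d+)\] = ((?:[0-9a-f]{8} ?)+)")
NAME_RE = re.compile(r"The remote server at \S+ is '([^']*)'")

def parse_vids(log: str) -> List[Tuple[int, bytes, str]]:
    """Return (payload length, leading bytes, matched name) per VID, in sent order."""
    vids, pending = [], None
    for line in log.splitlines():
        m = VID_RE.search(line)
        if m:                      # remember the VID until its name line appears
            pending = (int(m.group(1)), bytes.fromhex(m.group(2).replace(" ", "")))
            continue
        m = NAME_RE.search(line)
        if m and pending is not None:
            vids.append((pending[0], pending[1], m.group(1)))
            pending = None         # lines such as "Setting natt ..." are skipped
    return vids

def ascii_prefix(raw: bytes) -> str:
    """The VID bytes as text if every byte is printable ASCII, else '' (hashed VID)."""
    return raw.decode("ascii") if all(0x20 <= b < 0x7F for b in raw) else ""

def diagnose(log: str) -> str:
    """Name the last VID the peer sent and whether the SRX still rejected the peer."""
    vids = parse_vids(log)
    if not vids:
        return "no VID payloads seen"
    last = vids[-1][2]
    if last == "JNPR IPSec Client":
        return "last VID is 'JNPR IPSec Client'"
    if "is not recognized" in log:
        return f"peer not recognized; last VID was '{last}'"
    return f"last VID was '{last}'"
```
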