[vpn-help] need help: shrew client on windows 7 to Juniper netscreen SSG320
Matthew Grooms
mgrooms at shrew.net
Fri Jul 30 01:18:20 CDT 2010
On 7/29/2010 12:09 AM, Neal Katz wrote:
> Thanks for the help about logging, I did not see that before.
>
> I am using 'ike config push', and PSK+Xauth
>
> It looks like my problem is during the xauth stage,
> I created a new user, type='XAuth' , same problem
> ( question: should my user be part of any group ? )
>
From your previous log, it would appear that you are passing xauth. The
Juniper devices use a bastardized version of modecfg push which wraps
the client configuration ( address, mask, DNS, WINS settings ) inside
the Xauth conversation. So when something goes wrong, it looks like an
Xauth problem.

From what I can tell, the conversation goes something like this ...

1) The gateway asks the client to authenticate
2) The client returns an authentication
3) The gateway pushes configuration attributes to the client
4) The client responds with the attributes it accepted
5) The gateway rejects the response from the client
6) The gateway re-tries the process
7) The client notices that the process has restarted, and bails

Can you please send me the decrypted IKE debug output? I'd like to take
a closer look at the conversation at the packet level.

Thanks,
-Matthew
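
The seven steps above can be checked mechanically against a decoded trace. The following is an added example, not part of the original message and not Shrew Soft code: it assumes the debug output has already been reduced to (sender, message type, attribute names) tuples, uses attribute names from the Xauth and mode-config drafts, and treats a repeated authentication request before any configuration push as a genuine Xauth failure.

```python
"""Tell an Xauth failure apart from a rejected config push (constructed model)."""

XAUTH = {"XAUTH_USER_NAME", "XAUTH_USER_PASSWORD"}
CONFIG = {"INTERNAL_IP4_ADDRESS", "INTERNAL_IP4_NETMASK",
          "INTERNAL_IP4_DNS", "INTERNAL_IP4_NBNS"}


def classify(trace):
    """Walk the exchange; return (verdict, index of the deciding message)."""
    state = "start"
    for i, (sender, mtype, attrs) in enumerate(trace):
        attrs = set(attrs)
        if sender == "gateway" and mtype == "REQUEST" and attrs & XAUTH:
            if state == "acked":
                # Steps 5-6: the client ACKed the push, yet the gateway starts over.
                return ("config-push-rejected", i)
            if state == "replied":
                # Assumption: re-asking before any push means the credentials failed.
                return ("xauth-retry", i)
            state = "asked"                      # step 1
        elif sender == "client" and mtype == "REPLY" and state == "asked":
            state = "replied"                    # step 2
        elif (sender == "gateway" and mtype == "SET"
              and attrs & CONFIG and state == "replied"):
            state = "pushed"                     # step 3
        elif sender == "client" and mtype == "ACK" and state == "pushed":
            state = "acked"                      # step 4
    return ("complete" if state == "acked" else "incomplete", len(trace))


# Constructed trace of steps 1-6 as described in the message.
JUNIPER_RESTART = [
    ("gateway", "REQUEST", XAUTH),
    ("client", "REPLY", XAUTH),
    ("gateway", "SET", CONFIG),
    ("client", "ACK", {"INTERNAL_IP4_ADDRESS", "INTERNAL_IP4_NETMASK"}),
    ("gateway", "REQUEST", XAUTH),
]
# Constructed trace where authentication itself is refused.
BAD_CREDENTIALS = JUNIPER_RESTART[:2] + [("gateway", "REQUEST", XAUTH)]

if __name__ == "__main__":
    for name, trace in (("restart", JUNIPER_RESTART), ("bad creds", BAD_CREDENTIALS)):
        print(name, classify(trace))
```

A "config-push-rejected" verdict points at the attributes the client returned in step 4 rather than at the user account or password.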