[vpn-help] need help: shrew client on windows 7 to Juniper netscreen SSG320

Matthew Grooms mgrooms at shrew.net
Fri Jul 30 01:18:20 CDT 2010


On 7/29/2010 12:09 AM, Neal Katz wrote:
> Thanks for the help about logging, I did not see that before.
>
> I am using 'ike config push', and PSK+Xauth
>
> It looks like my problem is during the xauth stage,
> I created a new user, type='XAuth' , same problem
> ( question:  should my user be part of any group ? )
>

From your previous log, it would appear that you are passing xauth. The
Juniper devices use a bastardized version of modecfg push which wraps 
the client configuration ( address, mask, DNS, WINS settings ) inside 
the Xauth conversation. So when something goes wrong, it looks like an 
Xauth problem.

From what I can tell, the conversation goes something like this ...

1) The gateway asks the client to authenticate
2) The client returns an authentication
3) The gateway pushes configuration attributes to the client
4) The client responds with the attributes it accepted
5) The gateway rejects the response from the client
6) The gateway re-tries the process
7) The client notices that the process has restarted, and bails

Can you please send me the decrypted IKE debug output? I'd like to take 
a closer look at the conversation at the packet level.

Thanks,

-Matthew
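
Added example (not part of the original message, and not Shrew or Juniper code): a small Python triage helper that separates a genuine Xauth credential failure from the restart-after-push pattern in steps 1 to 7 above. It assumes the steps map onto the ISAKMP-Config message types CFG_REQUEST/REPLY/SET/ACK, which the message does not state; the function name, verdict strings and traces are constructed for illustration.

```python
# Added example, not Shrew or Juniper code. Message types follow the
# ISAKMP-Config draft; attribute numbers follow the mode-cfg and Xauth drafts.
# Assumption: the gateway's steps use these message types as mapped below.
CFG_REQUEST, CFG_REPLY, CFG_SET, CFG_ACK = 1, 2, 3, 4
XAUTH_ATTRS = {16521, 16522}   # XAUTH_USER_NAME, XAUTH_USER_PASSWORD
CONFIG_ATTRS = {1, 2, 3, 4}    # INTERNAL_IP4_ADDRESS, _NETMASK, _DNS, _NBNS


def diagnose(events):
    """Classify a config exchange (hypothetical helper).

    events: (sender, cfg_type, attribute_ids) tuples in wire order.
    Returns (verdict, pushed config attributes the client did not ACK).
    """
    asked = answered = acked = False
    pushed, accepted = set(), set()
    for sender, cfg_type, attrs in events:
        attrs = set(attrs)
        if sender == "gateway" and cfg_type == CFG_REQUEST and attrs & XAUTH_ATTRS:
            if asked:  # the gateway is starting over (step 6)
                if acked:
                    return "PUSH_REJECTED", sorted(pushed - accepted)
                if pushed:
                    return "PUSH_UNACKED", sorted(pushed)
                return ("AUTH_REJECTED" if answered else "AUTH_UNANSWERED"), []
            asked = True
        elif sender == "client" and cfg_type == CFG_REPLY and attrs & XAUTH_ATTRS:
            answered = True
        elif sender == "gateway" and cfg_type == CFG_SET:
            pushed |= attrs & CONFIG_ATTRS
        elif sender == "client" and cfg_type == CFG_ACK and pushed:
            acked = True
            accepted |= attrs & pushed
    return ("COMPLETE" if acked else "INCOMPLETE"), sorted(pushed - accepted)


# Constructed trace of the steps in the message (step 5 has no message of
# its own here; it only becomes visible as the restart in step 6).
RESTART_TRACE = [
    ("gateway", CFG_REQUEST, {16521, 16522}),   # 1: gateway asks for credentials
    ("client", CFG_REPLY, {16521, 16522}),      # 2: client answers
    ("gateway", CFG_SET, {1, 2, 3, 4}),         # 3: address, mask, DNS, WINS pushed
    ("client", CFG_ACK, {1, 2, 3}),             # 4: client lists what it accepted
    ("gateway", CFG_REQUEST, {16521, 16522}),   # 6: gateway starts over
]
# Constructed trace of a real credential failure, for contrast.
BAD_LOGIN_TRACE = RESTART_TRACE[:2] + RESTART_TRACE[-1:]

if __name__ == "__main__":
    print(diagnose(RESTART_TRACE))
    print(diagnose(BAD_LOGIN_TRACE))
```

Both traces end with the gateway asking for credentials again, which is why the two failures look alike from the client side; only the messages in between tell them apart.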


