[vpn-help] Netscreen SSG and Wikid two factor disconnects every hour

bryan at bevege.com bryan at bevege.com
Fri Mar 26 15:47:21 CDT 2010 

First of all I love this product! This was one of the last things I  
needed to ditch Windows, now if VMware would just get with the  
program.  Thats another topic.

We are using the shrew vpn client 2.14 linux (ubuntu and fedora core  
12) and windows 7 to connect to Netscreen SSG 520.  Our setup is  
nearly the same as the guide on the Shrew page accept we are using  
Wikid two factor tokens for authentication and freeradius for IP  
assignments. We can connect with no problems initially.

The problem:
We get kicked off every hour.  The logs below shows what happens on  
both the firewall and the local linux client.  I haven't logged a  
Windows 7 box but the exact problem exists.

When using the standard Netscreen client (on XP since there is no  
linux or windows 7 client) we stay connected for 12 hrs. before  
getting kicked off by the time limit setting we have set. I've scoured  
the settings on the Netscreen client and do not see anything  
different.  I browsed around the mailing lists but didn't find much  
info on this topic.

Questions:

1. Does the Shrew VPN client even support Wikid two factor authentication?
2. Does the shrew VPN client suppot any other two factor solutions?
3. Are there any setting on either the Firewall or the Shrew VPN  
client that may correct this?

Thanks for your help and for a great product.
-------------------------------------------------------------------------
Firewall logs

2010-03-25 12:53:03      info      IKE XXX.XXX.XXX Phase 1:  
Retransmission limit has been reached.
2010-03-25 12:52:49     notif     The system clock was updated from  
primary NTP server type XXX.XXX.XXX with an adjustment of 16 ms.  
Authentication was None. Update mode was Automatic
2010-03-25 12:52:29     info     IKE xxx.xxx.xxx: XAuth login expired  
and was terminated for username XXX at 0.0.0.0/0.0.0.0.
2010-03-25 12:52:19     info     IKE xxx.xxx.xxx: XAuth login was  
aborted for gateway VRF-MGT-GATEWAY, username xxx, retry: 1.
2010-03-25 12:52:12     info     IKE xxx.xxx.xxx Phase 1: Completed  
Aggressive mode negotiations with a 28800-second lifetime.
2010-03-25 12:52:12     info     IKE xxx.xxx.xxx Phase 1: Completed  
for user xxx-vrf.
2010-03-25 12:52:12     info     IKE<xxx.xxx.xxx> Phase 1: IKE  
responder has detected NAT in front of the remote device.
2010-03-25 12:52:12     info     IKE xxx.xxx.xxx Phase 1: Responder  
starts AGGRESSIVE mode negotiations.

Output from Ubuntu 9.10 client in debug mode

10/03/25 12:52:14 DB : phase1 found
10/03/25 12:52:14 ii : processing config packet ( 76 bytes )
10/03/25 12:52:14 DB : config found
10/03/25 12:52:14 == : new config iv ( 8 bytes )
10/03/25 12:52:14 =< : cookies b8067ea5e4002a6c:3556df8bd2dfda4c
10/03/25 12:52:14 =< : message 544e220a
10/03/25 12:52:14 =< : decrypt iv ( 8 bytes )
10/03/25 12:52:14 == : decrypt packet ( 76 bytes )
10/03/25 12:52:14 <= : trimmed packet padding ( 4 bytes )
10/03/25 12:52:14 <= : stored iv ( 8 bytes )
10/03/25 12:52:14 << : hash payload
10/03/25 12:52:14 << : attribute payload
10/03/25 12:52:14 == : configure hash_i ( computed ) ( 20 bytes )
10/03/25 12:52:14 == : configure hash_c ( computed ) ( 20 bytes )
10/03/25 12:52:14 ii : configure hash verified
10/03/25 12:52:14 !! : duplicate xauth request, authentication failed
10/03/25 12:52:14 DB : phase1 soft event canceled ( ref count = 3 )
10/03/25 12:52:14 DB : phase1 hard event canceled ( ref count = 2 )
10/03/25 12:52:14 DB : phase1 dead event canceled ( ref count = 1 )
10/03/25 12:52:14 ii : sending peer DELETE message
10/03/25 12:52:14 ii : - xxx.xxx.xxx.xxx:4500 -> xxx.xxx.xxx.xxx:4500
10/03/25 12:52:14 ii : - isakmp spi = b8067ea5e4002a6c:3556df8bd2dfda4c
10/03/25 12:52:14 ii : - data size 0
10/03/25 12:52:14 >> : hash payload
10/03/25 12:52:14 >> : delete payload
10/03/25 12:52:14 == : new informational hash ( 20 bytes )
10/03/25 12:52:14 == : new informational iv ( 8 bytes )
10/03/25 12:52:14 >= : cookies b8067ea5e4002a6c:3556df8bd2dfda4c
10/03/25 12:52:14 >= : message 27292501
10/03/25 12:52:14 >= : encrypt iv ( 8 bytes )
10/03/25 12:52:14 == : encrypt packet ( 80 bytes )
10/03/25 12:52:14 == : stored iv ( 8 bytes )
10/03/25 12:52:14 -> : send NAT-T:IKE packet xxx.xxx.xxx.xxx:4500 ->  
xxx.xxx.xxx.xxx:4500 ( 116 bytes )
10/03/25 12:52:14 DB : config resend event canceled ( ref count = 1 )
10/03/25 12:52:14 DB : config deleted ( obj count = 1 )
10/03/25 12:52:14 ii : phase1 removal before expire time
10/03/25 12:52:14 DB : phase1 deleted ( obj count = 1 )
10/03/25 12:52:14 DB : policy found
10/03/25 12:52:14 ii : removing IPSEC INBOUND policy  
ANY:xxx.xxx.xxx.xxx:* -> ANY:xxx.xxx.xxx.xxx:*
10/03/25 12:52:14 K> : send pfkey X_SPDDELETE2 UNSPEC message
10/03/25 12:52:14 DB : policy found
10/03/25 12:52:14 ii : removing IPSEC OUTBOUND policy  
ANY:xxx.xxx.xxx.xxx:* -> ANY:xxx.xxx.xxx.xxx:*
10/03/25 12:52:14 K> : send pfkey X_SPDDELETE2 UNSPEC message
10/03/25 12:52:14 ii : removed IPSEC policy route for ANY:xxx.xxx.xxx.xxx:*
10/03/25 12:52:14 K< : recv pfkey X_SPDDELETE2 UNSPEC message
10/03/25 12:52:14 DB : policy found
10/03/25 12:52:14 DB : policy deleted ( obj count = 1 )
10/03/25 12:52:14 K< : recv pfkey X_SPDDELETE2 UNSPEC message
10/03/25 12:52:14 DB : policy found
10/03/25 12:52:14 DB : policy deleted ( obj count = 0 )
10/03/25 12:52:15 ii : closed tap device tap0
10/03/25 12:52:15 DB : tunnel dpd event canceled ( ref count = 6 )
10/03/25 12:52:15 DB : tunnel natt event canceled ( ref count = 5 )
10/03/25 12:52:15 DB : tunnel stats event canceled ( ref count = 4 )
10/03/25 12:52:15 DB : removing tunnel config references
10/03/25 12:52:15 DB : config deleted ( obj count = 0 )
10/03/25 12:52:15 DB : removing tunnel phase2 references
10/03/25 12:52:15 DB : phase2 hard event canceled ( ref count = 1 )
10/03/25 12:52:15 DB : phase1 found
10/03/25 12:52:15 ii : sending peer DELETE message
10/03/25 12:52:15 ii : - xxx.xxx.xxx.xxx:4500 -> xxx.xxx.xxx.xxx:4500
10/03/25 12:52:15 ii : - ipsec-esp spi = 0x06fc982e
10/03/25 12:52:15 ii : - data size 0
10/03/25 12:52:15 >> : hash payload
10/03/25 12:52:15 >> : delete payload
10/03/25 12:52:15 == : new informational hash ( 20 bytes )
10/03/25 12:52:15 == : new informational iv ( 8 bytes )
10/03/25 12:52:15 >= : cookies 5bcf3ec13c9e7e15:df48cad9327c7c42
10/03/25 12:52:15 >= : message 15eb182e
10/03/25 12:52:15 >= : encrypt iv ( 8 bytes )
10/03/25 12:52:15 == : encrypt packet ( 68 bytes )
10/03/25 12:52:15 == : stored iv ( 8 bytes )
10/03/25 12:52:15 -> : send NAT-T:IKE packet xxx.xxx.xxx.xxx:4500 ->  
xxx.xxx.xxx.xxx:4500 ( 100 bytes )
10/03/25 12:52:15 K> : send pfkey DELETE ESP message
10/03/25 12:52:15 K> : send pfkey DELETE ESP message
10/03/25 12:52:15 ii : phase2 removal before expire time
10/03/25 12:52:15 DB : phase2 deleted ( obj count = 0 )
10/03/25 12:52:15 DB : removing tunnel phase1 references
10/03/25 12:52:15 DB : phase1 hard event canceled ( ref count = 2 )
10/03/25 12:52:15 DB : phase1 dead event canceled ( ref count = 1 )
10/03/25 12:52:15 ii : sending peer DELETE message
10/03/25 12:52:15 ii : - xxx.xxx.xxx.xxx:4500 -> xxx.xxx.xxx.xxx:4500
10/03/25 12:52:15 ii : - isakmp spi = 5bcf3ec13c9e7e15:df48cad9327c7c42
10/03/25 12:52:15 ii : - data size 0
10/03/25 12:52:15 >> : hash payload
10/03/25 12:52:15 >> : delete payload
10/03/25 12:52:15 == : new informational hash ( 20 bytes )
10/03/25 12:52:15 == : new informational iv ( 8 bytes )
10/03/25 12:52:15 >= : cookies 5bcf3ec13c9e7e15:df48cad9327c7c42
10/03/25 12:52:15 >= : message caab1d21
10/03/25 12:52:15 >= : encrypt iv ( 8 bytes )
10/03/25 12:52:15 == : encrypt packet ( 80 bytes )
10/03/25 12:52:15 == : stored iv ( 8 bytes )
10/03/25 12:52:15 -> : send NAT-T:IKE packet xxx.xxx.xxx.xxx:4500 ->  
xxx.xxx.xxx.xxx:4500 ( 116 bytes )
10/03/25 12:52:15 ii : phase1 removal before expire time
10/03/25 12:52:15 DB : phase1 deleted ( obj count = 0 )
10/03/25 12:52:15 DB : tunnel deleted ( obj count = 0 )
10/03/25 12:52:15 DB : removing all peer tunnel refrences
10/03/25 12:52:15 DB : peer deleted ( obj count = 0 )
10/03/25 12:52:15 ii : ipc client process thread exit ...
10/03/25 12:52:15 K< : recv pfkey DELETE ESP message
10/03/25 12:52:15 K< : recv pfkey DELETE ESP message
10/03/25 12:52:15 <- : recv NAT-T:IKE packet xxx.xxx.xxx.xxx:4500 ->  
xxx.xxx.xxx.xxx:4500 ( 408 bytes )
10/03/25 12:52:15 DB : phase1 not found
10/03/25 12:52:15 ii : attempting to locate tunnel for peer xxx.xxx.xxx.xxx
10/03/25 12:52:15 DB : tunnel not found
10/03/25 12:52:15 DB : peer not found
10/03/25 12:52:15 ww : ike packet from xxx.xxx.xxx.xxx ignored, no  
matching definition for peer
10/03/25 12:52:19 <- : recv NAT-T:IKE packet xxx.xxx.xxx.xxx:4500 ->  
xxx.xxx.xxx.xxx:4500 ( 408 bytes )
10/03/25 12:52:19 DB : phase1 not found
10/03/25 12:52:19 ii : attempting to locate tunnel for peer xxx.xxx.xxx.xxx
10/03/25 12:52:19 DB : tunnel not found
10/03/25 12:52:19 DB : peer not found
10/03/25 12:52:19 ww : ike packet from xxx.xxx.xxx.xxx ignored, no  
matching definition for peer
10/03/25 12:52:23 <- : recv NAT-T:IKE packet xxx.xxx.xxx.xxx:4500 ->  
xxx.xxx.xxx.xxx:4500 ( 408 bytes )
10/03/25 12:52:23 DB : phase1 not found
10/03/25 12:52:23 ii : attempting to locate tunnel for peer xxx.xxx.xxx.xxx
10/03/25 12:52:23 DB : tunnel not found
10/03/25 12:52:23 DB : peer not found
10/03/25 12:52:23 ww : ike packet from xxx.xxx.xxx.xxx ignored, no  
matching definition for peer
10/03/25 12:52:27 <- : recv NAT-T:IKE packet xxx.xxx.xxx.xxx:4500 ->  
xxx.xxx.xxx.xxx:4500 ( 408 bytes )
10/03/25 12:52:27 DB : phase1 not found
10/03/25 12:52:27 ii : attempting to locate tunnel for peer xxx.xxx.xxx.xxx
10/03/25 12:52:27 DB : tunnel not found
10/03/25 12:52:27 DB : peer not found
10/03/25 12:52:27 ww : ike packet from xxx.xxx.xxx.xxx ignored, no  
matching definition for peer
10/03/25 12:52:31 <- : recv NAT-T:IKE packet xxx.xxx.xxx.xxx:4500 ->  
xxx.xxx.xxx.xxx:4500 ( 408 bytes )
10/03/25 12:52:31 DB : phase1 not found
10/03/25 12:52:31 ii : attempting to locate tunnel for peer xxx.xxx.xxx.xxx
10/03/25 12:52:31 DB : tunnel not found
10/03/25 12:52:31 DB : peer not found
10/03/25 12:52:31 ww : ike packet from xxx.xxx.xxx.xxx ignored, no  
matching definition for peer
10/03/25 12:52:35 <- : recv NAT-T:IKE packet xxx.xxx.xxx.xxx:4500 ->  
xxx.xxx.xxx.xxx:4500 ( 408 bytes )
10/03/25 12:52:35 DB : phase1 not found
10/03/25 12:52:35 ii : attempting to locate tunnel for peer xxx.xxx.xxx.xxx
10/03/25 12:52:35 DB : tunnel not found
10/03/25 12:52:35 DB : peer not found
10/03/25 12:52:35 ww : ike packet from xxx.xxx.xxx.xxx ignored, no  
matching definition for peer
10/03/25 12:52:39 <- : recv NAT-T:IKE packet xxx.xxx.xxx.xxx:4500 ->  
xxx.xxx.xxx.xxx:4500 ( 408 bytes )
10/03/25 12:52:39 DB : phase1 not found
10/03/25 12:52:39 ii : attempting to locate tunnel for peer xxx.xxx.xxx.xxx
10/03/25 12:52:39 DB : tunnel not found
10/03/25 12:52:39 DB : peer not found
10/03/25 12:52:39 ww : ike packet from xxx.xxx.xxx.xxx ignored, no  
matching definition for peer
10/03/25 12:52:43 <- : recv NAT-T:IKE packet xxx.xxx.xxx.xxx:4500 ->  
xxx.xxx.xxx.xxx:4500 ( 408 bytes )
10/03/25 12:52:43 DB : phase1 not found
10/03/25 12:52:43 ii : attempting to locate tunnel for peer xxx.xxx.xxx.xxx
10/03/25 12:52:43 DB : tunnel not found
10/03/25 12:52:43 DB : peer not found
10/03/25 12:52:43 ww : ike packet from xxx.xxx.xxx.xxx ignored, no  
matching definition for peer
10/03/25 12:52:47 <- : recv NAT-T:IKE packet xxx.xxx.xxx.xxx:4500 ->  
xxx.xxx.xxx.xxx:4500 ( 408 bytes )
10/03/25 12:52:47 DB : phase1 not found
10/03/25 12:52:47 ii : attempting to locate tunnel for peer xxx.xxx.xxx.xxx
10/03/25 12:52:47 DB : tunnel not found
10/03/25 12:52:47 DB : peer not found
10/03/25 12:52:47 ww : ike packet from xxx.xxx.xxx.xxx ignored, no  
matching definition for peer
10/03/25 12:52:51 <- : recv NAT-T:IKE packet xxx.xxx.xxx.xxx:4500 ->  
xxx.xxx.xxx.xxx:4500 ( 408 bytes )
10/03/25 12:52:51 DB : phase1 not found
10/03/25 12:52:51 ii : attempting to locate tunnel for peer xxx.xxx.xxx.xxx
10/03/25 12:52:51 DB : tunnel not found
10/03/25 12:52:51 DB : peer not found
10/03/25 12:52:51 ww : ike packet from xxx.xxx.xxx.xxx ignored, no  
matching definition for peer
  10/03/25 12:52:55 <- : recv NAT-T:IKE packet xxx.xxx.xxx.xxx:4500 ->  
xxx.xxx.xxx.xxx:4500 ( 408 bytes )
10/03/25 12:52:55 DB : phase1 not found
10/03/25 12:52:55 ii : attempting to locate tunnel for peer xxx.xxx.xxx.xxx
10/03/25 12:52:55 DB : tunnel not found
10/03/25 12:52:55 DB : peer not found
10/03/25 12:52:55 ww : ike packet from xxx.xxx.xxx.xxx ignored, no  
matching definition for peer
10/03/25 12:52:59 <- : recv NAT-T:IKE packet xxx.xxx.xxx.xxx:4500 ->  
xxx.xxx.xxx.xxx:4500 ( 408 bytes )
10/03/25 12:52:59 DB : phase1 not found
10/03/25 12:52:59 ii : attempting to locate tunnel for peer xxx.xxx.xxx.xxx
10/03/25 12:52:59 DB : tunnel not found
10/03/25 12:52:59 DB : peer not found
10/03/25 12:52:59 ww : ike packet from xxx.xxx.xxx.xxx ignored, no  
matching definition for peer

More information about the vpn-help mailing list