[vpn-help] Shrew soft VPN client configuration for juniper SSG

Zigmunds Vītiņš zvitins at tcp.lv
Mon Oct 4 08:13:09 CDT 2010


Hello,

I have changed the PFS option to group 5, but still without any success.
I tried to disable DPD on the ShrewSoft VPN client, but nothing changed.

This is the output log from the trace utility:


10/10/04 16:06:16 ## : IKE Daemon, ver 2.1.6
10/10/04 16:06:16 ## : Copyright 2009 Shrew Soft Inc.
10/10/04 16:06:16 ## : This product linked OpenSSL 0.9.8h 28 May 2008
10/10/04 16:06:16 ii : opened 'C:\Program Files\ShrewSoft\VPN 
Client\debug\iked.log'
10/10/04 16:06:16 ii : opened 'C:\Program Files\ShrewSoft\VPN 
Client/debug/dump-ike-decrypt.cap'
10/10/04 16:06:16 ii : opened 'C:\Program Files\ShrewSoft\VPN 
Client/debug/dump-ike-encrypt.cap'
10/10/04 16:06:16 ii : rebuilding vnet device list ...
10/10/04 16:06:16 ii : device ROOT\VNET\0000 disabled
10/10/04 16:06:16 ii : network process thread begin ...
10/10/04 16:06:16 ii : pfkey process thread begin ...
10/10/04 16:06:16 ii : ipc server process thread begin ...
10/10/04 16:06:37 ii : ipc client process thread begin ...
10/10/04 16:06:37 <A : peer config add message
10/10/04 16:06:37 DB : peer added ( obj count = 1 )
10/10/04 16:06:37 ii : local address [local IP address] selected for peer
10/10/04 16:06:37 DB : tunnel added ( obj count = 1 )
10/10/04 16:06:37 <A : proposal config message
10/10/04 16:06:37 <A : proposal config message
10/10/04 16:06:37 <A : client config message
10/10/04 16:06:37 <A : xauth username message
10/10/04 16:06:37 <A : xauth password message
10/10/04 16:06:37 <A : local id 'email at nestcreen.net' message
10/10/04 16:06:37 <A : preshared key message
10/10/04 16:06:37 <A : remote resource message
10/10/04 16:06:37 <A : peer tunnel enable message
10/10/04 16:06:37 DB : new phase1 ( ISAKMP initiator )
10/10/04 16:06:37 DB : exchange type is aggressive
10/10/04 16:06:37 DB : [local IP address]:500 <-> [remote IP address]:500
10/10/04 16:06:37 DB : 68615ac843264076:0000000000000000
10/10/04 16:06:37 DB : phase1 added ( obj count = 1 )
10/10/04 16:06:37 >> : security association payload
10/10/04 16:06:37 >> : - proposal #1 payload
10/10/04 16:06:37 >> : -- transform #1 payload
10/10/04 16:06:37 >> : key exchange payload
10/10/04 16:06:37 >> : nonce payload
10/10/04 16:06:37 >> : identification payload
10/10/04 16:06:37 >> : vendor id payload
10/10/04 16:06:37 ii : local supports XAUTH
10/10/04 16:06:37 >> : vendor id payload
10/10/04 16:06:37 ii : local supports nat-t ( draft v00 )
10/10/04 16:06:37 >> : vendor id payload
10/10/04 16:06:37 ii : local supports nat-t ( draft v01 )
10/10/04 16:06:37 >> : vendor id payload
10/10/04 16:06:37 ii : local supports nat-t ( draft v02 )
10/10/04 16:06:37 >> : vendor id payload
10/10/04 16:06:37 ii : local supports nat-t ( draft v03 )
10/10/04 16:06:37 >> : vendor id payload
10/10/04 16:06:37 ii : local supports nat-t ( rfc )
10/10/04 16:06:37 >> : vendor id payload
10/10/04 16:06:37 ii : local supports FRAGMENTATION
10/10/04 16:06:37 >> : vendor id payload
10/10/04 16:06:37 ii : local supports DPDv1
10/10/04 16:06:37 >> : vendor id payload
10/10/04 16:06:37 ii : local is SHREW SOFT compatible
10/10/04 16:06:37 >> : vendor id payload
10/10/04 16:06:37 ii : local is NETSCREEN compatible
10/10/04 16:06:37 >> : vendor id payload
10/10/04 16:06:37 ii : local is SIDEWINDER compatible
10/10/04 16:06:37 >> : vendor id payload
10/10/04 16:06:37 ii : local is CISCO UNITY compatible
10/10/04 16:06:37 >= : cookies 68615ac843264076:0000000000000000
10/10/04 16:06:37 >= : message 00000000
10/10/04 16:06:37 -> : send IKE packet [local IP address]:500 -> [remote 
IP address]:500 ( 608 bytes )
10/10/04 16:06:37 DB : phase1 resend event scheduled ( ref count = 2 )
10/10/04 16:06:37 <- : recv IKE packet [remote IP address]:500 -> [local 
IP address]:500 ( 508 bytes )
10/10/04 16:06:37 DB : phase1 found
10/10/04 16:06:37 ii : processing phase1 packet ( 508 bytes )
10/10/04 16:06:37 =< : cookies 68615ac843264076:8b41639c4cae3b4f
10/10/04 16:06:37 =< : message 00000000
10/10/04 16:06:37 << : security association payload
10/10/04 16:06:37 << : - propsal #1 payload
10/10/04 16:06:37 << : -- transform #1 payload
10/10/04 16:06:37 ii : matched isakmp proposal #1 transform #1
10/10/04 16:06:37 ii : - transform    = ike
10/10/04 16:06:37 ii : - cipher type  = aes
10/10/04 16:06:37 ii : - key length   = 256 bits
10/10/04 16:06:37 ii : - hash type    = sha1
10/10/04 16:06:37 ii : - dh group     = modp-1536
10/10/04 16:06:37 ii : - auth type    = xauth-initiator-psk
10/10/04 16:06:37 ii : - life seconds = 28800
10/10/04 16:06:37 ii : - life kbytes  = 0
10/10/04 16:06:37 << : vendor id payload
10/10/04 16:06:37 ii : unknown vendor id ( 28 bytes )
10/10/04 16:06:37 0x : e7a811cf 8de6140e 3adc82fd 7855ff8f f1eadb8f 
00000013 0000061e
10/10/04 16:06:37 << : vendor id payload
10/10/04 16:06:37 ii : peer supports XAUTH
10/10/04 16:06:37 << : vendor id payload
10/10/04 16:06:37 ii : peer supports DPDv1
10/10/04 16:06:37 << : vendor id payload
10/10/04 16:06:37 ii : peer supports HEARTBEAT-NOTIFY
10/10/04 16:06:37 << : key exchange payload
10/10/04 16:06:37 << : nonce payload
10/10/04 16:06:37 << : identification payload
10/10/04 16:06:37 ii : phase1 id target is any
10/10/04 16:06:37 ii : phase1 id match
10/10/04 16:06:37 ii : received = ipv4-host [remote IP address]
10/10/04 16:06:37 << : hash payload
10/10/04 16:06:37 << : vendor id payload
10/10/04 16:06:37 ii : peer supports nat-t ( draft v02 )
10/10/04 16:06:37 << : nat discovery payload
10/10/04 16:06:37 << : nat discovery payload
10/10/04 16:06:37 ii : disabled nat-t ( no nat detected )
10/10/04 16:06:37 == : DH shared secret ( 192 bytes )
10/10/04 16:06:37 == : SETKEYID ( 20 bytes )
10/10/04 16:06:37 == : SETKEYID_d ( 20 bytes )
10/10/04 16:06:37 == : SETKEYID_a ( 20 bytes )
10/10/04 16:06:37 == : SETKEYID_e ( 20 bytes )
10/10/04 16:06:37 == : cipher key ( 32 bytes )
10/10/04 16:06:37 == : cipher iv ( 16 bytes )
10/10/04 16:06:37 == : phase1 hash_i ( computed ) ( 20 bytes )
10/10/04 16:06:37 >> : hash payload
10/10/04 16:06:37 >> : nat discovery payload
10/10/04 16:06:37 >> : nat discovery payload
10/10/04 16:06:37 >= : cookies 68615ac843264076:8b41639c4cae3b4f
10/10/04 16:06:37 >= : message 00000000
10/10/04 16:06:37 >= : encrypt iv ( 16 bytes )
10/10/04 16:06:37 == : encrypt packet ( 100 bytes )
10/10/04 16:06:37 == : stored iv ( 16 bytes )
10/10/04 16:06:37 DB : phase1 resend event canceled ( ref count = 1 )
10/10/04 16:06:37 -> : send IKE packet [local IP address]:500 -> [remote 
IP address]:500 ( 136 bytes )
10/10/04 16:06:37 == : phase1 hash_r ( computed ) ( 20 bytes )
10/10/04 16:06:37 == : phase1 hash_r ( received ) ( 20 bytes )
10/10/04 16:06:37 ii : phase1 sa established
10/10/04 16:06:37 ii : [remote IP address]:500 <-> [local IP address]:500
10/10/04 16:06:37 ii : 68615ac843264076:8b41639c4cae3b4f
10/10/04 16:06:37 ii : sending peer INITIAL-CONTACT notification
10/10/04 16:06:37 ii : - [local IP address]:500 -> [remote IP address]:500
10/10/04 16:06:37 ii : - isakmp spi = 68615ac843264076:8b41639c4cae3b4f
10/10/04 16:06:37 ii : - data size 0
10/10/04 16:06:37 >> : hash payload
10/10/04 16:06:37 >> : notification payload
10/10/04 16:06:37 == : new informational hash ( 20 bytes )
10/10/04 16:06:37 == : new informational iv ( 16 bytes )
10/10/04 16:06:37 >= : cookies 68615ac843264076:8b41639c4cae3b4f
10/10/04 16:06:37 >= : message 0f7dbe32
10/10/04 16:06:37 >= : encrypt iv ( 16 bytes )
10/10/04 16:06:37 == : encrypt packet ( 80 bytes )
10/10/04 16:06:37 == : stored iv ( 16 bytes )
10/10/04 16:06:37 -> : send IKE packet [local IP address]:500 -> [remote 
IP address]:500 ( 120 bytes )
10/10/04 16:06:37 DB : phase2 not found
10/10/04 16:06:37 <- : recv IKE packet [remote IP address]:500 -> [local 
IP address]:500 ( 76 bytes )
10/10/04 16:06:37 DB : phase1 found
10/10/04 16:06:37 ii : processing config packet ( 76 bytes )
10/10/04 16:06:37 DB : config not found
10/10/04 16:06:37 DB : config added ( obj count = 1 )
10/10/04 16:06:37 == : new config iv ( 16 bytes )
10/10/04 16:06:37 =< : cookies 68615ac843264076:8b41639c4cae3b4f
10/10/04 16:06:37 =< : message 5a3b4995
10/10/04 16:06:37 =< : decrypt iv ( 16 bytes )
10/10/04 16:06:37 == : decrypt packet ( 76 bytes )
10/10/04 16:06:37 <= : trimmed packet padding ( 4 bytes )
10/10/04 16:06:37 <= : stored iv ( 16 bytes )
10/10/04 16:06:37 << : hash payload
10/10/04 16:06:37 << : attribute payload
10/10/04 16:06:37 == : configure hash_i ( computed ) ( 20 bytes )
10/10/04 16:06:37 == : configure hash_c ( computed ) ( 20 bytes )
10/10/04 16:06:37 ii : configure hash verified
10/10/04 16:06:37 ii : - xauth authentication type
10/10/04 16:06:37 ii : - xauth username
10/10/04 16:06:37 ii : - xauth password
10/10/04 16:06:37 ii : received basic xauth request -
10/10/04 16:06:37 ii : - standard xauth username
10/10/04 16:06:37 ii : - standard xauth password
10/10/04 16:06:37 ii : sending xauth response for test test
10/10/04 16:06:37 >> : hash payload
10/10/04 16:06:37 >> : attribute payload
10/10/04 16:06:37 == : new configure hash ( 20 bytes )
10/10/04 16:06:37 >= : cookies 68615ac843264076:8b41639c4cae3b4f
10/10/04 16:06:37 >= : message 5a3b4995
10/10/04 16:06:37 >= : encrypt iv ( 16 bytes )
10/10/04 16:06:37 == : encrypt packet ( 92 bytes )
10/10/04 16:06:37 == : stored iv ( 16 bytes )
10/10/04 16:06:37 -> : send IKE packet [local IP address]:500 -> [remote 
IP address]:500 ( 120 bytes )
10/10/04 16:06:37 DB : config resend event scheduled ( ref count = 2 )
10/10/04 16:06:37 <- : recv IKE packet [remote IP address]:500 -> [local 
IP address]:500 ( 76 bytes )
10/10/04 16:06:37 DB : phase1 found
10/10/04 16:06:37 ii : processing config packet ( 76 bytes )
10/10/04 16:06:37 DB : config found
10/10/04 16:06:37 == : new config iv ( 16 bytes )
10/10/04 16:06:37 =< : cookies 68615ac843264076:8b41639c4cae3b4f
10/10/04 16:06:37 =< : message d3063c03
10/10/04 16:06:37 =< : decrypt iv ( 16 bytes )
10/10/04 16:06:37 == : decrypt packet ( 76 bytes )
10/10/04 16:06:37 <= : trimmed packet padding ( 12 bytes )
10/10/04 16:06:37 <= : stored iv ( 16 bytes )
10/10/04 16:06:37 << : hash payload
10/10/04 16:06:37 << : attribute payload
10/10/04 16:06:37 == : configure hash_i ( computed ) ( 20 bytes )
10/10/04 16:06:37 == : configure hash_c ( computed ) ( 20 bytes )
10/10/04 16:06:37 ii : configure hash verified
10/10/04 16:06:37 ii : received xauth result -
10/10/04 16:06:37 ii : user test test authentication succeeded
10/10/04 16:06:37 ii : sending xauth acknowledge
10/10/04 16:06:37 >> : hash payload
10/10/04 16:06:37 >> : attribute payload
10/10/04 16:06:37 == : new configure hash ( 20 bytes )
10/10/04 16:06:37 >= : cookies 68615ac843264076:8b41639c4cae3b4f
10/10/04 16:06:37 >= : message d3063c03
10/10/04 16:06:37 >= : encrypt iv ( 16 bytes )
10/10/04 16:06:37 == : encrypt packet ( 60 bytes )
10/10/04 16:06:37 == : stored iv ( 16 bytes )
10/10/04 16:06:37 DB : config resend event canceled ( ref count = 1 )
10/10/04 16:06:37 -> : send IKE packet [local IP address]:500 -> [remote 
IP address]:500 ( 88 bytes )
10/10/04 16:06:37 DB : config resend event scheduled ( ref count = 2 )
10/10/04 16:06:37 ii : building config attribute list
10/10/04 16:06:37 ii : - IP4 Address
10/10/04 16:06:37 ii : - Address Expiry
10/10/04 16:06:37 ii : - IP4 Netamask
10/10/04 16:06:37 ii : - IP4 DNS Server
10/10/04 16:06:37 ii : - IP4 WINS Server
10/10/04 16:06:37 ii : sending config push acknowledge
10/10/04 16:06:37 >> : hash payload
10/10/04 16:06:37 >> : attribute payload
10/10/04 16:06:37 == : new configure hash ( 20 bytes )
10/10/04 16:06:37 >= : cookies 68615ac843264076:8b41639c4cae3b4f
10/10/04 16:06:37 >= : message d3063c03
10/10/04 16:06:37 >= : encrypt iv ( 16 bytes )
10/10/04 16:06:37 == : encrypt packet ( 80 bytes )
10/10/04 16:06:37 == : stored iv ( 16 bytes )
10/10/04 16:06:37 DB : config resend event canceled ( ref count = 1 )
10/10/04 16:06:37 -> : send IKE packet [local IP address]:500 -> [remote 
IP address]:500 ( 120 bytes )
10/10/04 16:06:37 DB : config resend event scheduled ( ref count = 2 )
10/10/04 16:06:42 -> : resend 1 config packet(s) [local IP address]:500 
-> [remote IP address]:500
10/10/04 16:06:47 -> : resend 1 config packet(s) [local IP address]:500 
-> [remote IP address]:500
10/10/04 16:06:52 DB : phase1 found
10/10/04 16:06:52 ii : sending peer DPDV1-R-U-THERE notification
10/10/04 16:06:52 ii : - [local IP address]:500 -> [remote IP address]:500
10/10/04 16:06:52 ii : - isakmp spi = 68615ac843264076:8b41639c4cae3b4f
10/10/04 16:06:52 ii : - data size 4
10/10/04 16:06:52 >> : hash payload
10/10/04 16:06:52 >> : notification payload
10/10/04 16:06:52 == : new informational hash ( 20 bytes )
10/10/04 16:06:52 == : new informational iv ( 16 bytes )
10/10/04 16:06:52 >= : cookies 68615ac843264076:8b41639c4cae3b4f
10/10/04 16:06:52 >= : message 947d53a5
10/10/04 16:06:52 >= : encrypt iv ( 16 bytes )
10/10/04 16:06:52 == : encrypt packet ( 84 bytes )
10/10/04 16:06:52 == : stored iv ( 16 bytes )
10/10/04 16:06:52 -> : send IKE packet [local IP address]:500 -> [remote 
IP address]:500 ( 120 bytes )
10/10/04 16:06:52 ii : DPD ARE-YOU-THERE sequence 3cb10f3b requested
10/10/04 16:06:52 -> : resend 1 config packet(s) [local IP address]:500 
-> [remote IP address]:500
10/10/04 16:06:52 <- : recv IKE packet [remote IP address]:500 -> [local 
IP address]:500 ( 92 bytes )
10/10/04 16:06:52 DB : phase1 found
10/10/04 16:06:52 ii : processing informational packet ( 92 bytes )
10/10/04 16:06:52 == : new informational iv ( 16 bytes )
10/10/04 16:06:52 =< : cookies 68615ac843264076:8b41639c4cae3b4f
10/10/04 16:06:52 =< : message 13cdc54c
10/10/04 16:06:52 =< : decrypt iv ( 16 bytes )
10/10/04 16:06:52 == : decrypt packet ( 92 bytes )
10/10/04 16:06:52 <= : trimmed packet padding ( 8 bytes )
10/10/04 16:06:52 <= : stored iv ( 16 bytes )
10/10/04 16:06:52 << : hash payload
10/10/04 16:06:52 << : notification payload
10/10/04 16:06:52 == : informational hash_i ( computed ) ( 20 bytes )
10/10/04 16:06:52 == : informational hash_c ( received ) ( 20 bytes )
10/10/04 16:06:52 ii : informational hash verified
10/10/04 16:06:52 ii : received peer DPDV1-R-U-THERE-ACK notification
10/10/04 16:06:52 ii : - [remote IP address]:500 -> [local IP address]:500
10/10/04 16:06:52 ii : - isakmp spi = 68615ac843264076:8b41639c4cae3b4f
10/10/04 16:06:52 ii : - data size 4
10/10/04 16:06:52 ii : DPD ARE-YOU-THERE-ACK sequence 3cb10f3b accepted
10/10/04 16:06:52 ii : next tunnel DPD request in 15 secs for peer 
[remote IP address]:500
10/10/04 16:06:57 ii : resend limit exceeded for config exchange
10/10/04 16:06:57 DB : config deleted ( obj count = 0 )
10/10/04 16:07:07 DB : phase1 found
10/10/04 16:07:07 ii : sending peer DPDV1-R-U-THERE notification
10/10/04 16:07:07 ii : - [local IP address]:500 -> [remote IP address]:500
10/10/04 16:07:07 ii : - isakmp spi = 68615ac843264076:8b41639c4cae3b4f
10/10/04 16:07:07 ii : - data size 4
10/10/04 16:07:07 >> : hash payload
10/10/04 16:07:07 >> : notification payload
10/10/04 16:07:07 == : new informational hash ( 20 bytes )
10/10/04 16:07:07 == : new informational iv ( 16 bytes )
10/10/04 16:07:07 >= : cookies 68615ac843264076:8b41639c4cae3b4f
10/10/04 16:07:07 >= : message 03607079
10/10/04 16:07:07 >= : encrypt iv ( 16 bytes )
10/10/04 16:07:07 == : encrypt packet ( 84 bytes )
10/10/04 16:07:07 == : stored iv ( 16 bytes )
10/10/04 16:07:07 -> : send IKE packet [local IP address]:500 -> [remote 
IP address]:500 ( 120 bytes )
10/10/04 16:07:07 ii : DPD ARE-YOU-THERE sequence 3cb10f3c requested
10/10/04 16:07:07 <- : recv IKE packet [remote IP address]:500 -> [local 
IP address]:500 ( 92 bytes )
10/10/04 16:07:07 DB : phase1 found
10/10/04 16:07:07 ii : processing informational packet ( 92 bytes )
10/10/04 16:07:07 == : new informational iv ( 16 bytes )
10/10/04 16:07:07 =< : cookies 68615ac843264076:8b41639c4cae3b4f
10/10/04 16:07:07 =< : message d6e7d03e
10/10/04 16:07:07 =< : decrypt iv ( 16 bytes )
10/10/04 16:07:07 == : decrypt packet ( 92 bytes )
10/10/04 16:07:07 <= : trimmed packet padding ( 8 bytes )
10/10/04 16:07:07 <= : stored iv ( 16 bytes )
10/10/04 16:07:07 << : hash payload
10/10/04 16:07:07 << : notification payload
10/10/04 16:07:07 == : informational hash_i ( computed ) ( 20 bytes )
10/10/04 16:07:07 == : informational hash_c ( received ) ( 20 bytes )
10/10/04 16:07:07 ii : informational hash verified
10/10/04 16:07:07 ii : received peer DPDV1-R-U-THERE-ACK notification
10/10/04 16:07:07 ii : - [remote IP address]:500 -> [local IP address]:500
10/10/04 16:07:07 ii : - isakmp spi = 68615ac843264076:8b41639c4cae3b4f
10/10/04 16:07:07 ii : - data size 4
10/10/04 16:07:07 ii : DPD ARE-YOU-THERE-ACK sequence 3cb10f3c accepted
10/10/04 16:07:07 ii : next tunnel DPD request in 15 secs for peer 
[remote IP address]:500


Thanks!
Zigmunds
On 10/1/2010 9:15 PM, Matthew Grooms wrote:
> On 9/29/2010 5:30 AM, Zigmunds Vītiņš wrote:
>>
>>
>> Hello,
>>
>> at this moment all clients can successfully use NetscreenRemote, but
>> one PC is running Windows 7, and for this PC I plan to use the ShrewSoft VPN client.
>>
>
> Looks like you have the PFS DH group set to 5 on your Netscreen and 
> PFS set to group 2 on the Shrew Soft client. That could cause an 
> issue. My guess is that if you look at the VPN Trace debug log output, 
> the client is trying to negotiate a phase2 IPsec SA, but it's being 
> rejected by the gateway.
>
> http://www.shrew.net/support/wiki/BugReportVpnWindows
>
> -Matthew
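A small triage script for traces like the one posted above, written here as an added example (it is not code from the thread or from Shrew Soft): it parses the iked.log records, notes which stage the negotiation reached, and flags exhausted retransmissions such as the config exchange in this trace, which stalls before any phase2 proposal is sent. The record layout is read off the log above; the phase2 milestone wording and the sample addresses are assumptions.

```python
# Summarise a Shrew Soft iked.log trace into the stage it reached.
# Added example, not from the thread or Shrew Soft; record layout
# (date, time, two-char tag, ' : ', text) is read off the log above.
import re
from collections import Counter

LINE_RE = re.compile(r"^(\S+ \S+) (\S{2}) : (.*)$")

# Milestones in order; the phase2 wording is assumed by analogy with phase1.
MILESTONES = [
    ("phase1", "phase1 sa established"),
    ("xauth", "authentication succeeded"),
    ("config", "sending config push acknowledge"),
    ("phase2", "phase2 sa established"),
]

# Constructed excerpt shaped like the posted trace (addresses are placeholders).
SAMPLE_LOG = """\
10/10/04 16:06:37 DB : exchange type is aggressive
10/10/04 16:06:37 ii : - dh group     = modp-1536
10/10/04 16:06:37 ii : - auth type    = xauth-initiator-psk
10/10/04 16:06:37 ii : phase1 sa established
10/10/04 16:06:37 ii : user test test authentication succeeded
10/10/04 16:06:37 ii : sending config push acknowledge
10/10/04 16:06:42 -> : resend 1 config packet(s) 10.0.0.2:500 -> 198.51.100.1:500
10/10/04 16:06:47 -> : resend 1 config packet(s) 10.0.0.2:500 -> 198.51.100.1:500
10/10/04 16:06:52 ii : DPD ARE-YOU-THERE-ACK sequence 3cb10f3b accepted
10/10/04 16:06:57 ii : resend limit exceeded for config exchange
"""

def parse(log_text):
    """Yield (time, tag, message) per record; mail-wrapped or blank lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3)

def summarise(log_text):
    """Reached milestones, negotiated parameters, resend counts, first missing milestone."""
    reached, params, failures = set(), {}, []
    resends = Counter()
    for _, _, msg in parse(log_text):
        for name, needle in MILESTONES:
            if needle in msg:
                reached.add(name)
        if msg.startswith("- ") and "=" in msg:        # '- dh group = modp-1536'
            key, _, val = msg[2:].partition("=")
            params[key.strip()] = val.strip()
        if msg.startswith("resend ") and "packet" in msg:
            resends[msg.split()[2]] += 1                # 'resend 1 config packet(s)'
        if "resend limit exceeded" in msg:
            failures.append(msg)
    stalled = next((n for n, _ in MILESTONES if n not in reached), None)
    return {"reached": sorted(reached), "params": params, "resends": dict(resends),
            "failures": failures, "stalled_at": stalled}
```

Run it over a real iked.log and compare `stalled_at` and `failures` on the client with the gateway's own IKE event log for the same timestamps.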
