[vpn-help] Shrew soft VPN client configuration for juniper SSG

Zigmunds Vītiņš zvitins at tcp.lv
Wed Sep 29 05:30:09 CDT 2010



Hello,

At this moment all clients can successfully use NetscreenRemote, but one PC runs Windows 7, and for this PC I plan to use the ShrewSoft VPN client.

The configuration on NetscreenRemote is:

Connection security: secure
Remote Party Identity ...
ID Type: IP subnet
subnet: 10.200.0.0
mask: 255.255.255.0
Protocol: all
use: Secure Gateway Tunnel
ID type: IP address
x.x.x.x
My Identity
ID Type: e-mail address
email at netscreen.lv

Security Policy

aggressive mode
Enable PFS
DH group 5

phase1
Preshared Key; Extended Authentication

Encrypt alg: AES-256
Hash alg: sha-1
sa life: unspecified

Key group: DH group5

phase2
sa life: unspecified
ESP
Encrypt alg: AES-256
Hash alg: sha-1
Encapsulation: Tunnel

On the ShrewSoft VPN client I configure:

n:version:2
n:network-ike-port:500
n:network-mtu-size:1380
n:client-addr-auto:1
n:network-natt-port:4500
n:network-natt-rate:15
n:network-frag-size:540
n:network-dpd-enable:1
n:client-banner-enable:1
n:network-notify-enable:1
n:client-wins-used:1
n:client-wins-auto:1
n:client-dns-used:1
n:client-dns-auto:1
n:client-splitdns-used:1
n:client-splitdns-auto:1
n:phase1-dhgroup:5
n:phase1-keylen:256
n:phase1-life-secs:28800
n:phase1-life-kbytes:0
n:vendor-chkpt-enable:0
n:phase2-keylen:256
n:phase2-life-secs:3600
n:phase2-life-kbytes:0
n:policy-nailed:1
n:policy-list-auto:0
s:client-saved-username:test test
s:network-host:1.1.1.1
s:client-auto-mode:push
s:client-iface:virtual
s:network-natt-mode:enable
s:network-frag-mode:enable
s:auth-method:mutual-psk-xauth
s:ident-client-type:ufqdn
s:ident-server-type:any
s:ident-client-data:email at netscreen.lv
b:auth-mutual-psk:xxxxxx
s:phase1-exchange:aggressive
s:phase1-cipher:aes
s:phase1-hash:sha1
s:phase2-transform:esp-aes
s:phase2-hmac:sha1
s:ipcomp-transform:disabled
n:phase2-pfsgroup:2
s:policy-level:require
s:policy-list-include:10.200.0.0 / 255.255.255.0

In the Juniper SSG logs I can see:

IKE 2.2.2.2: XAuth login was passed for gateway RemoteAccess, username test test, retry: 0, Client IP Addr 0.0.0.0, IPPool name: , Session-Timeout: 0s, Idle-Timeout: 0s.
IKE 2.2.2.2: XAuth login was refreshed for username test test at 0.0.0.0/0.0.0.0.
Rejected an IKE packet on ethernet0/0 from 2.2.2.2:500 to 1.1.1.1:500 with cookies 0b6fbe51fb380f32 and da0394185ea91f60 because A Phase 2 packet arrived while XAuth was still pending.
IKE 2.2.2.2 Phase 1: Completed Aggressive mode negotiations with a 28800-second lifetime.

As I understand it, phase 2 doesn't start.
In Domain Controller security logs, I see that authentication was successful for user test test.

What should I change in the ShrewSoft configuration to make this VPN client work?

Many Thanks.

Zigmunds
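When two IKE peers are configured by hand on different products, the quickest sanity check is to parse the client profile and diff it against the policy the gateway side is known to use. The script below is an added example (not part of the original post, and not Shrew Soft's or Juniper's code): it parses the Shrew Soft profile format quoted above (`type:key:value` lines, where `n` is numeric, `s` is a string and `b` is binary; treating `b` values as opaque strings is an assumption made here), compares the IKE settings against the NetscreenRemote settings the post lists (aggressive mode, PSK with XAuth, AES-256/SHA-1, DH group 5, PFS with DH group 5), and masks the pre-shared key before the profile is pasted anywhere. On the constructed subset of the post's profile it reports `phase2-pfsgroup` as 2 where the gateway policy says DH group 5; the post does not establish whether that is what stops phase 2, so treat it as one discrepancy to verify, not a diagnosis.

```python
"""Parse a Shrew Soft VPN profile export and compare it with a known IKE policy.
Constructed example for illustration; not code from the original post."""
from typing import Dict, List, Optional, Tuple, Union

Value = Union[int, str]

# Constructed sample: a subset of the profile quoted in the post, PSK already masked.
PROFILE = """\
n:version:2
n:phase1-dhgroup:5
n:phase1-keylen:256
n:phase2-keylen:256
s:client-saved-username:test test
s:auth-method:mutual-psk-xauth
s:ident-client-type:ufqdn
b:auth-mutual-psk:xxxxxx
s:phase1-exchange:aggressive
s:phase1-cipher:aes
s:phase1-hash:sha1
s:phase2-transform:esp-aes
s:phase2-hmac:sha1
n:phase2-pfsgroup:2
s:policy-list-include:10.200.0.0 / 255.255.255.0
"""

# The NetscreenRemote side as described in the post, expressed with Shrew Soft key
# names: aggressive mode, PSK + XAuth, AES-256/SHA-1, DH group 5 for phase 1 and
# PFS with DH group 5 for phase 2.
EXPECTED: Dict[str, Value] = {
    "phase1-exchange": "aggressive",
    "auth-method": "mutual-psk-xauth",
    "phase1-dhgroup": 5,
    "phase1-cipher": "aes",
    "phase1-keylen": 256,
    "phase1-hash": "sha1",
    "phase2-transform": "esp-aes",
    "phase2-keylen": 256,
    "phase2-hmac": "sha1",
    "phase2-pfsgroup": 5,
}

# Keys whose values must never leave the machine in clear text.
SECRET_KEYS = ("auth-mutual-psk",)


def parse_profile(text: str) -> Dict[str, Value]:
    """Parse <type>:<key>:<value> lines. 'n' values become ints, 's' values stay
    strings, and 'b' values (base64 binary in real exports) are kept as opaque
    strings, which is an assumption made for this example."""
    profile: Dict[str, Value] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)  # the value itself may contain ':'
        if len(parts) != 3 or parts[0] not in ("n", "s", "b"):
            raise ValueError(f"line {lineno}: malformed entry {raw!r}")
        kind, key, value = parts
        if kind == "n":
            if not value.lstrip("-").isdigit():
                raise ValueError(f"line {lineno}: {key} is not numeric: {value!r}")
            profile[key] = int(value)
        else:
            profile[key] = value
    return profile


def check_profile(
    profile: Dict[str, Value], expected: Dict[str, Value]
) -> List[Tuple[str, Optional[Value], Value]]:
    """Return (key, got, want) for every expected key that is missing or differs."""
    return [
        (key, profile.get(key), want)
        for key, want in expected.items()
        if profile.get(key) != want
    ]


def redact(text: str) -> str:
    """Mask secret entries so the profile can be shared without leaking the PSK."""
    out = []
    for raw in text.splitlines():
        parts = raw.split(":", 2)
        if len(parts) == 3 and parts[1] in SECRET_KEYS:
            out.append(f"{parts[0]}:{parts[1]}:<redacted>")
        else:
            out.append(raw)
    return "\n".join(out)


if __name__ == "__main__":
    for key, got, want in check_profile(parse_profile(PROFILE), EXPECTED):
        print(f"{key}: profile has {got!r}, gateway policy expects {want!r}")
```

Run it against a full exported profile instead of the embedded subset by replacing `PROFILE` with the file contents; the expected table is the part to adapt to your own gateway's policy, and `redact` should be applied to anything that gets posted to a list.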






