[vpn-help] SAs expire immediately, connecting to Juniper SSG via Shrew
Kevin VPN
kvpn at live.com
Thu Dec 1 21:15:25 CST 2011
On 11/21/2011 05:05 PM, Tim Keane wrote:
> Kevin VPN<kvpn at ...> writes:
>>
>> Double-check your Phase 2, proxy and/or policy settings to be sure they
>> are the same on both the client and gateway.
>>
>
> I've double-checked them, and I can't find any discrepancy. If I watch the
> Security Associations tab of the VPN Trace utility, I see two mature SAs
> momentarily displayed. The logs of the Juniper seem to indicate that it's happy
> with the completion of the VPN tunnel as well. I think my phase2 parameters
> have to match, because the tunnel is up for a moment.
>
> Any help with this would be much appreciated. It's currently holding up our VPN
> rollout, because I'd much rather get Shrew working than pay NCP's exorbitant
> prices for a client. Thanks for anyone's help with this!
>
>
> Here is the part of the log in question:
>
...
> 11/11/21 16:25:27<- : recv IKE packet 1.2.3.8:500 -> 1.2.3.112:500 ( 76 bytes )
> 11/11/21 16:25:27 DB : phase1 found
> 11/11/21 16:25:27 ii : processing phase2 packet ( 76 bytes )
> 11/11/21 16:25:27 DB : phase2 found
> 11/11/21 16:25:27 !! : phase2 packet ignored, resending last packet ( phase2
> already mature )
> 11/11/21 16:25:27 -> : resend 1 phase2 packet(s) [0/2] 1.2.3.112:500 ->
> 1.2.3.8:500
> 11/11/21 16:25:27<- : recv IKE packet 1.2.3.8:500 -> 1.2.3.112:500 ( 76 bytes )
> 11/11/21 16:25:27 DB : phase1 found
> 11/11/21 16:25:27 ii : processing phase2 packet ( 76 bytes )
> 11/11/21 16:25:27 DB : phase2 found
> 11/11/21 16:25:27 !! : phase2 packet ignored, resending last packet ( phase2
> already mature )
> 11/11/21 16:25:27 -> : resend 1 phase2 packet(s) [1/2] 1.2.3.112:500 ->
> 1.2.3.8:500
> 11/11/21 16:25:27<- : recv IKE packet 1.2.3.8:500 -> 1.2.3.112:500 ( 76 bytes )
> 11/11/21 16:25:27 DB : phase1 found
> 11/11/21 16:25:27 ii : processing phase2 packet ( 76 bytes )
> 11/11/21 16:25:27 DB : phase2 found
> 11/11/21 16:25:27 !! : phase2 packet ignored, resending last packet ( phase2
> already mature )
> 11/11/21 16:25:27 -> : resend 1 phase2 packet(s) [2/2] 1.2.3.112:500 ->
> 1.2.3.8:500
> 11/11/21 16:25:27 K< : recv pfkey UPDATE ESP message
> 11/11/21 16:25:27<- : recv IKE packet 1.2.3.8:500 -> 1.2.3.112:500 ( 76 bytes )
> 11/11/21 16:25:27 DB : phase1 found
> 11/11/21 16:25:27 ii : processing phase2 packet ( 76 bytes )
> 11/11/21 16:25:27 DB : phase2 found
> 11/11/21 16:25:27 !! : phase2 packet ignored, resending last packet ( phase2
> already mature )
> 11/11/21 16:25:27 ii : resend limit exceeded for phase2 exchange
> 11/11/21 16:25:27 DB : phase2 soft event canceled ( ref count = 2 )
> 11/11/21 16:25:27 DB : phase2 hard event canceled ( ref count = 1 )
> 11/11/21 16:25:27 DB : phase1 found
> 11/11/21 16:25:27 ii : sending peer DELETE message
>
This phase2 loop suggests to me that something still isn't right with
phase2.
You say you're using Juniper and can see the logs. Does it report a
"completed negotiations" message in the event log? It will list the
lifetime so you can see if it matches what Shrew reports.
There's also a 'debug ike' command you can run at the CLI that may also
shed some light on things.
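As an added example (not from this thread or from the Shrew project), a small Python triage script that parses Shrew VPN Trace lines of the form quoted above and counts the markers of this loop: the repeated "phase2 already mature" rejections, the resends, the resend-limit event and the DELETE, next to the pfkey UPDATE that shows the kernel did briefly install the ESP SA. The sample log is constructed from the excerpt, and the line-format regex is my assumption about the trace layout.

```python
import re
from collections import Counter

# Constructed sample, modelled on the Shrew VPN Trace excerpt quoted in the
# thread (mail-wrapped lines are joined back into single trace lines).
SAMPLE_LOG = """\
11/11/21 16:25:27 <- : recv IKE packet 1.2.3.8:500 -> 1.2.3.112:500 ( 76 bytes )
11/11/21 16:25:27 ii : processing phase2 packet ( 76 bytes )
11/11/21 16:25:27 DB : phase2 found
11/11/21 16:25:27 !! : phase2 packet ignored, resending last packet ( phase2 already mature )
11/11/21 16:25:27 -> : resend 1 phase2 packet(s) [0/2] 1.2.3.112:500 -> 1.2.3.8:500
11/11/21 16:25:27<- : recv IKE packet 1.2.3.8:500 -> 1.2.3.112:500 ( 76 bytes )
11/11/21 16:25:27 !! : phase2 packet ignored, resending last packet ( phase2 already mature )
11/11/21 16:25:27 -> : resend 1 phase2 packet(s) [1/2] 1.2.3.112:500 -> 1.2.3.8:500
11/11/21 16:25:27 K< : recv pfkey UPDATE ESP message
11/11/21 16:25:27 !! : phase2 packet ignored, resending last packet ( phase2 already mature )
11/11/21 16:25:27 ii : resend limit exceeded for phase2 exchange
11/11/21 16:25:27 ii : sending peer DELETE message
"""

# Assumed trace layout: "<date> <time> <tag> : <message>"; the tag may be glued to the time.
LINE_RE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s*(\S+)\s*:\s*(.*)$")
PEER_RE = re.compile(r"recv IKE packet (\S+) ->")

def parse_trace(text):
    """Yield (timestamp, tag, message) for each well-formed trace line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groups()

def diagnose_phase2_loop(text):
    """Count the markers of the 'phase2 already mature' retransmit loop."""
    c, peers = Counter(), set()
    for _ts, tag, msg in parse_trace(text):
        if "phase2 already mature" in msg:
            c["ignored_mature"] += 1          # peer keeps re-sending a phase2 packet we consider done
        elif tag == "->" and msg.startswith("resend") and "phase2" in msg:
            c["resends"] += 1                 # our replies to those retransmits
        elif "resend limit exceeded for phase2" in msg:
            c["limit_exceeded"] += 1
        elif "pfkey UPDATE ESP" in msg:
            c["esp_sa_installed"] += 1        # kernel SA was installed, i.e. tunnel was briefly up
        elif "sending peer DELETE" in msg:
            c["delete_sent"] += 1             # client tears the SA down again
        elif tag == "<-":
            peers.update(PEER_RE.findall(msg))
    looped = c["ignored_mature"] >= 2 and c["limit_exceeded"] > 0
    return {"peers": sorted(peers), "counts": dict(c), "phase2_loop": looped,
            "tunnel_torn_down": looped and c["delete_sent"] > 0}
```

When `phase2_loop` is set while `esp_sa_installed` is non-zero, both ends completed phase 2 locally but disagree on whether the exchange finished, which is the point at which to compare the phase 2 proposal, proxy IDs and lifetimes on the Juniper side as suggested above.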