[vpn-help] SAs expire immediately, connecting to Juniper SSG via Shrew
Tim Keane
tim.keane at vitac.com
Thu Dec 15 12:52:47 CST 2011
Kevin VPN <kvpn at ...> writes:
>
> On 12/08/2011 03:18 PM, Tim Keane wrote:
> >
> > Yes, I am seeing the 'completed negotiations' message in the Juniper
> > event log. The lifetime of 3600 s / 0 KB matches the parameters in the
> > Shrew client's configuration.
> >
> > I've been examining the debug ike output, but I'm pretty much seeing the same
> > thing. The connection seems to be made, the Shrew client continues to send
> > Phase2 packets, eventually hitting its resend limit, at which point it
> > sends a peer delete message.
> >
>
> Are you using a policy-based or route-based VPN on the Juniper? Have
> you also done flow filters and/or snoops in conjunction with the debug ike?
>
> If you want, you can send me the get db str output and I can take a look
> at it (feel free to anonymize IPs/usernames).
>
I think I figured this out. One line in my Juniper configuration seems to have
been preventing the remote VPN connection:
set ike responder-set-commit
After removing that line from my config, I can successfully make remote
connections. Thanks to Kevin for leading me down the right path.
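Editor's note, not part of Tim's or Kevin's messages: the thread does not say what `set ike responder-set-commit` does on the wire. My understanding of the ScreenOS option is that it makes the gateway, when acting as the Phase 2 responder, set the Commit bit (0x02) in the ISAKMP header of its Quick Mode reply, so that the initiator is expected to send a CONNECTED notify before the responder treats the new SA as usable; a client that ignores the bit keeps retransmitting Phase 2 until it gives up, which is consistent with the symptom above. The Python below is an added example that parses the fixed ISAKMP header (RFC 2408 section 3.1) and reports whether a Quick Mode reply is asking for that CONNECTED notify. All message bytes, cookies and the message ID are constructed for the example, not captured from a Juniper or the Shrew client, and the function names are mine.

```python
"""Added example: inspect the Flags octet of an ISAKMP header (RFC 2408 s.3.1).

The mapping of ScreenOS `set ike responder-set-commit` to the Commit bit is the
editor's understanding of the option, not something stated in the thread.
All message bytes below are constructed for the example, not captured traffic.
"""
import struct
from dataclasses import dataclass

# cookies, next payload, version, exchange type, flags, message id, length
ISAKMP_HDR_FMT = "!8s8sBBBBII"
ISAKMP_HDR_LEN = struct.calcsize(ISAKMP_HDR_FMT)   # 28 octets

FLAG_ENCRYPTION = 0x01   # payloads after the header are encrypted
FLAG_COMMIT = 0x02       # sender wants a CONNECTED notify before using the SA
FLAG_AUTH_ONLY = 0x04
RESERVED_FLAG_MASK = 0xFF ^ (FLAG_ENCRYPTION | FLAG_COMMIT | FLAG_AUTH_ONLY)

EXCH_QUICK_MODE = 32     # IKEv1 Quick Mode (RFC 2409 appendix A)
VERSION_1_0 = 0x10       # major 1, minor 0


@dataclass(frozen=True)
class IsakmpHeader:
    initiator_cookie: bytes
    responder_cookie: bytes
    next_payload: int
    version: int
    exchange_type: int
    flags: int
    message_id: int
    length: int

    @property
    def encrypted(self) -> bool:
        return bool(self.flags & FLAG_ENCRYPTION)

    @property
    def commit(self) -> bool:
        return bool(self.flags & FLAG_COMMIT)


def build_isakmp_header(initiator_cookie: bytes, responder_cookie: bytes,
                        exchange_type: int, flags: int, message_id: int,
                        payload_len: int, next_payload: int = 8) -> bytes:
    """Serialize a 28-octet ISAKMP header; Length covers header plus payloads."""
    if len(initiator_cookie) != 8 or len(responder_cookie) != 8:
        raise ValueError("cookies must be 8 octets")
    return struct.pack(ISAKMP_HDR_FMT, initiator_cookie, responder_cookie,
                       next_payload, VERSION_1_0, exchange_type, flags,
                       message_id, ISAKMP_HDR_LEN + payload_len)


def parse_isakmp_header(data: bytes) -> IsakmpHeader:
    """Parse and sanity-check the fixed header of an ISAKMP message."""
    if len(data) < ISAKMP_HDR_LEN:
        raise ValueError("truncated ISAKMP header")
    hdr = IsakmpHeader(*struct.unpack(ISAKMP_HDR_FMT, data[:ISAKMP_HDR_LEN]))
    if hdr.version >> 4 != 1:
        raise ValueError(f"unexpected ISAKMP major version {hdr.version >> 4}")
    if hdr.flags & RESERVED_FLAG_MASK:
        raise ValueError(f"reserved flag bits set: 0x{hdr.flags:02x}")
    if hdr.length < ISAKMP_HDR_LEN or hdr.length > len(data):
        raise ValueError("Length field does not match message size")
    return hdr


def responder_requires_connected(hdr: IsakmpHeader) -> bool:
    """True when a Quick Mode reply carries the Commit bit, i.e. the responder
    will not use the new SA until the initiator sends a CONNECTED notify."""
    return hdr.exchange_type == EXCH_QUICK_MODE and hdr.commit


# Constructed Quick Mode replies (header plus stand-in bytes for the encrypted payload).
SAMPLE_ICK = b"\x01\x02\x03\x04\x05\x06\x07\x08"
SAMPLE_RCK = b"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8"
SAMPLE_PAYLOAD = b"\x00" * 20

# Gateway with `set ike responder-set-commit` in its config: Encryption + Commit bits.
REPLY_WITH_COMMIT = build_isakmp_header(
    SAMPLE_ICK, SAMPLE_RCK, EXCH_QUICK_MODE, FLAG_ENCRYPTION | FLAG_COMMIT,
    0x1234ABCD, len(SAMPLE_PAYLOAD)) + SAMPLE_PAYLOAD
# Same gateway with that line removed: Encryption bit only.
REPLY_WITHOUT_COMMIT = build_isakmp_header(
    SAMPLE_ICK, SAMPLE_RCK, EXCH_QUICK_MODE, FLAG_ENCRYPTION,
    0x1234ABCD, len(SAMPLE_PAYLOAD)) + SAMPLE_PAYLOAD


if __name__ == "__main__":
    for label, msg in (("responder-set-commit on", REPLY_WITH_COMMIT),
                       ("responder-set-commit off", REPLY_WITHOUT_COMMIT)):
        h = parse_isakmp_header(msg)
        print(f"{label}: flags=0x{h.flags:02x} commit={h.commit} "
              f"initiator must send CONNECTED={responder_requires_connected(h)}")
```

If you are looking at `debug ike` or a packet capture of a failing Phase 2, the Flags octet of the gateway's Quick Mode reply is the thing to check: with the commit bit set, the responder is waiting for a notify that the client may never send, so the SA looks negotiated in the event log but is never used.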