[vpn-help] Client to NetScreen fails xauth when using static configuration

kevin vpn klmlk at hotmail.com
Tue Jan 4 09:41:23 CST 2011


Hi all,

I'm trying to configure Shrew and a NetScreen VPN in the following
manner:  I want to use a static client configuration and XAuth
together. 

Specifically I want to "Use a virtual adapter and assigned address" and
to NOT "Obtain Automatically".  I want to specify the Address and
Netmask manually (DNS too, but that does not seem to be an issue).
However, I also want to use XAuth so that I can use an external
directory for the users and passwords.  The NetScreen unfortunately
requires modecfg to be on when using XAuth, so I also have to set the
Auto Configuration in the Site config to "ike config push".

When I set this up, I cannot connect.  It looks like Shrew does not
like it when the NetScreen wants to proceed with client configuration
despite the fact that Shrew is already configured with an IP address.
The Shrew IKE log reports "user <username> authentication failed":

11/01/04 10:18:05 <- : recv IKE packet x.x.x.x:500 -> y.y.y.y:500 ( 76 bytes )
11/01/04 10:18:05 DB : phase1 found
11/01/04 10:18:05 DB : phase1 ref increment ( ref count = 4, obj count = 1 )
11/01/04 10:18:05 ii : processing config packet ( 76 bytes )
11/01/04 10:18:05 DB : config found
11/01/04 10:18:05 DB : config ref increment ( ref count = 2, obj count = 1 )
11/01/04 10:18:05 == : new config iv ( 16 bytes )
11/01/04 10:18:05 =< : cookies ed5ba4bd7d6e6dcd:ea9443aafff8c72b
11/01/04 10:18:05 =< : message 74e3fa6f
11/01/04 10:18:05 =< : decrypt iv ( 16 bytes )
11/01/04 10:18:05 == : decrypt packet ( 76 bytes )
11/01/04 10:18:05 <= : trimmed packet padding ( 16 bytes )
11/01/04 10:18:05 <= : stored iv ( 16 bytes )
11/01/04 10:18:05 << : hash payload
11/01/04 10:18:05 << : attribute payload
11/01/04 10:18:05 == : configure hash_i ( computed ) ( 16 bytes )
11/01/04 10:18:05 == : configure hash_c ( computed ) ( 16 bytes )
11/01/04 10:18:05 ii : configure hash verified
11/01/04 10:18:05 ii : received xauth result - 
11/01/04 10:18:05 !! : user bobjones authentication failed


As soon as I change in the Site configuration to "Obtain Automatically"
the Address and Netmask things work fine.  (The reason why I'm
configuring the clients manually is a long story and probably is not
relevant.)

Does anyone know a workaround or way to tell Shrew to simply ignore the
config parameters that the NetScreen is sending?

The Shrew client is 2.1.7 on WinXP SP3 and the NetScreen is running
6.2.0r7.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: iked-20110104-static-xauth-fail-sanitized.log
Type: text/x-log
Size: 17186 bytes
Desc: not available
URL: <https://lists.shrew.net/pipermail/vpn-help/attachments/20110104/b550a71b/attachment-0001.bin>
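As an added troubleshooting aid (not part of the original post and not Shrew Soft project code), here is a small Python parser for the iked log lines quoted above. The line layout it assumes (timestamp, short tag such as `ii`/`DB`/`!!`, colon, message) is inferred from the quoted excerpt only; the embedded sample is that excerpt with the mail-wrapped entries restored to one per line. It reduces a log to a short summary of the XAuth stage: whether the failure arrived inside the mode-config exchange, whether the config hash verified, what result text (if any) accompanied "received xauth result", and every `!!` error message.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the iked excerpt quoted in the post, re-split so
# that each log entry sits on its own line (the mail wrapping joined some).
SAMPLE_LOG = """\
11/01/04 10:18:05 <- : recv IKE packet x.x.x.x:500 -> y.y.y.y:500 ( 76 bytes )
11/01/04 10:18:05 DB : phase1 found
11/01/04 10:18:05 DB : phase1 ref increment ( ref count = 4, obj count = 1 )
11/01/04 10:18:05 ii : processing config packet ( 76 bytes )
11/01/04 10:18:05 DB : config found
11/01/04 10:18:05 DB : config ref increment ( ref count = 2, obj count = 1 )
11/01/04 10:18:05 == : new config iv ( 16 bytes )
11/01/04 10:18:05 =< : cookies ed5ba4bd7d6e6dcd:ea9443aafff8c72b
11/01/04 10:18:05 =< : message 74e3fa6f
11/01/04 10:18:05 =< : decrypt iv ( 16 bytes )
11/01/04 10:18:05 == : decrypt packet ( 76 bytes )
11/01/04 10:18:05 <= : trimmed packet padding ( 16 bytes )
11/01/04 10:18:05 <= : stored iv ( 16 bytes )
11/01/04 10:18:05 << : hash payload
11/01/04 10:18:05 << : attribute payload
11/01/04 10:18:05 == : configure hash_i ( computed ) ( 16 bytes )
11/01/04 10:18:05 == : configure hash_c ( computed ) ( 16 bytes )
11/01/04 10:18:05 ii : configure hash verified
11/01/04 10:18:05 ii : received xauth result -
11/01/04 10:18:05 !! : user bobjones authentication failed
"""

# Assumed line layout, inferred from the quoted lines only:
#   "<yy/mm/dd hh:mm:ss> <tag> : <message>"  with tags like ii, DB, !!, <-, ==
LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (\S+) : (.*)$")
XAUTH_RESULT_RE = re.compile(r"^received xauth result -\s*(.*)$")
AUTH_FAILED_RE = re.compile(r"^user (\S+) authentication failed$")


@dataclass
class LogEntry:
    timestamp: str
    tag: str
    message: str


def parse_iked_log(text: str) -> List[LogEntry]:
    """Parse iked log text; lines that do not match the assumed layout are skipped."""
    entries: List[LogEntry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(LogEntry(*m.groups()))
    return entries


@dataclass
class XauthSummary:
    config_packet_seen: bool = False    # gateway ran a mode-config exchange
    hash_verified: bool = False         # the config payload's hash checked out
    xauth_result: Optional[str] = None  # text after "received xauth result -"
    failed_user: Optional[str] = None   # user named in "authentication failed"
    errors: List[str] = field(default_factory=list)  # every "!!" message


def summarize_xauth(entries: List[LogEntry]) -> XauthSummary:
    """Walk the entries once and pick out the XAuth-relevant events."""
    s = XauthSummary()
    for e in entries:
        if e.tag == "!!":
            s.errors.append(e.message)
        if e.message.startswith("processing config packet"):
            s.config_packet_seen = True
        elif e.message == "configure hash verified":
            s.hash_verified = True
        m = XAUTH_RESULT_RE.match(e.message)
        if m:
            s.xauth_result = m.group(1)  # empty string if the gateway sent no text
        m = AUTH_FAILED_RE.match(e.message)
        if m:
            s.failed_user = m.group(1)
    return s


def diagnose(s: XauthSummary) -> str:
    """One-line verdict on the XAuth stage, suitable for a triage script."""
    if s.failed_user is None:
        return "no XAuth failure recorded"
    where = "inside the mode-config exchange" if s.config_packet_seen else "outside mode-config"
    integrity = "config hash verified" if s.hash_verified else "config hash NOT verified"
    return (f"XAuth failed for user {s.failed_user} {where} ({integrity}); "
            f"gateway result text: {s.xauth_result!r}")


if __name__ == "__main__":
    print(diagnose(summarize_xauth(parse_iked_log(SAMPLE_LOG))))
```

Pointed at a full iked log instead of the excerpt, the summary tells you whether the failure lands in the config-push phase (as it does here, with the hash verified and an empty result string), which is the first thing to compare against the gateway's own authentication log when an external directory is in the path.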

