[vpn-help] Verizon 4G

Mark Mondor mmondor at MDSIF.STATE.MD.US
Tue Jul 12 10:52:30 CDT 2011


I'm having trouble completing Phase 1 of an IPSec tunnel from a Shrew client v2.1.7 to a Juniper Netscreen 5gt configured as Mutual PSK + Xauth. NAT-T is enabled and the Exchange type is Aggressive, DH Group 2. A negotiation timeout occurs. This configuration works fine with other PCs that access the internet via NATing firewalls or a direct connection to the internet.


It doesn't work only with a Verizon 4G USB Modem (Pantech UML290) that creates a Local Area Connection on the PC with a private IP (10.x.x.x/30) and is somehow NATing to a public address in the Verizon network. From the IKE debug logs on the Netscreen I can see the IKE UDP:500 connection, and the Netscreen sends a response to the client's public address using the PATed 500 port, but the Shrew software never sees it and continues to resend the original request. Ex: ClientPublic:45213 -> NetscreenPublic:500, then NetscreenPublic:500 -> ClientPublic:45213.


I have the Shrew trace utility running in debug mode, and it just continues to resend the Phase 1 packets on port 500. The trace Firewall Rules tab shows the RECV DIVERT rule for the appropriate IP addresses, but it never gets any hits. I can see from Wireshark that the PC is receiving the packets from the Netscreen, and they include both initiator and responder cookies and the NAT-D payload, but for some reason the Shrew client doesn't acknowledge the packets.


Again, this is only a problem on the Verizon 4G network. Has anyone seen behavior like this or have any ideas?


Mark
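An added diagnostic example, not code from the original post or from Shrew Soft: a minimal IKEv1/ISAKMP parser (header layout per RFC 2408, NAT-D payload type per RFC 3947) that applies the checks Mark made by eye in Wireshark to a request/reply pair, so a reply that passes points the investigation below the IKE layer, at the divert rule or the port mapping. The REQUEST and REPLY messages are constructed samples with dummy payload bodies.

```python
import struct
# ISAKMP constants from RFC 2408 (header, exchange types) and RFC 3947 (NAT-D payload)
EXCHANGE_AGGRESSIVE = 4
NAT_D_TYPES = (20, 130)   # 20 per RFC 3947; 130 was used by the NAT-T drafts
HEADER_LEN = 28

def parse_isakmp(data):
    """Parse an IKEv1 ISAKMP message into header fields and the ordered list of payload types."""
    icookie, rcookie, nxt, _ver, exch, _flags, msg_id, length = struct.unpack(">8s8sBBBBII", data[:HEADER_LEN])
    if length != len(data):
        raise ValueError("length field %d does not match %d bytes" % (length, len(data)))
    payloads, offset = [], HEADER_LEN
    while nxt != 0:  # follow the generic payload chain: next-type, reserved, length, body
        if offset + 4 > len(data):
            raise ValueError("truncated payload header")
        following, _res, plen = struct.unpack(">BBH", data[offset:offset + 4])
        if plen < 4 or offset + plen > len(data):
            raise ValueError("bad payload length")
        payloads.append(nxt)
        nxt, offset = following, offset + plen
    return {"icookie": icookie, "rcookie": rcookie, "exchange": exch, "msg_id": msg_id, "payloads": payloads}

def check_phase1_reply(request, reply):
    """Return the reasons an initiator would discard this aggressive-mode reply (empty = acceptable)."""
    req, rep = parse_isakmp(request), parse_isakmp(reply)
    problems = []
    if rep["icookie"] != req["icookie"]:
        problems.append("initiator cookie mismatch")
    if rep["rcookie"] == b"\x00" * 8:
        problems.append("responder cookie is zero")
    if rep["exchange"] != EXCHANGE_AGGRESSIVE:
        problems.append("exchange type %d is not aggressive" % rep["exchange"])
    if not any(p in NAT_D_TYPES for p in rep["payloads"]):
        problems.append("no NAT-D payload, so NAT-T was not negotiated")
    return problems

def build_msg(icookie, rcookie, exch, payload_types):
    """Constructed sample message: real header layout, dummy 4-byte payload bodies."""
    body = b""
    for i in range(len(payload_types)):
        following = payload_types[i + 1] if i + 1 < len(payload_types) else 0
        body += struct.pack(">BBH", following, 0, 8) + b"\x00" * 4
    first = payload_types[0] if payload_types else 0
    hdr = struct.pack(">8s8sBBBBII", icookie, rcookie, first, 0x10, exch, 0, 0, HEADER_LEN + len(body))
    return hdr + body

# Constructed traffic modelled on the thread: client sends SA, KE, Nonce, ID, VID (1, 4, 10, 5, 13);
# the gateway answers with the same plus HASH (8) and two NAT-D (20) payloads
ICOOKIE = bytes(range(1, 9))
REQUEST = build_msg(ICOOKIE, b"\x00" * 8, EXCHANGE_AGGRESSIVE, [1, 4, 10, 5, 13])
REPLY = build_msg(ICOOKIE, b"\xaa" * 8, EXCHANGE_AGGRESSIVE, [1, 4, 10, 5, 8, 13, 20, 20])
```

To apply it to a real capture, replace REQUEST and REPLY with the UDP payload bytes exported from Wireshark for the outgoing and incoming port-500 datagrams.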
