[vpn-help] Simple shrew dialup vpn user with SSG-140 does not work - Please Help

Francisco Javier Morales López de Gamarra fmorales_htw at hotmail.com
Mon Jun 27 02:29:17 CDT 2011


Hi, I am trying to setup a simple dial-up vpn user with shrew and Juniper SSG-140 using the tutorial 
 
http://www.shrew.net/support/wiki/HowtoJuniperSsg
 

but it does not work.
 

I always get the following error:

2011-06-27 09:15:45 info IKE<88.xxxxxxxx>: XAuth login was aborted for gateway <vpnclient_gateway>, username <joe>, retry: 0. 
2011-06-27 09:15:39 info Rejected an IKE packet on ethernet0/9 from 88.xxxxxxxx:58125 to 62.XXx.XXX.XXX:4500 with cookies 429c1915bb026bce and c125368ff8ef5fb4 because a Phase 2 packet arrived while XAuth was still pending. 
2011-06-27 09:15:39 info IKE<88.2.163.210> Phase 1: Completed Aggressive mode negotiations with a <28800>-second lifetime. 
2011-06-27 09:15:39 info IKE<88.xxxxxxxx> Phase 1: Completed for user <vpnclient_ph1id>. 
2011-06-27 09:15:39 info IKE<88.xxxxxxxx> Phase 1: IKE responder has detected NAT in front of the remote device. 
2011-06-27 09:15:39 info IKE<88.xxxxxxxx> Phase 1: IKE responder has detected NAT in front of the local device. 
2011-06-27 09:15:39 info IKE<88.xxxxxxxx> Phase 1: Responder starts AGGRESSIVE mode negotiations. 

 
 
 
Here is my shrew file:
 

n:version:2
n:network-ike-port:500
n:network-mtu-size:1380
n:client-addr-auto:1
n:network-natt-port:4500
n:network-natt-rate:15
n:network-frag-size:540
n:network-dpd-enable:1
n:client-banner-enable:1
n:network-notify-enable:1
n:client-wins-used:1
n:client-wins-auto:1
n:client-dns-used:1
n:client-dns-auto:1
n:client-splitdns-used:1
n:client-splitdns-auto:1
n:phase1-dhgroup:2
n:phase1-life-secs:86400
n:phase1-life-kbytes:0
n:vendor-chkpt-enable:0
n:phase2-life-secs:3600
n:phase2-life-kbytes:0
n:policy-nailed:0
n:policy-list-auto:0
s:network-host:vpn.XXXXXXXXXXXXX.com
s:client-auto-mode:pull
s:client-iface:virtual
s:network-natt-mode:enable
s:network-frag-mode:enable
s:auth-method:mutual-psk-xauth
s:ident-client-type:fqdn
s:ident-server-type:fqdn
s:ident-client-data:client.domain.com
s:ident-server-data:vpngw.domain.com
b:auth-mutual-psk:YXQ0d2lyZWxlc3M=
s:phase1-exchange:aggressive
s:phase1-cipher:auto
s:phase1-hash:auto
s:phase2-transform:auto
s:phase2-hmac:auto
s:ipcomp-transform:disabled
n:phase2-pfsgroup:-1
s:policy-level:auto
s:policy-list-include:192.168.12.0 / 255.255.252.0
 
 
And here is my SSG-140 config file:
 
set clock ntp
set clock timezone 1
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set service "TCP-5904" protocol tcp src-port 0-65535 dst-port 5904-5904 
unset alg sql enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth-server "Local" timeout 20
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin password "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
set admin user "admin" password "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" privilege "all"
set admin manager-ip 192.168.13.90 255.255.255.255
set admin manager-ip 192.168.13.187 255.255.255.255
set admin manager-ip 192.168.14.208 255.255.255.255
set admin manager-ip 192.168.15.201 255.255.255.255
set admin manager-ip 192.168.13.223 255.255.255.255
set admin manager-ip 192.168.13.62 255.255.255.255
set admin port 8080
set admin scs password disable username netscreen
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone id 100 "Zona Teletrabajadores"
set zone id 101 "Untrust-2"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst 
unset zone "Untrust" block 
unset zone "Untrust" tcp-rst 
set zone "MGT" block 
set zone "DMZ" tcp-rst 
set zone "VLAN" block 
unset zone "VLAN" tcp-rst 
unset zone "Zona Teletrabajadores" tcp-rst 
unset zone "Untrust-2" tcp-rst 
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Trust"
set interface "ethernet0/1" zone "DMZ"
set interface "ethernet0/2" zone "Untrust"
set interface "ethernet0/8" zone "Trust"
set interface "ethernet0/9" zone "Untrust"
unset interface vlan1 ip
set interface ethernet0/8 ip 192.168.10.1/16
set interface ethernet0/8 route
set interface ethernet0/9 ip 62.XXXXXXXXX/28
set interface ethernet0/9 route
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/8 ip manageable
set interface ethernet0/9 ip manageable
set interface ethernet0/9 manage ping
set interface ethernet0/9 manage telnet
set interface ethernet0/9 manage web
set interface ethernet0/9 vip untrust 5904 "TCP-5904" 192.168.13.184 manual
set interface ethernet0/8 dip 4 192.168.10.100 192.168.10.100
set interface ethernet0/8 dot1x max-user 32
set pak-poll p1queue pak-threshold 240
set pak-poll p2queue pak-threshold 80
unset flow no-tcp-seq-check
set flow tcp-syn-check
set domain MyNetwork
set hostname FW-SSG140
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set pki x509 dn country-name "ES"
set pki x509 dn state-name "------"
set pki x509 dn local-name "------"
set pki x509 dn org-name "--------"
set pki x509 dn name "FW-SSG140"
set pki x509 dn email "FW-SSG140xxxxxxxxxx.com"
set dns host dns1 194.179.1.100 src-interface ethernet0/9
set dns host dns2 62.XXX.XXX.XXX src-interface ethernet0/9
set dns host dns3 0.0.0.0
set address "Trust" "192.168.0.0/255.255.0.0" 192.168.0.0 255.255.0.0
set address "Trust" "192.168.13.125/255.255.255.255" 192.168.13.125 255.255.255.255
set address "Trust" "192.168.13.162/255.255.255.255" 192.168.13.162 255.255.255.255
set address "Trust" "192.168.13.223/255.255.255.255" 192.168.13.223 255.255.255.255
set address "Trust" "192.168.162" 192.168.162 
set address "Trust" "192.169.13.130/255.255.255.255" 192.169.13.130 255.255.255.255
set address "Trust" "Red Servidor 192.168.12.0 255.255.252.0
set address "Zona Teletrabajadores" "192.168.13.224/255.255.255.255" 192.168.13.224 255.255.255.255
set ippool "mypool" 192.168.39.1 192.168.39.254
set ippool "IP_Pool" 172.16.16.10 172.16.16.50
set user "joe" uid 108
set user "joe" type  l2tp xauth
set user "joe" remote ippool "mypool"
set user "joe" remote dns1 "192.168.13.114"
set user "joe" remote dns2 "192.168.13.130"
set user "joe" password "BHDBhCY0N24JHwstwVCaNUot52nujMMGRg=="
unset user "joe" type auth
set user "joe" "enable"
set user "vpnclient_ph1id" uid 107
set user "vpnclient_ph1id" ike-id fqdn "client.domain.com" share-limit 1
set user "vpnclient_ph1id" type  ike
set user "vpnclient_ph1id" "enable"
set user-group "vpnclient_group" id 3
set user-group "vpnclient_group" user "vpnclient_ph1id"
set ike gateway "vpnclient_gateway" dialup "vpnclient_ph1id" Aggr local-id "vpngw.domain.com" outgoing-interface "ethernet0/9" preshare "1GK7RhS/NSu5cTsbHqCQOs9mp3n8IZO1bg==" proposal "pre-g2-3des-sha" "pre-g2-3des-md5" "pre-g2-aes128-sha" "pre-g2-aes128-md5"
unset ike gateway "vpnclient_gateway" nat-traversal udp-checksum
set ike gateway "vpnclient_gateway" nat-traversal keepalive-frequency 20
set ike gateway "vpnclient_gateway" xauth server "Local"
unset ike gateway "vpnclient_gateway" xauth do-edipi-auth
set ike gateway "vpnclient_gateway" dpd interval 30
unset ike policy-checking
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set xauth default ippool "mypool"
set xauth default dns1 192.168.13.114
set xauth default dns2 192.168.13.130
set vpn "vpnclient_tunnel" gateway "vpnclient_gateway" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-sha"  "nopfs-esp-3des-md5"  "nopfs-esp-aes128-sha"  "nopfs-esp-aes128-md5" 
set l2tp default dns1 192.168.13.114
set l2tp default dns2 192.168.13.130
set l2tp default ppp-auth chap
set l2tp "l2-tunnel" id 1 outgoing-interface ethernet0/9 keepalive 60
set l2tp "l2-tunnel" remote-setting ippool "mypool" dns1 192.168.13.114
set url protocol websense
exit
set policy id 84 name "vpnclient" from "Untrust" to "Trust"  "Dial-Up VPN" "Red Servidor MyNetwork" "ANY" nat src tunnel vpn "vpnclient_tunnel" id 102 log 
set policy id 84
exit
set policy id 3 from "Trust" to "Untrust"  "Any" "Any" "ANY" deny log 
set policy id 3
exit
set policy id 1 from "Untrust" to "Trust"  "Any" "Any" "ANY" deny log 
set policy id 1
exit
set syslog config "192.168.13.222"
set syslog config "192.168.13.222" facilities local0 local0
set syslog enable
set nsmgmt bulkcli reboot-timeout 60
set nsmgmt bulkcli reboot-wait 0
set ssh version v2
set ssh enable
set scp enable
set config lock timeout 5
set ntp server "130.206.3.166"
set ntp server src-interface "ethernet0/9"
set ntp interval 100
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface ethernet0/9 gateway 62.XXX.XXX.XXX preference 20
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit

 
 
Any help would be greatly appreciated.
 
Thanks

