[vpn-help] Simple Shrew dial-up VPN user with SSG-140 does not work - Please Help

Francisco Javier Morales López de Gamarra fmorales_htw at hotmail.com
Tue Jun 28 00:21:09 CDT 2011


Please, any help would be much appreciated.

> From: fmorales_htw at hotmail.com
> To: vpn-help at lists.shrew.net
> Date: Mon, 27 Jun 2011 09:29:17 +0200
> Subject: [vpn-help] Simple shrew dialup vpn user with SSG-140 does not works - Please Help
> 
> 
> Hi, I am trying to set up a simple dial-up VPN user with Shrew and a Juniper SSG-140, following the tutorial
>  
> http://www.shrew.net/support/wiki/HowtoJuniperSsg
>  
> 
> but it does not work....
>  
> 
> I always get the following (newest log entry first; Phase 1 in Aggressive mode completes, the gateway then waits for XAuth, but a Phase 2 packet arrives before XAuth has finished, so the gateway rejects it and aborts the XAuth login):
> 
> 2011-06-27 09:15:45 info IKE<88.xxxxxxxx>: XAuth login was aborted for gateway <vpnclient_gateway>, username <joe>, retry: 0. 
> 2011-06-27 09:15:39 info Rejected an IKE packet on ethernet0/9 from 88.xxxxxxxx:58125 to 62.XXx.XXX.XXX:4500 with cookies 429c1915bb026bce and c125368ff8ef5fb4 because a Phase 2 packet arrived while XAuth was still pending. 
> 2011-06-27 09:15:39 info IKE<88.xxxxxxxx> Phase 1: Completed Aggressive mode negotiations with a <28800>-second lifetime. 
> 2011-06-27 09:15:39 info IKE<88.xxxxxxxx> Phase 1: Completed for user <vpnclient_ph1id>. 
> 2011-06-27 09:15:39 info IKE<88.xxxxxxxx> Phase 1: IKE responder has detected NAT in front of the remote device. 
> 2011-06-27 09:15:39 info IKE<88.xxxxxxxx> Phase 1: IKE responder has detected NAT in front of the local device. 
> 2011-06-27 09:15:39 info IKE<88.xxxxxxxx> Phase 1: Responder starts AGGRESSIVE mode negotiations. 
> 
>  
>  
>  
> Here is my Shrew file (note: the `b:auth-mutual-psk` value below is only base64-encoded, not encrypted, so posting the profile discloses the pre-shared key; anyone who shares a client profile this way should rotate the PSK afterwards):
>  
> 
> n:version:2
> n:network-ike-port:500
> n:network-mtu-size:1380
> n:client-addr-auto:1
> n:network-natt-port:4500
> n:network-natt-rate:15
> n:network-frag-size:540
> n:network-dpd-enable:1
> n:client-banner-enable:1
> n:network-notify-enable:1
> n:client-wins-used:1
> n:client-wins-auto:1
> n:client-dns-used:1
> n:client-dns-auto:1
> n:client-splitdns-used:1
> n:client-splitdns-auto:1
> n:phase1-dhgroup:2
> n:phase1-life-secs:86400
> n:phase1-life-kbytes:0
> n:vendor-chkpt-enable:0
> n:phase2-life-secs:3600
> n:phase2-life-kbytes:0
> n:policy-nailed:0
> n:policy-list-auto:0
> s:network-host:vpn.XXXXXXXXXXXXX.com
> s:client-auto-mode:pull
> s:client-iface:virtual
> s:network-natt-mode:enable
> s:network-frag-mode:enable
> s:auth-method:mutual-psk-xauth
> s:ident-client-type:fqdn
> s:ident-server-type:fqdn
> s:ident-client-data:client.domain.com
> s:ident-server-data:vpngw.domain.com
> b:auth-mutual-psk:YXQ0d2lyZWxlc3M=
> s:phase1-exchange:aggressive
> s:phase1-cipher:auto
> s:phase1-hash:auto
> s:phase2-transform:auto
> s:phase2-hmac:auto
> s:ipcomp-transform:disabled
> n:phase2-pfsgroup:-1
> s:policy-level:auto
> s:policy-list-include:192.168.12.0 / 255.255.252.0
>  
>  
> And here is my SSG-140 config file. A few things in it are worth fixing independently of the VPN problem: `set interface ethernet0/9 manage telnet` and `manage web` enable cleartext telnet and HTTP management (admin port 8080) on the Untrust interface; the `set admin manager-ip` entries narrow who may connect, but those services should be replaced by SSH/SSL or removed on that interface. The dial-up gateway uses Aggressive mode with a pre-shared key, a mode in which the responder's authentication hash is sent in the clear and can be attacked offline with a dictionary, so the PSK should be long and random (the `unset ike ikeid-enumeration` line already keeps the gateway from responding to unknown IKE IDs); `no-replay` on the VPN disables IPsec anti-replay protection and `unset ike dos-protection` turns off IKE flood protection. Also, the line `set address "Trust" "Red Servidor ...` lost its closing quote in the paste; policy 84 refers to that object as "Red Servidor MyNetwork" and the Shrew policy include is the same 192.168.12.0/255.255.252.0 subnet ...
>  
> set clock ntp
> set clock timezone 1
> set vrouter trust-vr sharable
> set vrouter "untrust-vr"
> exit
> set vrouter "trust-vr"
> unset auto-route-export
> exit
> set service "TCP-5904" protocol tcp src-port 0-65535 dst-port 5904-5904 
> unset alg sql enable
> set auth-server "Local" id 0
> set auth-server "Local" server-name "Local"
> set auth-server "Local" timeout 20
> set auth default auth server "Local"
> set auth radius accounting port 1646
> set admin name "netscreen"
> set admin password "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
> set admin user "admin" password "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" privilege "all"
> set admin manager-ip 192.168.13.90 255.255.255.255
> set admin manager-ip 192.168.13.187 255.255.255.255
> set admin manager-ip 192.168.14.208 255.255.255.255
> set admin manager-ip 192.168.15.201 255.255.255.255
> set admin manager-ip 192.168.13.223 255.255.255.255
> set admin manager-ip 192.168.13.62 255.255.255.255
> set admin port 8080
> set admin scs password disable username netscreen
> set admin auth timeout 10
> set admin auth server "Local"
> set admin format dos
> set zone "Trust" vrouter "trust-vr"
> set zone "Untrust" vrouter "trust-vr"
> set zone "DMZ" vrouter "trust-vr"
> set zone "VLAN" vrouter "trust-vr"
> set zone id 100 "Zona Teletrabajadores"
> set zone id 101 "Untrust-2"
> set zone "Untrust-Tun" vrouter "trust-vr"
> set zone "Trust" tcp-rst 
> unset zone "Untrust" block 
> unset zone "Untrust" tcp-rst 
> set zone "MGT" block 
> set zone "DMZ" tcp-rst 
> set zone "VLAN" block 
> unset zone "VLAN" tcp-rst 
> unset zone "Zona Teletrabajadores" tcp-rst 
> unset zone "Untrust-2" tcp-rst 
> set zone "Untrust" screen tear-drop
> set zone "Untrust" screen syn-flood
> set zone "Untrust" screen ping-death
> set zone "Untrust" screen ip-filter-src
> set zone "Untrust" screen land
> set zone "V1-Untrust" screen tear-drop
> set zone "V1-Untrust" screen syn-flood
> set zone "V1-Untrust" screen ping-death
> set zone "V1-Untrust" screen ip-filter-src
> set zone "V1-Untrust" screen land
> set interface "ethernet0/0" zone "Trust"
> set interface "ethernet0/1" zone "DMZ"
> set interface "ethernet0/2" zone "Untrust"
> set interface "ethernet0/8" zone "Trust"
> set interface "ethernet0/9" zone "Untrust"
> unset interface vlan1 ip
> set interface ethernet0/8 ip 192.168.10.1/16
> set interface ethernet0/8 route
> set interface ethernet0/9 ip 62.XXXXXXXXX/28
> set interface ethernet0/9 route
> unset interface vlan1 bypass-others-ipsec
> unset interface vlan1 bypass-non-ip
> set interface ethernet0/8 ip manageable
> set interface ethernet0/9 ip manageable
> set interface ethernet0/9 manage ping
> set interface ethernet0/9 manage telnet
> set interface ethernet0/9 manage web
> set interface ethernet0/9 vip untrust 5904 "TCP-5904" 192.168.13.184 manual
> set interface ethernet0/8 dip 4 192.168.10.100 192.168.10.100
> set interface ethernet0/8 dot1x max-user 32
> set pak-poll p1queue pak-threshold 240
> set pak-poll p2queue pak-threshold 80
> unset flow no-tcp-seq-check
> set flow tcp-syn-check
> set domain MyNetwork
> set hostname FW-SSG140
> set pki authority default scep mode "auto"
> set pki x509 default cert-path partial
> set pki x509 dn country-name "ES"
> set pki x509 dn state-name "------"
> set pki x509 dn local-name "------"
> set pki x509 dn org-name "--------"
> set pki x509 dn name "FW-SSG140"
> set pki x509 dn email "FW-SSG140xxxxxxxxxx.com"
> set dns host dns1 194.179.1.100 src-interface ethernet0/9
> set dns host dns2 62.XXX.XXX.XXX src-interface ethernet0/9
> set dns host dns3 0.0.0.0
> set address "Trust" "192.168.0.0/255.255.0.0" 192.168.0.0 255.255.0.0
> set address "Trust" "192.168.13.125/255.255.255.255" 192.168.13.125 255.255.255.255
> set address "Trust" "192.168.13.162/255.255.255.255" 192.168.13.162 255.255.255.255
> set address "Trust" "192.168.13.223/255.255.255.255" 192.168.13.223 255.255.255.255
> set address "Trust" "192.168.162" 192.168.162 
> set address "Trust" "192.169.13.130/255.255.255.255" 192.169.13.130 255.255.255.255
> set address "Trust" "Red Servidor 192.168.12.0 255.255.252.0
> set address "Zona Teletrabajadores" "192.168.13.224/255.255.255.255" 192.168.13.224 255.255.255.255
> set ippool "mypool" 192.168.39.1 192.168.39.254
> set ippool "IP_Pool" 172.16.16.10 172.16.16.50
> set user "joe" uid 108
> set user "joe" type  l2tp xauth
> set user "joe" remote ippool "mypool"
> set user "joe" remote dns1 "192.168.13.114"
> set user "joe" remote dns2 "192.168.13.130"
> set user "joe" password "BHDBhCY0N24JHwstwVCaNUot52nujMMGRg=="
> unset user "joe" type auth
> set user "joe" "enable"
> set user "vpnclient_ph1id" uid 107
> set user "vpnclient_ph1id" ike-id fqdn "client.domain.com" share-limit 1
> set user "vpnclient_ph1id" type  ike
> set user "vpnclient_ph1id" "enable"
> set user-group "vpnclient_group" id 3
> set user-group "vpnclient_group" user "vpnclient_ph1id"
> set ike gateway "vpnclient_gateway" dialup "vpnclient_ph1id" Aggr local-id "vpngw.domain.com" outgoing-interface "ethernet0/9" preshare "1GK7RhS/NSu5cTsbHqCQOs9mp3n8IZO1bg==" proposal "pre-g2-3des-sha" "pre-g2-3des-md5" "pre-g2-aes128-sha" "pre-g2-aes128-md5"
> unset ike gateway "vpnclient_gateway" nat-traversal udp-checksum
> set ike gateway "vpnclient_gateway" nat-traversal keepalive-frequency 20
> set ike gateway "vpnclient_gateway" xauth server "Local"
> unset ike gateway "vpnclient_gateway" xauth do-edipi-auth
> set ike gateway "vpnclient_gateway" dpd interval 30
> unset ike policy-checking
> set ike respond-bad-spi 1
> unset ike ikeid-enumeration
> unset ike dos-protection
> unset ipsec access-session enable
> set ipsec access-session maximum 5000
> set ipsec access-session upper-threshold 0
> set ipsec access-session lower-threshold 0
> set ipsec access-session dead-p2-sa-timeout 0
> unset ipsec access-session log-error
> unset ipsec access-session info-exch-connected
> unset ipsec access-session use-error-log
> set xauth default ippool "mypool"
> set xauth default dns1 192.168.13.114
> set xauth default dns2 192.168.13.130
> set vpn "vpnclient_tunnel" gateway "vpnclient_gateway" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-sha"  "nopfs-esp-3des-md5"  "nopfs-esp-aes128-sha"  "nopfs-esp-aes128-md5" 
> set l2tp default dns1 192.168.13.114
> set l2tp default dns2 192.168.13.130
> set l2tp default ppp-auth chap
> set l2tp "l2-tunnel" id 1 outgoing-interface ethernet0/9 keepalive 60
> set l2tp "l2-tunnel" remote-setting ippool "mypool" dns1 192.168.13.114
> set url protocol websense
> exit
> set policy id 84 name "vpnclient" from "Untrust" to "Trust"  "Dial-Up VPN" "Red Servidor MyNetwork" "ANY" nat src tunnel vpn "vpnclient_tunnel" id 102 log 
> set policy id 84
> exit
> set policy id 3 from "Trust" to "Untrust"  "Any" "Any" "ANY" deny log 
> set policy id 3
> exit
> set policy id 1 from "Untrust" to "Trust"  "Any" "Any" "ANY" deny log 
> set policy id 1
> exit
> set syslog config "192.168.13.222"
> set syslog config "192.168.13.222" facilities local0 local0
> set syslog enable
> set nsmgmt bulkcli reboot-timeout 60
> set nsmgmt bulkcli reboot-wait 0
> set ssh version v2
> set ssh enable
> set scp enable
> set config lock timeout 5
> set ntp server "130.206.3.166"
> set ntp server src-interface "ethernet0/9"
> set ntp interval 100
> set snmp port listen 161
> set snmp port trap 162
> set vrouter "untrust-vr"
> exit
> set vrouter "trust-vr"
> unset add-default-route
> set route 0.0.0.0/0 interface ethernet0/9 gateway 62.XXX.XXX.XXX preference 20
> exit
> set vrouter "untrust-vr"
> exit
> set vrouter "trust-vr"
> exit
> 
>  
>  
> Any help would be much appreciated.
>  
> Thanks

