[vpn-help] SAs expire immediately, connecting to Juniper SSG via Shrew

Kevin VPN kvpn at live.com
Mon Nov 7 21:13:25 CST 2011


On 10/27/2011 04:22 PM, Tim Keane wrote:
>
> When I attempt to connect using Shrew, Phase1 and Phase2 negotiations are
> completed successfully.  However, the SAs immediately expire.  This is happening
> using Shrew v. 2.1.7 and 2.2.0, on both XP and Win7 client computers.
>
...
> 11/10/27 15:01:47 ii : processing phase2 packet ( 76 bytes )
> 11/10/27 15:01:47 ii : processing phase2 packet ( 76 bytes )
> 11/10/27 15:01:47 DB : phase2 found
> 11/10/27 15:01:47 DB : phase2 found
> 11/10/27 15:01:47 !! : phase2 packet ignored, resending last packet ( phase2
> already mature )
> 11/10/27 15:01:47 !! : phase2 packet ignored, resending last packet ( phase2
> already mature )
>

Hi Tim,

I would suggest that your problem is that Phase 2 is not completing 
successfully.  Shrew might think that it's complete (mature), but the 
gateway is still sending configure packets, suggesting that it does not 
agree.  I've seen this before, but can't remember exactly the cause. 
Maybe the proxy ids or policies didn't match?

Double-check your Phase 2, proxy and/or policy settings to be sure they 
are the same on both the client and gateway.


