[vpn-help] Shrew VPN Client + Juniper SRX : Autodisconnect
Jeroen J.A.W. Hermans
j.hermans at epsys.nl
Wed Dec 19 02:30:05 CST 2012
Hello Matthew,
Sorry that i wasn't able to provide you with debugging information
because it is a live system now. Thank you for figuring this one out! I
am good for now (Pulse client) but the Pulse client is rather limited.
I'll see if i can set up a "test" dynamic VPN on the SRX so i can test
your new software once it is finished in the new year.
Kind regards,
Jeroen
On 19-12-2012 5:35, Matthew Grooms wrote:
> Gregory and Jeron,
>
> I took a closer look at the logs tonight and compared them against the
> Juniper SSG in my lab. It's pretty clear whats going on but it won't
> be possible to fix without a rewrite of the modecfg code on the Shrew
> Soft VPN client, which is probably needed anyway. So here is the
> detail ...
>
> Modecfg is a generic way for one side of a connection to send a
> REQUEST for which the other side responds with a REPLY. Alternately,
> one side can send a SET for which the other side responds with a ACK.
> However, Xauth ( extended user authentication ) is built on top of
> Modecfg which gets mixed in with negotiating configuration info like
> IP address, netmasks and DNS settings. To make things even more
> complicated, there are two ways to negotiate the configuration
> settings. These methods are commonly referred to as a PUSH or a PULL,
> where the server pushes configuration settings to the client or the
> client pulls configuration settings from the server.
>
> In any case, the way Juniper used to do things is like this ...
>
> SERVER -> CLIENT : REQUEST [ XAUTH USERNAME/PASSWORD ]
> CLIENT -> SERVER : REPLY [ XAUTH USERNAME/PASSWORD ]
> SERVER -> CLIENT : SET [ ADDRESS/NETMASK/ETC... ]
> CLIENT -> SERVER : ACK [ ADDRESS/NETMASK/ETC... ]
> SERVER -> CLIENT : SET [ XAUTH RESULT ]
> CLIENT -> SERVER : ACK [ XAUTH RESULT ]
>
> Now, I always thought it was strange that they proceeded to configure
> the client address/netmask/etc.. before sending the AUTH result. In
> fact, when I read the RFC draft, I wrote the server side support in
> the Shrew Soft IKE daemon differently for PUSH mode because I thought
> that whoever wrote the Juniper version had completely mus-interpreted
> the specification ...
>
> http://tools.ietf.org/id/draft-ietf-ipsec-isakmp-mode-cfg-05.txt
>
> In any case, Juniper has changed it's mind about things and now they
> do things like this ...
>
> SERVER -> CLIENT : REQUEST [ XAUTH USERNAME/PASSWORD ]
> CLIENT -> SERVER : REPLY [ XAUTH USERNAME/PASSWORD ]
> SERVER -> CLIENT : SET [ XAUTH RESULT ]
> CLIENT -> SERVER : ACK [ XAUTH RESULT ]
> SERVER -> CLIENT : SET [ ADDRESS/NETMASK/ETC... ]
> CLIENT -> SERVER : ACK [ ADDRESS/NETMASK/ETC... ]
>
> Makes more sense right? :) But unfortunately, the information in the
> packet header doesn't denote if it's part of Xauth or if it's part of
> another configuration exchange. For example ...
>
> SERVER -> CLIENT : SET [ ???? ]
>
> ... Is this Modecfg packet related to Xauth or other configuration
> data? There are two ways to go about it ...
>
> 1) Follow a strict order based on the gateway your dealing with and
> process the packet with the expectation that certain attributes will
> be present as the Xauth/Config process progresses.
>
> 2) Do a generic parse of the packet, look for specific attributes that
> are related to some type of config exchange ( XAUTH, Config ) and then
> take specific action based on those attributes.
>
> When I instrumented the Xauth code in the Shrew Soft client, I chose
> option (1). But now that Juniper has changed the order in which they
> do things, that has obviously broke our processing. In other words,
> this is the outcome ...
>
> SERVER -> CLIENT : REQUEST [ XAUTH USERNAME/PASSWORD ]
> CLIENT -> SERVER : REPLY [ XAUTH USERNAME/PASSWORD ]
> SERVER -> CLIENT : SET [ XAUTH RESULT ]
> CLIENT -> SERVER : ACK [ ADDRESS/NETMASK/ETC... ]
> SERVER -> CLIENT : SET [ ADDRESS/NETMASK/ETC... ]
> CLIENT -> SERVER : ACK [ XAUTH RESULT ]
>
> So, the only way to correct this is to unwind the rather complex code
> that handles Xauth/Config and build an even more complicated state
> machine that can be more adaptive to unpredicted server behavior. This
> will definately not happen for the 2.2.0 release, but I'd like to put
> more time into it after the 1st of the year and make the new code part
> of the next release.
>
> Sorry I can't be more help at the moment. I will get it fixed but it
> will take some time.
>
> Thanks again for the bug report and related debug output,
>
> -Matthew
>
> On 12/18/2012 12:54 PM, Matthew Grooms wrote:
>> Gregory,
>>
>> Thanks for sending me the log. Very interesting indeed. There appears to
>> be a logic bug in the client with respect to the SRX modecfg push
>> exchange sequence. This works fine with my SSG but unfortunately not
>> with an SRX ( I don't have one of these ). I'll need to examine the
>> packet exchange more closely later tonight when I have time.
>>
>> Thanks,
>>
>> -Matthew
>>
>
> _______________________________________________
> vpn-help mailing list
> vpn-help at lists.shrew.net
> http://lists.shrew.net/mailman/listinfo/vpn-help
More information about the vpn-help
mailing list