[vpn-help] Juniper SRX210 NAT-T problems

Loris Modenese l.modenese at gmail.com
Sat Feb 4 07:23:10 CST 2012


Hi Kevin,

I can confirm what Gergely said.
The problem is related to the NAT-T and DPD code on both the 2.1.7 and 
2.2.0 versions.
With NAT-T disabled or with a dial-up connection (public IP address) the 
link is stable.
I've also noticed that no matter how the client is configured (with or w/o 
DPD and different timeouts)
it keeps on sending DPD every 30sec when the NAT-T option is enabled, 10 
times, and then it always disconnects (after about 5-5.5 min).
I tested the config with 4 SRX-240H, 1 SRX-210H and 3 SRX-100 running 
JunOS 10.4 with the same results.

Here is my working config for JunOS 10.4 (NAT-T disabled):

n:version:2
n:network-ike-port:500
n:network-mtu-size:1380
n:client-addr-auto:1
n:network-natt-port:4500
n:network-natt-rate:300
n:network-frag-size:540
n:network-dpd-enable:0
n:client-banner-enable:0
n:network-notify-enable:0
n:client-wins-used:1
n:client-wins-auto:1
n:client-dns-used:1
n:client-dns-auto:1
n:client-splitdns-used:1
n:client-splitdns-auto:1
n:phase1-dhgroup:2
n:phase1-life-secs:86400
n:phase1-life-kbytes:0
n:vendor-chkpt-enable:0
n:phase2-life-secs:3600
n:phase2-life-kbytes:0
n:policy-nailed:0
n:policy-list-auto:0
s:network-host:12.34.56.78
s:client-auto-mode:push
s:client-iface:virtual
s:network-natt-mode:disable
s:network-frag-mode:enable
s:auth-method:mutual-psk-xauth
s:ident-client-type:fqdn
s:ident-server-type:any
s:ident-client-data:vpnclient.domain.local
b:auth-mutual-psk:xxxxxxxxxxxxxxxxx
s:phase1-exchange:aggressive
s:phase1-cipher:3des
s:phase1-hash:md5
s:phase2-transform:esp-3des
s:phase2-hmac:md5
s:ipcomp-transform:disabled
n:phase2-pfsgroup:2
s:policy-level:auto
s:policy-list-include:192.168.78.0 / 255.255.255.0
s:client-saved-username:

Best regards
Loris Modenese



> On 07/05/2011 05:06 AM, Gergely Kiss wrote:
>> Dear List!
>>
>> I'm having problems while connecting to a Juniper SRX210 firewall
>> running JunOS 11.1R1.10. I'm using the latest stable Shrewsoft client
>> (2.1.7) on Windows 7 (but the issue happens on Windows XP, too).
>>
>> If I try to connect from a device with a public IP address, like a
>> mobile broadband connection (without using NAT-T), everything works
>> perfectly, but if I connect through a NAT device (Linksys WRT54GS), the
>> connection works only for 6-7 minutes and then it terminates with no
>> particular reason (the error message is: "session terminated by gateway").
>>
> ...
>
>> I already tried debugging both ends, but I found nothing helpful in the
>> logs (except some "config packet ignored" messages on the client). I
>> already tried upgrading to the latest beta release (2.2.0-beta-1), but
>> the issue still exists.
>>
> Hi Gergely,
>
> It might be that the Dead Peer Detection is somehow failing... that
> usually is 5 minutes or so.  When you did the debug trace, did you see
> DPD messages (DPDV1-R-U-THERE) going back and forth?
>
> You could try disabling Dead Peer Detection in the Shrew site
> configuration...
>
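A small parser and checker for the Shrew Soft site-file format shown in the post above ("n:" numeric, "s:" string, "b:" secret fields), added here as an illustration and not part of the original thread or of the Shrew Soft project. It flags the NAT-T plus DPD combination the thread reports as unstable, the workaround's side effect (NAT-T disabled breaks clients behind NAT), and the legacy crypto choices in the posted profile; the sample profile is a constructed subset of Loris's config.

```python
# Constructed sample in the Shrew Soft site-file format from the post.
SAMPLE_SITE = """\
n:version:2
n:network-ike-port:500
n:network-dpd-enable:0
s:network-host:12.34.56.78
s:network-natt-mode:disable
s:auth-method:mutual-psk-xauth
b:auth-mutual-psk:xxxxxxxxxxxxxxxxx
s:phase1-exchange:aggressive
s:phase1-cipher:3des
s:phase1-hash:md5
"""

def parse_site(text):
    """Parse 'type:key:value' lines into a dict; 'n:' values become ints."""
    site = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        kind, key, value = line.split(":", 2)  # value may itself contain ':'
        if kind == "n":
            site[key] = int(value)
        elif kind in ("s", "b"):
            site[key] = value
        else:
            raise ValueError(f"unknown field type {kind!r} in line: {line}")
    return site

def check_site(site):
    """Return review findings for a parsed profile (list of strings)."""
    findings = []
    natt = site.get("network-natt-mode", "disable")
    dpd = site.get("network-dpd-enable", 0)
    if natt != "disable" and dpd:
        findings.append("natt+dpd: combination reported to drop after ~5 min against SRX")
    if natt == "disable":
        findings.append("natt disabled: clients behind NAT will not work (thread workaround)")
    if site.get("phase1-exchange") == "aggressive" and "psk" in site.get("auth-method", ""):
        findings.append("aggressive-psk: IKEv1 aggressive mode exposes the PSK hash in phase 1")
    for key in ("phase1-hash", "phase2-hmac"):
        if site.get(key) == "md5":
            findings.append(f"{key}=md5: legacy hash, prefer sha256 if the gateway supports it")
    for key in ("phase1-cipher", "phase2-transform"):
        if "3des" in str(site.get(key, "")):
            findings.append(f"{key}: 3DES is a legacy cipher, prefer aes256")
    return findings
```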
