[vpn-help] Mutual RSA+XAuth problem

Kevin VPN kvpn at live.com
Mon Apr 22 07:25:26 CDT 2013


Hi Gerd,

I disagree with your statement because I think you're not making two key 
differentiations that result in an unfair blanket judgment.

First, there was a post a while ago stating that there is a known 
problem using XAUTH with Juniper SRX-based devices, because Juniper has 
changed how their XAUTH implementation works between the older SSG 
devices and their newer SRX devices.

On the other hand, the SSG devices seem to work very well with the Shrew 
Soft VPN Client - there are lots of people successfully using SSGs and 
Shrew on this list.

The second differentiation is relevant to the issue below, which is the 
difference between using passwords vs certificates.  Certificates are 
hard; people struggle with them all the time in all kinds of 
applications (try getting an embedded Java implementation to trust 
self-signed certificates for instance) and signing chains are frequently 
an issue.  That people trying to use certificates are having problems is 
not necessarily a problem with Shrew or Juniper - it could just be the 
certificates themselves.

I am sure that there are people on this list who use certificates with 
Juniper SSGs and Shrew who can help.  We merely have to be patient in 
the hope that one of them will help out.


On 04/22/2013 07:58 AM, Gerd Röthig wrote:
> Hello all,
>
> I have read this mailing list for some time now. Again and again, there are
> problems with the Shrew Soft VPN client and various pieces of Juniper equipment. It seems
> that Shrew Soft VPN Client simply does not work with the Juniper devices.
> Perhaps this is by design (if Juniper offers their own client software).
> Or it is like many ultra-professional "Web Applications" which only work
> with Internet Explorer. Although it seems like a suboptimal idea at first
> glance, you should perhaps be thinking about using the Juniper certified
> client software (if there is any) or reverting to the Cisco Systems VPN client.
>
> Kind regards,
>
> Gerd
>
>
> 2013/4/22 eric xu <chixu8341 at hotmail.com>
>
>> Hi All,
>>
>> While testing Client 2.17 on Ubuntu 12.04 LTS following
>> Howto_Juniper_SSG_Using_Certs with an SSG20, I came across the following problem:
>>
>> 13/04/22 15:34:16 -> : send NAT-T:IKE packet 192.168.1.108:4500 ->
>> 120.72.49.xxx:4500 ( 2036 bytes )
>> 13/04/22 15:34:16 ii : *unable to get local issuer certificate(20) at
>> depth:0*
>> 13/04/22 15:34:16 ii : subject :/C=CN/ST=Beijing/L=Beijing/O= Ltd.
>> /O=Chenhongli Beijing Co./OU=IT/CN=0164022011000224/CN=rsa-key/CN=
>> vpn.chenhongli-bj.net/CN=Ms. Helen Wang
>> 13/04/22 15:34:16 !! : unable to verify remote peer certificate
>>
>> Since it is a self-signed certificate, per the howto I did place the ca.crt
>> into ~/.ike/certs, but I still have the above problem.
>>
>> Any help will be appreciated.
>>
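The log line "unable to get local issuer certificate(20) at depth:0" is OpenSSL's verify error 20: no certificate in the trust store handed to the verifier has a subject DN equal to the issuer DN of the peer certificate. The following script is an added example, not code from this thread, from Shrew Soft or from Juniper; it reproduces that exact error with throwaway certificates (all subject names, the gateway CN and the file names are constructed here) and shows the two checks worth running on a copied ca.crt before blaming the client or the gateway.

```shell
#!/bin/sh
# Added example: reproduce and diagnose OpenSSL verify error 20 ("unable to
# get local issuer certificate") with throwaway certificates. Every name
# (CA subject, gateway CN, file names) is constructed for this example.
set -eu

WORK=$(mktemp -d)

# Create a self-signed CA, a gateway certificate it signs, and a second,
# unrelated CA (the situation when the wrong ca.crt ends up in ~/.ike/certs).
make_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example VPN CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=vpn.example.test" -keyout "$WORK/peer.key" -out "$WORK/peer.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/peer.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/peer.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Unrelated CA" -keyout "$WORK/other.key" -out "$WORK/other-ca.crt" 2>/dev/null
}

# verify_peer CAFILE PEERCERT: the same chain check the client performs.
# Prints openssl's verdict; returns 0 on success, non-zero on failure.
verify_peer() {
    openssl verify -CAfile "$1" "$2" 2>&1
}

# issuer_matches CAFILE PEERCERT: the cheaper first check. Error 20 at
# depth 0 means no trusted certificate has a subject equal to the peer
# certificate's issuer, so compare those two DNs directly.
issuer_matches() {
    ca_subject=$(openssl x509 -in "$1" -noout -subject)
    peer_issuer=$(openssl x509 -in "$2" -noout -issuer)
    [ "${ca_subject#subject=}" = "${peer_issuer#issuer=}" ]
}

make_certs
echo "--- correct CA:"
verify_peer "$WORK/ca.crt" "$WORK/peer.crt" || true
echo "--- unrelated CA (reproduces the error from the log):"
verify_peer "$WORK/other-ca.crt" "$WORK/peer.crt" || true
if issuer_matches "$WORK/other-ca.crt" "$WORK/peer.crt"; then
    echo "issuer DN matches"
else
    echo "issuer DN of peer.crt does not match subject DN of other-ca.crt"
fi
```

The second run prints "error 20 at 0 depth lookup: unable to get local issuer certificate", the same condition the client logged. When the DN comparison fails for a real ca.crt, the file is simply not the certificate that signed the gateway's certificate (wrong CA exported, or the gateway certificate was issued by an intermediate that also needs to be in the trust directory); when the DNs match but verification still fails, look at validity dates and the CA's basic constraints next.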