[vpn-help] Phase 2 failing with Juniper SSG140
Kevin VPN
kvpn at live.com
Wed Aug 7 20:37:32 CDT 2013
On 07/15/2013 04:03 PM, Drew Majewski wrote:
> Hello,
>
<snip>
>
> Juniper support has stated: "I suspect that Shrew soft client 2.2.2,
> running on Windows XP (which is what I tried) is not compatible with the
> Juniper firewall.
>
> The shrew soft client seems to be sending a notification message (DOI 1
> 24578 INITIAL-CONTACT), which is halting or stopping the Juniper firewall
> to proceed with phase-2 negotiations (refer frame4 in the packet capture
> shrewsoftsnoop1.pcap)
>
Hi Drew,

Shrew works just fine with Juniper ScreenOS devices (like the SSGs).
The first thing I'd do is make sure that in the Shrew config, General
tab, Auto Configuration is set to "ike config push" - that's a key
setting for Junipers.

<snip>
>
> The other errors that are being logged with this are: "Rejected an IKE
> packet on ethernet0/2 from 96.242.112.67:14499 to 96.242.112.68:4500 with
> cookies 5cd1700e400706fd and 0ba9de74df44fcb6 because A Phase 2 packet
> arrived while XAuth was still pending. IKE 96.242.112.67 Phase 2 msg ID
> fd04e4ca: Negotiations have failed. "
>
Don't worry about the XAuth still pending error, I've seen it even on
successful connections. The Phase 2 message is a problem though.

Can you generate a debug log from Shrew for us so we can see what Shrew
sees from the gateway?

https://www.shrew.net/support/VPN_Bug_Report_Windows