[vpn-help] Phase 2 failing with Juniper SSG140

Kevin VPN kvpn at live.com
Thu Aug 8 22:01:36 CDT 2013


On 08/01/2013 12:10 PM, Drew Majewski wrote:
> Hello,
>
>
>
> To add to this issue..I downgraded the Shrew client to 2.1.7, upgraded
> Juniper to 6.3.0r14.0, and phase 2 passes just fine.  I get the original
> error about phase 2 failing but then it comes up just fine.  If I go back
> and install the later version of Shrew then it's back to the same issue as
> before and the tunnel never comes up.  So from what I can tell this is an
> issue with Shrew 2.2.x versions passing phase 2 traffic.
>
>
>
> I have no problem using version 2.1.7 but this will be a problem for users
> who are running Windows 8.  Are you able to advise on any kind of solution
> for this?
>

Hi Drew,

This sounds like a fragmentation issue in the Phase2 negotiation 
packets.  Shrew 2.1.7 has fewer Phase2 options, so it has smaller packets 
during negotiation.  Shrew 2.2.x has more and frequently generates 
packets that are too large, which then need to be fragmented on the 
network.  When the network has a device that discards fragmented packets 
(firewalls like to do this), it causes Phase2 negotiations in Shrew 2.2.x 
to fail.

To solve this, find out what settings are used in the Phase2 
negotiation, then hardcode them into the Shrew Site configuration Phase 
2 tab.

You can find the required Phase2 settings either by checking the gateway 
or by generating a debug log from Shrew 2.1.7 that succeeds with Phase 2.  If 
you can't read the debug, post it here and we'll let you know what 
settings are required.

Debug report instructions:
https://www.shrew.net/support/VPN_Bug_Report_Windows
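To put numbers on the fragmentation explanation above, here is an added example (an illustration written for this page, not Shrew or Juniper code) that estimates the size of the first Quick Mode message from the ESP transforms a client offers, using the ISAKMP payload layouts from RFC 2408. The transform catalogue in AUTO_ENC/AUTO_AUTH, the sizes assumed for the HASH, NONCE, KE and ID payloads, the 1500-byte MTU and the "pinned" AES-256/SHA-1 choice are all constructed for the illustration; encryption padding and the NAT-T non-ESP marker are ignored, so the figures are lower bounds.

```python
"""Estimate the on-the-wire size of an IKEv1 Quick Mode (Phase 2) message 1
from the ESP transform set a client offers, to see when it would exceed the
path MTU and be fragmented.  Added illustration, not Shrew code.

Payload layouts follow RFC 2408 (ISAKMP).  The transform catalogue, the
sizes of the non-SA payloads (HASH, NONCE, KE, IDs) and the 1500-byte MTU
are constructed assumptions; encryption padding and the NAT-T marker are
ignored, so the numbers are lower bounds.
"""
from itertools import product

# Fixed sizes from RFC 2408 (bytes)
ISAKMP_HEADER = 28                        # section 3.1
GENERIC_HDR = 4                           # next payload, reserved, payload length
SA_PAYLOAD_FIXED = GENERIC_HDR + 4 + 4    # + DOI + Situation (section 3.4)
PROPOSAL_FIXED = GENERIC_HDR + 4          # proposal#, protocol id, SPI size, #transforms
ESP_SPI_SIZE = 4
TRANSFORM_FIXED = GENERIC_HDR + 4         # transform#, transform id, reserved
TV_ATTRIBUTE = 4                          # type/value attribute (section 3.3)
IP_UDP_OVERHEAD = 20 + 8                  # IPv4 + UDP headers

# Assumed sizes of the other Quick Mode payloads: HASH(1) with a 20-byte
# SHA-1 hash, a 32-byte nonce, a KE payload for a 1024-bit group, and two
# ID payloads each carrying an IPv4 subnet (8 bytes of ID data).
OTHER_PAYLOADS = ((GENERIC_HDR + 20) + (GENERIC_HDR + 32)
                  + (GENERIC_HDR + 128) + 2 * (GENERIC_HDR + 4 + 8))


def build_transforms(enc_choices, auth_choices, pfs_group=None):
    """Return one (enc, keylen, auth, attribute_count) tuple per offered
    ESP transform.  The encryption algorithm is the transform id, not an
    attribute; a key length, when present, is one attribute."""
    transforms = []
    for (enc, keylen), auth in product(enc_choices, auth_choices):
        # SA life type, SA life duration, encapsulation mode, auth algorithm
        attrs = 4
        if keylen is not None:
            attrs += 1          # key length
        if pfs_group is not None:
            attrs += 1          # group description (PFS)
        transforms.append((enc, keylen, auth, attrs))
    return transforms


def sa_payload_size(transforms):
    """Size of an SA payload carrying one ESP proposal with these transforms."""
    total = SA_PAYLOAD_FIXED + PROPOSAL_FIXED + ESP_SPI_SIZE
    for _enc, _keylen, _auth, attrs in transforms:
        total += TRANSFORM_FIXED + attrs * TV_ATTRIBUTE
    return total


def datagram_size(transforms):
    """Whole IPv4 datagram: headers + ISAKMP header + all Quick Mode payloads."""
    return IP_UDP_OVERHEAD + ISAKMP_HEADER + OTHER_PAYLOADS + sa_payload_size(transforms)


def would_fragment(transforms, mtu=1500):
    """True when the datagram exceeds the path MTU and IP must fragment it."""
    return datagram_size(transforms) > mtu


# Constructed "offer everything" set, standing in for a client left on auto
AUTO_ENC = [("3des", None), ("aes", 128), ("aes", 192), ("aes", 256),
            ("blowfish", 128), ("blowfish", 192), ("blowfish", 256), ("cast", None)]
AUTO_AUTH = ["md5", "sha1", "sha2-256", "sha2-384", "sha2-512"]
# The same client after pinning Phase 2 to what the gateway actually uses
PINNED_ENC = [("aes", 256)]
PINNED_AUTH = ["sha1"]

if __name__ == "__main__":
    for label, enc, auth in (("auto", AUTO_ENC, AUTO_AUTH),
                             ("pinned", PINNED_ENC, PINNED_AUTH)):
        t = build_transforms(enc, auth, pfs_group=2)
        print(f"{label}: {len(t)} transforms, SA payload {sa_payload_size(t)} B, "
              f"datagram {datagram_size(t)} B, fragments at MTU 1500: {would_fragment(t)}")
```

With the constructed catalogue the "auto" offer is 40 transforms and a datagram of roughly 1.5 KB, which a 1500-byte path will fragment, while the pinned single transform comes in at a few hundred bytes. That size difference is what separates a client offering every option from one hardcoded to the gateway's actual Phase 2 settings, and it is the reason the fragment-dropping firewall in the path only bites one of them.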
