[vpn-help] Phase 2 failing with Juniper SSG140
Drew Majewski
dmajewski at markovprocesses.com
Wed Aug 14 14:22:27 CDT 2013
Hi Kevin,
Sorry for the late response but I just double checked and tried all of the
Phase 2 settings but I get the same result:
Here are the Phase 2 proposals that I use:
nopfs-esp-3des-md5
nopfs-esp-3des-sha
nopfs-esp-aes128-sha
nopfs-esp-aes128-md5
In the Shrew 2.2.0 client I test with I tried a few different combination
of options but none of them work:
Transform Algorithm: esp-3des
HMAC Algorithm: sha1
PFS Exchange: disabled
Transform Algorithm: esp-3des
HMAC Algorithm: md5
PFS Exchange: disabled
Transform Algorithm: esp-aes
Transform Key Length: 128
HMAC Algorithm: sha1
PFS Exchange: disabled
Transform Algorithm: esp-aes
Transform Key Length: 128
HMAC Algorithm: md5
PFS Exchange: disabled
On all of the tests above I get the same issue. Shrew connects, tunnel
enables, grabs VPN IP, can't ping anything and then Shrew just disconnects
and logs in Juniper about Phase 2.
2013-08-14 15:08:54 info IKE x.x.x.x Phase 2
msg ID 61aceddd: Negotiations have failed.
2013-08-14 15:08:54 info IKE x.x.x.x Phase 2
msg ID 61aceddd: Negotiations have failed for user *****.
From: prolag at gmail.com [mailto:prolag at gmail.com] On Behalf Of Alexis La
Goutte
Sent: Friday, August 02, 2013 6:23 AM
To: Drew Majewski
Cc: Matthew Grooms
Subject: Re: [vpn-help] Phase 2 failing with Juniper SSG140
Hi Drew,
Thanks for feedback !
It is possible to attach debug ? (with 2.1.7 ?)
Do you have look phase 2 settings ? it is auto or manual ? (because there
is some new phase 2 parameters supported (and some times, there is ISAKMP
Fragmentation...)
Regards,
On Thu, Aug 1, 2013 at 6:10 PM, Drew Majewski
<dmajewski at markovprocesses.com> wrote:
Hello,
To add to this issue..I downgraded the Shrew client to 2.1.7, upgraded
Juniper to 6.3.0r14.0, and phase 2 passes just fine. I get the original
error about phase 2 failing but then it comes up just fine. If I go back
and install the later version of Shrew then it's back to the same issue as
before and the tunnel never comes up. So from what I can tell this is an
issue with Shrew 2.2.x versions passing phase 2 traffic.
I have no problem using version 2.1.7 but this will be a problem for users
who are running Windows 8. Are you able to advise on any kind of solution
for this?
Thanks!
Drew
From: prolag at gmail.com [mailto:prolag at gmail.com] On Behalf Of Alexis La
Goutte
Sent: Tuesday, July 16, 2013 8:07 AM
To: Drew Majewski
Cc: vpn-help at lists.shrew.net
Subject: Re: [vpn-help] Phase 2 failing with Juniper SSG140
On Mon, Jul 15, 2013 at 10:03 PM, Drew Majewski
<dmajewski at markovprocesses.com> wrote:
Hello,
I've been working with Juniper support to try and get VPN connectivity
setup with Shrew but we're having issues getting phase 2 to pass.
Juniper has repeated all the steps in their labs too and get the same
results as below and their only solution is to contact you guys or use
another VPN Client.
Juniper support has stated: "I suspect that Shrew soft client 2.2.2,
running on windows xp (which is what I tried) is not compatible with the
Juniper firewall.
The shrew soft client seems to be sending a notification message(DOI 1
24578 INITIAL-CONTACT), which is halting or stopping the Juniper firewall
to proceed with phase-2 negotiations (refer frame4 in the packet capture
shrewsoftsnoop1.pcap)
2013-07-12 11:47:34 info IKE 96.242.112.67: Received initial
contact notification and removed Phase 1 SAs.
2013-07-12 11:47:34 info IKE 96.242.112.67: Received initial
contact notification and removed Phase 2 SAs.
2013-07-12 11:47:34 info IKE 96.242.112.67: Received a
notification message for DOI 1 24578 INITIAL-CONTACT. >> HERE
2013-07-12 11:47:34 info IKE 96.242.112.67 Phase 1:
Completed Aggressive mode negotiations with a 28800-second lifetime."
The other errors that are being logged with this are: "Rejected an IKE
packet on ethernet0/2 from 96.242.112.67:14499 to 96.242.112.68:4500 with
cookies 5cd1700e400706fd and 0ba9de74df44fcb6 because A Phase 2 packet
arrived while XAuth was still pending. IKE 96.242.112.67 Phase 2 msg ID
fd04e4ca: Negotiations have failed. "
I'm not sure where to go with this or if it is anything that other users
have experienced.
Thank you for any help you're able to give.
Hi Drew,
it is possible to attach debug info with pcap ? (
https://www.shrew.net/support/VPN_Bug_Report_Windows )
There is some known issue with Juniper and Xauth but it is with SRX :
https://lists.shrew.net/pipermail/vpn-help/2012-December/014091.html
Regards,
Drew Majewski
_______________________________________________
vpn-help mailing list
vpn-help at lists.shrew.net
https://lists.shrew.net/mailman/listinfo/vpn-help
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.shrew.net/pipermail/vpn-help/attachments/20130814/a610090c/attachment-0001.html>
More information about the vpn-help
mailing list