[vpn-help] Phase 2 failing with Juniper SSG140

Drew Majewski dmajewski at markovprocesses.com
Wed Aug 14 14:22:27 CDT 2013


Hi Kevin,

Sorry for the late response, but I just double checked and tried all of the
Phase 2 settings and I get the same result:

Here are the Phase 2 proposals that I use:

                nopfs-esp-3des-md5
                nopfs-esp-3des-sha
                nopfs-esp-aes128-sha
                nopfs-esp-aes128-md5

In the Shrew 2.2.0 client I test with, I tried a few different combinations
of options but none of them work:

                Transform Algorithm: esp-3des
                HMAC Algorithm: sha1
                PFS Exchange: disabled

                Transform Algorithm: esp-3des
                HMAC Algorithm: md5
                PFS Exchange: disabled

                Transform Algorithm: esp-aes
                Transform Key Length: 128
                HMAC Algorithm: sha1
                PFS Exchange: disabled

                Transform Algorithm: esp-aes
                Transform Key Length: 128
                HMAC Algorithm: md5
                PFS Exchange: disabled

On all of the tests above I get the same issue. Shrew connects, the tunnel
enables, it grabs a VPN IP, can't ping anything, and then Shrew just disconnects
and Juniper logs this about Phase 2:

                2013-08-14 15:08:54        info        IKE x.x.x.x Phase 2 msg ID 61aceddd: Negotiations have failed.

                2013-08-14 15:08:54        info        IKE x.x.x.x Phase 2 msg ID 61aceddd: Negotiations have failed for user *****.

From: prolag at gmail.com [mailto:prolag at gmail.com] On Behalf Of Alexis La Goutte
Sent: Friday, August 02, 2013 6:23 AM
To: Drew Majewski
Cc: Matthew Grooms
Subject: Re: [vpn-help] Phase 2 failing with Juniper SSG140

Hi Drew,

Thanks for the feedback!

Is it possible to attach a debug log (with 2.1.7)?

Have you looked at the Phase 2 settings? Is it auto or manual? (Because there
are some new Phase 2 parameters supported, and sometimes there is ISAKMP
fragmentation...)

Regards,

On Thu, Aug 1, 2013 at 6:10 PM, Drew Majewski
<dmajewski at markovprocesses.com> wrote:

Hello,

To add to this issue... I downgraded the Shrew client to 2.1.7, upgraded
Juniper to 6.3.0r14.0, and Phase 2 passes just fine. I get the original
error about Phase 2 failing but then it comes up just fine. If I go back
and install the later version of Shrew then it's back to the same issue as
before and the tunnel never comes up. So from what I can tell this is an
issue with Shrew 2.2.x versions passing Phase 2 traffic.

I have no problem using version 2.1.7 but this will be a problem for users
who are running Windows 8. Are you able to advise on any kind of solution
for this?

Thanks!
Drew

From: prolag at gmail.com [mailto:prolag at gmail.com] On Behalf Of Alexis La Goutte
Sent: Tuesday, July 16, 2013 8:07 AM
To: Drew Majewski
Cc: vpn-help at lists.shrew.net
Subject: Re: [vpn-help] Phase 2 failing with Juniper SSG140

On Mon, Jul 15, 2013 at 10:03 PM, Drew Majewski
<dmajewski at markovprocesses.com> wrote:

Hello,

I've been working with Juniper support to try and get VPN connectivity
set up with Shrew but we're having issues getting Phase 2 to pass.
Juniper has repeated all the steps in their labs too and gets the same
results as below, and their only solution is to contact you guys or use
another VPN client.

Juniper support has stated: "I suspect that Shrew Soft client 2.2.2,
running on Windows XP (which is what I tried) is not compatible with the
Juniper firewall.

The Shrew Soft client seems to be sending a notification message (DOI 1
24578 INITIAL-CONTACT), which is halting or stopping the Juniper firewall
from proceeding with Phase 2 negotiations (refer to frame 4 in the packet
capture shrewsoftsnoop1.pcap).

2013-07-12 11:47:34        info        IKE 96.242.112.67: Received initial contact notification and removed Phase 1 SAs.

2013-07-12 11:47:34        info        IKE 96.242.112.67: Received initial contact notification and removed Phase 2 SAs.

2013-07-12 11:47:34        info        IKE 96.242.112.67: Received a notification message for DOI 1 24578 INITIAL-CONTACT.  >> HERE

2013-07-12 11:47:34        info        IKE 96.242.112.67 Phase 1: Completed Aggressive mode negotiations with a  28800-second lifetime."

The other errors that are being logged with this are: "Rejected an IKE
packet on ethernet0/2 from 96.242.112.67:14499 to 96.242.112.68:4500 with
cookies 5cd1700e400706fd and 0ba9de74df44fcb6 because A Phase 2 packet
arrived while XAuth was still pending.  IKE 96.242.112.67 Phase 2 msg ID
fd04e4ca: Negotiations have failed."

I'm not sure where to go with this or if it is anything that other users
have experienced.

Thank you for any help you're able to give.

Hi Drew,

Is it possible to attach debug info with a pcap? (
https://www.shrew.net/support/VPN_Bug_Report_Windows )

There is a known issue with Juniper and XAuth, but it is with SRX:
https://lists.shrew.net/pipermail/vpn-help/2012-December/014091.html

Regards,

 


Drew Majewski
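
As a reader-added example (not from the thread, and not Shrew Soft or Juniper code), here is a small Python triage routine for ScreenOS IKE log lines of the shape quoted above: it groups events per peer and flags the signature the thread describes (an INITIAL-CONTACT notification, a Phase 2 packet rejected while XAuth was still pending, and Phase 2 "Negotiations have failed"). The sample log, the 192.0.2.x addresses and the cookie values are constructed; the regexes only cover the message shapes that appear in the thread.

```python
import re
from collections import defaultdict
# ScreenOS event shape quoted in the thread: "<ts>  info  IKE <peer>[ Phase N[ msg ID <hex>]]: <text>"
IKE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+\w+\s+IKE (?P<peer>[\d.]+|x\.x\.x\.x)"
    r"(?: Phase (?P<phase>[12]))?(?: msg ID (?P<msgid>[0-9a-f]+))?:\s*(?P<text>.+)$")
# "Rejected an IKE packet ... because <reason>" events name the peer as the from-address.
REJECT_RE = re.compile(
    r"^\S+ \S+\s+\w+\s+Rejected an IKE packet on \S+ from (?P<peer>[\d.]+):\d+ .* because (?P<reason>.+)$")

# Constructed sample in the thread's format; 192.0.2.x addresses and zero cookies are placeholders.
SAMPLE_LOG = """\
2013-07-12 11:47:34        info        IKE 192.0.2.10: Received initial contact notification and removed Phase 1 SAs.
2013-07-12 11:47:34        info        IKE 192.0.2.10: Received a notification message for DOI 1 24578 INITIAL-CONTACT.
2013-07-12 11:47:34        info        IKE 192.0.2.10 Phase 1: Completed Aggressive mode negotiations with a  28800-second lifetime.
2013-07-12 11:47:35        info        Rejected an IKE packet on ethernet0/2 from 192.0.2.10:14499 to 192.0.2.1:4500 with cookies 0000000000000000 and 0000000000000000 because A Phase 2 packet arrived while XAuth was still pending.
2013-07-12 11:47:35        info        IKE 192.0.2.10 Phase 2 msg ID fd04e4ca: Negotiations have failed.
2013-07-12 11:47:35        info        IKE 192.0.2.10 Phase 2 msg ID fd04e4ca: Negotiations have failed for user *****.
2013-07-12 11:50:00        info        IKE 192.0.2.20 Phase 1: Completed Aggressive mode negotiations with a  28800-second lifetime.
""".splitlines()

def triage(lines):
    """Group IKE events per peer and record the flags the thread's failure pattern needs."""
    report = defaultdict(lambda: {"initial_contact": False, "xauth_pending": False,
                                  "phase1_complete": False, "failed_msg_ids": []})
    for line in lines:
        m = IKE_RE.match(line.strip())
        if m:
            r, text = report[m["peer"]], m["text"]
            if "INITIAL-CONTACT" in text:
                r["initial_contact"] = True      # peer asked the gateway to drop its existing SAs
            elif m["phase"] == "1" and text.startswith("Completed"):
                r["phase1_complete"] = True
            elif m["phase"] == "2" and "Negotiations have failed" in text and m["msgid"] not in r["failed_msg_ids"]:
                r["failed_msg_ids"].append(m["msgid"])  # one entry per failed quick-mode exchange
            continue
        m = REJECT_RE.match(line.strip())
        if m and "XAuth was still pending" in m["reason"]:
            report[m["peer"]]["xauth_pending"] = True   # quick mode arrived before XAuth finished
    return dict(report)

def explain(entry):
    """Rank the likely cause for one peer, most specific evidence first."""
    if not entry["failed_msg_ids"]:
        return "ok"
    if entry["xauth_pending"]:
        return "phase2-before-xauth"          # client sent quick mode while XAuth was still open
    if entry["initial_contact"]:
        return "initial-contact-teardown"     # SAs were removed just before Phase 2 ran
    return "phase2-proposal-or-policy"        # check proposal and proxy-ID match on both sides
```

Running `triage` over the redacted `x.x.x.x` lines from the top of this message yields only a failed msg ID, which `explain` ranks as a proposal or policy mismatch; the first poster's log adds the XAuth rejection, which ranks higher.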


_______________________________________________
vpn-help mailing list
vpn-help at lists.shrew.net
https://lists.shrew.net/mailman/listinfo/vpn-help

 

 
