[vpn-help] Phase 2 failing with Juniper SSG140
Drew Majewski
dmajewski at markovprocesses.com
Mon Jul 15 15:03:36 CDT 2013
Hello,
I've been working with Juniper support to try and get VPN connectivity
set up with Shrew but we're having issues getting phase 2 to pass.
Juniper has repeated all the steps in their labs too and get the same
results as below and their only solution is to contact you guys or use
another VPN Client.
Juniper support has stated: "I suspect that Shrew soft client 2.2.2,
running on windows xp (which is what I tried) is not compatible with the
Juniper firewall.
The shrew soft client seems to be sending a notification message(DOI 1
24578 INITIAL-CONTACT), which is halting or stopping the Juniper firewall
to proceed with phase-2 negotiations (refer frame4 in the packet capture
shrewsoftsnoop1.pcap)
2013-07-12 11:47:34 info IKE 96.242.112.67: Received initial contact notification and removed Phase 1 SAs.
2013-07-12 11:47:34 info IKE 96.242.112.67: Received initial contact notification and removed Phase 2 SAs.
2013-07-12 11:47:34 info IKE 96.242.112.67: Received a notification message for DOI 1 24578 INITIAL-CONTACT. >> HERE
2013-07-12 11:47:34 info IKE 96.242.112.67 Phase 1: Completed Aggressive mode negotiations with a 28800-second lifetime."
The other errors that are being logged with this are: "Rejected an IKE
packet on ethernet0/2 from 96.242.112.67:14499 to 96.242.112.68:4500 with
cookies 5cd1700e400706fd and 0ba9de74df44fcb6 because A Phase 2 packet
arrived while XAuth was still pending. IKE 96.242.112.67 Phase 2 msg ID
fd04e4ca: Negotiations have failed. "
I'm not sure where to go with this or if it is anything that other users
have experienced.
Thank you for any help you're able to give.
Drew Majewski
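
Added example, not part of the original post and not Juniper or Shrew Soft code: a small triage script that groups the gateway log lines quoted above by peer and reports which logged event coincides with the Phase 2 failure. The event names, the regular expressions and the function names are assumptions made for this illustration; the sample input is the post's own log lines, re-joined where the e-mail wrapped them and without the ">> HERE" annotation.

```python
import re
from collections import defaultdict

# Log lines taken from the post (re-joined; last two had no timestamp there).
SAMPLE_LOG = """\
2013-07-12 11:47:34 info IKE 96.242.112.67: Received initial contact notification and removed Phase 1 SAs.
2013-07-12 11:47:34 info IKE 96.242.112.67: Received initial contact notification and removed Phase 2 SAs.
2013-07-12 11:47:34 info IKE 96.242.112.67: Received a notification message for DOI 1 24578 INITIAL-CONTACT.
2013-07-12 11:47:34 info IKE 96.242.112.67 Phase 1: Completed Aggressive mode negotiations with a 28800-second lifetime.
Rejected an IKE packet on ethernet0/2 from 96.242.112.67:14499 to 96.242.112.68:4500 with cookies 5cd1700e400706fd and 0ba9de74df44fcb6 because A Phase 2 packet arrived while XAuth was still pending.
IKE 96.242.112.67 Phase 2 msg ID fd04e4ca: Negotiations have failed.
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
# The peer appears either as "IKE <ip>" or as the source of a rejected packet.
PEER_RES = [re.compile(r"\bIKE " + IP), re.compile(r"\bfrom " + IP + r":\d+")]
# Hypothetical event labels mapped to the message text seen in the post.
EVENTS = [
    ("initial_contact", re.compile(r"DOI 1 24578 INITIAL-CONTACT")),
    ("phase1_completed", re.compile(r"Phase 1: Completed \w+ mode negotiations")),
    ("phase2_during_xauth", re.compile(r"Phase 2 packet arrived while XAuth was still pending")),
    ("phase2_failed", re.compile(r"Phase 2 msg ID \w+: Negotiations have failed")),
]

def events_by_peer(log_text):
    """Return {peer_ip: [event, ...]} in the order the lines appear."""
    out = defaultdict(list)
    for line in log_text.splitlines():
        peer = next((m.group(1) for r in PEER_RES if (m := r.search(line))), None)
        if peer is None:
            continue  # line does not name a peer
        for name, rx in EVENTS:
            if rx.search(line):
                out[peer].append(name)
    return dict(out)

def triage(events):
    """Summarise what the gateway itself logged for one peer."""
    if "phase2_during_xauth" in events:
        return "Phase 2 rejected: XAuth still pending on the gateway"
    if "phase2_failed" in events:
        return "Phase 2 failed: no XAuth rejection logged"
    if "phase1_completed" in events:
        return "Phase 1 completed: no Phase 2 failure logged"
    return "no Phase 1 completion logged"

if __name__ == "__main__":
    for peer, evs in events_by_peer(SAMPLE_LOG).items():
        print(peer, evs, "->", triage(evs))
```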