[vpn-help] Phase 2 failing with Juniper SSG140

Alexis La Goutte alexis.lagoutte at gmail.com
Tue Jul 16 07:07:21 CDT 2013


On Mon, Jul 15, 2013 at 10:03 PM, Drew Majewski <
dmajewski at markovprocesses.com> wrote:

> Hello,
>
> I’ve been working with Juniper support to try and get VPN connectivity
> setup with Shrew but we’re having issues getting phase 2 to pass. Juniper
> has repeated all the steps in their labs too and gets the same results as
> below and their only solution is to contact you guys or use another VPN
> Client.
>
> Juniper support has stated: “I suspect that Shrew soft client 2.2.2,
> running on windows xp (which is what I tried) is not compatible with the
> Juniper firewall.
>
> The shrew soft client seems to be sending a notification message (DOI 1
> 24578 INITIAL-CONTACT), which is halting or stopping the Juniper firewall
> to proceed with phase-2 negotiations (refer frame4 in the packet capture
> shrewsoftsnoop1.pcap)
>
> 2013-07-12 11:47:34        info        IKE 96.242.112.67: Received initial contact notification and removed Phase 1 SAs.
>
> 2013-07-12 11:47:34        info        IKE 96.242.112.67: Received initial contact notification and removed Phase 2 SAs.
>
> 2013-07-12 11:47:34        info        IKE 96.242.112.67: Received a notification message for DOI 1 24578 INITIAL-CONTACT.  >> HERE
>
> 2013-07-12 11:47:34        info        IKE 96.242.112.67 Phase 1: Completed Aggressive mode negotiations with a  28800-second lifetime.”
>
> The other errors that are being logged with this are: "Rejected an IKE
> packet on ethernet0/2 from 96.242.112.67:14499 to 96.242.112.68:4500 with
> cookies 5cd1700e400706fd and 0ba9de74df44fcb6 because A Phase 2 packet
> arrived while XAuth was still pending.  IKE 96.242.112.67 Phase 2 msg ID
> fd04e4ca: Negotiations have failed. "
>
> I’m not sure where to go with this or if it is anything that other users
> have experienced.
>
> Thank you for any help you’re able to give.
>

Hi Drew,

Is it possible to attach debug info with a pcap?
(https://www.shrew.net/support/VPN_Bug_Report_Windows)

There is some known issue with Juniper and Xauth, but it is with SRX:
https://lists.shrew.net/pipermail/vpn-help/2012-December/014091.html

Regards,

>
> Drew Majewski
>
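
A small triage script for the firewall event lines quoted in this thread, as an added example that is not part of the original messages and not Shrew Soft or Juniper code: it groups the IKE events by peer and pulls out the stated Phase 2 rejection reason. The sample log is constructed from the quoted excerpts (the timestamp and severity on the last two lines are assumed), and the function and event names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: messages come from the excerpts quoted in the thread;
# the timestamp and severity on the last two lines are assumed.
SAMPLE_LOG = """\
2013-07-12 11:47:34 info IKE 96.242.112.67: Received initial contact notification and removed Phase 1 SAs.
2013-07-12 11:47:34 info IKE 96.242.112.67: Received initial contact notification and removed Phase 2 SAs.
2013-07-12 11:47:34 info IKE 96.242.112.67: Received a notification message for DOI 1 24578 INITIAL-CONTACT.
2013-07-12 11:47:34 info IKE 96.242.112.67 Phase 1: Completed Aggressive mode negotiations with a 28800-second lifetime.
2013-07-12 11:47:35 info Rejected an IKE packet on ethernet0/2 from 96.242.112.67:14499 to 96.242.112.68:4500 with cookies 5cd1700e400706fd and 0ba9de74df44fcb6 because A Phase 2 packet arrived while XAuth was still pending.
2013-07-12 11:47:35 info IKE 96.242.112.67 Phase 2 msg ID fd04e4ca: Negotiations have failed.
"""

IP = r"(?P<peer>\d{1,3}(?:\.\d{1,3}){3})"
# (event name, pattern) pairs; the first pattern that matches a line wins.
PATTERNS = [
    ("sa_removed", re.compile(rf"IKE {IP}: Received initial contact notification and removed Phase [12] SAs")),
    ("initial_contact", re.compile(rf"IKE {IP}: Received a notification message for DOI 1 24578 INITIAL-CONTACT")),
    ("phase1_done", re.compile(rf"IKE {IP} Phase 1: Completed \w+ mode negotiations")),
    ("p2_rejected", re.compile(rf"Rejected an IKE packet on \S+ from {IP}:\d+ to \S+ with cookies "
                               r"[0-9a-f]{16} and [0-9a-f]{16} because (?P<reason>.+?)\.?$")),
    ("p2_failed", re.compile(rf"IKE {IP} Phase 2 msg ID (?P<msgid>[0-9a-f]+): Negotiations have failed")),
]

def triage(log_text):
    """Group recognised IKE events by peer address, in log order."""
    peers = defaultdict(lambda: {"events": [], "reject_reasons": [], "failed_msg_ids": []})
    for line in log_text.splitlines():
        for name, rx in PATTERNS:
            m = rx.search(line.strip())
            if m:
                rec = peers[m["peer"]]
                rec["events"].append(name)
                if name == "p2_rejected":
                    rec["reject_reasons"].append(m["reason"])
                elif name == "p2_failed":
                    rec["failed_msg_ids"].append(m["msgid"])
                break
    return dict(peers)

def xauth_pending_peers(report):
    """Peers with a Phase 2 packet rejected while XAuth was still pending."""
    return sorted(p for p, r in report.items()
                  if any("XAuth was still pending" in why for why in r["reject_reasons"]))

if __name__ == "__main__":
    for peer, rec in triage(SAMPLE_LOG).items():
        print(peer, rec)
```

The per-peer event order and rejection reason make it easy to see, across a longer log, which failed Phase 2 exchanges carry the XAuth-pending reason and which do not.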