[vpn-help] VPN not working with Radius and windows 2008

Vipan Kapur v.kapur at ibtimes.com
Mon Mar 25 10:18:34 CDT 2013


Hello,

I am able to ping the Radius server (Microsoft) from the firewall and am able
to ping the firewall from the Radius server.  When I try to connect using an
AD account, I get the following on the firewall.

2013-03-25 11:05:15	info	IKE 198.228.194.124: XAuth login failed for
gateway GW-DIALUP-VPN, username r.neal, retry: 0, timeout: 0.
2013-03-25 11:05:15	warn	Primary 10.50.100.12, backup1 , and backup2
servers failed.
2013-03-25 11:05:15	warn	Active Server Switchover: New requests for
Microsoft server will try Primary from now on.
2013-03-25 11:05:15	warn	Active Server Switchover: New requests for
Microsoft server will try Backup2 from now on.
2013-03-25 11:05:14	warn	Active Server Switchover: New requests for
Microsoft server will try Backup1 from now on.
2013-03-25 11:05:12	info	IP address 10.50.101.14 is released from
0026088ff9ed.
2013-03-25 11:05:12	info	IP address 10.50.100.71 is assigned to
0026088ff9ed.
2013-03-25 11:05:11	info	IP address 10.50.100.71 is assigned to
0026088ff9ed.
2013-03-25 11:05:08	info	IP address 10.50.101.14 is assigned to
0026088ff9ed.
2013-03-25 11:05:06	warn	Trying primary server 10.50.100.12.
2013-03-25 11:05:03	info	Rejected an IKE packet on ethernet0/2 from
198.228.194.124:34633 to 209.66.114.182:4500 with cookies 42a0918ad450522c
and 10d48403d7ae665b because A Phase 2 packet arrived while XAuth was still
pending.
2013-03-25 11:05:03	info	IKE 198.228.194.124 Phase 1: Completed
Aggressive mode negotiations with a 28800-second lifetime.
2013-03-25 11:05:03	info	IKE 198.228.194.124 Phase 1: Completed for
user client.corporate.com.
2013-03-25 11:05:03	info	IKE<198.228.194.124> Phase 1: IKE responder
has detected NAT in front of the remote device.
2013-03-25 11:05:03	info	IKE<198.228.194.124> Phase 1: IKE responder
has detected NAT in front of the local device.
2013-03-25 11:05:03	info	IKE 198.228.194.124 phase 1:The symmetric
crypto key has been generated successfully.
2013-03-25 11:05:03	info	IKE 198.228.194.124 Phase 1: Responder
starts AGGRESSIVE mode negotiations.

I am attaching my firewall config as well as the Shrew Client config file.
I hope someone will be able to assist me in resolving the issue.



-----Original Message-----
From: vpn-help-bounces at lists.shrew.net
[mailto:vpn-help-bounces at lists.shrew.net] On Behalf Of Kevin VPN
Sent: Sunday, March 24, 2013 9:25 PM
To: vpn-help at lists.shrew.net
Subject: Re: [vpn-help] VPN not working with Radius and windows 2008

On 02/27/2013 01:11 PM, Vipan Kapur wrote:
> Hello there!
>
> I hope you can help me, I have set up VPN access using the article 
> http://www.shrew.net/support/Howto_Juniper_SSG but I cannot connect 
> using the Radius server.  I can only connect if I create a user 
> account on the firewall, but I don't want to do that for all the users.
>
> The firewall shows the following:
>
> 2013-02-27 13:04:26	info	IKE 198.228.192.58: XAuth login failed for
> gateway GW-DIALUP-VPN, username v.kapur, retry: 0, timeout: 0.
> 2013-02-27 13:04:26	warn	Primary 10.50.100.12, backup1 , and backup2
> servers failed.
> 2013-02-27 13:04:26	warn	Active Server Switchover: New requests for
> Microsoft server will try Primary from now on.
> 2013-02-27 13:04:26	warn	Active Server Switchover: New requests for
> Microsoft server will try Backup2 from now on.
> 2013-02-27 13:04:25	warn	Active Server Switchover: New requests for
> Microsoft server will try Backup1 from now on.
> 2013-02-27 13:04:17	warn	Trying primary server 10.50.100.12.

Hi Vipan,

These messages look to me like your Juniper is unable to contact the RADIUS
server.  I'm assuming "Microsoft server" is your Windows 2008 RADIUS server.

If your device is unable to communicate with the RADIUS server, it obviously
would be unable to verify credentials that come from that server.

_______________________________________________
vpn-help mailing list
vpn-help at lists.shrew.net
https://lists.shrew.net/mailman/listinfo/vpn-help
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: FW_config.txt
URL: <https://lists.shrew.net/pipermail/vpn-help/attachments/20130325/8575531d/attachment-0002.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: shrew.vpn.txt
URL: <https://lists.shrew.net/pipermail/vpn-help/attachments/20130325/8575531d/attachment-0003.txt>
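The reply in this thread reads the "Trying primary server" / "servers failed" warnings as the firewall getting no answer from the RADIUS server. The following is an added example, not part of the original thread or of any Juniper or Shrew tooling: it rejoins the mail-wrapped log lines posted above and labels each XAuth failure by whether that sequence preceded it. The function names, the `window` parameter and the cause labels are assumptions made for illustration, as is treating this message sequence as "no response".

```python
import re
from datetime import datetime

# Log lines as posted in the thread (mail-wrapped, newest first), trimmed to the relevant ones.
SAMPLE_LOG = """\
2013-03-25 11:05:15 info IKE 198.228.194.124: XAuth login failed for
gateway GW-DIALUP-VPN, username r.neal, retry: 0, timeout: 0.
2013-03-25 11:05:15 warn Primary 10.50.100.12, backup1 , and backup2
servers failed.
2013-03-25 11:05:14 warn Active Server Switchover: New requests for
Microsoft server will try Backup1 from now on.
2013-03-25 11:05:06 warn Trying primary server 10.50.100.12.
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\w+)\s+(.*)$")

def parse(text):
    """Rejoin wrapped lines; return [time, level, message] entries, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append([when, m.group(2), m.group(3).strip()])
        elif events and line.strip():
            events[-1][2] += " " + line.strip()   # continuation of a wrapped entry
    events.reverse()                               # the paste is newest-first
    return sorted(events, key=lambda e: e[0])      # stable: keeps same-second order

def classify_xauth_failures(text, window=30):
    """Label each XAuth failure by whether a server-timeout sequence preceded it."""
    results, trying, failed = [], None, None
    for when, _level, msg in parse(text):
        m = re.match(r"Trying primary server (\S+?)\.$", msg)
        if m:
            trying, failed = (when, m.group(1)), None
        elif msg.endswith("servers failed."):
            failed = when
        else:
            m = re.search(r"XAuth login failed for gateway (\S+), username (\S+?),", msg)
            if not m:
                continue
            no_reply = bool(trying and failed and (when - failed).total_seconds() <= window)
            results.append({
                "gateway": m.group(1), "user": m.group(2),
                "server": trying[1] if trying else None,
                "wait_s": int((failed - trying[0]).total_seconds()) if no_reply else None,
                "cause": "auth-server-no-response" if no_reply else "unknown",
            })
            trying = failed = None
    return results
```

On the lines posted here, the failure for r.neal is labelled `auth-server-no-response` after a 9-second wait on 10.50.100.12; a failure with no preceding server-failed warning is labelled `unknown`.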

