[vpn-help] Windows 8 - Shrew to Juniper connection - SA

James Minard JMinard at precisioncs.net
Fri May 10 13:18:19 CDT 2013


Here are the logs from a working 2.1.7 machine and another machine that I just installed 2.2.0 on and used the same policy and user for, and cannot get the SA to establish. Thanks.

James J. Minard, MCP
Network Technician
Precision Computer Solutions, Inc.
JMinard at PrecisionCS.net
Phone (810) 987-8748 Ext 122


-----Original Message-----
From: vpn-help-bounces at lists.shrew.net [mailto:vpn-help-bounces at lists.shrew.net] On Behalf Of vpn-help-request at lists.shrew.net
Sent: Friday, May 10, 2013 1:00 PM
To: vpn-help at lists.shrew.net
Subject: vpn-help Digest, Vol 80, Issue 11

Send vpn-help mailing list submissions to
	vpn-help at lists.shrew.net

To subscribe or unsubscribe via the World Wide Web, visit
	https://lists.shrew.net/mailman/listinfo/vpn-help
or, via email, send a message with subject or body 'help' to
	vpn-help-request at lists.shrew.net

You can reach the person managing the list at
	vpn-help-owner at lists.shrew.net

When replying, please edit your Subject line so it is more specific than "Re: Contents of vpn-help digest..."


Today's Topics:

   1. Re: . Windows 8 - Shrew to Juniper connection - SA failed
      (James Minard) (James Minard)
   2. Re: Windows 8 - Shrew to Juniper connection - SA failed
      (Kevin VPN)
   3. Re: . Windows 8 - Shrew to Juniper connection - SA failed
      (James Minard) (Kevin VPN)
   4. Connecting Shrew 2.2.0 to ZyWALL USG 20 - invalid	message
      from gateway (Lukasz Sokol)
   5. VPN connection to NetASQ V9 with certificates (J Greenhouse)


----------------------------------------------------------------------

Message: 1
Date: Thu, 9 May 2013 19:41:40 +0000
From: James Minard <JMinard at precisioncs.net>
To: "vpn-help at lists.shrew.net" <vpn-help at lists.shrew.net>
Subject: Re: [vpn-help] . Windows 8 - Shrew to Juniper connection - SA
	failed (James Minard)
Message-ID:
	<EBC4F299528134478BCB14B72DB797A0D5AC38 at PCSIVMail.pcsi.local>
Content-Type: text/plain; charset="us-ascii"

Further followup on this today revealed that it's not just a Windows 8 issue with the 2.2.0 client. I had a Windows 7 machine that exhibited the same behavior. I downgraded that one to 2.1.7 and it worked fine. I guess my next step is going to be to load the 2.2.0 client on my Windows 7 PC and play around with some of the settings, unless anyone knows offhand why this would be occurring. One thing I did notice is that my 2.1.7 client connects with NAT-T / IKE | ESP, but the 2.2.0 client says NAT-T v2 / IKE | ESP.

James J. Minard, MCP
Network Technician
Precision Computer Solutions, Inc.
JMinard at PrecisionCS.net
Phone (810) 987-8748 Ext 122

-----Original Message-----
From: vpn-help-bounces at lists.shrew.net [mailto:vpn-help-bounces at lists.shrew.net] On Behalf Of vpn-help-request at lists.shrew.net
Sent: Thursday, May 09, 2013 1:00 PM
To: vpn-help at lists.shrew.net
Subject: vpn-help Digest, Vol 80, Issue 10


Today's Topics:

   1. Windows 8 - Shrew to Juniper connection - SA failed (James Minard)


----------------------------------------------------------------------

Message: 1
Date: Thu, 9 May 2013 00:46:48 +0000
From: James Minard <JMinard at precisioncs.net>
To: "vpn-help at lists.shrew.net" <vpn-help at lists.shrew.net>
Subject: [vpn-help] Windows 8 - Shrew to Juniper connection - SA
	failed
Message-ID:
	<EBC4F299528134478BCB14B72DB797A0D5A8BA at PCSIVMail.pcsi.local>
Content-Type: text/plain; charset="us-ascii"

The xauth is succeeding, but on the remote client, if I switch over to the Network tab, it shows 0 established SAs, 0 Expired, but the Failed starts at 0 and then starts incrementing up to 1,2,3, etc. I thought maybe it was something to do with the Microsoft wi-fi virtual adapter in Windows 8, so I had the remote user disable that since I thought it was like the Windows 7 Microsoft virtual wi-fi miniport adapter that I have seen cause problems with Shrew, but it didn't make a difference.

Any suggestions on what else could be causing this behavior? I've never seen the SA not establish after xauth is successful. The same user account works fine from my workstation, but it's Windows 7 and on an Ethernet connection, not wi-fi.

James J. Minard, MCP
Network Technician
Precision Computer Solutions, Inc.
JMinard at PrecisionCS.net<mailto:JMinard at PrecisionCS.net>
Phone (810) 987-8748 Ext 122

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.shrew.net/pipermail/vpn-help/attachments/20130509/5b66e808/attachment-0001.html>

------------------------------

_______________________________________________
vpn-help mailing list
vpn-help at lists.shrew.net
https://lists.shrew.net/mailman/listinfo/vpn-help


End of vpn-help Digest, Vol 80, Issue 10
****************************************



------------------------------

Message: 2
Date: Thu, 9 May 2013 21:23:25 -0400
From: Kevin VPN <kvpn at live.com>
To: vpn-help at lists.shrew.net
Subject: Re: [vpn-help] Windows 8 - Shrew to Juniper connection - SA
	failed
Message-ID: <BLU0-SMTP4164C0FB8DB7F1A1719ABA3A0A50 at phx.gbl>
Content-Type: text/plain; charset="ISO-8859-1"; format=flowed

On 05/08/2013 08:46 PM, James Minard wrote:
> The xauth is succeeding, but on the remote client, if I switch over to 
> the Network tab, it shows 0 established SAs, 0 Expired, but the Failed 
> starts at 0 and then starts incrementing up to 1,2,3, etc. I thought 
> maybe it was something to do with the Microsoft wi-fi virtual adapter 
> in Windows 8, so I had the remote user disable that since I thought it 
> was like the Windows 7 Microsoft virtual wi-fi miniport adapter that I 
> have seen cause problems with Shrew, but it didn't
> make a difference.
>
> Any suggestions on what else could be causing this behavior? I've 
> never seen the SA not establish after xauth is successful. The same 
> user account works fine from my workstation, but it's Windows 7 and on 
> an Ethernet connection, not wi-fi.
>

Hi James,

A failed SA is often because of a policy mismatch between Shrew and the VPN gateway, but since I assume you're using the exact same configuration on your Win7 workstation vs the Win8 machine, I'm not sure that's the case.

Can you provide a bug report for us so we can see what Shrew is reporting?  The instructions are here:
https://www.shrew.net/support/VPN_Bug_Report_Windows


------------------------------

Message: 3
Date: Thu, 9 May 2013 21:27:47 -0400
From: Kevin VPN <kvpn at live.com>
To: vpn-help at lists.shrew.net
Subject: Re: [vpn-help] . Windows 8 - Shrew to Juniper connection - SA
	failed (James Minard)
Message-ID: <BLU0-SMTP26122064AF97C7EBB3C2C71A0A50 at phx.gbl>
Content-Type: text/plain; charset="ISO-8859-1"; format=flowed

On 05/09/2013 03:41 PM, James Minard wrote:
> Further followup on this today revealed that it's not just a Windows
> 8 issue with the 2.2.0 client. I had a Windows 7 machine that
> exhibited the same behavior. I downgraded that one to 2.1.7 and it
> worked fine. I guess my next step is going to be to load the 2.2.0
> client on my Windows 7 PC and play around with some of the settings,
> unless anyone knows offhand why this would be occurring. One thing I
> did notice is that my 2.1.7 client connects with NAT-T / IKE |
> ESP, but the 2.2.0 client says NAT-T v2 / IKE | ESP.
>

Hi James,

I just wrote back to your first message, then when I refreshed I saw 
this one.

IKEv2 could be a cause of the problem. It's an interesting piece to 
explore anyway.

In addition to the bug report (Shrew logs) that I requested before, can 
you provide a log from a Shrew 2.1.7 installation that's working?


------------------------------

Message: 4
Date: Wed, 08 May 2013 15:39:03 +0100
From: Lukasz Sokol <el.es.cr at gmail.com>
To: vpn-help at lists.shrew.net
Subject: [vpn-help] Connecting Shrew 2.2.0 to ZyWALL USG 20 - invalid
	message from gateway
Message-ID: <518A6387.2030401 at gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Hi,
I used the tutorial about USG300 as a starting point;

the use case :

Laptop (<-wifi->) iPhone [personal hot spot w/NAT] <- [3G internet] -> ZyWALL USG20

Laptop runs Shrew 2.2.0 on WinXP Home 32bit

ZyWall runs f/w 3.00(BDQ.4)

Shrew VPN fails with message 'invalid message from gateway'

Phase1 on both is set to exactly the same as per the linked tutorial;

Looking at 'decode' grade log with packet dump options enabled [all but DNS]
it seems that all is going well until it gets

(lines that look good)
<- recv IKE packet [gw public ip address]:500 -> [laptop priv ip address]:500 ( 228 bytes )

0x [a few lines of packet dump]

DB phase1 found
DB phase1 ref increment ( ref count = 1, obj count = 1 )
ww initiator port vales should only float once per session
ii processing phase1 packet ( 228 bytes )
=< cookies [some hash]
...(until about here)
=< message 00000000
<< ignoring duplicate key exchange payload
!! unprocessed payload data
<< ignoring duplicate nonce payload
!! unhandled phase1 payload 'unknown' ( 250 ) [this figure changes with every run]
!! unprocessed payload data
ii sending peer DELETE message

If this is not enough, I'll try to post more log.

Hope the above makes sense

Lukasz
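The 'decode' log above is Shrew walking the ISAKMP payload chain of the received phase 1 packet: each payload carries a generic header (next payload type, reserved byte, length), and the client stops processing when the chain yields a repeated payload, a type it does not know, or bytes that no payload accounts for. The following Python is an added example, not Shrew Soft code or part of Lukasz's post: it walks that chain the same way over two constructed packets and emits log-style findings with the same prefixes. Header layouts and payload numbers come from RFC 2408 (ISAKMP) and RFC 3947 (NAT-D/NAT-OA); the cookies and packet contents are constructed, and the encrypted-flag check is this example's own shortcut.

```python
"""Walk the ISAKMP (IKEv1) payload chain of a raw IKE packet and report the
kinds of anomalies the Shrew 'decode' log shows: duplicate payloads, unknown
payload types and trailing unprocessed bytes.

Added example, not Shrew Soft code. Header layouts follow RFC 2408 and the
payload numbers follow RFC 2408 / RFC 3947; the packet bytes built below are
constructed for illustration, not taken from a real capture.
"""
import struct

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # cookies, next, version, exch, flags, msgid, length
GENERIC_HDR = struct.Struct("!BBH")        # next payload, reserved, payload length
FLAG_ENCRYPTED = 0x01                      # RFC 2408 section 3.1, E bit

# IKEv1 payload type numbers (RFC 2408 sec. 3.1; 20/21 from RFC 3947).
PAYLOAD_NAMES = {
    1: "SA", 2: "PROPOSAL", 3: "TRANSFORM", 4: "KE", 5: "ID", 6: "CERT",
    7: "CR", 8: "HASH", 9: "SIG", 10: "NONCE", 11: "NOTIFY", 12: "DELETE",
    13: "VID", 20: "NAT-D", 21: "NAT-OA",
}


def build_packet(payloads, flags=0, msgid=0, extra=b""):
    """Assemble a main-mode ISAKMP packet from [(payload_type, body), ...].
    Each generic header's 'next payload' names the type of the following
    payload; the last one carries 0 (NONE). 'extra' appends bytes that no
    payload accounts for, to reproduce an 'unprocessed payload data' case."""
    body = b""
    for i, (ptype, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += GENERIC_HDR.pack(nxt, 0, GENERIC_HDR.size + len(data)) + data
    first = payloads[0][0] if payloads else 0
    total = ISAKMP_HDR.size + len(body) + len(extra)
    # constructed cookies, IKE version 1.0 (0x10), exchange type 2 = Identity Protection
    hdr = ISAKMP_HDR.pack(b"\x11" * 8, b"\x22" * 8, first, 0x10, 2, flags, msgid, total)
    return hdr + body + extra


def parse_isakmp(pkt):
    """Return (header dict, findings). Findings mimic Shrew's log prefixes:
    'ii' informational, '<<' a payload that was skipped, '!!' an error."""
    findings = []
    if len(pkt) < ISAKMP_HDR.size:
        return None, ["!! packet shorter than ISAKMP header"]
    icookie, rcookie, next_pl, version, exch, flags, msgid, length = ISAKMP_HDR.unpack_from(pkt)
    hdr = {"icookie": icookie.hex(), "rcookie": rcookie.hex(), "version": version,
           "exchange": exch, "flags": flags, "msgid": msgid, "length": length}
    if length != len(pkt):
        findings.append(f"!! header length {length} != packet length {len(pkt)}")
    if flags & FLAG_ENCRYPTED:
        # Walking an encrypted body as if it were plaintext produces exactly the
        # duplicate/unknown-payload noise seen in the log, so stop here instead.
        findings.append("ii encrypted flag set, payload chain not readable without SKEYID_e")
        return hdr, findings
    seen = set()
    off = ISAKMP_HDR.size
    while next_pl != 0:
        if off + GENERIC_HDR.size > len(pkt):
            findings.append("!! payload header truncated")
            break
        cur = next_pl
        next_pl, _reserved, plen = GENERIC_HDR.unpack_from(pkt, off)
        if plen < GENERIC_HDR.size or off + plen > len(pkt):
            findings.append(f"!! bad payload length {plen} at offset {off}")
            break
        name = PAYLOAD_NAMES.get(cur)
        if name is None:
            # The generic header still supplies next/length, so keep walking.
            findings.append(f"!! unhandled phase1 payload 'unknown' ( {cur} )")
        elif cur in seen:
            findings.append(f"<< ignoring duplicate {name.lower()} payload")
        else:
            seen.add(cur)
            findings.append(f"ii processed {name} payload ( {plen} bytes )")
        off += plen
    if off < len(pkt):
        findings.append(f"!! unprocessed payload data ( {len(pkt) - off} bytes )")
    return hdr, findings


# Constructed sample packets: a well-formed first main-mode message, and one
# with a repeated KE, an unknown type 250 and two trailing bytes.
GOOD_PACKET = build_packet([(1, b"\x00" * 12), (4, b"\x01" * 8), (10, b"\x02" * 8), (13, b"\x03" * 4)])
BAD_PACKET = build_packet([(4, b"\x01" * 4), (4, b"\x01" * 4), (10, b"\x02" * 4), (250, b"\x04" * 4)],
                          extra=b"\xde\xad")

if __name__ == "__main__":
    for label, pkt in (("good", GOOD_PACKET), ("bad", BAD_PACKET)):
        hdr, findings = parse_isakmp(pkt)
        print(f"{label}: cookies {hdr['icookie']}/{hdr['rcookie']} msgid {hdr['msgid']:08x}")
        for line in findings:
            print("  " + line)
```

Running the script prints the findings for both packets; the "bad" one reproduces the sequence of duplicate, unknown and unprocessed messages from the log. The point of the encrypted-flag check is that a chain of nonsensical payload types with an ever-changing "unknown" number is the signature of parsing bytes that are not plaintext ISAKMP payloads at all, which is why a packet dump of the offending message is the first thing to compare against the gateway's own log.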


------------------------------

Message: 5
Date: Wed, 8 May 2013 16:12:02 +0200
From: J Greenhouse <J_Greenhouse at hotmail.com>
To: <vpn-help at lists.shrew.net>
Subject: [vpn-help] VPN connection to NetASQ V9 with certificates
Message-ID: <BLU0-SMTP3203E8D445C1B8C79EC632CE5BB0 at phx.gbl>
Content-Type: text/plain; charset="us-ascii"

I've currently set up a VPN connection to a NetASQ running v9.

V9 supports "mode config, DHCP" and connections from iPhone (Hybrid or
Certificate/Xauth authentication).
The way to set up the VPN client is a bit different than it was in v8 (guide
on the Shrew Soft website). I've already found out how to connect using the
client, yet I have a small usability question.

The users first have to provide their domain authentication, after that they
also have to provide the password to unlock the .p12 (Server Certificate
Authority File) file needed to connect. 

The official VPN client of NetASQ actually remembers the password for the
certificate the first time you connect. I would like the same behavior in the
Shrew Soft client.
Can this be done? Or can I convert the p12 to some other format that doesn't
require the added security?

Best Regards, 

Jochen

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.shrew.net/pipermail/vpn-help/attachments/20130508/c1892109/attachment-0001.html>

------------------------------

_______________________________________________
vpn-help mailing list
vpn-help at lists.shrew.net
https://lists.shrew.net/mailman/listinfo/vpn-help


End of vpn-help Digest, Vol 80, Issue 11
****************************************
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 2.1.7working.zip
Type: application/x-zip-compressed
Size: 3762 bytes
Desc: 2.1.7working.zip
URL: <https://lists.shrew.net/pipermail/vpn-help/attachments/20130510/dfcb29eb/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 2.2.0notworking.zip
Type: application/x-zip-compressed
Size: 5401 bytes
Desc: 2.2.0notworking.zip
URL: <https://lists.shrew.net/pipermail/vpn-help/attachments/20130510/dfcb29eb/attachment-0003.bin>

