[vpn-help] Windows 8 - Shrew to Juniper connection - SA

Kevin VPN kvpn at live.com
Sun May 12 19:53:29 CDT 2013


On 05/10/2013 02:18 PM, James Minard wrote:
> Here are the logs from a working 2.1.7 machine and another machine
> that I just installed 2.2.0 on and used the same policy and user for,
> and cannot get the SA to establish. Thanks.
>
> James J. Minard, MCP Network Technician Precision Computer Solutions,
> Inc. JMinard at PrecisionCS.net Phone (810) 987-8748 Ext 122
>
>
> -----Original Message----- From: vpn-help-bounces at lists.shrew.net
> [mailto:vpn-help-bounces at lists.shrew.net] On Behalf Of
> vpn-help-request at lists.shrew.net Sent: Friday, May 10, 2013 1:00 PM
> To: vpn-help at lists.shrew.net Subject: vpn-help Digest, Vol 80, Issue
> 11
>
> ----------------------------------------------------------------------
>
>  Message: 1 Date: Thu, 9 May 2013 19:41:40 +0000 From: James Minard
> <JMinard at precisioncs.net> To: "vpn-help at lists.shrew.net"
> <vpn-help at lists.shrew.net> Subject: Re: [vpn-help] . Windows 8 -
> Shrew to Juniper connection - SA failed (James Minard) Message-ID:
> <EBC4F299528134478BCB14B72DB797A0D5AC38 at PCSIVMail.pcsi.local>
> Content-Type: text/plain; charset="us-ascii"
>
> Further followup on this today revealed that it's not just a Windows
> 8 issue with the 2.2.0 client. I had a Windows 7 machine that
> exhibited the same behavior. I downgraded that one to 2.1.7 and it
> worked fine. I guess my next step is going to be to load the 2.2.0
> client on my Windows 7 PC and play around with some of the settings,
> unless anyone knows offhand why this would be occurring. One thing I
> did notice is that my 2.1.7 client connects with NAT-T / IKE |
> ESP, but the 2.2.0 client says NAT-T v2 / IKE | ESP
>
> James J. Minard, MCP Network Technician Precision Computer Solutions,
> Inc. JMinard at PrecisionCS.net Phone (810) 987-8748 Ext 122
>
> -----Original Message----- From: vpn-help-bounces at lists.shrew.net
> [mailto:vpn-help-bounces at lists.shrew.net] On Behalf Of
> vpn-help-request at lists.shrew.net Sent: Thursday, May 09, 2013 1:00
> PM To: vpn-help at lists.shrew.net Subject: vpn-help Digest, Vol 80,
> Issue 10
>
> ----------------------------------------------------------------------
>
>  Message: 1 Date: Thu, 9 May 2013 00:46:48 +0000 From: James Minard
> <JMinard at precisioncs.net> To: "vpn-help at lists.shrew.net"
> <vpn-help at lists.shrew.net> Subject: [vpn-help] Windows 8 - Shrew to
> Juniper connection - SA failed Message-ID:
> <EBC4F299528134478BCB14B72DB797A0D5A8BA at PCSIVMail.pcsi.local>
> Content-Type: text/plain; charset="us-ascii"
>
> The xauth is succeeding, but on the remote client, if I switch over
> to the Network tab, it shows 0 established SAs, 0 Expired, but the
> Failed starts at 0 and then starts incrementing up to 1,2,3, etc. I
> thought maybe it was something to do with the Microsoft wi-fi virtual
> adapter in Windows 8, so I had the remote user disable that since I
> thought it was like the Windows 7 Microsoft virtual wi-fi miniport
> adapter that I have seen cause problems with Shrew, but it didn't
> make a difference.
>
> Any suggestions on what else could be causing this behavior? I've
> never seen the SA not establish after xauth is successful. The same
> user account works fine from my workstation, but it's Windows 7 and
> on an Ethernet connection, not wi-fi.
>
> James J. Minard, MCP Network Technician Precision Computer Solutions,
> Inc. JMinard at PrecisionCS.net Phone
> (810) 987-8748 Ext 122
>
> ------------------------------
>
> Message: 2 Date: Thu, 9 May 2013 21:23:25 -0400 From: Kevin VPN
> <kvpn at live.com> To: vpn-help at lists.shrew.net Subject: Re: [vpn-help]
> Windows 8 - Shrew to Juniper connection - SA failed Message-ID:
> <BLU0-SMTP4164C0FB8DB7F1A1719ABA3A0A50 at phx.gbl> Content-Type:
> text/plain; charset="ISO-8859-1"; format=flowed
>
> On 05/08/2013 08:46 PM, James Minard wrote:
>> The xauth is succeeding, but on the remote client, if I switch over
>> to the Network tab, it shows 0 established SAs, 0 Expired, but the
>> Failed starts at 0 and then starts incrementing up to 1,2,3, etc. I
>> thought maybe it was something to do with the Microsoft wi-fi
>> virtual adapter in Windows 8, so I had the remote user disable that
>> since I thought it was like the Windows 7 Microsoft virtual wi-fi
>> miniport adapter that I have seen cause problems with Shrew, but it
>> didn't make a difference.
>>
>> Any suggestions on what else could be causing this behavior? I've
>> never seen the SA not establish after xauth is successful. The
>> same user account works fine from my workstation, but it's Windows
>> 7 and on an Ethernet connection, not wi-fi.
>>
>
> Hi James,
>
> A failed SA is often because of a policy mismatch between Shrew and
> the VPN gateway, but since I assume you're using the exact same
> configuration on your Win7 workstation vs the Win8 machine, I'm not
> sure that's the case.
>
> Can you provide a bug report for us so we can see what Shrew is
> reporting?  The instructions are here:
> https://www.shrew.net/support/VPN_Bug_Report_Windows
>
>
> ------------------------------
>
> Message: 3 Date: Thu, 9 May 2013 21:27:47 -0400 From: Kevin VPN
> <kvpn at live.com> To: vpn-help at lists.shrew.net Subject: Re: [vpn-help]
> . Windows 8 - Shrew to Juniper connection - SA failed (James Minard)
> Message-ID: <BLU0-SMTP26122064AF97C7EBB3C2C71A0A50 at phx.gbl>
> Content-Type: text/plain; charset="ISO-8859-1"; format=flowed
>
> On 05/09/2013 03:41 PM, James Minard wrote:
>> Further followup on this today revealed that it's not just a
>> Windows 8 issue with the 2.2.0 client. I had a Windows 7 machine
>> that exhibited the same behavior. I downgraded that one to 2.1.7
>> and it worked fine. I guess my next step is going to be to load the
>> 2.2.0 client on my Windows 7 PC and play around with some of the
>> settings, unless anyone knows offhand why this would be occurring.
>> One thing I did notice is that my 2.1.7 client connects with
>> NAT-T / IKE | ESP, but the 2.2.0 client says NAT-T v2 / IKE | ESP
>>
>
> Hi James,
>
> I just wrote back to your first message, then when I refreshed I saw
> this one.
>
> IKEv2 could be a cause of the problem. It's an interesting piece to
> explore anyway.
>
> In addition to the bug report (Shrew logs) that I requested before,
> can you provide a log from a Shrew 2.1.7 installation that's
> working?
>

Hi James,

The log from the 2.2.0 machine shows that the gateway does not respond 
to the Phase2 negotiation requests from Shrew.

Two questions:

1. What kind of Juniper?  An SSG or SRX?  There are known issues with 
SRXes I believe.

2. Are you able to get logs from the gateway itself to ensure that 
a) the gateway is receiving the Phase2 negotiation request from Shrew 
and b) to see what it has to say about it?


