[vpn-help] Windows 8 - Shrew to Juniper connection - SA (Kevin VPN)

James Minard JMinard at precisioncs.net
Tue May 14 12:48:15 CDT 2013


Kevin,
Mystery solved! I looked at the logs on the Juniper while establishing the connection. The system event log didn't give me much information to go on; however, I noticed in the alarm logs that when I tried to establish the connection, it started logging fragmented traffic alerts. I turned off the block fragment traffic protection and the 2.2.0 client established the SA.

I guess the only question is why the 2.2.0 client's traffic is being fragmented and the 2.1.7's isn't.

James J. Minard, MCP
Network Technician
Precision Computer Solutions, Inc.
JMinard at PrecisionCS.net
Phone (810) 987-8748 Ext 122
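The alarm entries James describes come from a screen that drops any IP fragment, and IKE datagrams (especially on UDP/4500 with NAT-T) are the ones that routinely exceed the path MTU. The following is an added example, not code from this thread or from the Shrew Soft project: it parses constructed IPv4/UDP datagrams, labels each as IKE, IKE over NAT-T (RFC 3948 non-ESP marker) or ESP over NAT-T, and flags the fragments such a screen would drop. Addresses, IP IDs and payload bytes are constructed sample data.

```python
import struct

UDP, IKE_PORT, NATT_PORT = 17, 500, 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948: IKE inside UDP/4500 starts with 4 zero bytes

def build_ipv4_udp(src, dst, sport, dport, payload, ident, offset=0, more=False):
    """Construct a sample IPv4 datagram (no checksums); only the first fragment carries the UDP header."""
    flags_frag = (0x2000 if more else 0) | (offset // 8)          # MF flag + 8-byte fragment offset
    l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) if offset == 0 else b""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), ident,
                      flags_frag, 64, UDP, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + l4 + payload

def classify(pkt):
    """Label one datagram and say whether a block-fragments screen would drop it."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ident, flags_frag = struct.unpack("!HHH", pkt[2:8])
    offset = (flags_frag & 0x1FFF) * 8
    fragmented = bool(flags_frag & 0x2000) or offset > 0        # first piece with MF, or any later piece
    kind = "other"
    if pkt[9] == UDP and offset == 0:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        body = pkt[ihl + 8:total_len]
        if IKE_PORT in (sport, dport):
            kind = "IKE"
        elif NATT_PORT in (sport, dport):
            kind = "IKE/NAT-T" if body.startswith(NON_ESP_MARKER) else "ESP/NAT-T"
    elif pkt[9] == UDP:
        kind = None   # continuation fragment: no L4 header, resolved from the IP ID in audit()
    return {"ident": ident, "kind": kind, "dropped_by_screen": fragmented}

def audit(pkts):
    """Classify a capture; trailing fragments inherit the label of their first fragment."""
    first_kind, out = {}, []
    for p in pkts:
        c = classify(p)
        if c["kind"] is None:
            c["kind"] = first_kind.get(c["ident"], "unknown fragment")
        else:
            first_kind[c["ident"]] = c["kind"]
        out.append(c)
    return out

# Constructed sample traffic: a small IKE packet, a NAT-T IKE message that exceeded a
# 1500-byte MTU and arrived as two fragments, and a small ESP-in-UDP packet.
SAMPLE = [
    build_ipv4_udp("10.0.0.5", "203.0.113.1", 500, 500, b"\x11" * 300, ident=1),
    build_ipv4_udp("10.0.0.5", "203.0.113.1", 4500, 4500, NON_ESP_MARKER + b"\x22" * 1468, ident=2, more=True),
    build_ipv4_udp("10.0.0.5", "203.0.113.1", 4500, 4500, b"\x22" * 400, ident=2, offset=1480),
    build_ipv4_udp("10.0.0.5", "203.0.113.1", 4500, 4500, b"\x7f\x00\x00\x01" + b"\x33" * 100, ident=3),
]
```

Running `audit(SAMPLE)` shows both pieces of IP ID 2 marked as dropped while the unfragmented IKE and ESP packets pass, which is exactly the pattern the Juniper alarm log was reporting.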

-----Original Message-----
From: vpn-help-bounces at lists.shrew.net [mailto:vpn-help-bounces at lists.shrew.net] On Behalf Of vpn-help-request at lists.shrew.net
Sent: Tuesday, May 14, 2013 1:00 PM
To: vpn-help at lists.shrew.net
Subject: vpn-help Digest, Vol 80, Issue 14

Send vpn-help mailing list submissions to
	vpn-help at lists.shrew.net

To subscribe or unsubscribe via the World Wide Web, visit
	https://lists.shrew.net/mailman/listinfo/vpn-help
or, via email, send a message with subject or body 'help' to
	vpn-help-request at lists.shrew.net

You can reach the person managing the list at
	vpn-help-owner at lists.shrew.net

When replying, please edit your Subject line so it is more specific than "Re: Contents of vpn-help digest..."


Today's Topics:

   1. Re: Windows 8 - Shrew to Juniper connection - SA (Kevin VPN) (James Minard)
   2. Re: VPN connection to NetASQ V9 with certificates
      (Alexis La Goutte)
   3. Automatic selection of local address to use (Juan Carlos Figueroa)


----------------------------------------------------------------------

Message: 1
Date: Mon, 13 May 2013 18:44:46 +0000
From: James Minard <JMinard at precisioncs.net>
To: "vpn-help at lists.shrew.net" <vpn-help at lists.shrew.net>
Subject: Re: [vpn-help] Windows 8 - Shrew to Juniper connection - SA (Kevin VPN)
Message-ID:
	<EBC4F299528134478BCB14B72DB797A0D6BD2F at PCSIVMail.pcsi.local>
Content-Type: text/plain; charset="us-ascii"

Kevin,
1. It's an SSG. 
2. I will have to try again tomorrow afternoon when I'm in the office with the 2.2.0 client to generate the logs on the Juniper.

James J. Minard, MCP
Network Technician
Precision Computer Solutions, Inc.
JMinard at PrecisionCS.net
Phone (810) 987-8748 Ext 122


-----Original Message-----
From: vpn-help-bounces at lists.shrew.net [mailto:vpn-help-bounces at lists.shrew.net] On Behalf Of vpn-help-request at lists.shrew.net
Sent: Monday, May 13, 2013 1:00 PM
To: vpn-help at lists.shrew.net
Subject: vpn-help Digest, Vol 80, Issue 13



Today's Topics:

   1. Re: Windows 8 - Shrew to Juniper connection - SA (Kevin VPN)


----------------------------------------------------------------------

Message: 1
Date: Sun, 12 May 2013 20:53:29 -0400
From: Kevin VPN <kvpn at live.com>
To: vpn-help at lists.shrew.net
Subject: Re: [vpn-help] Windows 8 - Shrew to Juniper connection - SA
Message-ID: <BLU0-SMTP2527D0B6675369C1DF76FF5A0A00 at phx.gbl>
Content-Type: text/plain; charset="ISO-8859-1"; format=flowed

On 05/10/2013 02:18 PM, James Minard wrote:
> Here are the logs from a working 2.1.7 machine and another machine 
> that I just installed 2.2.0 on and used the same policy and user for, 
> and cannot get the SA to establish. Thanks.
>
> James J. Minard, MCP Network Technician Precision Computer Solutions, 
> Inc. JMinard at PrecisionCS.net Phone (810) 987-8748 Ext 122
>
>
> -----Original Message-----
> From: vpn-help-bounces at lists.shrew.net [mailto:vpn-help-bounces at lists.shrew.net] On Behalf Of vpn-help-request at lists.shrew.net
> Sent: Friday, May 10, 2013 1:00 PM
> To: vpn-help at lists.shrew.net
> Subject: vpn-help Digest, Vol 80, Issue 11
>
>
>
> Today's Topics:
>
> 1. Re: . Windows 8 - Shrew to Juniper connection - SA failed (James Minard) (James Minard)
> 2. Re: Windows 8 - Shrew to Juniper connection - SA failed (Kevin VPN)
> 3. Re: . Windows 8 - Shrew to Juniper connection - SA failed (James Minard) (Kevin VPN)
> 4. Connecting Shrew 2.2.0 to ZyWALL USG 20 - invalid message from gateway (Lukasz Sokol)
> 5. VPN connection to NetASQ V9 with certificates (J Greenhouse)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 9 May 2013 19:41:40 +0000
> From: James Minard <JMinard at precisioncs.net>
> To: "vpn-help at lists.shrew.net" <vpn-help at lists.shrew.net>
> Subject: Re: [vpn-help] . Windows 8 - Shrew to Juniper connection - SA failed (James Minard)
> Message-ID: <EBC4F299528134478BCB14B72DB797A0D5AC38 at PCSIVMail.pcsi.local>
> Content-Type: text/plain; charset="us-ascii"
>
> Further follow-up on this today revealed that it's not just a Windows 8 issue with the 2.2.0 client. I had a Windows 7 machine that exhibited the same behavior. I downgraded that one to 2.1.7 and it worked fine. I guess my next step is going to be to load the 2.2.0 client on my Windows 7 PC and play around with some of the settings, unless anyone knows offhand why this would be occurring. One thing I did notice is that my 2.1.7 client connects with NAT-T / IKE | ESP, but the 2.2.0 client says NAT-T v2 / IKE | ESP.
>
> James J. Minard, MCP
> Network Technician
> Precision Computer Solutions, Inc.
> JMinard at PrecisionCS.net
> Phone (810) 987-8748 Ext 122
>
> -----Original Message-----
> From: vpn-help-bounces at lists.shrew.net [mailto:vpn-help-bounces at lists.shrew.net] On Behalf Of vpn-help-request at lists.shrew.net
> Sent: Thursday, May 09, 2013 1:00 PM
> To: vpn-help at lists.shrew.net
> Subject: vpn-help Digest, Vol 80, Issue 10
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 9 May 2013 00:46:48 +0000
> From: James Minard <JMinard at precisioncs.net>
> To: "vpn-help at lists.shrew.net" <vpn-help at lists.shrew.net>
> Subject: [vpn-help] Windows 8 - Shrew to Juniper connection - SA failed
> Message-ID: <EBC4F299528134478BCB14B72DB797A0D5A8BA at PCSIVMail.pcsi.local>
> Content-Type: text/plain; charset="us-ascii"
>
> The xauth is succeeding, but on the remote client, if I switch over to the Network tab, it shows 0 established SAs, 0 Expired, but the Failed count starts at 0 and then starts incrementing up to 1, 2, 3, etc. I thought maybe it was something to do with the Microsoft wi-fi virtual adapter in Windows 8, so I had the remote user disable that since I thought it was like the Windows 7 Microsoft virtual wi-fi miniport adapter that I have seen cause problems with Shrew, but it didn't make a difference.
>
> Any suggestions on what else could be causing this behavior? I've 
> never seen the SA not establish after xauth is successful. The same 
> user account works fine from my workstation, but it's Windows 7 and on 
> an Ethernet connection, not wi-fi.
>
> James J. Minard, MCP
> Network Technician
> Precision Computer Solutions, Inc.
> JMinard at PrecisionCS.net
> Phone (810) 987-8748 Ext 122
>
>  ------------------------------
>
> _______________________________________________ vpn-help mailing list 
> vpn-help at lists.shrew.net 
> https://lists.shrew.net/mailman/listinfo/vpn-help
>
>
> End of vpn-help Digest, Vol 80, Issue 10
> ****************************************
>
>
>
> ------------------------------
>
> Message: 2
> Date: Thu, 9 May 2013 21:23:25 -0400
> From: Kevin VPN <kvpn at live.com>
> To: vpn-help at lists.shrew.net
> Subject: Re: [vpn-help] Windows 8 - Shrew to Juniper connection - SA failed
> Message-ID: <BLU0-SMTP4164C0FB8DB7F1A1719ABA3A0A50 at phx.gbl>
> Content-Type: text/plain; charset="ISO-8859-1"; format=flowed
>
> On 05/08/2013 08:46 PM, James Minard wrote:
>> The xauth is succeeding, but on the remote client, if I switch over to the Network tab, it shows 0 established SAs, 0 Expired, but the Failed count starts at 0 and then starts incrementing up to 1, 2, 3, etc. I thought maybe it was something to do with the Microsoft wi-fi virtual adapter in Windows 8, so I had the remote user disable that since I thought it was like the Windows 7 Microsoft virtual wi-fi miniport adapter that I have seen cause problems with Shrew, but it didn't make a difference.
>>
>> Any suggestions on what else could be causing this behavior? I've 
>> never seen the SA not establish after xauth is successful. The same 
>> user account works fine from my workstation, but it's Windows
>> 7 and on an Ethernet connection, not wi-fi.
>>
>
> Hi James,
>
> A failed SA is often because of a policy mismatch between Shrew and 
> the VPN gateway, but since I assume you're using the exact same 
> configuration on your Win7 workstation vs the Win8 machine, I'm not 
> sure that's the case.
>
> Can you provide a bug report for us so we can see what Shrew is 
> reporting?  The instructions are here:
> https://www.shrew.net/support/VPN_Bug_Report_Windows
>
>
> ------------------------------
>
> Message: 3
> Date: Thu, 9 May 2013 21:27:47 -0400
> From: Kevin VPN <kvpn at live.com>
> To: vpn-help at lists.shrew.net
> Subject: Re: [vpn-help] . Windows 8 - Shrew to Juniper connection - SA failed (James Minard)
> Message-ID: <BLU0-SMTP26122064AF97C7EBB3C2C71A0A50 at phx.gbl>
> Content-Type: text/plain; charset="ISO-8859-1"; format=flowed
>
> On 05/09/2013 03:41 PM, James Minard wrote:
>> Further follow-up on this today revealed that it's not just a Windows 8 issue with the 2.2.0 client. I had a Windows 7 machine that exhibited the same behavior. I downgraded that one to 2.1.7 and it worked fine. I guess my next step is going to be to load the 2.2.0 client on my Windows 7 PC and play around with some of the settings, unless anyone knows offhand why this would be occurring. One thing I did notice is that my 2.1.7 client connects with NAT-T / IKE | ESP, but the 2.2.0 client says NAT-T v2 / IKE | ESP.
>>
>
> Hi James,
>
> I just wrote back to your first message, then when I refreshed I saw 
> this one.
>
> IKEv2 could be a cause of the problem. It's an interesting piece to 
> explore anyway.
>
> In addition to the bug report (Shrew logs) that I requested before, 
> can you provide a log from a Shrew 2.1.7 installation that's working?
>

Hi James,

The log from the 2.2.0 machine shows that the gateway does not respond to the Phase2 negotiation requests from Shrew.

Two questions:

1. What kind of Juniper?  An SSG or SRX?  There are known issues with SRXes I believe.

2. Are you able to get logs from the gateway itself, to ensure that a) the gateway is receiving the Phase2 negotiation request from Shrew, and b) to see what it has to say about it?



------------------------------



End of vpn-help Digest, Vol 80, Issue 13
****************************************



------------------------------

Message: 2
Date: Mon, 13 May 2013 21:30:40 +0200
From: Alexis La Goutte <alexis.lagoutte at gmail.com>
To: Jochen Boutens <jochen.boutens at finalbeta.net>
Cc: "vpn-help at lists.shrew.net" <vpn-help at lists.shrew.net>
Subject: Re: [vpn-help] VPN connection to NetASQ V9 with certificates
Message-ID:
	<CAHzrgZnpPoV6cM0fOVAJd3B42zqdSABGZBNVS9USLsb7PbrG2g at mail.gmail.com>
Content-Type: text/plain; charset="windows-1252"

On Mon, May 13, 2013 at 3:36 PM, Jochen Boutens < jochen.boutens at finalbeta.net> wrote:

> Thank you!
>
> C:\OpenSSL-Win32\bin>openssl.exe x509 -in c:\in.pem -inform pem -text -outform pem -out c:\out.pem -passin pass:example
>
> Worked for me.
>

Thanks for the feedback (and the command !)


>
> From: prolag at gmail.com [mailto:prolag at gmail.com] On Behalf Of Alexis La Goutte
> Sent: Friday, 10 May 2013 19:29
> To: Jochen Boutens
> Cc: vpn-help at lists.shrew.net
> Subject: Re: [vpn-help] VPN connection to NetASQ V9 with certificates
>
> Hi,
>
> On Wed, May 8, 2013 at 4:12 PM, J Greenhouse <J_Greenhouse at hotmail.com> wrote:
>
> I've currently set up a VPN connection to a NetASQ running v9.
>
> V9 supports 'mode config, DHCP' and connections from iPhone (Hybrid or Certificate/Xauth authentication). The way to set up the VPN client is a bit different than it was in v8 (guide on the Shrew Soft website). I've already found out how to connect using the client, yet I have a small usability question.
>
> The users first have to provide their domain authentication; after that they also have to provide the password to unlock the .p12 (Server Certificate Authority File) file needed to connect.
>
> The official VPN client of NetASQ actually remembers the password for the certificate the first time you connect. I would like the same behavior in the Shrew Soft client.
> Can this be done? Or can I convert the p12 to some other format that doesn't require the added security?
>
> It is not possible with Shrew (to save the certificate password).
>
> With OpenSSL, it is possible to modify the certificate so that it doesn't need a key.
>
> Regards,
>
> Best Regards,
>
> Jochen
>

------------------------------

Message: 3
Date: Tue, 14 May 2013 04:55:17 -0500
From: "Juan Carlos Figueroa" <jcfigueroa at gmail.com>
To: <vpn-help at lists.shrew.net>
Subject: [vpn-help] Automatic selection of local address to use
Message-ID: <005301ce5089$251afb70$6f50f250$@gmail.com>
Content-Type: text/plain; charset="us-ascii"

Hello!
On a Windows Server 2008 R2 machine I have the Shrew VPN Client v2.2. I have two VPNs configured. The machine has 15 IP addresses. Both VPNs are configured with Local Host mode='Use an existing adapter and current address'. When I establish a connection with the VPN 'A' the local address selected is the main IP of the Windows machine (1.1.1.1). However, ALL THE TIMES that I started the other VPN 'B' the local address selected is the second IP address of the Windows machine (2.2.2.2). I made several tests like:

1. Establish the VPN 'B' before the VPN 'A': Same result. The VPN 'B' is always using the 2nd local address and not the main local address

2. Check the logs: The log is always showing:
13/05/14 04:39:43 DB : peer added ( obj count = 1 )
13/05/14 04:39:43 ii : local address 2.2.2.2 selected for peer
13/05/14 04:39:43 DB : peer ref increment ( ref count = 2, obj count = 1)

3. Add the secondary IP addresses to the Windows machine using the 'skipsource' parameter: Done. However, the VPN client is always selecting the secondary IP address to establish that VPN.

Then, I want to know why the Shrew VPN Client is always selecting the IP 1.1.1.1 as the local source for the VPN 'A' and the IP 2.2.2.2 as the local source for my VPN 'B'. This behavior was not on a previous machine Windows Server 2008 (Not R2) with the same number of IP addresses. On that machine, the VPN client ALWAYS selects the main IP address as the local source for any VPN.

Thank you

Juan



------------------------------



End of vpn-help Digest, Vol 80, Issue 14
****************************************
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sysevent.zip
Type: application/x-zip-compressed
Size: 1112 bytes
Desc: sysevent.zip
URL: <https://lists.shrew.net/pipermail/vpn-help/attachments/20130514/cf69ba9b/attachment.bin>

