Hi Gauras,<br><br>Are you using the Windows or Linux client?<br><br>Is it possible to get a trace for the connection (to get the VID)?<br><br>Regards,<br><br><div class="gmail_quote">On Sat, Feb 20, 2010 at 11:39 AM, Gauras Gaurauskas <span dir="ltr">&lt;<a href="mailto:gaurasg@gmail.com">gaurasg@gmail.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">Hello,<br><br>Has anybody tried to use Shrew VPN to establish a VPN with a Juniper SRX210?<br>When I try to connect with Shrew VPN to the SRX210, in Phase 1 the SRX210 sends back the message NO-PROPOSAL-CHOSEN. <br>
In the SRX debug log I see that the SRX is not able to recognize a peer<br>
<br>Feb 3 01:16:14 ike_decode_packet: Start<br>Feb 3 01:16:14 ike_decode_packet: Start, SA = { 01e4a6ad e1553f43 - 41d763a0 0839b3be} / 00000000, nego = -1<br>Feb 3 01:16:14 ike_decode_payload_sa: Start<br>Feb 3 01:16:14 ike_decode_payload_t: Start, # trans = 3<br>
Feb 3 01:16:14 ike_st_i_vid: VID[0..8] = 09002689 dfd6b712 ...<br>Feb 3 01:16:14 The remote server at <a href="http://192.168.207.100:500" target="_blank">192.168.207.100:500</a> is 'draft-beaulieu-ike-xauth-02.txt'<br>
Feb 3 01:16:14 ike_st_i_vid: VID[0..16] = 4485152d 18b6bbcd ...<br>
Feb 3 01:16:14 Setting natt remote version to 2<br>Feb 3 01:16:14 The remote server at <a href="http://192.168.207.100:500" target="_blank">192.168.207.100:500</a> is 'draft-ietf-ipsec-nat-t-ike-00'<br>Feb 3 01:16:14 ike_st_i_vid: VID[0..16] = 16f6ca16 e4a4066d ...<br>
Feb 3 01:16:14 The remote server at <a href="http://192.168.207.100:500" target="_blank">192.168.207.100:500</a> is '16 f6 ca 16 e4 a4 06 6d 83 82 1a 0f 0a ea a8 62'<br>Feb 3 01:16:14 ike_st_i_vid: VID[0..16] = 90cb8091 3ebb696e ...<br>
Feb 3 01:16:14 Setting natt remote version to 3<br>Feb 3 01:16:14 The remote server at <a href="http://192.168.207.100:500" target="_blank">192.168.207.100:500</a> is 'draft-ietf-ipsec-nat-t-ike-02'<br>Feb 3 01:16:14 ike_st_i_vid: VID[0..16] = 7d9419a6 5310ca6f ...<br>
Feb 3 01:16:14 The remote server at <a href="http://192.168.207.100:500" target="_blank">192.168.207.100:500</a> is 'draft-ietf-ipsec-nat-t-ike-03'<br>Feb 3 01:16:14 ike_st_i_vid: VID[0..16] = 4a131c81 07035845 ...<br>
Feb 3 01:16:14 The remote server at <a href="http://192.168.207.100:500" target="_blank">192.168.207.100:500</a> is '4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f'<br>
Feb 3 01:16:14 ike_st_i_vid: VID[0..16] = afcad713 68a1f1c9 ...<br>Feb 3 01:16:14 The remote server at <a href="http://192.168.207.100:500" target="_blank">192.168.207.100:500</a> is 'draft-ietf-ipsec-dpd-00.txt'<br>
Feb 3 01:16:14 ike_st_i_vid: VID[0..16] = f14b94b7 bff1fef0 ...<br>
Feb 3 01:16:14 The remote server at <a href="http://192.168.207.100:500" target="_blank">192.168.207.100:500</a> is 'f1 4b 94 b7 bf f1 fe f0 27 73 b8 c4 9f ed ed 26'<br>Feb 3 01:16:14 ike_st_i_vid: VID[0..20] = 166f932d 55eb64d8 ...<br>
Feb 3 01:16:14 The remote server at <a href="http://192.168.207.100:500" target="_blank">192.168.207.100:500</a> is '16 6f 93 2d 55 eb 64 d8 e4 df 4f d3 7e 23 13 f0 d0 fd 84 51'<br>Feb 3 01:16:14 ike_st_i_vid: VID[0..16] = 8404adf9 cda05760 ...<br>
Feb 3 01:16:14 The remote server at <a href="http://192.168.207.100:500" target="_blank">192.168.207.100:500</a> is '84 04 ad f9 cd a0 57 60 b2 ca 29 2e 4b ff 53 7b'<br>Feb 3 01:16:14 ike_st_i_vid: VID[0..16] = 12f5f28c 457168a9 ...<br>
Feb 3 01:16:14 The remote server at <a href="http://192.168.207.100:500" target="_blank">192.168.207.100:500</a> is 'CISCO-UNITY'<br>Feb 3 01:16:14 ike_st_i_id: Start<br>Feb 3 01:16:14 ike_st_i_sa_proposal: Start<br>
Feb 3 01:16:14 Not doing MM check since initiator=FALSE and exch_type=4<br>
Feb 3 01:16:14 Unable to find ike gateway as remote peer:192.168.207.100 is not recognized.<br>Feb 3 01:16:14 KMD_PM_P1_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-1 [responder] failed for p1_local=ipv4(any:0,[0..3]=84.15.44.82) p1_remote=fqdn(any:0,[0..11]=user1.testas)<br>
Feb 3 01:16:14 KMD_PM_P1_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-1 [responder] failed for p1_local=ipv4(any:0,[0..3]=84.15.44.82) p1_remote=fqdn(any:0,[0..11]=user1.testas)<br>Feb 3 01:16:14 ike_isakmp_sa_reply: Start<br>
<br>I guess that it is because of the last VENDOR ID which the Shrew VPN client sends to the gateway. By default the last VID is 'CISCO-UNITY', but it seems that the SRX expects 'JNPR IPSec Client'.<br>When I use the Juniper DynamicVPN client to connect to the SRX, the last VID sent by the Juniper client is 'JNPR IPSec Client'.<br>
<br>Feb 3 00:37:03 ike_decode_payload_sa: Start<br>Feb 3 00:37:03 ike_decode_payload_t: Start, # trans = 1<br>Feb 3 00:37:03 ike_st_i_vid: VID[0..16] = afcad713 68a1f1c9 ...<br>Feb 3 00:37:03 The remote server at <a href="http://192.168.207.100:1142" target="_blank">192.168.207.100:1142</a> is 'draft-ietf-ipsec-dpd-00.txt'<br>
Feb 3 00:37:03 ike_st_i_vid: VID[0..8] = 09002689 dfd6b712 ...<br>Feb 3 00:37:03 The remote server at <a href="http://192.168.207.100:1142" target="_blank">192.168.207.100:1142</a> is 'draft-beaulieu-ike-xauth-02.txt'<br>
Feb 3 00:37:03 ike_st_i_vid: VID[0..16] = 7d9419a6 5310ca6f ...<br>
Feb 3 00:37:03 Setting natt remote version to 3<br>Feb 3 00:37:03 The remote server at <a href="http://192.168.207.100:1142" target="_blank">192.168.207.100:1142</a> is 'draft-ietf-ipsec-nat-t-ike-03'<br>Feb 3 00:37:03 ike_st_i_vid: VID[0..16] = 90cb8091 3ebb696e ...<br>
Feb 3 00:37:03 The remote server at <a href="http://192.168.207.100:1142" target="_blank">192.168.207.100:1142</a> is 'draft-ietf-ipsec-nat-t-ike-02'<br>Feb 3 00:37:03 ike_st_i_vid: VID[0..18] = 4a4e5052 20495053 ...<br>
Feb 3 00:37:03 The remote server at <a href="http://192.168.207.100:1142" target="_blank">192.168.207.100:1142</a> is 'JNPR IPSec Client'<br>
Feb 3 00:37:03 ike_st_i_id: Start<br>Feb 3 00:37:03 ike_st_i_sa_proposal: Start<br>Feb 3 00:37:03 ike_isakmp_sa_reply: Start<br>Feb 3 00:37:03 ike_st_i_nonce: Start, nonce[0..64] = a8995644 916c8238 ...<br>Feb 3 00:37:03 ike_st_i_cert: Start<br>
Feb 3 00:37:03 ike_st_i_hash_key: Start, no key_hash<br>Feb 3 00:37:03 ike_st_i_ke: Ke[0..192] = 0bfdd989 3383f389 ...<br>Feb 3 00:37:03 ike_st_i_cr: Start<br>Feb 3 00:37:03 ike_st_i_private: Start<br>Feb 3 00:37:03 ike_st_o_sa_values: Start<br>
Feb 3 00:37:03 ike_st_o_ke: Start<br>Feb 3 00:37:03 ike_st_o_nonce: Start<br>Feb 3 00:37:03 ike_policy_reply_isakmp_nonce_data_len: Start<br>Feb 3 00:37:03 ike_st_o_id: Start<br><br>Is it possible to add a new feature to the Shrew VPN client, similar to "Enable Check Point Compatible Vendor ID", which would allow sending 'JNPR IPSec Client' as the last VID?<br>
<br><br>
<br></blockquote></div><br>
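<br>Added example, not part of either message and not Shrew or Juniper code: a small Python parser that pairs each <code>ike_st_i_vid</code> line with the name the SRX logs for it, diffs the vendor IDs offered by the two clients, and pulls out the identities named in the <code>KMD_PM_P1_POLICY_LOOKUP_FAILURE</code> line. The sample input is excerpted from the two traces quoted above with the HTML markup stripped; the function names are hypothetical.

```python
import re

# Excerpts of the two SRX traces quoted above, HTML markup stripped.
SHREW_TRACE = """\
Feb 3 01:16:14 ike_st_i_vid: VID[0..16] = afcad713 68a1f1c9 ...
Feb 3 01:16:14 The remote server at 192.168.207.100:500 is 'draft-ietf-ipsec-dpd-00.txt'
Feb 3 01:16:14 ike_st_i_vid: VID[0..16] = 12f5f28c 457168a9 ...
Feb 3 01:16:14 The remote server at 192.168.207.100:500 is 'CISCO-UNITY'
Feb 3 01:16:14 Unable to find ike gateway as remote peer:192.168.207.100 is not recognized.
Feb 3 01:16:14 KMD_PM_P1_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-1 [responder] failed for p1_local=ipv4(any:0,[0..3]=84.15.44.82) p1_remote=fqdn(any:0,[0..11]=user1.testas)
"""
JUNIPER_TRACE = """\
Feb 3 00:37:03 ike_st_i_vid: VID[0..16] = afcad713 68a1f1c9 ...
Feb 3 00:37:03 The remote server at 192.168.207.100:1142 is 'draft-ietf-ipsec-dpd-00.txt'
Feb 3 00:37:03 ike_st_i_vid: VID[0..18] = 4a4e5052 20495053 ...
Feb 3 00:37:03 The remote server at 192.168.207.100:1142 is 'JNPR IPSec Client'
"""

VID_RE = re.compile(r"ike_st_i_vid: VID\[0\.\.(\d+)\] = ([0-9a-f ]+?) \.\.\.")
NAME_RE = re.compile(r"The remote server at \S+ is '([^']*)'")
FAIL_RE = re.compile(r"KMD_PM_P1_POLICY_LOOKUP_FAILURE: .*"
                     r"p1_local=(\w+)\(.*?=([^)]+)\) p1_remote=(\w+)\(.*?=([^)]+)\)")

def parse_trace(text):
    """Return (vids, failures); each vid is (length, hex prefix, logged name)."""
    vids, failures, pending = [], [], None
    for line in text.splitlines():
        if m := VID_RE.search(line):
            pending = (int(m.group(1)), m.group(2).replace(" ", ""))
        elif (m := NAME_RE.search(line)) and pending:
            vids.append((*pending, m.group(1)))   # name belongs to the VID just seen
            pending = None
        elif m := FAIL_RE.search(line):
            failures.append({"local": m.group(1, 2), "remote": m.group(3, 4)})
    return vids, failures

def vid_diff(vids_a, vids_b):
    """Names offered only by client A, and only by client B."""
    a, b = {v[2] for v in vids_a}, {v[2] for v in vids_b}
    return sorted(a - b), sorted(b - a)

def ascii_prefix(hex_prefix):
    """Decode the logged VID prefix if it is printable ASCII, else None."""
    raw = bytes.fromhex(hex_prefix)
    return raw.decode("ascii") if all(32 <= b < 127 for b in raw) else None

if __name__ == "__main__":
    shrew, fails = parse_trace(SHREW_TRACE)
    juniper, _ = parse_trace(JUNIPER_TRACE)
    print(vid_diff(shrew, juniper), fails, ascii_prefix(juniper[-1][1]))
```

Run against the full kmd trace of each client, it lists the vendor IDs and the Phase-1 identity the gateway failed to match side by side.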