<div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Jul 15, 2013 at 10:03 PM, Drew Majewski <span dir="ltr"><<a href="mailto:dmajewski@markovprocesses.com" target="_blank">dmajewski@markovprocesses.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div link="blue" vlink="purple" lang="EN-US">
<div>
<p class="">Hello,<u></u><u></u></p>
<p class=""><u></u> <u></u></p>
<p class="">I’ve been working with Juniper support to try and get
VPN connectivity setup with Shrew but we’re having issues getting phase 2
to pass. Juniper has repeated all the steps in their labs too and
get the same results as below and their only solution is to contact you guys or
use another VPN Client. <u></u><u></u></p>
<p class=""><u></u> <u></u></p>
<p class="">Juniper support has stated: “I suspect that Shrew soft
client 2.2.2, running on windows xp (which is what I tried) is not compatible
with the Juniper firewall.<u></u><u></u></p>
<p class=""><u></u> <u></u></p>
<p class="">The shrew soft client seems to be sending a notification
message(DOI 1 24578 INITIAL-CONTACT), which is halting or stopping the
Juniper firewall to proceed with phase-2 negotiations (refer frame4 in the
packet capture shrewsoftsnoop1.pcap)<u></u><u></u></p>
<p class=""><u></u> <u></u></p>
<p class="">2013-07-12 11:47:34 info IKE
<a href="http://96.242.112.67" target="_blank">96.242.112.67</a>: Received initial contact notification and removed Phase 1 SAs.<u></u><u></u></p>
<p class="">2013-07-12 11:47:34 info IKE
<a href="http://96.242.112.67" target="_blank">96.242.112.67</a>: Received initial contact notification and removed Phase 2 SAs.<u></u><u></u></p>
<p class="">2013-07-12 11:47:34 info IKE
<a href="http://96.242.112.67" target="_blank">96.242.112.67</a>: Received a notification message for DOI 1 24578
INITIAL-CONTACT. >> HERE<u></u><u></u></p>
<p class="">2013-07-12 11:47:34 info IKE
96.242.112.67 Phase 1: Completed Aggressive mode negotiations with a
28800-second lifetime.”<u></u><u></u></p>
<p class=""><u></u> <u></u></p>
<p class="">The other errors that are being logged with this are: "Rejected
an IKE packet on ethernet0/2 from <a href="http://96.242.112.67:14499" target="_blank">96.242.112.67:14499</a> to <a href="http://96.242.112.68:4500" target="_blank">96.242.112.68:4500</a> with
cookies 5cd1700e400706fd and 0ba9de74df44fcb6 because A Phase 2 packet arrived while
XAuth was still pending. IKE 96.242.112.67 Phase 2 msg ID fd04e4ca:
Negotiations have failed. "<u></u><u></u></p>
<p class=""><u></u> <u></u></p>
<p class="">I’m not sure where to go with this or if it is anything
that other users have experienced.<u></u><u></u></p>
<p class=""><u></u> <u></u></p>
<p class="">Thank you for any help you’re able to give.</p></div></div></blockquote><div><br></div><div>Hi Drew,<br><br></div><div>it is possible to attach debug info with pcap ? ( <a href="https://www.shrew.net/support/VPN_Bug_Report_Windows">https://www.shrew.net/support/VPN_Bug_Report_Windows</a> )<br>
<br></div><div>There is some known issue with Juniper and Xauth but it is with SRX : <a href="https://lists.shrew.net/pipermail/vpn-help/2012-December/014091.html">https://lists.shrew.net/pipermail/vpn-help/2012-December/014091.html</a><br>
<br></div><div>Regards,<br></div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div link="blue" vlink="purple" lang="EN-US"><div><p class="">
<span class=""><font color="#888888"><u></u><u></u></font></span></p><span class=""><font color="#888888">
<p class=""><br>
Drew Majewski<u></u><u></u></p>
</font></span></div>
</div>
<br>_______________________________________________<br>
vpn-help mailing list<br>
<a href="mailto:vpn-help@lists.shrew.net">vpn-help@lists.shrew.net</a><br>
<a href="https://lists.shrew.net/mailman/listinfo/vpn-help" target="_blank">https://lists.shrew.net/mailman/listinfo/vpn-help</a><br>
<br></blockquote></div><br></div></div>