Hi Gauras,

Do you use the Windows or Linux client?
Is it possible to get a trace for the connection? (to get the VID)

Regards,

On Sat, Feb 20, 2010 at 11:39 AM, Gauras Gaurauskas <[email protected]> wrote:
> Hello,
>
> Has anybody tried to use Shrew VPN to establish VPN with Juniper SRX210?
> When I try to connect with Shrew VPN to the SRX210, on Phase1 SRX210 sends
> back message NO-PROPOSAL-CHOSEN.
> In the SRX debug log I see that SRX is not able to recognize a peer
>
> Feb 3 01:16:14 ike_decode_packet: Start
> Feb 3 01:16:14 ike_decode_packet: Start, SA = { 01e4a6ad e1553f43 - 41d763a0 0839b3be} / 00000000, nego = -1
> Feb 3 01:16:14 ike_decode_payload_sa: Start
> Feb 3 01:16:14 ike_decode_payload_t: Start, # trans = 3
> Feb 3 01:16:14 ike_st_i_vid: VID[0..8] = 09002689 dfd6b712 ...
> Feb 3 01:16:14 The remote server at 192.168.207.100:500 is 'draft-beaulieu-ike-xauth-02.txt'
> Feb 3 01:16:14 ike_st_i_vid: VID[0..16] = 4485152d 18b6bbcd ...
> Feb 3 01:16:14 Setting natt remote version to 2
> Feb 3 01:16:14 The remote server at 192.168.207.100:500 is 'draft-ietf-ipsec-nat-t-ike-00'
> Feb 3 01:16:14 ike_st_i_vid: VID[0..16] = 16f6ca16 e4a4066d ...
> Feb 3 01:16:14 The remote server at 192.168.207.100:500 is '16 f6 ca 16 e4 a4 06 6d 83 82 1a 0f 0a ea a8 62'
> Feb 3 01:16:14 ike_st_i_vid: VID[0..16] = 90cb8091 3ebb696e ...
> Feb 3 01:16:14 Setting natt remote version to 3
> Feb 3 01:16:14 The remote server at 192.168.207.100:500 is 'draft-ietf-ipsec-nat-t-ike-02'
> Feb 3 01:16:14 ike_st_i_vid: VID[0..16] = 7d9419a6 5310ca6f ...
> Feb 3 01:16:14 The remote server at 192.168.207.100:500 is 'draft-ietf-ipsec-nat-t-ike-03'
> Feb 3 01:16:14 ike_st_i_vid: VID[0..16] = 4a131c81 07035845 ...
> Feb 3 01:16:14 The remote server at 192.168.207.100:500 is '4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f'
> Feb 3 01:16:14 ike_st_i_vid: VID[0..16] = afcad713 68a1f1c9 ...
> Feb 3 01:16:14 The remote server at 192.168.207.100:500 is 'draft-ietf-ipsec-dpd-00.txt'
> Feb 3 01:16:14 ike_st_i_vid: VID[0..16] = f14b94b7 bff1fef0 ...
> Feb 3 01:16:14 The remote server at 192.168.207.100:500 is 'f1 4b 94 b7 bf f1 fe f0 27 73 b8 c4 9f ed ed 26'
> Feb 3 01:16:14 ike_st_i_vid: VID[0..20] = 166f932d 55eb64d8 ...
> Feb 3 01:16:14 The remote server at 192.168.207.100:500 is '16 6f 93 2d 55 eb 64 d8 e4 df 4f d3 7e 23 13 f0 d0 fd 84 51'
> Feb 3 01:16:14 ike_st_i_vid: VID[0..16] = 8404adf9 cda05760 ...
> Feb 3 01:16:14 The remote server at 192.168.207.100:500 is '84 04 ad f9 cd a0 57 60 b2 ca 29 2e 4b ff 53 7b'
> Feb 3 01:16:14 ike_st_i_vid: VID[0..16] = 12f5f28c 457168a9 ...
> Feb 3 01:16:14 The remote server at 192.168.207.100:500 is 'CISCO-UNITY'
> Feb 3 01:16:14 ike_st_i_id: Start
> Feb 3 01:16:14 ike_st_i_sa_proposal: Start
> Feb 3 01:16:14 Not doing MM check since initiator=FALSE and exch_type=4
> Feb 3 01:16:14 Unable to find ike gateway as remote peer:192.168.207.100 is not recognized.
> Feb 3 01:16:14 KMD_PM_P1_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-1 [responder] failed for p1_local=ipv4(any:0,[0..3]=84.15.44.82) p1_remote=fqdn(any:0,[0..11]=user1.testas)
> Feb 3 01:16:14 KMD_PM_P1_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-1 [responder] failed for p1_local=ipv4(any:0,[0..3]=84.15.44.82) p1_remote=fqdn(any:0,[0..11]=user1.testas)
> Feb 3 01:16:14 ike_isakmp_sa_reply: Start
>
> I guess that it is because of last VENDOR ID, which Shrew VPN client
> sends to the gateway. By default last VID is 'CISCO-UNITY', but it seems
> that SRX expects 'JNPR IPSec Client'
> When I use Juniper DynamicVPN client to connect to SRX, the last VID sent
> by the Juniper client is 'JNPR IPSec Client'.
>
> eb 3 00:37:03 ike_decode_payload_sa: Start
> Feb 3 00:37:03 ike_decode_payload_t: Start, # trans = 1
> Feb 3 00:37:03 ike_st_i_vid: VID[0..16] = afcad713 68a1f1c9 ...
> Feb 3 00:37:03 The remote server at 192.168.207.100:1142 is 'draft-ietf-ipsec-dpd-00.txt'
> Feb 3 00:37:03 ike_st_i_vid: VID[0..8] = 09002689 dfd6b712 ...
> Feb 3 00:37:03 The remote server at 192.168.207.100:1142 is 'draft-beaulieu-ike-xauth-02.txt'
> Feb 3 00:37:03 ike_st_i_vid: VID[0..16] = 7d9419a6 5310ca6f ...
> Feb 3 00:37:03 Setting natt remote version to 3
> Feb 3 00:37:03 The remote server at 192.168.207.100:1142 is 'draft-ietf-ipsec-nat-t-ike-03'
> Feb 3 00:37:03 ike_st_i_vid: VID[0..16] = 90cb8091 3ebb696e ...
> Feb 3 00:37:03 The remote server at 192.168.207.100:1142 is 'draft-ietf-ipsec-nat-t-ike-02'
> Feb 3 00:37:03 ike_st_i_vid: VID[0..18] = 4a4e5052 20495053 ...
> Feb 3 00:37:03 The remote server at 192.168.207.100:1142 is 'JNPR IPSec Client'
> Feb 3 00:37:03 ike_st_i_id: Start
> Feb 3 00:37:03 ike_st_i_sa_proposal: Start
> Feb 3 00:37:03 ike_isakmp_sa_reply: Start
> Feb 3 00:37:03 ike_st_i_nonce: Start, nonce[0..64] = a8995644 916c8238 ...
> Feb 3 00:37:03 ike_st_i_cert: Start
> Feb 3 00:37:03 ike_st_i_hash_key: Start, no key_hash
> Feb 3 00:37:03 ike_st_i_ke: Ke[0..192] = 0bfdd989 3383f389 ...
> Feb 3 00:37:03 ike_st_i_cr: Start
> Feb 3 00:37:03 ike_st_i_private: Start
> Feb 3 00:37:03 ike_st_o_sa_values: Start
> Feb 3 00:37:03 ike_st_o_ke: Start
> Feb 3 00:37:03 ike_st_o_nonce: Start
> Feb 3 00:37:03 ike_policy_reply_isakmp_nonce_data_len: Start
> Feb 3 00:37:03 ike_st_o_id: Start
>
> Is it possible to add a new feature to Shrew VPN client similar to "Enable
> Check Point Compatible Vendor ID", which would allow to send 'JNPR IPSec
> Client' VID as last VID?
>
> _______________________________________________
> vpn-help mailing list
> [email protected]
> http://lists.shrew.net/mailman/listinfo/vpn-help
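An added example, not part of the thread: a small Python parser for the SRX debug trace quoted above. It lists the vendor IDs each peer advertised, shows which differ between the two clients, and extracts the Phase-1 identities from the policy lookup failure line. The sample lines are copied from the quoted trace; the function names are hypothetical.

```python
import re

# Selected lines copied from the quoted SRX trace (Shrew on :500, Juniper client on :1142).
SAMPLE = """\
Feb 3 01:16:14 The remote server at 192.168.207.100:500 is 'draft-ietf-ipsec-dpd-00.txt'
Feb 3 01:16:14 ike_st_i_vid: VID[0..16] = 8404adf9 cda05760 ...
Feb 3 01:16:14 The remote server at 192.168.207.100:500 is '84 04 ad f9 cd a0 57 60 b2 ca 29 2e 4b ff 53 7b'
Feb 3 01:16:14 ike_st_i_vid: VID[0..16] = 12f5f28c 457168a9 ...
Feb 3 01:16:14 The remote server at 192.168.207.100:500 is 'CISCO-UNITY'
Feb 3 01:16:14 KMD_PM_P1_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-1 [responder] failed for p1_local=ipv4(any:0,[0..3]=84.15.44.82) p1_remote=fqdn(any:0,[0..11]=user1.testas)
Feb 3 00:37:03 The remote server at 192.168.207.100:1142 is 'draft-ietf-ipsec-dpd-00.txt'
Feb 3 00:37:03 ike_st_i_vid: VID[0..18] = 4a4e5052 20495053 ...
Feb 3 00:37:03 The remote server at 192.168.207.100:1142 is 'JNPR IPSec Client'
"""
VID_RE = re.compile(r"The remote server at (\S+:\d+) is '([^']*)'")
RAW_RE = re.compile(r"ike_st_i_vid: VID\[0\.\.\d+\] = ((?:[0-9a-f]{8} ?)+)")
FAIL_RE = re.compile(r"KMD_PM_P1_POLICY_LOOKUP_FAILURE:.*?p1_local=(\w+)\(.*?\]=([^)]*)\)"
                     r"\s+p1_remote=(\w+)\(.*?\]=([^)]*)\)")
HEX_LABEL = re.compile(r"(?:[0-9a-f]{2} )*[0-9a-f]{2}")

def ascii_prefix(hex_words):
    # Decode the VID bytes the trace shows; return text only if every byte is printable.
    raw = bytes.fromhex(hex_words.replace(" ", ""))
    return raw.decode("ascii") if all(32 <= b < 127 for b in raw) else None

def parse_trace(text):
    # Returns ({"ip:port": [vid entries]}, [policy lookup failures]).
    peers, failures, pending = {}, [], None
    for line in text.splitlines():
        if m := RAW_RE.search(line):
            pending = m.group(1).strip()      # raw bytes precede the name line
        elif m := VID_RE.search(line):
            peer, label = m.groups()
            peers.setdefault(peer, []).append({
                "label": label, "ascii": ascii_prefix(pending) if pending else None,
                "recognised": not HEX_LABEL.fullmatch(label)})  # hex dump = unknown VID
            pending = None
        elif m := FAIL_RE.search(line):
            failures.append({"local": m.group(1, 2), "remote": m.group(3, 4)})
    return peers, failures

def only_in(peers, a, b):
    # Recognised VID names advertised by peer a but not by peer b.
    named = lambda p: {v["label"] for v in peers[p] if v["recognised"]}
    return named(a) - named(b)

if __name__ == "__main__":
    peers, failures = parse_trace(SAMPLE)
    print(only_in(peers, "192.168.207.100:500", "192.168.207.100:1142"), failures)
```
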
