On 7/30/2010 1:18 AM, Matthew Grooms wrote:
> On 7/29/2010 12:09 AM, Neal Katz wrote:
>> Thanks for the help about logging, I did not see that before.
>> I am using 'ike config push', and PSK+Xauth
>> It looks like my problem is during the xauth stage,
>> I created a new user, type='XAuth' , same problem
>> ( question: should my user be part of any group ? )
>
> From your previous log, it would appear that you are passing xauth. The
> Juniper devices use a bastardized version of modecfg push which wraps
> the client configuration ( address, mask, DNS, WINS settings ) inside
> the Xauth conversation. So when something goes wrong, it looks like an
> Xauth problem.
>
> From what I can tell, the conversation goes something like this ...
>
> 1) The gateway asks the client to authenticate
> 2) The client returns an authentication
> 3) The gateway pushes configuration attributes to the client
> 4) The client responds with the attributes it accepted
> 5) The gateway rejects the response from the client
> 6) The gateway re-tries the process
> 7) The client notices that the process has restarted, and bails
>
> Can you please send me the decrypted IKE debug output? I'd like to take
> a closer look at the conversation at the packet level.
Hi Neal,
What do you have configured for the adapter type? As the SSG howto
implies, you should have the default of "Use a virtual adapter and
assigned address" and have "Obtain Automatically" checked for the
address/netmask. The decrypted packet dump you sent would suggest that
the client is set to not receive an address automatically.
-Matthew
_______________________________________________
vpn-help mailing list
http://lists.shrew.net/mailman/listinfo/vpn-help
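An added example, not part of the original thread and not Shrew Soft or Juniper code: one way to check steps 3 and 4 of the conversation described above in a decrypted dump is to decode the ISAKMP attribute payloads of the gateway's push (SET) and the client's response (ACK) and list which pushed attributes the client did not acknowledge. The attribute numbers are taken from the ISAKMP Mode-Config and XAUTH Internet-Drafts, the names `parse_cfg`, `unacked` and `tlv` are hypothetical, and the sample bytes are constructed rather than taken from the dump discussed in the thread.

```python
import struct

# Numbers taken from the ISAKMP Mode-Config and XAUTH Internet-Drafts (assumption).
CFG_TYPES = {1: "REQUEST", 2: "REPLY", 3: "SET", 4: "ACK"}
ATTRS = {1: "INTERNAL_IP4_ADDRESS", 2: "INTERNAL_IP4_NETMASK",
         3: "INTERNAL_IP4_DNS", 4: "INTERNAL_IP4_NBNS",
         16527: "XAUTH_STATUS"}

def parse_cfg(body):
    """Decode an attribute payload body (after the 4-byte generic header):
    type(1) reserved(1) identifier(2), followed by a run of data attributes."""
    if len(body) < 4:
        raise ValueError("short attribute payload")
    cfg_type, _, ident = struct.unpack("!BBH", body[:4])
    attrs, off = {}, 4
    while off < len(body):
        if off + 4 > len(body):
            raise ValueError("truncated attribute header")
        raw_type, lv = struct.unpack("!HH", body[off:off + 4])
        off += 4
        if raw_type & 0x8000:        # AF=1: short form, the value sits in the length field
            value = struct.pack("!H", lv)
        else:                        # AF=0: length field, then that many value bytes
            if off + lv > len(body):
                raise ValueError("attribute overruns payload")
            value, off = body[off:off + lv], off + lv
        attrs[ATTRS.get(raw_type & 0x7FFF, str(raw_type & 0x7FFF))] = value
    return CFG_TYPES.get(cfg_type, str(cfg_type)), ident, attrs

def unacked(set_body, ack_body):
    """Names of attributes pushed in the SET that the client's ACK does not list."""
    s_type, s_id, pushed = parse_cfg(set_body)
    a_type, a_id, acked = parse_cfg(ack_body)
    if (s_type, a_type) != ("SET", "ACK") or s_id != a_id:
        raise ValueError("not a matching SET/ACK pair")
    return sorted(set(pushed) - set(acked))

def tlv(num, value=b""):
    return struct.pack("!HH", num, len(value)) + value   # long-form attribute

# Constructed sample: the gateway pushes XAUTH status together with address
# settings; the client acknowledges everything except the address and netmask.
SET = (struct.pack("!BBH", 3, 0, 7) + struct.pack("!HH", 0x8000 | 16527, 1)
       + tlv(1, bytes([10, 1, 2, 3])) + tlv(2, bytes([255, 255, 255, 0]))
       + tlv(3, bytes([10, 1, 2, 1])))
ACK = struct.pack("!BBH", 4, 0, 7) + struct.pack("!HH", 0x8000 | 16527, 0) + tlv(3)

if __name__ == "__main__":
    print(unacked(SET, ACK))
```
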