Hi Matthew, Lars,
We just bought an SRX220. Could any of you help us? We are trying to establish a
Dial-up VPN using RADIUS user authentication. Client is 2.1.6.
Please see the attached log.
Best,
Tamas
-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Matthew Grooms
Sent: Friday, October 01, 2010 7:14 PM
To: Lars Vik
Cc: [email protected]
Subject: Re: [vpn-help] JUNOS/SRX with Shrew VPN
On 9/22/2010 2:50 PM, Lars Vik wrote:
> Hi,
>
> Anyone managed to get Shrew VPN to work with JUNOS on the SRX-series?
> (SRX240H-POE).
>
Hi Lars,
I don't have an SRX series gateway device in my lab. At one point, the folks at
Juniper were going to ship me one but they never did. What kind of issues are
you having?
-Matthew
_______________________________________________
vpn-help mailing list
[email protected]
http://lists.shrew.net/mailman/listinfo/vpn-help
Junos log:
Jan 11 13:06:58 Advertizing DPD capability
Jan 11 13:06:58 ike_policy_reply_isakmp_vendor_ids: Start
Jan 11 13:06:58 ike_st_o_status_n: Start
Jan 11 13:06:58 ike_st_o_private: Start
Jan 11 13:06:58 ike_policy_reply_private_payload_out: Start
Jan 11 13:06:58 my_ipaddr_as_ike_id: add <10.10.10.10>
Jan 11 13:06:58 ike_policy_reply_private_payload_out: Start
Jan 11 13:06:58 ike_policy_reply_private_payload_out: Start
Jan 11 13:06:58 ike_st_o_calc_skeyid: Calculating skeyid
Jan 11 13:06:58 ike_encode_packet: Start, SA = { 0xf740505a 04ee401a - d4ba02a3 07bba232 } / 00000000, nego = -1
Jan 11 13:06:58 ike_send_packet: Start, send SA = { f740505a 04ee401a - d4ba02a3 07bba232}, nego = -1, src = 10.10.10.10:500, dst = 30.30.30.30:1165, routing table id = 0
Jan 11 13:06:58 ike_get_sa: Start, SA = { f740505a 04ee401a - d4ba02a3 07bba232 } / 00000000, remote = 30.30.30.30:4357
Jan 11 13:06:58 ike_sa_find: Found SA = { f740505a 04ee401a - d4ba02a3 07bba232 }
Jan 11 13:06:58 ike_decode_packet: Start
Jan 11 13:06:58 ike_decode_packet: Start, SA = { f740505a 04ee401a - d4ba02a3 07bba232} / 00000000, nego = -1
Jan 11 13:06:58 10.10.10.10:4500 (Responder) <-> 30.30.30.30:4357 { f740505a 04ee401a - d4ba02a3 07bba232 [-1] / 0x00000000 } Aggr; Reserved 1 not 0
Jan 11 13:06:58 10.10.10.10:4500 (Responder) <-> 30.30.30.30:4357 { f740505a 04ee401a - d4ba02a3 07bba232 [-1] / 0x00000000 } Aggr; Error = Payload malformed (16)
Jan 11 13:06:58 ike_alloc_negotiation: Start, SA = { f740505a 04ee401a - d4ba02a3 07bba232}
Jan 11 13:06:58 ike_encode_packet: Start, SA = { 0xf740505a 04ee401a - d4ba02a3 07bba232 } / 67763539, nego = 0
Jan 11 13:06:58 ike_send_packet: Start, send SA = { f740505a 04ee401a - d4ba02a3 07bba232}, nego = 0, src = 10.10.10.10:4500, dst = 30.30.30.30:4357, routing table id = 0
Jan 11 13:06:58 ike_delete_negotiation: Start, SA = { f740505a 04ee401a - d4ba02a3 07bba232}, nego = 0
Jan 11 13:06:58 ike_free_negotiation_info: Start, nego = 0
Jan 11 13:06:58 ike_free_negotiation: Start, nego = 0
Jan 11 13:06:58 ike_get_sa: Start, SA = { f740505a 04ee401a - d4ba02a3 07bba232 } / 528e4365, remote = 30.30.30.30:4357
Jan 11 13:06:58 ike_sa_find: Found SA = { f740505a 04ee401a - d4ba02a3 07bba232 }
Jan 11 13:06:58 ike_alloc_negotiation: Start, SA = { f740505a 04ee401a - d4ba02a3 07bba232}
Jan 11 13:06:58 ike_decode_packet: Start
Jan 11 13:06:58 ike_decode_packet: Start, SA = { f740505a 04ee401a - d4ba02a3 07bba232} / 528e4365, nego = 0
Jan 11 13:06:58 10.10.10.10:4500 (Responder) <-> 30.30.30.30:4357 { f740505a 04ee401a - d4ba02a3 07bba232 [0] / 0x528e4365 } Info; Trying to decrypt, but no decryption context initialized
Jan 11 13:06:58 10.10.10.10:4500 (Responder) <-> 30.30.30.30:4357 { f740505a 04ee401a - d4ba02a3 07bba232 [0] / 0x528e4365 } Info; Error = No SA established (8194)
Jan 11 13:06:58 ike_send_notify: Notification to informational exchange ignored
Jan 11 13:06:58 ike_delete_negotiation: Start, SA = { f740505a 04ee401a - d4ba02a3 07bba232}, nego = 0
Jan 11 13:06:58 ike_free_negotiation_info: Start, nego = 0
Jan 11 13:06:58 ike_free_negotiation: Start, nego = 0
Shrew log:
11/01/11 13:06:57 >> : security association payload
11/01/11 13:06:57 >> : - proposal #1 payload
11/01/11 13:06:57 >> : -- transform #1 payload
11/01/11 13:06:57 >> : key exchange payload
11/01/11 13:06:57 >> : nonce payload
11/01/11 13:06:57 >> : identification payload
11/01/11 13:06:57 >> : vendor id payload
11/01/11 13:06:57 ii : local supports XAUTH
11/01/11 13:06:57 >> : vendor id payload
11/01/11 13:06:57 ii : local supports nat-t ( draft v00 )
11/01/11 13:06:57 >> : vendor id payload
11/01/11 13:06:57 ii : local supports nat-t ( draft v01 )
11/01/11 13:06:57 >> : vendor id payload
11/01/11 13:06:57 ii : local supports nat-t ( draft v02 )
11/01/11 13:06:57 >> : vendor id payload
11/01/11 13:06:57 ii : local supports nat-t ( draft v03 )
11/01/11 13:06:57 >> : vendor id payload
11/01/11 13:06:57 ii : local supports nat-t ( rfc )
11/01/11 13:06:57 >> : vendor id payload
11/01/11 13:06:57 ii : local supports FRAGMENTATION
11/01/11 13:06:57 >> : vendor id payload
11/01/11 13:06:57 ii : local supports DPDv1
11/01/11 13:06:57 >> : vendor id payload
11/01/11 13:06:57 ii : local is SHREW SOFT compatible
11/01/11 13:06:57 >> : vendor id payload
11/01/11 13:06:57 ii : local is NETSCREEN compatible
11/01/11 13:06:57 >> : vendor id payload
11/01/11 13:06:57 ii : local is SIDEWINDER compatible
11/01/11 13:06:57 >> : vendor id payload
11/01/11 13:06:57 ii : local is CISCO UNITY compatible
11/01/11 13:06:57 >> : vendor id payload
11/01/11 13:06:57 ii : local is CHECKPOINT compatible
11/01/11 13:06:57 >= : cookies f740505a04ee401a:0000000000000000
11/01/11 13:06:57 >= : message 00000000
11/01/11 13:06:57 -> : send IKE packet 30.30.30.30:500 -> 10.10.10.10:500 ( 570 bytes )
11/01/11 13:06:57 DB : phase1 resend event scheduled ( ref count = 2 )
11/01/11 13:06:57 <- : recv IKE packet 10.10.10.10:500 -> 30.30.30.30:500 ( 540 bytes )
11/01/11 13:06:57 DB : phase1 found
11/01/11 13:06:57 ii : processing phase1 packet ( 540 bytes )
11/01/11 13:06:57 =< : cookies f740505a04ee401a:d4ba02a307bba232
11/01/11 13:06:57 =< : message 00000000
11/01/11 13:06:57 << : security association payload
11/01/11 13:06:57 << : - propsal #1 payload
11/01/11 13:06:57 << : -- transform #1 payload
11/01/11 13:06:57 ii : matched isakmp proposal #1 transform #1
11/01/11 13:06:57 ii : - transform = ike
11/01/11 13:06:57 ii : - cipher type = 3des
11/01/11 13:06:57 ii : - key length = default
11/01/11 13:06:57 ii : - hash type = sha1
11/01/11 13:06:57 ii : - dh group = modp-1024
11/01/11 13:06:57 ii : - auth type = xauth-initiator-psk
11/01/11 13:06:57 ii : - life seconds = 28800
11/01/11 13:06:57 ii : - life kbytes = 0
11/01/11 13:06:57 << : key exchange payload
11/01/11 13:06:57 << : nonce payload
11/01/11 13:06:57 << : identification payload
11/01/11 13:06:57 ii : phase1 id target is any
11/01/11 13:06:57 ii : phase1 id match
11/01/11 13:06:57 ii : received = ipv4-host 10.10.10.10
11/01/11 13:06:57 << : hash payload
11/01/11 13:06:57 << : vendor id payload
11/01/11 13:06:57 ii : peer supports DPDv1
11/01/11 13:06:57 << : vendor id payload
11/01/11 13:06:57 ii : unknown vendor id ( 28 bytes )
11/01/11 13:06:57 0x : 69936922 8741c6d4 ca094c93 e242c9de 19e7b7c6 00000005 00000500
11/01/11 13:06:57 << : vendor id payload
11/01/11 13:06:57 ii : unknown vendor id ( 16 bytes )
11/01/11 13:06:57 0x : 27bab5dc 01ea0760 ea4e3190 ac27c0d0
11/01/11 13:06:57 << : vendor id payload
11/01/11 13:06:57 ii : unknown vendor id ( 16 bytes )
11/01/11 13:06:57 0x : 6105c422 e76847e4 3f968480 1292aecd
11/01/11 13:06:57 << : vendor id payload
11/01/11 13:06:57 ii : peer supports nat-t ( draft v00 )
11/01/11 13:06:57 << : vendor id payload
11/01/11 13:06:57 ii : unknown vendor id ( 16 bytes )
11/01/11 13:06:57 0x : cd604643 35df21f8 7cfdb2fc 68b6a448
11/01/11 13:06:57 << : vendor id payload
11/01/11 13:06:57 ii : peer supports nat-t ( draft v02 )
11/01/11 13:06:57 << : vendor id payload
11/01/11 13:06:57 ii : peer supports nat-t ( draft v03 )
11/01/11 13:06:57 << : nat discovery payload
11/01/11 13:06:57 << : nat discovery payload
11/01/11 13:06:57 ii : nat discovery - local address is translated
11/01/11 13:06:57 ii : switching to src nat-t udp port 4500
11/01/11 13:06:57 ii : switching to dst nat-t udp port 4500
11/01/11 13:06:57 == : DH shared secret ( 128 bytes )
11/01/11 13:06:57 == : SETKEYID ( 20 bytes )
11/01/11 13:06:57 == : SETKEYID_d ( 20 bytes )
11/01/11 13:06:57 == : SETKEYID_a ( 20 bytes )
11/01/11 13:06:57 == : SETKEYID_e ( 20 bytes )
11/01/11 13:06:57 == : cipher key ( 40 bytes )
11/01/11 13:06:57 == : cipher iv ( 8 bytes )
11/01/11 13:06:57 == : phase1 hash_i ( computed ) ( 20 bytes )
11/01/11 13:06:57 >> : hash payload
11/01/11 13:06:57 >> : nat discovery payload
11/01/11 13:06:57 >> : nat discovery payload
11/01/11 13:06:57 >= : cookies f740505a04ee401a:d4ba02a307bba232
11/01/11 13:06:57 >= : message 00000000
11/01/11 13:06:57 >= : encrypt iv ( 8 bytes )
11/01/11 13:06:57 == : encrypt packet ( 100 bytes )
11/01/11 13:06:57 == : stored iv ( 8 bytes )
11/01/11 13:06:57 DB : phase1 resend event canceled ( ref count = 1 )
11/01/11 13:06:57 -> : send NAT-T:IKE packet 30.30.30.30:4500 -> 10.10.10.10:4500 ( 132 bytes )
11/01/11 13:06:57 == : phase1 hash_r ( computed ) ( 20 bytes )
11/01/11 13:06:57 == : phase1 hash_r ( received ) ( 20 bytes )
11/01/11 13:06:57 !! : phase1 sa rejected, invalid auth data
11/01/11 13:06:57 !! : 30.30.30.30:4500 <-> 10.10.10.10:4500
11/01/11 13:06:57 !! : f740505a4ee401a:d4ba02a37bba232
11/01/11 13:06:57 ii : sending peer DELETE message
11/01/11 13:06:57 ii : - 30.30.30.30:4500 -> 10.10.10.10:4500
11/01/11 13:06:57 ii : - isakmp spi = f740505a04ee401a:d4ba02a307bba232
11/01/11 13:06:57 ii : - data size 0
11/01/11 13:06:57 >> : hash payload
11/01/11 13:06:57 >> : delete payload
11/01/11 13:06:57 == : new informational hash ( 20 bytes )
11/01/11 13:06:57 == : new informational iv ( 8 bytes )
11/01/11 13:06:57 >= : cookies f740505a04ee401a:d4ba02a307bba232
11/01/11 13:06:57 >= : message 528e4365
11/01/11 13:06:57 >= : encrypt iv ( 8 bytes )
11/01/11 13:06:57 == : encrypt packet ( 80 bytes )
11/01/11 13:06:57 == : stored iv ( 8 bytes )
11/01/11 13:06:57 -> : send NAT-T:IKE packet 30.30.30.30:4500 -> 10.10.10.10:4500 ( 116 bytes )
11/01/11 13:06:57 ii : phase1 removal before expire time
11/01/11 13:06:57 DB : phase1 deleted ( obj count = 0 )
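As an added example (not code from this thread, from Shrew Soft or from Juniper), a small Python triage script that parses excerpts of the two logs above, pulls the ISAKMP cookies and the error each side reported, and confirms that the client's "phase1 sa rejected" and the SRX's "Reserved 1 not 0" / "Payload malformed (16)" refer to the same phase-1 SA. The embedded log lines are copied from the message above; the regexes are assumptions about the two log formats drawn only from those lines.

```python
import re
# Excerpts of the two logs quoted above: Junos SRX (responder) and Shrew client (initiator).
JUNOS_LOG = """\
Jan 11 13:06:58 ike_send_packet: Start, send SA = { f740505a 04ee401a - d4ba02a3 07bba232}, nego = -1, src = 10.10.10.10:500, dst = 30.30.30.30:1165, routing table id = 0
Jan 11 13:06:58 10.10.10.10:4500 (Responder) <-> 30.30.30.30:4357 { f740505a 04ee401a - d4ba02a3 07bba232 [-1] / 0x00000000 } Aggr; Reserved 1 not 0
Jan 11 13:06:58 10.10.10.10:4500 (Responder) <-> 30.30.30.30:4357 { f740505a 04ee401a - d4ba02a3 07bba232 [-1] / 0x00000000 } Aggr; Error = Payload malformed (16)
Jan 11 13:06:58 10.10.10.10:4500 (Responder) <-> 30.30.30.30:4357 { f740505a 04ee401a - d4ba02a3 07bba232 [0] / 0x528e4365 } Info; Error = No SA established (8194)
"""
SHREW_LOG = """\
11/01/11 13:06:57 ii : - auth type = xauth-initiator-psk
11/01/11 13:06:57 =< : cookies f740505a04ee401a:d4ba02a307bba232
11/01/11 13:06:57 !! : phase1 sa rejected, invalid auth data
11/01/11 13:06:57 !! : f740505a4ee401a:d4ba02a37bba232
"""

# Assumed formats, derived from the lines above. Junos prints each cookie as two 32-bit words
# (sometimes 0x-prefixed); Shrew's "!!" cookie line drops leading zeros, so match on "cookies".
JUNOS_SA = re.compile(r"\{\s*(?:0x)?([0-9a-f]{8}) ([0-9a-f]{8}) - ([0-9a-f]{8}) ([0-9a-f]{8})")
JUNOS_ERR = re.compile(r"(\w+); (Error = .+|Reserved \d+ not \d+)$")
SHREW_COOKIES = re.compile(r"cookies ([0-9a-f]{16}):([0-9a-f]{16})")
SHREW_FAIL = re.compile(r"!! : (phase\d .+)$")
SHREW_AUTH = re.compile(r"auth type = (\S+)")

def junos_events(text):
    """(initiator_cookie, responder_cookie, exchange, message) for each Junos error line."""
    events = []
    for line in text.splitlines():
        sa, err = JUNOS_SA.search(line), JUNOS_ERR.search(line)
        if sa and err:  # lines without an error clause (e.g. ike_send_packet) are skipped
            events.append((sa.group(1) + sa.group(2), sa.group(3) + sa.group(4), err.group(1), err.group(2)))
    return events

def shrew_summary(text):
    """Auth method, final cookie pair and phase-1 failure messages from a Shrew log."""
    summary = {"cookies": None, "auth": None, "failures": []}
    for line in text.splitlines():
        if (m := SHREW_COOKIES.search(line)) and m.group(2) != "0" * 16:
            summary["cookies"] = (m.group(1), m.group(2))  # ignore the line logged before the responder cookie is known
        elif m := SHREW_AUTH.search(line):
            summary["auth"] = m.group(1)
        elif m := SHREW_FAIL.search(line):
            summary["failures"].append(m.group(1))
    return summary

def correlate(junos_text, shrew_text):
    """Pair the initiator's failure with the responder's errors for the same ISAKMP SA."""
    s = shrew_summary(shrew_text)
    responder = [(x, msg) for ci, cr, x, msg in junos_events(junos_text) if (ci, cr) == s["cookies"]]
    return {"sa": "%s:%s" % s["cookies"], "auth": s["auth"],
            "initiator": s["failures"], "responder": responder}
```

Running `correlate(JUNOS_LOG, SHREW_LOG)` shows both sides failing on SA f740505a04ee401a:d4ba02a307bba232 while the client is still in aggressive-mode phase 1 with xauth-initiator-psk, which narrows the problem to phase-1 authentication rather than RADIUS/XAUTH, since XAUTH never starts.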