Hi, I am trying to set up a simple dial-up VPN user with the Shrew Soft VPN client and a Juniper SSG-140, following the tutorial at http://www.shrew.net/support/wiki/HowtoJuniperSsg,
but it does not work. I always get the following error (log entries listed newest first, as the SSG prints them):

2011-06-27 09:15:45 info IKE<88.xxxxxxxx>: XAuth login was aborted for gateway <vpnclient_gateway>, username <joe>, retry: 0.
2011-06-27 09:15:39 info Rejected an IKE packet on ethernet0/9 from 88.xxxxxxxx:58125 to 62.XXx.XXX.XXX:4500 with cookies 429c1915bb026bce and c125368ff8ef5fb4 because a Phase 2 packet arrived while XAuth was still pending.
2011-06-27 09:15:39 info IKE<88.xxxxxxxx> Phase 1: Completed Aggressive mode negotiations with a <28800>-second lifetime.
2011-06-27 09:15:39 info IKE<88.xxxxxxxx> Phase 1: Completed for user <vpnclient_ph1id>.
2011-06-27 09:15:39 info IKE<88.xxxxxxxx> Phase 1: IKE responder has detected NAT in front of the remote device.
2011-06-27 09:15:39 info IKE<88.xxxxxxxx> Phase 1: IKE responder has detected NAT in front of the local device.
2011-06-27 09:15:39 info IKE<88.xxxxxxxx> Phase 1: Responder starts AGGRESSIVE mode negotiations.

Read bottom-up: Phase 1 (Aggressive mode, NAT-T on UDP 4500) completes at 09:15:39 for IKE user vpnclient_ph1id, so the IKE ID and pre-shared key match. The gateway then waits for the XAuth exchange, but a Phase 2 (Quick Mode) packet from the client arrives while XAuth is still pending and is rejected, and six seconds later the XAuth login for joe is aborted with retry 0 — in other words the client is moving on to Phase 2 before the XAuth exchange has finished, or is not answering the gateway's XAuth request at all.

Here is my Shrew site configuration file:

n:version:2
n:network-ike-port:500
n:network-mtu-size:1380
n:client-addr-auto:1
n:network-natt-port:4500
n:network-natt-rate:15
n:network-frag-size:540
n:network-dpd-enable:1
n:client-banner-enable:1
n:network-notify-enable:1
n:client-wins-used:1
n:client-wins-auto:1
n:client-dns-used:1
n:client-dns-auto:1
n:client-splitdns-used:1
n:client-splitdns-auto:1
n:phase1-dhgroup:2
n:phase1-life-secs:86400
n:phase1-life-kbytes:0
n:vendor-chkpt-enable:0
n:phase2-life-secs:3600
n:phase2-life-kbytes:0
n:policy-nailed:0
n:policy-list-auto:0
s:network-host:vpn.XXXXXXXXXXXXX.com
s:client-auto-mode:pull
s:client-iface:virtual
s:network-natt-mode:enable
s:network-frag-mode:enable
s:auth-method:mutual-psk-xauth
s:ident-client-type:fqdn
s:ident-server-type:fqdn
s:ident-client-data:client.domain.com
s:ident-server-data:vpngw.domain.com
b:auth-mutual-psk:YXQ0d2lyZWxlc3M=
s:phase1-exchange:aggressive
s:phase1-cipher:auto
s:phase1-hash:auto
s:phase2-transform:auto
s:phase2-hmac:auto
s:ipcomp-transform:disabled
n:phase2-pfsgroup:-1

[Reviewer note: the b:auth-mutual-psk value in a Shrew site file is only base64-encoded, not encrypted — anyone reading this message can decode it to the actual pre-shared key. Treat that PSK as disclosed and change it on both the client and the SSG gateway. The ScreenOS preshare and user password strings further down are stored by the firewall in its encrypted form, so they are not recoverable the same way.]
s:policy-level:auto
s:policy-list-include:192.168.12.0 / 255.255.252.0

And here is my SSG-140 configuration file (partial; public addresses masked):

set clock ntp
set clock timezone 1
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set service "TCP-5904" protocol tcp src-port 0-65535 dst-port 5904-5904
unset alg sql enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth-server "Local" timeout 20
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin password "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
set admin user "admin" password "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" privilege "all"
set admin manager-ip 192.168.13.90 255.255.255.255
set admin manager-ip 192.168.13.187 255.255.255.255
set admin manager-ip 192.168.14.208 255.255.255.255
set admin manager-ip 192.168.15.201 255.255.255.255
set admin manager-ip 192.168.13.223 255.255.255.255
set admin manager-ip 192.168.13.62 255.255.255.255
set admin port 8080
set admin scs password disable username netscreen
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone id 100 "Zona Teletrabajadores"
set zone id 101 "Untrust-2"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
unset zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "DMZ" tcp-rst
set zone "VLAN" block
unset zone "VLAN" tcp-rst
unset zone "Zona Teletrabajadores" tcp-rst
unset zone "Untrust-2" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Trust"
set interface "ethernet0/1" zone "DMZ"
set interface "ethernet0/2" zone "Untrust"
set interface "ethernet0/8" zone "Trust"
set interface "ethernet0/9" zone "Untrust"
unset interface vlan1 ip
set interface ethernet0/8 ip 192.168.10.1/16
set interface ethernet0/8 route
set interface ethernet0/9 ip 62.XXXXXXXXX/28
set interface ethernet0/9 route
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/8 ip manageable
set interface ethernet0/9 ip manageable
set interface ethernet0/9 manage ping
set interface ethernet0/9 manage telnet
set interface ethernet0/9 manage web
set interface ethernet0/9 vip untrust 5904 "TCP-5904" 192.168.13.184 manual
set interface ethernet0/8 dip 4 192.168.10.100 192.168.10.100
set interface ethernet0/8 dot1x max-user 32

[Reviewer note: Telnet and HTTP management are enabled on the Internet-facing interface ethernet0/9, and both carry the admin credentials in cleartext. The manager-ip list above restricts management to six internal hosts, and SSHv2 is already enabled further down in this config, so `manage telnet` and `manage web` can be removed from ethernet0/9 (use `manage ssh` / `manage ssl` if remote management on that interface is really needed).]

set pak-poll p1queue pak-threshold 240
set pak-poll p2queue pak-threshold 80
unset flow no-tcp-seq-check
set flow tcp-syn-check
set domain MyNetwork
set hostname FW-SSG140
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set pki x509 dn country-name "ES"
set pki x509 dn state-name "------"
set pki x509 dn local-name "------"
set pki x509 dn org-name "--------"
set pki x509 dn name "FW-SSG140"
set pki x509 dn email "FW-SSG140xxxxxxxxxx.com"
set dns host dns1 194.179.1.100 src-interface ethernet0/9
set dns host dns2 62.XXX.XXX.XXX src-interface ethernet0/9
set dns host dns3 0.0.0.0
set address "Trust" "192.168.0.0/255.255.0.0" 192.168.0.0 255.255.0.0
set address "Trust" "192.168.13.125/255.255.255.255" 192.168.13.125 255.255.255.255
set address "Trust" "192.168.13.162/255.255.255.255" 192.168.13.162 255.255.255.255
set address "Trust" "192.168.13.223/255.255.255.255" 192.168.13.223 255.255.255.255
set address "Trust" "192.168.162" 192.168.162 [sic — line appears truncated in the paste]
set address "Trust" "192.169.13.130/255.255.255.255" 192.169.13.130 255.255.255.255
set address "Trust" "Red Servidor MyNetwork" 192.168.12.0 255.255.252.0 [address name reconstructed from policy 84 below; the paste was cut here]
set address "Zona Teletrabajadores" "192.168.13.224/255.255.255.255" 192.168.13.224 255.255.255.255
set ippool "mypool" 192.168.39.1 192.168.39.254
set ippool "IP_Pool" 172.16.16.10 172.16.16.50
set user "joe" uid 108
set user "joe" type l2tp xauth
set user "joe" remote ippool "mypool"
set user "joe" remote dns1 "192.168.13.114"
set user "joe" remote dns2 "192.168.13.130"
set user "joe" password "BHDBhCY0N24JHwstwVCaNUot52nujMMGRg=="
unset user "joe" type auth
set user "joe" "enable"
set user "vpnclient_ph1id" uid 107
set user "vpnclient_ph1id" ike-id fqdn "client.domain.com" share-limit 1
set user "vpnclient_ph1id" type ike
set user "vpnclient_ph1id" "enable"
set user-group "vpnclient_group" id 3
set user-group "vpnclient_group" user "vpnclient_ph1id"
set ike gateway "vpnclient_gateway" dialup "vpnclient_ph1id" Aggr local-id "vpngw.domain.com" outgoing-interface "ethernet0/9" preshare "1GK7RhS/NSu5cTsbHqCQOs9mp3n8IZO1bg==" proposal "pre-g2-3des-sha" "pre-g2-3des-md5" "pre-g2-aes128-sha" "pre-g2-aes128-md5"
unset ike gateway "vpnclient_gateway" nat-traversal udp-checksum
set ike gateway "vpnclient_gateway" nat-traversal keepalive-frequency 20
set ike gateway "vpnclient_gateway" xauth server "Local"
unset ike gateway "vpnclient_gateway" xauth do-edipi-auth
set ike gateway "vpnclient_gateway" dpd interval 30
unset ike policy-checking
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ike dos-protection

[Reviewer note: a dial-up gateway for clients with dynamic addresses has to use Aggressive mode with a pre-shared key, but Aggressive mode sends the PSK-derived hash before the exchange is encrypted, so anyone who can capture a connection attempt can attack the PSK offline — use a long random PSK and rotate it if it has been exposed (see the Shrew file note above). `unset ike dos-protection` leaves the Internet-facing gateway without a limit on half-open Phase 1 negotiations; consider enabling it. The IKE ID and PSK are clearly accepted (Phase 1 completes in the log), so the failure is in the XAuth step: the gateway uses the Local auth server and joe has type `xauth`, which matches. Also note that `vpnclient_group` is defined but nothing shown references it — the gateway points at the IKE user directly, which is fine for a single client; `share-limit 1` means only one concurrent session for that IKE ID.]

unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set xauth default ippool "mypool"
set xauth default dns1 192.168.13.114
set xauth default dns2 192.168.13.130
set vpn "vpnclient_tunnel" gateway "vpnclient_gateway" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-sha" "nopfs-esp-3des-md5" "nopfs-esp-aes128-sha" "nopfs-esp-aes128-md5"

[Reviewer note: `no-replay` disables ESP anti-replay checking on this tunnel; `replay` is the safer setting unless the client cannot cope with it. The Phase 1 and Phase 2 proposal lists also accept 3DES and MD5 variants; since AES-128/SHA entries are already listed and the Shrew client is set to `auto`, the 3DES and MD5 proposals can be dropped so they cannot be negotiated. The `nopfs-*` proposals match the client's `n:phase2-pfsgroup:-1`, so that part is consistent.]

set l2tp default dns1 192.168.13.114
set l2tp default dns2 192.168.13.130
set l2tp default ppp-auth chap
set l2tp "l2-tunnel" id 1 outgoing-interface ethernet0/9 keepalive 60
set l2tp "l2-tunnel" remote-setting ippool "mypool" dns1 192.168.13.114
set url protocol websense
exit
set policy id 84 name "vpnclient" from "Untrust" to "Trust" "Dial-Up VPN" "Red Servidor MyNetwork" "ANY" nat src tunnel vpn "vpnclient_tunnel" id 102 log
set policy id 84
exit
set policy id 3 from "Trust" to "Untrust" "Any" "Any" "ANY" deny log
set policy id 3
exit
set policy id 1 from "Untrust" to "Trust" "Any" "Any" "ANY" deny log
set policy id 1
exit

[Reviewer note: policy 84 allows service ANY from dial-up users to the whole 192.168.12.0/22 server network; once the tunnel works, narrow it to the services remote users actually need. The two catch-all deny-and-log policies (1 and 3) are a good baseline.]

set syslog config "192.168.13.222"
set syslog config "192.168.13.222" facilities local0 local0
set syslog enable
set nsmgmt bulkcli reboot-timeout 60
set nsmgmt bulkcli reboot-wait 0
set ssh version v2
set ssh enable
set scp enable
set config lock timeout 5
set ntp server "130.206.3.166"
set ntp server src-interface "ethernet0/9"
set ntp interval 100
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface ethernet0/9 gateway 62.XXX.XXX.XXX preference 20
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit

Any help would be very much appreciated. Thanks
