Please, any help would be very appreciated
> From: [email protected]
> To: [email protected]
> Date: Mon, 27 Jun 2011 09:29:17 +0200
> Subject: [vpn-help] Simple shrew dialup vpn user with SSG-140 does not work - Please Help
>
> Hi, I am trying to set up a simple dial-up VPN user with Shrew and a Juniper SSG-140 using the tutorial
>
> http://www.shrew.net/support/wiki/HowtoJuniperSsg
>
> but it does not work....
>
> I always get the following error:
>
> 2011-06-27 09:15:45 info IKE<88.xxxxxxxx>: XAuth login was aborted for gateway <vpnclient_gateway>, username <joe>, retry: 0.
> 2011-06-27 09:15:39 info Rejected an IKE packet on ethernet0/9 from 88.xxxxxxxx:58125 to 62.XXx.XXX.XXX:4500 with cookies 429c1915bb026bce and c125368ff8ef5fb4 because a Phase 2 packet arrived while XAuth was still pending.
> 2011-06-27 09:15:39 info IKE<88.2.163.210> Phase 1: Completed Aggressive mode negotiations with a <28800>-second lifetime.
> 2011-06-27 09:15:39 info IKE<88.xxxxxxxx> Phase 1: Completed for user <vpnclient_ph1id>.
> 2011-06-27 09:15:39 info IKE<88.xxxxxxxx> Phase 1: IKE responder has detected NAT in front of the remote device.
> 2011-06-27 09:15:39 info IKE<88.xxxxxxxx> Phase 1: IKE responder has detected NAT in front of the local device.
> 2011-06-27 09:15:39 info IKE<88.xxxxxxxx> Phase 1: Responder starts AGGRESSIVE mode negotiations.
>
> Here is my shrew file:
>
> n:version:2
> n:network-ike-port:500
> n:network-mtu-size:1380
> n:client-addr-auto:1
> n:network-natt-port:4500
> n:network-natt-rate:15
> n:network-frag-size:540
> n:network-dpd-enable:1
> n:client-banner-enable:1
> n:network-notify-enable:1
> n:client-wins-used:1
> n:client-wins-auto:1
> n:client-dns-used:1
> n:client-dns-auto:1
> n:client-splitdns-used:1
> n:client-splitdns-auto:1
> n:phase1-dhgroup:2
> n:phase1-life-secs:86400
> n:phase1-life-kbytes:0
> n:vendor-chkpt-enable:0
> n:phase2-life-secs:3600
> n:phase2-life-kbytes:0
> n:policy-nailed:0
> n:policy-list-auto:0
> s:network-host:vpn.XXXXXXXXXXXXX.com
> s:client-auto-mode:pull
> s:client-iface:virtual
> s:network-natt-mode:enable
> s:network-frag-mode:enable
> s:auth-method:mutual-psk-xauth
> s:ident-client-type:fqdn
> s:ident-server-type:fqdn
> s:ident-client-data:client.domain.com
> s:ident-server-data:vpngw.domain.com
> b:auth-mutual-psk:YXQ0d2lyZWxlc3M=
> s:phase1-exchange:aggressive
> s:phase1-cipher:auto
> s:phase1-hash:auto
> s:phase2-transform:auto
> s:phase2-hmac:auto
> s:ipcomp-transform:disabled
> n:phase2-pfsgroup:-1
> s:policy-level:auto
> s:policy-list-include:192.168.12.0 / 255.255.252.0
>
> And here is my SSG-140 config file ...
>
> set clock ntp
> set clock timezone 1
> set vrouter trust-vr sharable
> set vrouter "untrust-vr"
> exit
> set vrouter "trust-vr"
> unset auto-route-export
> exit
> set service "TCP-5904" protocol tcp src-port 0-65535 dst-port 5904-5904
> unset alg sql enable
> set auth-server "Local" id 0
> set auth-server "Local" server-name "Local"
> set auth-server "Local" timeout 20
> set auth default auth server "Local"
> set auth radius accounting port 1646
> set admin name "netscreen"
> set admin password "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
> set admin user "admin" password "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" privilege "all"
> set admin manager-ip 192.168.13.90 255.255.255.255
> set admin manager-ip 192.168.13.187 255.255.255.255
> set admin manager-ip 192.168.14.208 255.255.255.255
> set admin manager-ip 192.168.15.201 255.255.255.255
> set admin manager-ip 192.168.13.223 255.255.255.255
> set admin manager-ip 192.168.13.62 255.255.255.255
> set admin port 8080
> set admin scs password disable username netscreen
> set admin auth timeout 10
> set admin auth server "Local"
> set admin format dos
> set zone "Trust" vrouter "trust-vr"
> set zone "Untrust" vrouter "trust-vr"
> set zone "DMZ" vrouter "trust-vr"
> set zone "VLAN" vrouter "trust-vr"
> set zone id 100 "Zona Teletrabajadores"
> set zone id 101 "Untrust-2"
> set zone "Untrust-Tun" vrouter "trust-vr"
> set zone "Trust" tcp-rst
> unset zone "Untrust" block
> unset zone "Untrust" tcp-rst
> set zone "MGT" block
> set zone "DMZ" tcp-rst
> set zone "VLAN" block
> unset zone "VLAN" tcp-rst
> unset zone "Zona Teletrabajadores" tcp-rst
> unset zone "Untrust-2" tcp-rst
> set zone "Untrust" screen tear-drop
> set zone "Untrust" screen syn-flood
> set zone "Untrust" screen ping-death
> set zone "Untrust" screen ip-filter-src
> set zone "Untrust" screen land
> set zone "V1-Untrust" screen tear-drop
> set zone "V1-Untrust" screen syn-flood
> set zone "V1-Untrust" screen ping-death
> set zone "V1-Untrust" screen ip-filter-src
> set zone "V1-Untrust" screen land
> set interface "ethernet0/0" zone "Trust"
> set interface "ethernet0/1" zone "DMZ"
> set interface "ethernet0/2" zone "Untrust"
> set interface "ethernet0/8" zone "Trust"
> set interface "ethernet0/9" zone "Untrust"
> unset interface vlan1 ip
> set interface ethernet0/8 ip 192.168.10.1/16
> set interface ethernet0/8 route
> set interface ethernet0/9 ip 62.XXXXXXXXX/28
> set interface ethernet0/9 route
> unset interface vlan1 bypass-others-ipsec
> unset interface vlan1 bypass-non-ip
> set interface ethernet0/8 ip manageable
> set interface ethernet0/9 ip manageable
> set interface ethernet0/9 manage ping
> set interface ethernet0/9 manage telnet
> set interface ethernet0/9 manage web
> set interface ethernet0/9 vip untrust 5904 "TCP-5904" 192.168.13.184 manual
> set interface ethernet0/8 dip 4 192.168.10.100 192.168.10.100
> set interface ethernet0/8 dot1x max-user 32
> set pak-poll p1queue pak-threshold 240
> set pak-poll p2queue pak-threshold 80
> unset flow no-tcp-seq-check
> set flow tcp-syn-check
> set domain MyNetwork
> set hostname FW-SSG140
> set pki authority default scep mode "auto"
> set pki x509 default cert-path partial
> set pki x509 dn country-name "ES"
> set pki x509 dn state-name "------"
> set pki x509 dn local-name "------"
> set pki x509 dn org-name "--------"
> set pki x509 dn name "FW-SSG140"
> set pki x509 dn email "FW-SSG140xxxxxxxxxx.com"
> set dns host dns1 194.179.1.100 src-interface ethernet0/9
> set dns host dns2 62.XXX.XXX.XXX src-interface ethernet0/9
> set dns host dns3 0.0.0.0
> set address "Trust" "192.168.0.0/255.255.0.0" 192.168.0.0 255.255.0.0
> set address "Trust" "192.168.13.125/255.255.255.255" 192.168.13.125 255.255.255.255
> set address "Trust" "192.168.13.162/255.255.255.255" 192.168.13.162 255.255.255.255
> set address "Trust" "192.168.13.223/255.255.255.255" 192.168.13.223 255.255.255.255
> set address "Trust" "192.168.162" 192.168.162
> set address "Trust" "192.169.13.130/255.255.255.255" 192.169.13.130 255.255.255.255
> set address "Trust" "Red Servidor 192.168.12.0 255.255.252.0
> set address "Zona Teletrabajadores" "192.168.13.224/255.255.255.255" 192.168.13.224 255.255.255.255
> set ippool "mypool" 192.168.39.1 192.168.39.254
> set ippool "IP_Pool" 172.16.16.10 172.16.16.50
> set user "joe" uid 108
> set user "joe" type l2tp xauth
> set user "joe" remote ippool "mypool"
> set user "joe" remote dns1 "192.168.13.114"
> set user "joe" remote dns2 "192.168.13.130"
> set user "joe" password "BHDBhCY0N24JHwstwVCaNUot52nujMMGRg=="
> unset user "joe" type auth
> set user "joe" "enable"
> set user "vpnclient_ph1id" uid 107
> set user "vpnclient_ph1id" ike-id fqdn "client.domain.com" share-limit 1
> set user "vpnclient_ph1id" type ike
> set user "vpnclient_ph1id" "enable"
> set user-group "vpnclient_group" id 3
> set user-group "vpnclient_group" user "vpnclient_ph1id"
> set ike gateway "vpnclient_gateway" dialup "vpnclient_ph1id" Aggr local-id "vpngw.domain.com" outgoing-interface "ethernet0/9" preshare "1GK7RhS/NSu5cTsbHqCQOs9mp3n8IZO1bg==" proposal "pre-g2-3des-sha" "pre-g2-3des-md5" "pre-g2-aes128-sha" "pre-g2-aes128-md5"
> unset ike gateway "vpnclient_gateway" nat-traversal udp-checksum
> set ike gateway "vpnclient_gateway" nat-traversal keepalive-frequency 20
> set ike gateway "vpnclient_gateway" xauth server "Local"
> unset ike gateway "vpnclient_gateway" xauth do-edipi-auth
> set ike gateway "vpnclient_gateway" dpd interval 30
> unset ike policy-checking
> set ike respond-bad-spi 1
> unset ike ikeid-enumeration
> unset ike dos-protection
> unset ipsec access-session enable
> set ipsec access-session maximum 5000
> set ipsec access-session upper-threshold 0
> set ipsec access-session lower-threshold 0
> set ipsec access-session dead-p2-sa-timeout 0
> unset ipsec access-session log-error
> unset ipsec access-session info-exch-connected
> unset ipsec access-session use-error-log
> set xauth default ippool "mypool"
> set xauth default dns1 192.168.13.114
> set xauth default dns2 192.168.13.130
> set vpn "vpnclient_tunnel" gateway "vpnclient_gateway" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-sha" "nopfs-esp-3des-md5" "nopfs-esp-aes128-sha" "nopfs-esp-aes128-md5"
> set l2tp default dns1 192.168.13.114
> set l2tp default dns2 192.168.13.130
> set l2tp default ppp-auth chap
> set l2tp "l2-tunnel" id 1 outgoing-interface ethernet0/9 keepalive 60
> set l2tp "l2-tunnel" remote-setting ippool "mypool" dns1 192.168.13.114
> set url protocol websense
> exit
> set policy id 84 name "vpnclient" from "Untrust" to "Trust" "Dial-Up VPN" "Red Servidor MyNetwork" "ANY" nat src tunnel vpn "vpnclient_tunnel" id 102 log
> set policy id 84
> exit
> set policy id 3 from "Trust" to "Untrust" "Any" "Any" "ANY" deny log
> set policy id 3
> exit
> set policy id 1 from "Untrust" to "Trust" "Any" "Any" "ANY" deny log
> set policy id 1
> exit
> set syslog config "192.168.13.222"
> set syslog config "192.168.13.222" facilities local0 local0
> set syslog enable
> set nsmgmt bulkcli reboot-timeout 60
> set nsmgmt bulkcli reboot-wait 0
> set ssh version v2
> set ssh enable
> set scp enable
> set config lock timeout 5
> set ntp server "130.206.3.166"
> set ntp server src-interface "ethernet0/9"
> set ntp interval 100
> set snmp port listen 161
> set snmp port trap 162
> set vrouter "untrust-vr"
> exit
> set vrouter "trust-vr"
> unset add-default-route
> set route 0.0.0.0/0 interface ethernet0/9 gateway 62.XXX.XXX.XXX preference 20
> exit
> set vrouter "untrust-vr"
> exit
> set vrouter "trust-vr"
> exit
>
> Any help would be very appreciated.
>
> Thanks
> _______________________________________________
> vpn-help mailing list
> [email protected]
> http://lists.shrew.net/mailman/listinfo/vpn-help
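An added check for the kind of problem in the post above. This is not code from the post, from Shrew Soft or from Juniper: it parses the Shrew site export (the n:/s:/b: lines, with b: assumed to be base64) and the ScreenOS "set ike gateway", "set user ... ike-id" and "xauth server" lines, compares the Phase 1 identities, exchange mode, DH group and XAuth expectation the two sides must agree on, and replays the SSG IKE log (which ScreenOS prints newest first) in chronological order to name the last stage reached. The sample inputs are trimmed from the post with the addresses and PSK replaced by constructed placeholders; the regexes only cover the line shapes shown there, and the log phrases it matches are the ones in the post.

```python
"""Added example: cross-check a Shrew Soft site export against a ScreenOS
dial-up IKE gateway and replay the SSG IKE log in time order."""
import base64
import re
from datetime import datetime

# Constructed sample inputs: trimmed from the post, mail quoting removed, wrapped
# lines rejoined; addresses and the PSK are placeholders, not the post's values.
SHREW_SITE = """\
n:phase1-dhgroup:2
s:auth-method:mutual-psk-xauth
s:ident-client-type:fqdn
s:ident-server-type:fqdn
s:ident-client-data:client.domain.com
s:ident-server-data:vpngw.domain.com
b:auth-mutual-psk:cGxhY2Vob2xkZXI=
s:phase1-exchange:aggressive
"""
SSG_CONFIG = """\
set user "vpnclient_ph1id" ike-id fqdn "client.domain.com" share-limit 1
set ike gateway "vpnclient_gateway" dialup "vpnclient_ph1id" Aggr local-id "vpngw.domain.com" outgoing-interface "ethernet0/9" preshare "REDACTED" proposal "pre-g2-3des-sha" "pre-g2-3des-md5" "pre-g2-aes128-sha" "pre-g2-aes128-md5"
set ike gateway "vpnclient_gateway" xauth server "Local"
"""
SSG_LOG = """\
2011-06-27 09:15:45 info IKE<198.51.100.7>: XAuth login was aborted for gateway <vpnclient_gateway>, username <joe>, retry: 0.
2011-06-27 09:15:39 info Rejected an IKE packet on ethernet0/9 from 198.51.100.7:58125 to 203.0.113.9:4500 with cookies 429c1915bb026bce and c125368ff8ef5fb4 because a Phase 2 packet arrived while XAuth was still pending.
2011-06-27 09:15:39 info IKE<198.51.100.7> Phase 1: Completed Aggressive mode negotiations with a <28800>-second lifetime.
2011-06-27 09:15:39 info IKE<198.51.100.7> Phase 1: Responder starts AGGRESSIVE mode negotiations.
"""

def parse_shrew(text):
    """One 'kind:key:value' per line: n = int, s = string, b = base64 (assumed).
    base64 is an encoding, not encryption: the PSK is in this file in the clear."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"^([nsb]):([\w-]+):(.*)$", line.strip())
        if m:
            kind, key, val = m.groups()
            cfg[key] = int(val) if kind == "n" else base64.b64decode(val) if kind == "b" else val
    return cfg

def parse_ssg(text):
    """Collect the Phase 1 facts a dial-up client must agree with."""
    ssg = {"proposals": []}
    for line in text.splitlines():
        m = re.match(r'set ike gateway "([^"]+)" dialup "([^"]+)" (Aggr|Main) local-id "([^"]+)"', line)
        if m:
            ssg["gateway"], ssg["dialup_user"], ssg["exchange"], ssg["local_id"] = m.groups()
            ssg["proposals"] = re.findall(r'"(pre-g\d+-[^"]+)"', line)
        m = re.match(r'set user "([^"]+)" ike-id (\S+) "([^"]+)"', line)
        if m:
            ssg["ike_user"], ssg["ike_id_type"], ssg["ike_id"] = m.groups()
        m = re.match(r'set ike gateway "([^"]+)" xauth server "([^"]+)"', line)
        if m:
            ssg["xauth_server"] = m.group(2)
    return ssg

def check_site(shrew, ssg):
    """Phase 1 mismatches this client would hit against this gateway."""
    out = []
    if shrew.get("ident-server-data") != ssg.get("local_id"):
        out.append("server id %r != gateway local-id %r" % (shrew.get("ident-server-data"), ssg.get("local_id")))
    client = (shrew.get("ident-client-type"), shrew.get("ident-client-data"))
    gateway = (ssg.get("ike_id_type"), ssg.get("ike_id"))
    if client != gateway:
        out.append("client id %r != dial-up user ike-id %r" % (client, gateway))
    want = "Aggr" if shrew.get("phase1-exchange") == "aggressive" else "Main"
    if ssg.get("exchange") != want:
        out.append("exchange: client %s, gateway %s" % (want, ssg.get("exchange")))
    if shrew.get("auth-method", "").endswith("xauth") and "xauth_server" not in ssg:
        out.append("client expects XAuth but the gateway has no xauth server")
    # ScreenOS proposal names carry the DH group as 'gN'
    groups = {int(g) for p in ssg["proposals"] for g in re.findall(r"-g(\d+)-", p)}
    if groups and shrew.get("phase1-dhgroup") not in groups:
        out.append("DH group %s not in gateway proposals %s" % (shrew.get("phase1-dhgroup"), sorted(groups)))
    return out

LOG_LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \w+ (.*)$")
# ScreenOS phrases exactly as they appear in the post, in session order.
STAGES = [("Responder starts AGGRESSIVE mode", "p1-started"),
          ("Phase 1: Completed", "p1-done"),
          ("Phase 2 packet arrived while XAuth was still pending", "p2-before-xauth"),
          ("XAuth login was aborted", "xauth-aborted")]

def replay_log(text):
    """ScreenOS lists newest first: reverse, then stable-sort by timestamp so
    lines that share a second keep their original relative order."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            events.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)))
    events.reverse()
    events.sort(key=lambda e: e[0])
    return [msg for _, msg in events]

def stages_reached(text):
    """Stage names hit while replaying the log, oldest first; the last is where it stopped."""
    reached = []
    for msg in replay_log(text):
        for phrase, name in STAGES:
            if phrase in msg and name not in reached:
                reached.append(name)
    return reached
```

Run against the values in the post, check_site() returns no findings (the identities, Aggressive mode, group 2 and the XAuth server all line up), and the replay ends at xauth-aborted right after a Phase 2 packet was rejected while XAuth was still pending, which points at the XAuth step itself rather than at the Phase 1 identities. The b: line is worth noting on its own: base64 only obscures the PSK, so a Shrew site export has to be handled as a secret.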
