I'm having trouble completing Phase 1 of an IPSec tunnel from a Shrew client 
v2.1.7 to a Juniper Netscreen 5gt configured as Mutual PSK + Xauth. NAT-T is 
enabled and Exchange type is Aggressive, DH Group 2. A negotiation timeout 
occurs. This configuration works fine with other PCs that access the internet 
via NATing firewalls or direct connection to internet.
It only doesn't work with a Verizon 4G USB Modem (Pantech UML290) that creates 
a Local Area Connection on the PC with a private IP (10.x.x.x/30) and is 
somehow NATing to a public address in Verizon network. From the IKE debug logs 
on the Netscreen I can see the IKE UDP:500 connection and the Netscreen sends a 
response to the client's public address using the PATed 500 port, but the Shrew 
software never sees it and continues to resend original request. Ex: 
ClientPublic:45213 → NetscreenPublic:500. NetscreenPublic:500 → ClientPublic:45213 
I have the Shrew trace utility running in debug mode, and it just continues to 
resend the phase 1 packets on port 500. The trace Firewall Rules tab shows the 
RECV DIVERT rule for the appropriate IP addresses, but never gets any hits. I 
can see from Wireshark that the PC is receiving the packets from the Netscreen 
and it includes both initiator and responder cookies and the NAT-D payload but 
for some reason the Shrew client doesn't acknowledge the packets.
Again, this is only a problem on the Verizon 4G network. Has anyone seen 
behavior like this or have any ideas?
Mark

_______________________________________________
vpn-help mailing list
[email protected]
http://lists.shrew.net/mailman/listinfo/vpn-help
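Added example (not from the original post, the Shrew project or Juniper): a small Python decoder for the ISAKMP header and payload chain that reports the same things Mark checks by eye in Wireshark, i.e. whether a UDP/500 packet is an aggressive-mode message, whether the responder cookie is filled in (so it is the Netscreen's reply rather than the client's own retransmit) and how many NAT-D payloads it carries. The packet it runs on is constructed inline, not a real capture.

```python
import struct

# ISAKMP (RFC 2408) constants used by the checks below.
EXCHANGE_AGGRESSIVE = 4
PAYLOAD_NAMES = {0: "NONE", 1: "SA", 4: "KE", 5: "ID", 8: "HASH",
                 10: "NONCE", 13: "VID", 20: "NAT-D", 130: "NAT-D(draft)"}
NATD_TYPES = (20, 130)  # RFC 3947 NAT-D, and the draft-era private type

def parse_isakmp(packet: bytes) -> dict:
    """Decode the fixed 28-byte ISAKMP header and walk the generic payload chain."""
    if len(packet) < 28:
        raise ValueError("short ISAKMP header")
    icookie, rcookie, nxt, _ver, xchg, _flags, _msgid, length = struct.unpack(
        "!8s8sBBBBII", packet[:28])
    if length != len(packet):
        raise ValueError(f"header length {length} != packet length {len(packet)}")
    payloads, off = [], 28
    while nxt != 0:  # each payload header names the type of the one after it
        if off + 4 > len(packet):
            raise ValueError("truncated payload header")
        following, _res, plen = struct.unpack("!BBH", packet[off:off + 4])
        if plen < 4 or off + plen > len(packet):
            raise ValueError(f"bad payload length {plen} at offset {off}")
        payloads.append(nxt)
        nxt, off = following, off + plen
    return {"icookie": icookie, "rcookie": rcookie, "exchange": xchg, "payloads": payloads}

def diagnose(packet: bytes) -> dict:
    """Summarise the points worth checking on a captured phase 1 packet."""
    msg = parse_isakmp(packet)
    return {
        "aggressive": msg["exchange"] == EXCHANGE_AGGRESSIVE,
        "from_responder": msg["rcookie"] != b"\x00" * 8,  # initiator's first msg has it zeroed
        "nat_d_count": sum(1 for p in msg["payloads"] if p in NATD_TYPES),
        "payloads": [PAYLOAD_NAMES.get(p, str(p)) for p in msg["payloads"]],
    }

def _payload(next_type: int, body: bytes) -> bytes:
    return struct.pack("!BBH", next_type, 0, 4 + len(body)) + body

def build_sample(rcookie: bytes) -> bytes:
    """Constructed sample (not a real capture): SA->KE->NONCE->ID->NAT-D->NAT-D."""
    body = (_payload(4, b"\x00" * 4) + _payload(10, b"\x00" * 4)
            + _payload(5, b"\x00" * 4) + _payload(20, b"\x00" * 4)
            + _payload(20, b"\x11" * 20) + _payload(0, b"\x22" * 20))
    hdr = struct.pack("!8s8sBBBBII", b"\xaa" * 8, rcookie, 1, 0x10,
                      EXCHANGE_AGGRESSIVE, 0, 0, 28 + len(body))
    return hdr + body

if __name__ == "__main__":
    print(diagnose(build_sample(b"\xbb" * 8)))   # responder-style reply
    print(diagnose(build_sample(b"\x00" * 8)))   # initiator-style first message
```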