On 11/21/2011 05:05 PM, Tim Keane wrote:
Kevin VPN <kvpn@...> writes:
Double-check your Phase 2, proxy and/or policy settings to be sure they
are the same on both the client and gateway.
I've double-checked them, and I can't find any discrepancy. If I watch the
Security Associations tab of the VPN Trace utility, I see two mature SAs
momentarily displayed. The logs of the Juniper seem to indicate that it's happy
with the completion of the VPN tunnel as well. I think my phase2 parameters
have to match, because the tunnel is up for a moment.
Any help with this would be much appreciated. It's currently holding up our VPN
rollout, because I'd much rather get Shrew working than pay NCP's exorbitant
prices for a client. Thanks for anyone's help with this!
Here is the part of the log in question:
...
11/11/21 16:25:27<- : recv IKE packet 1.2.3.8:500 -> 1.2.3.112:500 ( 76 bytes )
11/11/21 16:25:27 DB : phase1 found
11/11/21 16:25:27 ii : processing phase2 packet ( 76 bytes )
11/11/21 16:25:27 DB : phase2 found
11/11/21 16:25:27 !! : phase2 packet ignored, resending last packet ( phase2
already mature )
11/11/21 16:25:27 -> : resend 1 phase2 packet(s) [0/2] 1.2.3.112:500 ->
1.2.3.8:500
11/11/21 16:25:27<- : recv IKE packet 1.2.3.8:500 -> 1.2.3.112:500 ( 76 bytes )
11/11/21 16:25:27 DB : phase1 found
11/11/21 16:25:27 ii : processing phase2 packet ( 76 bytes )
11/11/21 16:25:27 DB : phase2 found
11/11/21 16:25:27 !! : phase2 packet ignored, resending last packet ( phase2
already mature )
11/11/21 16:25:27 -> : resend 1 phase2 packet(s) [1/2] 1.2.3.112:500 ->
1.2.3.8:500
11/11/21 16:25:27<- : recv IKE packet 1.2.3.8:500 -> 1.2.3.112:500 ( 76 bytes )
11/11/21 16:25:27 DB : phase1 found
11/11/21 16:25:27 ii : processing phase2 packet ( 76 bytes )
11/11/21 16:25:27 DB : phase2 found
11/11/21 16:25:27 !! : phase2 packet ignored, resending last packet ( phase2
already mature )
11/11/21 16:25:27 -> : resend 1 phase2 packet(s) [2/2] 1.2.3.112:500 ->
1.2.3.8:500
11/11/21 16:25:27 K< : recv pfkey UPDATE ESP message
11/11/21 16:25:27<- : recv IKE packet 1.2.3.8:500 -> 1.2.3.112:500 ( 76 bytes )
11/11/21 16:25:27 DB : phase1 found
11/11/21 16:25:27 ii : processing phase2 packet ( 76 bytes )
11/11/21 16:25:27 DB : phase2 found
11/11/21 16:25:27 !! : phase2 packet ignored, resending last packet ( phase2
already mature )
11/11/21 16:25:27 ii : resend limit exceeded for phase2 exchange
11/11/21 16:25:27 DB : phase2 soft event canceled ( ref count = 2 )
11/11/21 16:25:27 DB : phase2 hard event canceled ( ref count = 1 )
11/11/21 16:25:27 DB : phase1 found
11/11/21 16:25:27 ii : sending peer DELETE message
This phase2 loop suggests to me that something still isn't right with
phase2.
You say you're using Juniper and can see the logs. Does it report a
"completed negotiations" message in the event log? It will list the
lifetime so you can see if it matches what Shrew reports.
There's also a 'debug ike' command you can run at the CLI that may also
shed some light on things.
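
Added example, not part of the original thread and not Shrew's own code: a small Python triage script for the loop shown in the log above. It rejoins mail-wrapped entries, counts the "phase2 already mature" retransmits, and flags the resend-limit teardown; the sample log is constructed with documentation addresses, and `parse` and `find_phase2_loop` are hypothetical names.

```python
import re

# Constructed sample in the log format quoted above (documentation addresses);
# one entry is wrapped across two lines the way the mail client wrapped them.
SAMPLE_LOG = """\
11/11/21 16:25:27<- : recv IKE packet 192.0.2.8:500 -> 192.0.2.112:500 ( 76 bytes )
11/11/21 16:25:27 !! : phase2 packet ignored, resending last packet ( phase2
already mature )
11/11/21 16:25:27 -> : resend 1 phase2 packet(s) [0/2] 192.0.2.112:500 -> 192.0.2.8:500
11/11/21 16:25:27<- : recv IKE packet 192.0.2.8:500 -> 192.0.2.112:500 ( 76 bytes )
11/11/21 16:25:27 !! : phase2 packet ignored, resending last packet ( phase2 already mature )
11/11/21 16:25:27 -> : resend 1 phase2 packet(s) [1/2] 192.0.2.112:500 -> 192.0.2.8:500
11/11/21 16:25:27 ii : resend limit exceeded for phase2 exchange
11/11/21 16:25:27 ii : sending peer DELETE message
"""

# timestamp, two-character tag ("<-", "->", "DB", "ii", "!!", "K<"), message
ENTRY = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s*(\S\S) : (.*)$")

def parse(text):
    """Return (timestamp, tag, message) tuples, rejoining wrapped lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append(list(m.groups()))
        elif entries and line.strip():
            entries[-1][2] += " " + line.strip()  # continuation of previous entry
    return [tuple(e) for e in entries]

def find_phase2_loop(text):
    """Summarise the retransmit loop: ignored packets, resends, teardown."""
    peers, ignored, resends, limit, deleted = set(), 0, 0, False, False
    for _ts, tag, msg in parse(text):
        if tag == "<-" and (m := re.search(r"recv IKE packet (\S+) ->", msg)):
            peers.add(m.group(1))
        elif tag == "!!" and "phase2 already mature" in msg:
            ignored += 1
        elif tag == "->" and re.search(r"resend \d+ phase2 packet", msg):
            resends += 1
        elif "resend limit exceeded for phase2" in msg:
            limit = True
        elif "sending peer DELETE message" in msg:
            deleted = limit  # only counts when it follows the resend limit
    return {"peers": sorted(peers), "ignored": ignored, "resends": resends,
            "loop_then_delete": ignored > 0 and limit and deleted}

if __name__ == "__main__":
    print(find_phase2_loop(SAMPLE_LOG))
```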