Hello there! I hope you can help me. I have set up VPN access using the article http://www.shrew.net/support/Howto_Juniper_SSG but I cannot connect using the Radius server. I can only connect if I create a user account on the firewall, but I don't want to do that for all the users.
The firewall shows the following:

2013-02-27 13:04:26 info IKE 198.228.192.58: XAuth login failed for gateway GW-DIALUP-VPN, username v.kapur, retry: 0, timeout: 0.
2013-02-27 13:04:26 warn Primary 10.50.100.12, backup1 , and backup2 servers failed.
2013-02-27 13:04:26 warn Active Server Switchover: New requests for Microsoft server will try Primary from now on.
2013-02-27 13:04:26 warn Active Server Switchover: New requests for Microsoft server will try Backup2 from now on.
2013-02-27 13:04:25 warn Active Server Switchover: New requests for Microsoft server will try Backup1 from now on.
2013-02-27 13:04:17 warn Trying primary server 10.50.100.12.
2013-02-27 13:04:14 info Rejected an IKE packet on ethernet0/2 from 198.228.192.58:52023 to 209.66.114.182:500 with cookies b39458fbfd5bf598 and 522010f96b92f8d1 because A Phase 2 packet arrived while XAuth was still pending.
2013-02-27 13:04:14 info IKE 198.228.192.58 Phase 1: Completed Aggressive mode negotiations with a 28800-second lifetime.
2013-02-27 13:04:14 info IKE 198.228.192.58 Phase 1: Completed for user client.corporate.com.
2013-02-27 13:04:14 info IKE 198.228.192.58 phase 1:The symmetric crypto key has been generated successfully.
2013-02-27 13:04:14 info IKE 198.228.192.58 Phase 1: Responder starts AGGRESSIVE mode negotiations.

The IKE logs are attached as well as the error on the Shrew Soft client.
config loaded for site '209.66.114.182'
configuring client settings ...
attached to key daemon ...
peer configured
iskamp proposal configured
esp proposal configured
client configured
local id configured
remote id configured
pre-shared key configured
bringing up tunnel ...
user authentication error
tunnel disabled
detached from key daemon ...
13/02/27 13:03:05 ## : IKE Daemon, ver 2.1.7
13/02/27 13:03:05 ## : Copyright 2010 Shrew Soft Inc.
13/02/27 13:03:05 ## : This product linked OpenSSL 0.9.8h 28 May 2008
13/02/27 13:03:05 ii : opened 'C:\Program Files\ShrewSoft\VPN Client\debug\iked.log'
13/02/27 13:03:05 ii : opened 'C:\Program Files\ShrewSoft\VPN Client/debug/dump-ike-decrypt.cap'
13/02/27 13:03:05 ii : opened 'C:\Program Files\ShrewSoft\VPN Client/debug/dump-ike-encrypt.cap'
13/02/27 13:03:05 ii : rebuilding vnet device list ...
13/02/27 13:03:05 ii : device ROOT\VNET\0000 disabled
13/02/27 13:03:05 ii : network process thread begin ...
13/02/27 13:03:05 ii : pfkey process thread begin ...
13/02/27 13:03:05 ii : ipc server process thread begin ...
13/02/27 13:04:16 ii : ipc client process thread begin ...
13/02/27 13:04:16 <A : peer config add message
13/02/27 13:04:16 DB : peer added ( obj count = 1 )
13/02/27 13:04:16 ii : local address 172.20.10.3 selected for peer
13/02/27 13:04:16 DB : tunnel added ( obj count = 1 )
13/02/27 13:04:16 <A : proposal config message
13/02/27 13:04:16 <A : proposal config message
13/02/27 13:04:16 <A : client config message
13/02/27 13:04:16 <A : xauth username message
13/02/27 13:04:16 <A : xauth password message
13/02/27 13:04:16 <A : local id 'client.corporate.com' message
13/02/27 13:04:16 <A : remote id 'vpn.corporate.com' message
13/02/27 13:04:16 <A : preshared key message
13/02/27 13:04:16 <A : remote resource message
13/02/27 13:04:16 <A : peer tunnel enable message
13/02/27 13:04:16 DB : new phase1 ( ISAKMP initiator )
13/02/27 13:04:16 DB : exchange type is aggressive
13/02/27 13:04:16 DB : 172.20.10.3:500 <-> 209.66.114.182:500
13/02/27 13:04:16 DB : b39458fbfd5bf598:0000000000000000
13/02/27 13:04:16 DB : phase1 added ( obj count = 1 )
13/02/27 13:04:16 >> : security association payload
13/02/27 13:04:16 >> : - proposal #1 payload
13/02/27 13:04:16 >> : -- transform #1 payload
13/02/27 13:04:16 >> : -- transform #2 payload
13/02/27 13:04:16 >> : -- transform #3 payload
13/02/27 13:04:16 >> : -- transform #4 payload
13/02/27 13:04:16 >> : -- transform #5 payload
13/02/27 13:04:16 >> : -- transform #6 payload
13/02/27 13:04:16 >> : -- transform #7 payload
13/02/27 13:04:16 >> : -- transform #8 payload
13/02/27 13:04:16 >> : -- transform #9 payload
13/02/27 13:04:16 >> : -- transform #10 payload
13/02/27 13:04:16 >> : -- transform #11 payload
13/02/27 13:04:16 >> : -- transform #12 payload
13/02/27 13:04:16 >> : -- transform #13 payload
13/02/27 13:04:16 >> : -- transform #14 payload
13/02/27 13:04:16 >> : -- transform #15 payload
13/02/27 13:04:16 >> : -- transform #16 payload
13/02/27 13:04:16 >> : -- transform #17 payload
13/02/27 13:04:16 >> : -- transform #18 payload
13/02/27 13:04:16 >> : key exchange payload
13/02/27 13:04:16 >> : nonce payload
13/02/27 13:04:16 >> : identification payload
13/02/27 13:04:16 >> : vendor id payload
13/02/27 13:04:16 ii : local supports XAUTH
13/02/27 13:04:16 >> : vendor id payload
13/02/27 13:04:16 ii : local supports nat-t ( draft v00 )
13/02/27 13:04:16 >> : vendor id payload
13/02/27 13:04:16 ii : local supports nat-t ( draft v01 )
13/02/27 13:04:16 >> : vendor id payload
13/02/27 13:04:16 ii : local supports nat-t ( draft v02 )
13/02/27 13:04:16 >> : vendor id payload
13/02/27 13:04:16 ii : local supports nat-t ( draft v03 )
13/02/27 13:04:16 >> : vendor id payload
13/02/27 13:04:16 ii : local supports nat-t ( rfc )
13/02/27 13:04:16 >> : vendor id payload
13/02/27 13:04:16 ii : local supports FRAGMENTATION
13/02/27 13:04:16 >> : vendor id payload
13/02/27 13:04:16 ii : local supports DPDv1
13/02/27 13:04:16 >> : vendor id payload
13/02/27 13:04:16 ii : local is SHREW SOFT compatible
13/02/27 13:04:16 >> : vendor id payload
13/02/27 13:04:16 ii : local is NETSCREEN compatible
13/02/27 13:04:16 >> : vendor id payload
13/02/27 13:04:16 ii : local is SIDEWINDER compatible
13/02/27 13:04:16 >> : vendor id payload
13/02/27 13:04:16 ii : local is CISCO UNITY compatible
13/02/27 13:04:16 >= : cookies b39458fbfd5bf598:0000000000000000
13/02/27 13:04:16 >= : message 00000000
13/02/27 13:04:16 -> : send IKE packet 172.20.10.3:500 -> 209.66.114.182:500 ( 1196 bytes )
13/02/27 13:04:16 DB : phase1 resend event scheduled ( ref count = 2 )
13/02/27 13:04:17 <- : recv IKE packet 209.66.114.182:500 -> 172.20.10.3:500 ( 389 bytes )
13/02/27 13:04:17 DB : phase1 found
13/02/27 13:04:17 ii : processing phase1 packet ( 389 bytes )
13/02/27 13:04:17 =< : cookies b39458fbfd5bf598:522010f96b92f8d1
13/02/27 13:04:17 =< : message 00000000
13/02/27 13:04:17 << : security association payload
13/02/27 13:04:17 << : - propsal #1 payload
13/02/27 13:04:17 << : -- transform #1 payload
13/02/27 13:04:17 ii : unmatched isakmp proposal/transform
13/02/27 13:04:17 ii : key length ( 128 != 256 )
13/02/27 13:04:17 ii : unmatched isakmp proposal/transform
13/02/27 13:04:17 ii : key length ( 128 != 256 )
13/02/27 13:04:17 ii : unmatched isakmp proposal/transform
13/02/27 13:04:17 ii : key length ( 128 != 192 )
13/02/27 13:04:17 ii : unmatched isakmp proposal/transform
13/02/27 13:04:17 ii : key length ( 128 != 192 )
13/02/27 13:04:17 !! : peer violates RFC, transform number mismatch ( 1 != 5 )
13/02/27 13:04:17 ii : matched isakmp proposal #1 transform #1
13/02/27 13:04:17 ii : - transform = ike
13/02/27 13:04:17 ii : - cipher type = aes
13/02/27 13:04:17 ii : - key length = 128 bits
13/02/27 13:04:17 ii : - hash type = md5
13/02/27 13:04:17 ii : - dh group = modp-1024
13/02/27 13:04:17 ii : - auth type = xauth-initiator-psk
13/02/27 13:04:17 ii : - life seconds = 86400
13/02/27 13:04:17 ii : - life kbytes = 0
13/02/27 13:04:17 << : vendor id payload
13/02/27 13:04:17 ii : unknown vendor id ( 28 bytes )
13/02/27 13:04:17 0x : 0516dc8a 882c54a5 6690dc05 bdda3b9e c805e586 12000000 1e060000
13/02/27 13:04:17 << : vendor id payload
13/02/27 13:04:17 ii : peer supports XAUTH
13/02/27 13:04:17 << : vendor id payload
13/02/27 13:04:17 ii : peer supports DPDv1
13/02/27 13:04:17 << : vendor id payload
13/02/27 13:04:17 ii : peer supports HEARTBEAT-NOTIFY
13/02/27 13:04:17 << : key exchange payload
13/02/27 13:04:17 << : nonce payload
13/02/27 13:04:17 << : identification payload
13/02/27 13:04:17 ii : phase1 id match
13/02/27 13:04:17 ii : received = fqdn vpn.corporate.com
13/02/27 13:04:17 << : hash payload
13/02/27 13:04:17 ii : nat-t is unsupported by remote peer
13/02/27 13:04:17 == : DH shared secret ( 128 bytes )
13/02/27 13:04:17 == : SETKEYID ( 16 bytes )
13/02/27 13:04:17 == : SETKEYID_d ( 16 bytes )
13/02/27 13:04:17 == : SETKEYID_a ( 16 bytes )
13/02/27 13:04:17 == : SETKEYID_e ( 16 bytes )
13/02/27 13:04:17 == : cipher key ( 16 bytes )
13/02/27 13:04:17 == : cipher iv ( 16 bytes )
13/02/27 13:04:17 == : phase1 hash_i ( computed ) ( 16 bytes )
13/02/27 13:04:17 >> : hash payload
13/02/27 13:04:17 >= : cookies b39458fbfd5bf598:522010f96b92f8d1
13/02/27 13:04:17 >= : message 00000000
13/02/27 13:04:17 >= : encrypt iv ( 16 bytes )
13/02/27 13:04:17 == : encrypt packet ( 48 bytes )
13/02/27 13:04:17 == : stored iv ( 16 bytes )
13/02/27 13:04:17 DB : phase1 resend event canceled ( ref count = 1 )
13/02/27 13:04:17 -> : send IKE packet 172.20.10.3:500 -> 209.66.114.182:500 ( 88 bytes )
13/02/27 13:04:17 == : phase1 hash_r ( computed ) ( 16 bytes )
13/02/27 13:04:17 == : phase1 hash_r ( received ) ( 16 bytes )
13/02/27 13:04:17 ii : phase1 sa established
13/02/27 13:04:17 ii : 209.66.114.182:500 <-> 172.20.10.3:500
13/02/27 13:04:17 ii : b39458fbfd5bf598:522010f96b92f8d1
13/02/27 13:04:17 ii : sending peer INITIAL-CONTACT notification
13/02/27 13:04:17 ii : - 172.20.10.3:500 -> 209.66.114.182:500
13/02/27 13:04:17 ii : - isakmp spi = b39458fbfd5bf598:522010f96b92f8d1
13/02/27 13:04:17 ii : - data size 0
13/02/27 13:04:17 >> : hash payload
13/02/27 13:04:17 >> : notification payload
13/02/27 13:04:17 == : new informational hash ( 16 bytes )
13/02/27 13:04:17 == : new informational iv ( 16 bytes )
13/02/27 13:04:17 >= : cookies b39458fbfd5bf598:522010f96b92f8d1
13/02/27 13:04:17 >= : message 834c9ce9
13/02/27 13:04:17 >= : encrypt iv ( 16 bytes )
13/02/27 13:04:17 == : encrypt packet ( 76 bytes )
13/02/27 13:04:17 == : stored iv ( 16 bytes )
13/02/27 13:04:17 -> : send IKE packet 172.20.10.3:500 -> 209.66.114.182:500 ( 104 bytes )
13/02/27 13:04:17 DB : phase2 not found
13/02/27 13:04:17 <- : recv IKE packet 209.66.114.182:500 -> 172.20.10.3:500 ( 76 bytes )
13/02/27 13:04:17 DB : phase1 found
13/02/27 13:04:17 ii : processing config packet ( 76 bytes )
13/02/27 13:04:17 DB : config not found
13/02/27 13:04:17 DB : config added ( obj count = 1 )
13/02/27 13:04:17 == : new config iv ( 16 bytes )
13/02/27 13:04:17 =< : cookies b39458fbfd5bf598:522010f96b92f8d1
13/02/27 13:04:17 =< : message 082a6c7b
13/02/27 13:04:17 =< : decrypt iv ( 16 bytes )
13/02/27 13:04:17 == : decrypt packet ( 76 bytes )
13/02/27 13:04:17 <= : trimmed packet padding ( 8 bytes )
13/02/27 13:04:17 <= : stored iv ( 16 bytes )
13/02/27 13:04:17 << : hash payload
13/02/27 13:04:17 << : attribute payload
13/02/27 13:04:17 == : configure hash_i ( computed ) ( 16 bytes )
13/02/27 13:04:17 == : configure hash_c ( computed ) ( 16 bytes )
13/02/27 13:04:17 ii : configure hash verified
13/02/27 13:04:17 ii : - xauth authentication type
13/02/27 13:04:17 ii : - xauth username
13/02/27 13:04:17 ii : - xauth password
13/02/27 13:04:17 ii : received basic xauth request -
13/02/27 13:04:17 ii : - standard xauth username
13/02/27 13:04:17 ii : - standard xauth password
13/02/27 13:04:17 ii : sending xauth response for v.kapur
13/02/27 13:04:17 >> : hash payload
13/02/27 13:04:17 >> : attribute payload
13/02/27 13:04:17 == : new configure hash ( 16 bytes )
13/02/27 13:04:17 >= : cookies b39458fbfd5bf598:522010f96b92f8d1
13/02/27 13:04:17 >= : message 082a6c7b
13/02/27 13:04:17 >= : encrypt iv ( 16 bytes )
13/02/27 13:04:17 == : encrypt packet ( 84 bytes )
13/02/27 13:04:17 == : stored iv ( 16 bytes )
13/02/27 13:04:17 -> : send IKE packet 172.20.10.3:500 -> 209.66.114.182:500 ( 120 bytes )
13/02/27 13:04:17 DB : config resend event scheduled ( ref count = 2 )
13/02/27 13:04:22 -> : resend 1 config packet(s) 172.20.10.3:500 -> 209.66.114.182:500
13/02/27 13:04:27 -> : resend 1 config packet(s) 172.20.10.3:500 -> 209.66.114.182:500
13/02/27 13:04:29 <- : recv IKE packet 209.66.114.182:500 -> 172.20.10.3:500 ( 76 bytes )
13/02/27 13:04:29 DB : phase1 found
13/02/27 13:04:29 ii : processing config packet ( 76 bytes )
13/02/27 13:04:29 DB : config found
13/02/27 13:04:29 == : new config iv ( 16 bytes )
13/02/27 13:04:29 =< : cookies b39458fbfd5bf598:522010f96b92f8d1
13/02/27 13:04:29 =< : message df3f7caa
13/02/27 13:04:29 =< : decrypt iv ( 16 bytes )
13/02/27 13:04:29 == : decrypt packet ( 76 bytes )
13/02/27 13:04:29 <= : trimmed packet padding ( 16 bytes )
13/02/27 13:04:29 <= : stored iv ( 16 bytes )
13/02/27 13:04:29 << : hash payload
13/02/27 13:04:29 << : attribute payload
13/02/27 13:04:29 == : configure hash_i ( computed ) ( 16 bytes )
13/02/27 13:04:29 == : configure hash_c ( computed ) ( 16 bytes )
13/02/27 13:04:29 ii : configure hash verified
13/02/27 13:04:29 ii : received xauth result -
13/02/27 13:04:29 !! : user v.kapur authentication failed
13/02/27 13:04:29 DB : phase1 soft event canceled ( ref count = 3 )
13/02/27 13:04:29 DB : phase1 hard event canceled ( ref count = 2 )
13/02/27 13:04:29 DB : phase1 dead event canceled ( ref count = 1 )
13/02/27 13:04:29 ii : sending peer DELETE message
13/02/27 13:04:29 ii : - 172.20.10.3:500 -> 209.66.114.182:500
13/02/27 13:04:29 ii : - isakmp spi = b39458fbfd5bf598:522010f96b92f8d1
13/02/27 13:04:29 ii : - data size 0
13/02/27 13:04:29 >> : hash payload
13/02/27 13:04:29 >> : delete payload
13/02/27 13:04:29 == : new informational hash ( 16 bytes )
13/02/27 13:04:29 == : new informational iv ( 16 bytes )
13/02/27 13:04:29 >= : cookies b39458fbfd5bf598:522010f96b92f8d1
13/02/27 13:04:29 >= : message 6ccea8cf
13/02/27 13:04:29 >= : encrypt iv ( 16 bytes )
13/02/27 13:04:29 == : encrypt packet ( 76 bytes )
13/02/27 13:04:29 == : stored iv ( 16 bytes )
13/02/27 13:04:29 -> : send IKE packet 172.20.10.3:500 -> 209.66.114.182:500 ( 104 bytes )
13/02/27 13:04:29 DB : config resend event canceled ( ref count = 1 )
13/02/27 13:04:29 DB : config deleted ( obj count = 0 )
13/02/27 13:04:29 ii : phase1 removal before expire time
13/02/27 13:04:29 DB : phase1 deleted ( obj count = 0 )
13/02/27 13:04:29 <- : recv IKE packet 209.66.114.182:500 -> 172.20.10.3:500 ( 92 bytes )
13/02/27 13:04:29 DB : phase1 not found
13/02/27 13:04:29 ww : ike packet from 209.66.114.182 ignored, unknown phase1 sa for peer
13/02/27 13:04:29 ww : b39458fbfd5bf598:522010f96b92f8d1
13/02/27 13:04:29 DB : policy not found
13/02/27 13:04:29 DB : policy not found
13/02/27 13:04:29 DB : policy not found
13/02/27 13:04:29 DB : policy not found
13/02/27 13:04:29 DB : policy not found
13/02/27 13:04:29 DB : policy not found
13/02/27 13:04:29 DB : tunnel dpd event canceled ( ref count = 2 )
13/02/27 13:04:29 DB : tunnel stats event canceled ( ref count = 1 )
13/02/27 13:04:29 DB : removing tunnel config references
13/02/27 13:04:29 DB : removing tunnel phase2 references
13/02/27 13:04:29 DB : removing tunnel phase1 references
13/02/27 13:04:29 DB : tunnel deleted ( obj count = 0 )
13/02/27 13:04:29 DB : removing all peer tunnel refrences
13/02/27 13:04:29 DB : peer deleted ( obj count = 0 )
13/02/27 13:04:29 ii : ipc client process thread exit ...
_______________________________________________ vpn-help mailing list [email protected] https://lists.shrew.net/mailman/listinfo/vpn-help
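The two logs in the post above tell the story between them: the Shrew Soft client reaches "phase1 sa established", answers the XAuth request, has to resend it twice, and only gets the failure 12 seconds later; meanwhile the gateway logs "Trying primary server 10.50.100.12" and, 9 seconds on, that the primary and both backups "failed", after which it reports the XAuth login as failed. That timing pattern is what an unreachable or non-answering RADIUS server looks like (timeouts, then failover), as opposed to a prompt Access-Reject for a bad password. The script below is an added example written for this page, not code from Shrew Soft, Juniper or the poster; it parses a ScreenOS event log and a Shrew Soft iked.log, correlates the two, and says whether the failure was in IKE phase 1, an authentication server that never answered, or a rejected credential. The sample log lines are shortened copies of the ones posted above; the field names, thresholds and verdict codes are this example's own.

```python
"""Correlate a ScreenOS event log with a Shrew Soft iked.log to locate an
XAuth login failure (added example; not Shrew Soft or Juniper code)."""
import re
from datetime import datetime

# ScreenOS event log line: "YYYY-MM-DD HH:MM:SS level message"
SCREENOS_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\w+) (.*)$")
# Shrew Soft iked.log line: "YY/MM/DD HH:MM:SS tag : message" (tag is two chars: ii, DB, !!, -> ...)
IKED_RE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d) (\S\S) : (.*)$")

# Constructed sample input: shortened copies of the log lines posted in the thread.
GATEWAY_LOG = """\
2013-02-27 13:04:26 info IKE 198.228.192.58: XAuth login failed for gateway GW-DIALUP-VPN, username v.kapur, retry: 0, timeout: 0.
2013-02-27 13:04:26 warn Primary 10.50.100.12, backup1 , and backup2 servers failed.
2013-02-27 13:04:17 warn Trying primary server 10.50.100.12.
2013-02-27 13:04:14 info IKE 198.228.192.58 Phase 1: Completed Aggressive mode negotiations with a 28800-second lifetime.
"""
CLIENT_LOG = """\
13/02/27 13:04:17 ii : phase1 sa established
13/02/27 13:04:17 ii : received basic xauth request -
13/02/27 13:04:17 ii : sending xauth response for v.kapur
13/02/27 13:04:22 -> : resend 1 config packet(s) 172.20.10.3:500 -> 209.66.114.182:500
13/02/27 13:04:27 -> : resend 1 config packet(s) 172.20.10.3:500 -> 209.66.114.182:500
13/02/27 13:04:29 ii : received xauth result -
13/02/27 13:04:29 !! : user v.kapur authentication failed
"""


def _parse(text, pattern, fmt):
    """Return [(datetime, tag_or_level, message)] oldest first; ScreenOS prints newest first."""
    events = []
    for line in text.splitlines():
        m = pattern.match(line.strip())
        if m:
            events.append((datetime.strptime(m.group(1), fmt), m.group(2), m.group(3)))
    return sorted(events, key=lambda e: e[0])  # stable sort keeps same-second order


def parse_screenos(text):
    return _parse(text, SCREENOS_RE, "%Y-%m-%d %H:%M:%S")


def parse_iked(text):
    return _parse(text, IKED_RE, "%y/%m/%d %H:%M:%S")


def triage(gateway_text, client_text):
    """Walk both logs and collect the facts a defender needs: which stage failed and how long it took."""
    t = {"phase1_ok": False, "xauth_failed": False, "radius_unreachable": False,
         "radius_primary": None, "radius_timeout_s": None,
         "xauth_resends": 0, "xauth_wait_s": None, "user": None}
    trying_at = None
    for ts, _level, msg in parse_screenos(gateway_text):
        if "Phase 1: Completed" in msg:
            t["phase1_ok"] = True
        m = re.search(r"Trying primary server (\S+?)\.?$", msg)
        if m:
            trying_at, t["radius_primary"] = ts, m.group(1)
        if "servers failed" in msg:  # primary and all backups timed out
            t["radius_unreachable"] = True
            if trying_at is not None:
                t["radius_timeout_s"] = (ts - trying_at).total_seconds()
        m = re.search(r"XAuth login failed .* username (\S+?),", msg)
        if m:
            t["xauth_failed"], t["user"] = True, m.group(1)
    sent_at = None
    for ts, _tag, msg in parse_iked(client_text):
        if msg == "phase1 sa established":
            t["phase1_ok"] = True
        elif msg.startswith("sending xauth response for"):
            sent_at = ts
        elif msg.startswith("resend") and "config packet" in msg:
            t["xauth_resends"] += 1  # client re-sent its XAuth reply; gateway was still waiting on RADIUS
        elif msg.startswith("received xauth result") and sent_at is not None:
            t["xauth_wait_s"] = (ts - sent_at).total_seconds()
        elif msg.endswith("authentication failed"):
            t["xauth_failed"] = True
    return t


EXPLANATION = {  # verdict codes are this example's own
    "phase1": "IKE phase 1 never completed: check proposals, pre-shared key and peer IDs",
    "auth-server-unreachable": "gateway got no answer from RADIUS: check reachability, UDP port and shared secret",
    "credentials-rejected": "RADIUS answered and rejected the user: check the account and the server's user policy",
    "ok": "no failure found in the supplied logs",
}


def verdict(t):
    if not t["phase1_ok"]:
        return "phase1"
    if t["radius_unreachable"]:
        return "auth-server-unreachable"
    if t["xauth_failed"]:
        return "credentials-rejected"
    return "ok"


if __name__ == "__main__":
    result = triage(GATEWAY_LOG, CLIENT_LOG)
    code = verdict(result)
    print(result)
    print(code, "-", EXPLANATION[code])
```

On the sample above the verdict is "auth-server-unreachable": the gateway side shows a 9-second wait before all three servers were declared failed, and the client side shows two resends and a 12-second gap between sending the XAuth reply and receiving the result. A rejected password would instead produce the client's "authentication failed" within a second or so and no "servers failed" entry on the gateway.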
