Hello,
To add to this issue... I downgraded the Shrew client to 2.1.7, upgraded Juniper to 6.3.0r14.0, and phase 2 passes just fine. I get the original error about phase 2 failing but then it comes up just fine. If I go back and install the later version of Shrew then it's back to the same issue as before and the tunnel never comes up. So from what I can tell this is an issue with Shrew 2.2.x versions passing phase 2 traffic. I have no problem using version 2.1.7 but this will be a problem for users who are running Windows 8.

Are you able to advise on any kind of solution for this?

Thanks!
Drew

From: [email protected] [mailto:[email protected]] On Behalf Of Alexis La Goutte
Sent: Tuesday, July 16, 2013 8:07 AM
To: Drew Majewski
Cc: [email protected]
Subject: Re: [vpn-help] Phase 2 failing with Juniper SSG140

On Mon, Jul 15, 2013 at 10:03 PM, Drew Majewski <[email protected]> wrote:

Hello,

I've been working with Juniper support to try and get VPN connectivity set up with Shrew but we're having issues getting phase 2 to pass. Juniper has repeated all the steps in their labs too and gets the same results as below, and their only solution is to contact you guys or use another VPN client.

Juniper support has stated:

"I suspect that Shrew soft client 2.2.2, running on windows xp (which is what I tried) is not compatible with the Juniper firewall. The shrew soft client seems to be sending a notification message (DOI 1 24578 INITIAL-CONTACT), which is halting or stopping the Juniper firewall to proceed with phase-2 negotiations (refer frame4 in the packet capture shrewsoftsnoop1.pcap)

2013-07-12 11:47:34 info IKE 96.242.112.67: Received initial contact notification and removed Phase 1 SAs.
2013-07-12 11:47:34 info IKE 96.242.112.67: Received initial contact notification and removed Phase 2 SAs.
2013-07-12 11:47:34 info IKE 96.242.112.67: Received a notification message for DOI 1 24578 INITIAL-CONTACT.
>> HERE
2013-07-12 11:47:34 info IKE 96.242.112.67 Phase 1: Completed Aggressive mode negotiations with a 28800-second lifetime."

The other errors that are being logged with this are:

"Rejected an IKE packet on ethernet0/2 from 96.242.112.67:14499 to 96.242.112.68:4500 with cookies 5cd1700e400706fd and 0ba9de74df44fcb6 because A Phase 2 packet arrived while XAuth was still pending.
IKE 96.242.112.67 Phase 2 msg ID fd04e4ca: Negotiations have failed."

I'm not sure where to go with this or if it is anything that other users have experienced.

Thank you for any help you're able to give.

Hi Drew,

Is it possible to attach debug info with pcap? ( https://www.shrew.net/support/VPN_Bug_Report_Windows )

There is a known issue with Juniper and XAuth, but it is with SRX: https://lists.shrew.net/pipermail/vpn-help/2012-December/014091.html

Regards,
Drew Majewski

_______________________________________________
vpn-help mailing list
[email protected]
https://lists.shrew.net/mailman/listinfo/vpn-help
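Added example, not part of the thread and not Shrew or Juniper code: a small Python triage script that groups the ScreenOS IKE messages quoted above by peer and reports peers where the "XAuth was still pending" rejection is followed by a Phase 2 failure. The sample log lines are constructed (documentation addresses, invented timestamps on the rejection lines) and the function names are hypothetical; only the message wording comes from the thread.

```python
import re
from collections import defaultdict

# Message fragments copied from the ScreenOS log lines quoted in the thread.
PATTERNS = {
    "initial_contact": re.compile(
        r"IKE (?P<peer>[\d.]+):? Received a notification message "
        r"for DOI 1 24578 INITIAL-CONTACT"),
    "phase1_done": re.compile(
        r"IKE (?P<peer>[\d.]+) Phase 1: Completed \w+ mode negotiations"),
    "xauth_pending": re.compile(
        r"Rejected an IKE packet on \S+ from (?P<peer>[\d.]+):\d+ to \S+ "
        r".*Phase 2 packet arrived while XAuth was still pending"),
    "phase2_failed": re.compile(
        r"IKE (?P<peer>[\d.]+) Phase 2 msg ID [0-9a-f]+: "
        r"Negotiations have failed"),
}

# Constructed sample: peer .10 shows the failing sequence, peer .20 does not.
SAMPLE_LOG = [
    "2013-07-12 11:47:34 info IKE 192.0.2.10: Received initial contact notification and removed Phase 1 SAs.",
    "2013-07-12 11:47:34 info IKE 192.0.2.10: Received a notification message for DOI 1 24578 INITIAL-CONTACT.",
    "2013-07-12 11:47:34 info IKE 192.0.2.10 Phase 1: Completed Aggressive mode negotiations with a 28800-second lifetime.",
    "2013-07-12 11:47:35 info Rejected an IKE packet on ethernet0/2 from 192.0.2.10:14499 to 198.51.100.1:4500 with cookies 0000000000000001 and 0000000000000002 because A Phase 2 packet arrived while XAuth was still pending.",
    "2013-07-12 11:47:35 info IKE 192.0.2.10 Phase 2 msg ID 0000abcd: Negotiations have failed.",
    "2013-07-12 11:50:02 info IKE 192.0.2.20: Received a notification message for DOI 1 24578 INITIAL-CONTACT.",
    "2013-07-12 11:50:02 info IKE 192.0.2.20 Phase 1: Completed Aggressive mode negotiations with a 28800-second lifetime.",
]

def triage(lines):
    """Return {peer: ordered list of event names} for lines that match."""
    events = defaultdict(list)
    for line in lines:
        for name, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                events[m.group("peer")].append(name)
                break
    return dict(events)

def xauth_race_peers(events):
    """Peers with an XAuth-pending rejection followed by a Phase 2 failure."""
    hits = []
    for peer, seq in events.items():
        if "xauth_pending" in seq and \
                "phase2_failed" in seq[seq.index("xauth_pending"):]:
            hits.append(peer)
    return sorted(hits)

if __name__ == "__main__":
    print(xauth_race_peers(triage(SAMPLE_LOG)))
```

Run against an exported firewall event log, this makes it quick to see which client versions or peers hit the sequence before attaching a debug bundle to a bug report.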
