Hi John,

What do you use in Policy Tab for generation level?

Cheers

On Sat, Mar 18, 2017 at 3:05 PM, John Ellin <[email protected]> wrote:
> Hi,
>
> I am attempting to connect an OpenSUSE 42.1 client to my SRX5308.
>
> Followed the instructions here: https://www.shrew.net/support/Howto_Netgear with the following exceptions:
> NAS:
> Mode config:
> IP Pool Address range: 192.168.128.1 - 192.168.128.16
> Local IP Address: 192.168.0.0/255.255.252.0
>
> IKE Policy:
> XAuth Authentication Type: Radius - PAP
>
> Shrew:
> Policy:
> include 192.168.0.0/255.255.252.0
>
> When I attempt to connect, the VPN client states that the tunnel established, however, the NAS states that the IPSec SA is NOT established.
>
> Assuming:
> remote.client.com = FQDN of remote client
> USER = user id of XAuth authenticating user
> XXX.XXX.XXX.XXX = external address of remote client
> YYY.YYY.YYY.YYY = external IP address of SRX5308
>
> The logs from the NAS are as follows (first entry at bottom):
>
> Fri Mar 17 14:41:38 2017 (GMT -0400): [SRX5308] [IKE] INFO: 192.168.128.1 IP address has been released by remote peer.
> Fri Mar 17 14:41:37 2017 (GMT -0400): [SRX5308] [IKE] INFO: ISAKMP-SA deleted for YYY.YYY.YYY.YYY[4500]-XXX.XXX.XXX.XXX[34224] with spi:8ae7e3cde8560bbb:bb87af718d22be29
> Fri Mar 17 14:41:36 2017 (GMT -0400): [SRX5308] [IKE] INFO: XAuthUser USER Logged Out from IP Address XXX.XXX.XXX.XXX
> Fri Mar 17 14:41:36 2017 (GMT -0400): [SRX5308] [IKE] INFO: Purged ISAKMP-SA with proto_id=ISAKMP and spi=8ae7e3cde8560bbb:bb87af718d22be29.
>
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] ERROR: Ignored attribute 28680
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] ERROR: Ignored attribute 28677
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] ERROR: Cannot open "/etc/motd"
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] ERROR: Ignored attribute 28674
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] WARNING: Ignored attribute 5
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: 192.168.128.1 IP address is assigned to remote peer XXX.XXX.XXX.XXX[34224]
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Received attribute type "ISAKMP_CFG_REQUEST" from XXX.XXX.XXX.XXX[34224]
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: XAuthUser USER Logged In from IP Address XXX.XXX.XXX.XXX
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Login succeeded for user "USER"
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Contacting RADIUS for authenticating user "USER" using PAP
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Received attribute type "ISAKMP_CFG_REPLY" from XXX.XXX.XXX.XXX[34224]
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: ISAKMP-SA established for YYY.YYY.YYY.YYY[4500]-XXX.XXX.XXX.XXX[34224] with spi:8ae7e3cde8560bbb:bb87af718d22be29
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Sending Xauth request to XXX.XXX.XXX.XXX[34224]
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: NAT detected: Local is behind a NAT device. and alsoPeer is behind a NAT device
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: NAT-D payload does not match for XXX.XXX.XXX.XXX[34224]
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: NAT-D payload does not match for YYY.YYY.YYY.YYY[4500]
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: For XXX.XXX.XXX.XXX[63293], Selected NAT-T version: RFC 3947
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Floating ports for NAT-T with peer XXX.XXX.XXX.XXX[34224]
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Received unknown Vendor ID
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Received unknown Vendor ID
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Received unknown Vendor ID
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Received Vendor ID: DPD
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Received Vendor ID: DPD
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Received unknown Vendor ID
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Received Vendor ID: RFC 3947
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Received unknown Vendor ID
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Received unknown Vendor ID
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Received unknown Vendor ID
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Beginning Aggressive mode.
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Received request for new phase 1 negotiation: YYY.YYY.YYY.YYY[500]<=>XXX.XXX.XXX.XXX[63293]
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Remote configuration for identifier "remote.client.com" found
>
> Additionally, the routing table on the client contains an entry for the external IP address of the NAS (which I was not expecting) but contains no entry for 192.168.0.0/22.
>
> Any help would be greatly appreciated.
>
> --
>
> /jona.
>
>
> _______________________________________________
> vpn-help mailing list
> [email protected]
> https://lists.shrew.net/mailman/listinfo/vpn-help
>
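One way to read the quoted gateway log in chronological order and see which negotiation stage it stops at, as an added example that is not part of the original thread. The function names are hypothetical, the sample lines are abridged from the log quoted above, and the `IPsec-SA established` marker for phase 2 is an assumption about the gateway's wording, since no such entry appears in the thread.

```python
import re
from datetime import datetime

# Constructed sample: entries abridged from the quoted log, newest first as posted.
SAMPLE_LOG = """\
Fri Mar 17 14:41:37 2017 (GMT -0400): [SRX5308] [IKE] INFO: ISAKMP-SA deleted for YYY.YYY.YYY.YYY[4500]-XXX.XXX.XXX.XXX[34224] with spi:8ae7e3cde8560bbb:bb87af718d22be29
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: 192.168.128.1 IP address is assigned to remote peer XXX.XXX.XXX.XXX[34224]
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Login succeeded for user "USER"
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: ISAKMP-SA established for YYY.YYY.YYY.YYY[4500]-XXX.XXX.XXX.XXX[34224] with spi:8ae7e3cde8560bbb:bb87af718d22be29
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Beginning Aggressive mode.
"""

LINE_RE = re.compile(r"^(\w{3} \w{3} +\d+ [\d:]{8} \d{4}) \(GMT ([+-]\d{4})\): "
                     r"\[\S+\] \[IKE\] (\w+): (.*)$")

# Message fragments marking each stage. The first three occur in the quoted log;
# the phase 2 wording is an assumption, since the thread contains no such entry.
STAGES = [("phase1", "ISAKMP-SA established"),
          ("xauth", "Login succeeded for user"),
          ("mode_config", "IP address is assigned to remote peer"),
          ("phase2", "IPsec-SA established")]

def parse(log):
    """Return (time, level, message) tuples, oldest first."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            when = datetime.strptime(" ".join(m.group(1, 2)), "%a %b %d %H:%M:%S %Y %z")
            events.append((when, m.group(3), m.group(4)))
    events.reverse()                 # the gateway lists the newest entry first
    events.sort(key=lambda e: e[0])  # stable sort keeps same-second order
    return events

def first_missing_stage(events):
    """Name of the first stage with no matching log entry, or None."""
    for name, marker in STAGES:
        if not any(marker in msg for _, _, msg in events):
            return name
    return None

def phase1_lifetime(events):
    """Seconds between ISAKMP-SA establishment and deletion, or None."""
    up = [t for t, _, msg in events if "ISAKMP-SA established" in msg]
    down = [t for t, _, msg in events if "ISAKMP-SA deleted" in msg]
    return int((down[-1] - up[0]).total_seconds()) if up and down else None

if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print(first_missing_stage(ev), phase1_lifetime(ev))
```

On the sample, phase 1, XAuth and mode config are all recorded and the first stage without an entry is phase 2, which matches the gateway reporting that the IPsec SA is not established.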
