Shrew Soft client will not successfully connect to Juniper Netscreen SSG140 Dial-Up VPN

I have set up a dial-up VPN gateway in our SSG140 per several guides I found online. The VPN works fine with Netscreen Remote software on Windows XP. But on the Windows 7 Shrew client, I am unable to connect. The client seems to say that everything connects properly; however, the second screenshot shows 0 established security connections. I have also attached a selection from the Netscreen event log where it seems to stop when it rejects a packet... "because A Phase 2 packet arrived while XAuth was still pending." I have tried tweaking the firewall, the Shrew connection options, starting over from scratch, all to no avail. Any ideas on some settings I may be missing or other things to try?

I also verified the Shrew client works on a Vista machine at a different site.

Juniper would not support it any further because the Netscreen Remote software connected just fine.
2010-04-07 11:26:05	info	IKE 99.xx.xxx.xxx: XAuth login was passed for gateway GWIVPN_Gateway, username gwiuser, retry: 0, Client IP Addr 10.2.2.3, IPPool name: GWI_VPN_Client, Session-Timeout: 0s, Idle-Timeout: 0s.
2010-04-07 11:26:05	info	IKE 99.xxx.xxx.xxx: XAuth login was refreshed for username gwiuser at 10.2.2.3/255.255.255.255.
2010-04-07 11:26:05	info	Rejected an IKE packet on ethernet0/2 from xxx.xxx.xxx.xxx:4500 to 69.xxx.xxx.xxx:4500 with cookies 8636e1f5900cdd8d and 6a7f5f6f0f56c688 because A Phase 2 packet arrived while XAuth was still pending.
2010-04-07 11:26:05	info	IKE 99.xxx.xxx.xxx Phase 1: Completed Aggressive mode negotiations with a 28800-second lifetime.
2010-04-07 11:26:05	info	IKE 99.xxx.xxx.xxx Phase 1: Completed for user GWIVPN.
2010-04-07 11:26:05	info	IKE<99.xxx.xxx.xxx> Phase 1: IKE responder has detected NAT in front of the remote device.
2010-04-07 11:26:05	info	IKE<99.xxx.xxx.xxx> Phase 1: IKE responder has detected NAT in front of the local device.
2010-04-07 11:26:05	info	IKE 99.xxx.xxx.xxx Phase 1: Responder starts AGGRESSIVE mode negotiations.

Attachments: untitled.JPG, untitled2.JPG
wega1985 Asked:
Qlemo (Batchelor, Developer and EE Topic Advisor) Commented:
Did you recreate the dial-in VPN according to the ShrewSoft Wiki?

I recommend using the Shrew Trace Tool to record a trace of what is going on. The log shown above seems to say that Shrew is not waiting for completion of XAuth, which could be an issue with different XAuth settings (like "ike pull" and "ike push").
0
wega1985 (Author) Commented:
Yeah, the ShrewSoft Wiki was one of the original guides I used to initially configure the VPN.

Attached is the trace log.  

10/04/14 13:39:16 ## : IKE Daemon, ver 2.1.5
10/04/14 13:39:16 ## : Copyright 2009 Shrew Soft Inc.
10/04/14 13:39:16 ## : This product linked OpenSSL 0.9.8h 28 May 2008
10/04/14 13:42:53 ii : opened 'C:\Program Files\ShrewSoft\VPN Client\debug\iked.log'
10/04/14 13:42:53 ii : opened 'C:\Program Files\ShrewSoft\VPN Client/debug/dump-ike-decrypt.cap'
10/04/14 13:42:53 ii : rebuilding vnet device list ...
10/04/14 13:42:53 ii : device ROOT\VNET\0000 disabled
10/04/14 13:42:53 ii : network process thread begin ...
10/04/14 13:42:53 ii : pfkey process thread begin ...
10/04/14 13:42:53 ii : ipc server process thread begin ...
10/04/14 13:43:04 ii : ipc client process thread begin ...
10/04/14 13:43:04 <A : peer config add message
10/04/14 13:43:04 DB : peer added ( obj count = 1 )
10/04/14 13:43:04 ii : local address 192.168.1.68 selected for peer
10/04/14 13:43:05 DB : tunnel added ( obj count = 1 )
10/04/14 13:43:05 <A : proposal config message
10/04/14 13:43:05 <A : proposal config message
10/04/14 13:43:05 <A : client config message
10/04/14 13:43:05 <A : xauth username message
10/04/14 13:43:05 <A : xauth password message
10/04/14 13:43:05 <A : local id 'GWIVPN' message
10/04/14 13:43:05 <A : preshared key message
10/04/14 13:43:05 <A : remote resource message
10/04/14 13:43:05 <A : peer tunnel enable message
10/04/14 13:43:05 DB : new phase1 ( ISAKMP initiator )
10/04/14 13:43:05 DB : exchange type is aggressive
10/04/14 13:43:05 DB : 192.168.1.68:500 <-> 69.xxx.xxx.xxx:500
10/04/14 13:43:05 DB : 08f3e9b542728675:0000000000000000
10/04/14 13:43:05 DB : phase1 added ( obj count = 1 )
10/04/14 13:43:05 >> : security association payload
10/04/14 13:43:05 >> : - proposal #1 payload 
10/04/14 13:43:05 >> : -- transform #1 payload 
10/04/14 13:43:05 >> : key exchange payload
10/04/14 13:43:05 >> : nonce payload
10/04/14 13:43:05 >> : identification payload
10/04/14 13:43:05 >> : vendor id payload
10/04/14 13:43:05 ii : local supports XAUTH
10/04/14 13:43:05 >> : vendor id payload
10/04/14 13:43:05 ii : local supports nat-t ( draft v00 )
10/04/14 13:43:05 >> : vendor id payload
10/04/14 13:43:05 ii : local supports nat-t ( draft v01 )
10/04/14 13:43:05 >> : vendor id payload
10/04/14 13:43:05 ii : local supports nat-t ( draft v02 )
10/04/14 13:43:05 >> : vendor id payload
10/04/14 13:43:05 ii : local supports nat-t ( draft v03 )
10/04/14 13:43:05 >> : vendor id payload
10/04/14 13:43:05 ii : local supports nat-t ( rfc )
10/04/14 13:43:05 >> : vendor id payload
10/04/14 13:43:05 ii : local supports FRAGMENTATION
10/04/14 13:43:05 >> : vendor id payload
10/04/14 13:43:05 ii : local supports DPDv1
10/04/14 13:43:05 >> : vendor id payload
10/04/14 13:43:05 ii : local is SHREW SOFT compatible
10/04/14 13:43:05 >> : vendor id payload
10/04/14 13:43:05 ii : local is NETSCREEN compatible
10/04/14 13:43:05 >> : vendor id payload
10/04/14 13:43:05 ii : local is SIDEWINDER compatible
10/04/14 13:43:05 >> : vendor id payload
10/04/14 13:43:05 ii : local is CISCO UNITY compatible
10/04/14 13:43:05 >= : cookies 08f3e9b542728675:0000000000000000
10/04/14 13:43:05 >= : message 00000000
10/04/14 13:43:05 -> : send IKE packet 192.168.1.68:500 -> 69.xxx.xxx.xxx:500 ( 522 bytes )
10/04/14 13:43:05 DB : phase1 resend event scheduled ( ref count = 2 )
10/04/14 13:43:05 <- : recv IKE packet 69.xxx.xxx.xxx:500 -> 192.168.1.68:500 ( 420 bytes )
10/04/14 13:43:05 DB : phase1 found
10/04/14 13:43:05 ii : processing phase1 packet ( 420 bytes )
10/04/14 13:43:05 =< : cookies 08f3e9b542728675:d1d23502e4e03a4e
10/04/14 13:43:05 =< : message 00000000
10/04/14 13:43:05 << : security association payload
10/04/14 13:43:05 << : - propsal #1 payload 
10/04/14 13:43:05 << : -- transform #1 payload 
10/04/14 13:43:05 ii : matched isakmp proposal #1 transform #1
10/04/14 13:43:05 ii : - transform    = ike
10/04/14 13:43:05 ii : - cipher type  = 3des
10/04/14 13:43:05 ii : - key length   = default
10/04/14 13:43:05 ii : - hash type    = md5
10/04/14 13:43:05 ii : - dh group     = modp-1024
10/04/14 13:43:05 ii : - auth type    = xauth-initiator-psk
10/04/14 13:43:05 ii : - life seconds = 86400
10/04/14 13:43:05 ii : - life kbytes  = 0
10/04/14 13:43:05 << : vendor id payload
10/04/14 13:43:05 ii : unknown vendor id ( 28 bytes )
10/04/14 13:43:05 0x : 5acb91f7 39425cb2 c5c090da 57e9ff4a 6d2ad135 00000016 0000060a
10/04/14 13:43:05 << : vendor id payload
10/04/14 13:43:05 ii : peer supports XAUTH
10/04/14 13:43:05 << : vendor id payload
10/04/14 13:43:05 ii : peer supports DPDv1
10/04/14 13:43:05 << : vendor id payload
10/04/14 13:43:05 ii : peer supports HEARTBEAT-NOTIFY
10/04/14 13:43:05 << : key exchange payload
10/04/14 13:43:05 << : nonce payload
10/04/14 13:43:05 << : identification payload
10/04/14 13:43:05 ii : phase1 id target is any
10/04/14 13:43:05 ii : phase1 id match 
10/04/14 13:43:05 ii : received = ipv4-host 69.xxx.xxx.xxx
10/04/14 13:43:05 << : hash payload
10/04/14 13:43:05 << : vendor id payload
10/04/14 13:43:05 ii : peer supports nat-t ( draft v02 )
10/04/14 13:43:05 << : nat discovery payload
10/04/14 13:43:05 << : nat discovery payload
10/04/14 13:43:05 ii : nat discovery - local address is translated
10/04/14 13:43:05 ii : switching to src nat-t udp port 4500
10/04/14 13:43:05 ii : switching to dst nat-t udp port 4500
10/04/14 13:43:05 == : DH shared secret ( 128 bytes )
10/04/14 13:43:05 == : SETKEYID ( 16 bytes )
10/04/14 13:43:05 == : SETKEYID_d ( 16 bytes )
10/04/14 13:43:05 == : SETKEYID_a ( 16 bytes )
10/04/14 13:43:05 == : SETKEYID_e ( 16 bytes )
10/04/14 13:43:05 == : cipher key ( 32 bytes )
10/04/14 13:43:05 == : cipher iv ( 8 bytes )
10/04/14 13:43:05 == : phase1 hash_i ( computed ) ( 16 bytes )
10/04/14 13:43:05 >> : hash payload
10/04/14 13:43:05 >> : nat discovery payload
10/04/14 13:43:05 >> : nat discovery payload
10/04/14 13:43:05 >= : cookies 08f3e9b542728675:d1d23502e4e03a4e
10/04/14 13:43:05 >= : message 00000000
10/04/14 13:43:05 >= : encrypt iv ( 8 bytes )
10/04/14 13:43:05 == : encrypt packet ( 88 bytes )
10/04/14 13:43:05 == : stored iv ( 8 bytes )
10/04/14 13:43:05 DB : phase1 resend event canceled ( ref count = 1 )
10/04/14 13:43:05 -> : send NAT-T:IKE packet 192.168.1.68:4500 -> 69.xxx.xxx.xxx:4500 ( 124 bytes )
10/04/14 13:43:05 == : phase1 hash_r ( computed ) ( 16 bytes )
10/04/14 13:43:05 == : phase1 hash_r ( received ) ( 16 bytes )
10/04/14 13:43:05 ii : phase1 sa established
10/04/14 13:43:05 ii : 69.xxx.xxx.xxx:4500 <-> 192.168.1.68:4500
10/04/14 13:43:05 ii : 8f3e9b542728675:d1d23502e4e03a4e
10/04/14 13:43:05 ii : sending peer INITIAL-CONTACT notification
10/04/14 13:43:05 ii : - 192.168.1.68:4500 -> 69.xxx.xxx.xxx:4500
10/04/14 13:43:05 ii : - isakmp spi = 08f3e9b542728675:d1d23502e4e03a4e
10/04/14 13:43:05 ii : - data size 0
10/04/14 13:43:05 >> : hash payload
10/04/14 13:43:05 >> : notification payload
10/04/14 13:43:05 == : new informational hash ( 16 bytes )
10/04/14 13:43:05 == : new informational iv ( 8 bytes )
10/04/14 13:43:05 >= : cookies 08f3e9b542728675:d1d23502e4e03a4e
10/04/14 13:43:05 >= : message 284e6048
10/04/14 13:43:05 >= : encrypt iv ( 8 bytes )
10/04/14 13:43:05 == : encrypt packet ( 76 bytes )
10/04/14 13:43:05 == : stored iv ( 8 bytes )
10/04/14 13:43:05 -> : send NAT-T:IKE packet 192.168.1.68:4500 -> 69.xxx.xxx.xxx:4500 ( 108 bytes )
10/04/14 13:43:05 DB : phase2 not found
10/04/14 13:43:05 <- : recv NAT-T:IKE packet 69.xxx.xxx.xxx:4500 -> 192.168.1.68:4500 ( 76 bytes )
10/04/14 13:43:05 DB : phase1 found
10/04/14 13:43:05 ii : processing config packet ( 76 bytes )
10/04/14 13:43:05 DB : config not found
10/04/14 13:43:05 DB : config added ( obj count = 1 )
10/04/14 13:43:05 == : new config iv ( 8 bytes )
10/04/14 13:43:05 =< : cookies 08f3e9b542728675:d1d23502e4e03a4e
10/04/14 13:43:05 =< : message 5ac48180
10/04/14 13:43:05 =< : decrypt iv ( 8 bytes )
10/04/14 13:43:05 == : decrypt packet ( 76 bytes )
10/04/14 13:43:05 <= : trimmed packet padding ( 8 bytes )
10/04/14 13:43:05 <= : stored iv ( 8 bytes )
10/04/14 13:43:05 << : hash payload
10/04/14 13:43:05 << : attribute payload
10/04/14 13:43:05 == : configure hash_i ( computed ) ( 16 bytes )
10/04/14 13:43:05 == : configure hash_c ( computed ) ( 16 bytes )
10/04/14 13:43:05 ii : configure hash verified
10/04/14 13:43:05 ii : - xauth authentication type
10/04/14 13:43:05 ii : - xauth username
10/04/14 13:43:05 ii : - xauth password
10/04/14 13:43:05 ii : received basic xauth request - 
10/04/14 13:43:05 ii : - standard xauth username
10/04/14 13:43:05 ii : - standard xauth password
10/04/14 13:43:05 ii : sending xauth response for gwiuser
10/04/14 13:43:05 >> : hash payload
10/04/14 13:43:05 >> : attribute payload
10/04/14 13:43:05 == : new configure hash ( 16 bytes )
10/04/14 13:43:05 >= : cookies 08f3e9b542728675:d1d23502e4e03a4e
10/04/14 13:43:05 >= : message 5ac48180
10/04/14 13:43:05 >= : encrypt iv ( 8 bytes )
10/04/14 13:43:05 == : encrypt packet ( 82 bytes )
10/04/14 13:43:05 == : stored iv ( 8 bytes )
10/04/14 13:43:05 -> : send NAT-T:IKE packet 192.168.1.68:4500 -> 69.xxx.xxx.xxx:4500 ( 116 bytes )
10/04/14 13:43:05 DB : config resend event scheduled ( ref count = 2 )
10/04/14 13:43:05 <- : recv NAT-T:IKE packet 69.xxx.xxx.xxx:4500 -> 192.168.1.68:4500 ( 92 bytes )
10/04/14 13:43:05 DB : phase1 found
10/04/14 13:43:05 ii : processing config packet ( 92 bytes )
10/04/14 13:43:05 DB : config found
10/04/14 13:43:05 == : new config iv ( 8 bytes )
10/04/14 13:43:05 =< : cookies 08f3e9b542728675:d1d23502e4e03a4e
10/04/14 13:43:05 =< : message fb0956c4
10/04/14 13:43:05 =< : decrypt iv ( 8 bytes )
10/04/14 13:43:05 == : decrypt packet ( 92 bytes )
10/04/14 13:43:05 <= : trimmed packet padding ( 4 bytes )
10/04/14 13:43:05 <= : stored iv ( 8 bytes )
10/04/14 13:43:05 << : hash payload
10/04/14 13:43:05 << : attribute payload
10/04/14 13:43:05 == : configure hash_i ( computed ) ( 16 bytes )
10/04/14 13:43:05 == : configure hash_c ( computed ) ( 16 bytes )
10/04/14 13:43:05 ii : configure hash verified
10/04/14 13:43:05 ii : received config push request
10/04/14 13:43:05 ii : - IP4 Address = 10.2.2.3
10/04/14 13:43:05 ii : - IP4 Netmask = 255.255.255.255
10/04/14 13:43:05 ii : - IP4 DNS Server
10/04/14 13:43:05 ii : - IP4 DNS Server
10/04/14 13:43:05 ii : building config attribute list
10/04/14 13:43:05 ii : - IP4 Address
10/04/14 13:43:05 ii : - Address Expiry
10/04/14 13:43:05 ii : - IP4 Netamask
10/04/14 13:43:05 ii : - IP4 WINS Server
10/04/14 13:43:05 ii : sending config push acknowledge
10/04/14 13:43:05 >> : hash payload
10/04/14 13:43:05 >> : attribute payload
10/04/14 13:43:05 == : new configure hash ( 16 bytes )
10/04/14 13:43:05 >= : cookies 08f3e9b542728675:d1d23502e4e03a4e
10/04/14 13:43:05 >= : message fb0956c4
10/04/14 13:43:05 >= : encrypt iv ( 8 bytes )
10/04/14 13:43:05 == : encrypt packet ( 72 bytes )
10/04/14 13:43:05 == : stored iv ( 8 bytes )
10/04/14 13:43:05 DB : config resend event canceled ( ref count = 1 )
10/04/14 13:43:05 -> : send NAT-T:IKE packet 192.168.1.68:4500 -> 69.xxx.xxx.xxx:4500 ( 108 bytes )
10/04/14 13:43:05 DB : config resend event scheduled ( ref count = 2 )
10/04/14 13:43:05 <- : recv NAT-T:IKE packet 69.xxx.xxx.xxx:4500 -> 192.168.1.68:4500 ( 68 bytes )
10/04/14 13:43:05 DB : phase1 found
10/04/14 13:43:05 ii : processing config packet ( 68 bytes )
10/04/14 13:43:05 DB : config found
10/04/14 13:43:05 == : new config iv ( 8 bytes )
10/04/14 13:43:05 =< : cookies 08f3e9b542728675:d1d23502e4e03a4e
10/04/14 13:43:05 =< : message 250c8247
10/04/14 13:43:05 =< : decrypt iv ( 8 bytes )
10/04/14 13:43:05 == : decrypt packet ( 68 bytes )
10/04/14 13:43:05 <= : trimmed packet padding ( 8 bytes )
10/04/14 13:43:05 <= : stored iv ( 8 bytes )
10/04/14 13:43:05 << : hash payload
10/04/14 13:43:05 << : attribute payload
10/04/14 13:43:05 == : configure hash_i ( computed ) ( 16 bytes )
10/04/14 13:43:05 == : configure hash_c ( computed ) ( 16 bytes )
10/04/14 13:43:05 ii : configure hash verified
10/04/14 13:43:05 ii : received xauth result - 
10/04/14 13:43:05 ii : user gwiuser authentication succeeded
10/04/14 13:43:05 ii : sending xauth acknowledge
10/04/14 13:43:05 >> : hash payload
10/04/14 13:43:05 >> : attribute payload
10/04/14 13:43:05 == : new configure hash ( 16 bytes )
10/04/14 13:43:05 >= : cookies 08f3e9b542728675:d1d23502e4e03a4e
10/04/14 13:43:05 >= : message 250c8247
10/04/14 13:43:05 >= : encrypt iv ( 8 bytes )
10/04/14 13:43:05 == : encrypt packet ( 56 bytes )
10/04/14 13:43:05 == : stored iv ( 8 bytes )
10/04/14 13:43:05 DB : config resend event canceled ( ref count = 1 )
10/04/14 13:43:05 -> : send NAT-T:IKE packet 192.168.1.68:4500 -> 69.xxx.xxx.xxx:4500 ( 92 bytes )
10/04/14 13:43:05 DB : config resend event scheduled ( ref count = 2 )
10/04/14 13:43:05 DB : config resend event canceled ( ref count = 1 )
10/04/14 13:43:05 ii : VNET adapter MTU is 1500
10/04/14 13:43:05 ii : enabled adapter ROOT\VNET\0000
10/04/14 13:43:05 ii : creating IPSEC INBOUND policy ANY:10.0.0.0/24:* -> ANY:10.2.2.3:*
10/04/14 13:43:05 DB : policy added ( obj count = 1 )
10/04/14 13:43:05 K> : send pfkey X_SPDADD UNSPEC message
10/04/14 13:43:05 ii : creating IPSEC OUTBOUND policy ANY:10.2.2.3:* -> ANY:10.0.0.0/24:*
10/04/14 13:43:05 K< : recv pfkey X_SPDADD UNSPEC message
10/04/14 13:43:05 DB : policy found
10/04/14 13:43:05 ii : created IPSEC policy route for 10.0.0.0/24
10/04/14 13:43:05 DB : policy added ( obj count = 2 )
10/04/14 13:43:05 K> : send pfkey X_SPDADD UNSPEC message
10/04/14 13:43:05 ii : split DNS bypassed ( no split domains defined )
10/04/14 13:43:05 K< : recv pfkey X_SPDADD UNSPEC message
10/04/14 13:43:05 DB : policy found
10/04/14 13:43:20 DB : phase1 found
10/04/14 13:43:20 ii : sending peer DPDV1-R-U-THERE notification
10/04/14 13:43:20 ii : - 192.168.1.68:4500 -> 69.xxx.xxx.xxx:4500
10/04/14 13:43:20 ii : - isakmp spi = 08f3e9b542728675:d1d23502e4e03a4e
10/04/14 13:43:20 ii : - data size 4
10/04/14 13:43:20 >> : hash payload
10/04/14 13:43:20 >> : notification payload
10/04/14 13:43:20 == : new informational hash ( 16 bytes )
10/04/14 13:43:20 == : new informational iv ( 8 bytes )
10/04/14 13:43:20 >= : cookies 08f3e9b542728675:d1d23502e4e03a4e
10/04/14 13:43:20 >= : message 96e5b2cf
10/04/14 13:43:20 >= : encrypt iv ( 8 bytes )
10/04/14 13:43:20 == : encrypt packet ( 80 bytes )
10/04/14 13:43:20 == : stored iv ( 8 bytes )
10/04/14 13:43:20 -> : send NAT-T:IKE packet 192.168.1.68:4500 -> 69.xxx.xxx.xxx:4500 ( 116 bytes )
10/04/14 13:43:20 ii : DPD ARE-YOU-THERE sequence 3ad35629 requested
10/04/14 13:43:20 DB : phase1 found
10/04/14 13:43:20 -> : send NAT-T:KEEP-ALIVE packet 192.168.1.68:4500 -> 69.xxx.xxx.xxx:4500
10/04/14 13:43:20 <- : recv NAT-T:IKE packet 69.xxx.xxx.xxx:4500 -> 192.168.1.68:4500 ( 84 bytes )
10/04/14 13:43:20 DB : phase1 found
10/04/14 13:43:20 ii : processing informational packet ( 84 bytes )
10/04/14 13:43:20 == : new informational iv ( 8 bytes )
10/04/14 13:43:20 =< : cookies 08f3e9b542728675:d1d23502e4e03a4e
10/04/14 13:43:20 =< : message 96770185
10/04/14 13:43:20 =< : decrypt iv ( 8 bytes )
10/04/14 13:43:20 == : decrypt packet ( 84 bytes )
10/04/14 13:43:20 <= : trimmed packet padding ( 4 bytes )
10/04/14 13:43:20 <= : stored iv ( 8 bytes )
10/04/14 13:43:20 << : hash payload
10/04/14 13:43:20 << : notification payload
10/04/14 13:43:20 == : informational hash_i ( computed ) ( 16 bytes )
10/04/14 13:43:20 == : informational hash_c ( received ) ( 16 bytes )
10/04/14 13:43:20 ii : informational hash verified
10/04/14 13:43:20 ii : received peer DPDV1-R-U-THERE-ACK notification
10/04/14 13:43:20 ii : - 69.xxx.xxx.xxx:4500 -> 192.168.1.68:4500
10/04/14 13:43:20 ii : - isakmp spi = 08f3e9b542728675:d1d23502e4e03a4e
10/04/14 13:43:20 ii : - data size 4
10/04/14 13:43:20 ii : DPD ARE-YOU-THERE-ACK sequence 3ad35629 accepted
10/04/14 13:43:20 ii : next tunnel DPD request in 15 secs for peer 69.xxx.xxx.xxx:4500
10/04/14 13:43:35 DB : phase1 found
10/04/14 13:43:35 -> : send NAT-T:KEEP-ALIVE packet 192.168.1.68:4500 -> 69.xxx.xxx.xxx:4500
10/04/14 13:43:35 DB : phase1 found
10/04/14 13:43:35 ii : sending peer DPDV1-R-U-THERE notification
10/04/14 13:43:35 ii : - 192.168.1.68:4500 -> 69.xxx.xxx.xxx:4500
10/04/14 13:43:35 ii : - isakmp spi = 08f3e9b542728675:d1d23502e4e03a4e
10/04/14 13:43:35 ii : - data size 4
10/04/14 13:43:35 >> : hash payload
10/04/14 13:43:35 >> : notification payload
10/04/14 13:43:35 == : new informational hash ( 16 bytes )
10/04/14 13:43:35 == : new informational iv ( 8 bytes )
10/04/14 13:43:35 >= : cookies 08f3e9b542728675:d1d23502e4e03a4e
10/04/14 13:43:35 >= : message 374e3f1b
10/04/14 13:43:35 >= : encrypt iv ( 8 bytes )
10/04/14 13:43:35 == : encrypt packet ( 80 bytes )
10/04/14 13:43:35 == : stored iv ( 8 bytes )
10/04/14 13:43:35 -> : send NAT-T:IKE packet 192.168.1.68:4500 -> 69.xxx.xxx.xxx:4500 ( 116 bytes )
10/04/14 13:43:35 ii : DPD ARE-YOU-THERE sequence 3ad3562a requested
10/04/14 13:43:35 <- : recv NAT-T:IKE packet 69.xxx.xxx.xxx:4500 -> 192.168.1.68:4500 ( 84 bytes )
10/04/14 13:43:35 DB : phase1 found
10/04/14 13:43:35 ii : processing informational packet ( 84 bytes )
10/04/14 13:43:35 == : new informational iv ( 8 bytes )
10/04/14 13:43:35 =< : cookies 08f3e9b542728675:d1d23502e4e03a4e
10/04/14 13:43:35 =< : message 5e4547c3
10/04/14 13:43:35 =< : decrypt iv ( 8 bytes )
10/04/14 13:43:35 == : decrypt packet ( 84 bytes )
10/04/14 13:43:35 <= : trimmed packet padding ( 4 bytes )
10/04/14 13:43:35 <= : stored iv ( 8 bytes )
10/04/14 13:43:35 << : hash payload
10/04/14 13:43:35 << : notification payload
10/04/14 13:43:35 == : informational hash_i ( computed ) ( 16 bytes )
10/04/14 13:43:35 == : informational hash_c ( received ) ( 16 bytes )
10/04/14 13:43:35 ii : informational hash verified
10/04/14 13:43:35 ii : received peer DPDV1-R-U-THERE-ACK notification
10/04/14 13:43:35 ii : - 69.xxx.xxx.xxx:4500 -> 192.168.1.68:4500
10/04/14 13:43:35 ii : - isakmp spi = 08f3e9b542728675:d1d23502e4e03a4e
10/04/14 13:43:35 ii : - data size 4
10/04/14 13:43:35 ii : DPD ARE-YOU-THERE-ACK sequence 3ad3562a accepted
10/04/14 13:43:35 ii : next tunnel DPD request in 15 secs for peer 69.xxx.xxx.xxx:4500
10/04/14 13:43:50 DB : phase1 found
10/04/14 13:43:50 -> : send NAT-T:KEEP-ALIVE packet 192.168.1.68:4500 -> 69.xxx.xxx.xxx:4500
10/04/14 13:43:50 DB : phase1 found
10/04/14 13:43:50 ii : sending peer DPDV1-R-U-THERE notification
10/04/14 13:43:50 ii : - 192.168.1.68:4500 -> 69.xxx.xxx.xxx:4500
10/04/14 13:43:50 ii : - isakmp spi = 08f3e9b542728675:d1d23502e4e03a4e
10/04/14 13:43:50 ii : - data size 4
10/04/14 13:43:50 >> : hash payload
10/04/14 13:43:50 >> : notification payload
10/04/14 13:43:50 == : new informational hash ( 16 bytes )
10/04/14 13:43:50 == : new informational iv ( 8 bytes )
10/04/14 13:43:50 >= : cookies 08f3e9b542728675:d1d23502e4e03a4e
10/04/14 13:43:50 >= : message 10fc52cd
10/04/14 13:43:50 >= : encrypt iv ( 8 bytes )
10/04/14 13:43:50 == : encrypt packet ( 80 bytes )
10/04/14 13:43:50 == : stored iv ( 8 bytes )
10/04/14 13:43:50 -> : send NAT-T:IKE packet 192.168.1.68:4500 -> 69.xxx.xxx.xxx:4500 ( 116 bytes )
10/04/14 13:43:50 ii : DPD ARE-YOU-THERE sequence 3ad3562b requested
10/04/14 13:43:50 <- : recv NAT-T:IKE packet 69.xxx.xxx.xxx:4500 -> 192.168.1.68:4500 ( 84 bytes )
10/04/14 13:43:50 DB : phase1 found
10/04/14 13:43:50 ii : processing informational packet ( 84 bytes )
10/04/14 13:43:50 == : new informational iv ( 8 bytes )
10/04/14 13:43:50 =< : cookies 08f3e9b542728675:d1d23502e4e03a4e
10/04/14 13:43:50 =< : message b2a110de
10/04/14 13:43:50 =< : decrypt iv ( 8 bytes )
10/04/14 13:43:50 == : decrypt packet ( 84 bytes )
10/04/14 13:43:50 <= : trimmed packet padding ( 4 bytes )
10/04/14 13:43:50 <= : stored iv ( 8 bytes )
10/04/14 13:43:50 << : hash payload
10/04/14 13:43:50 << : notification payload
10/04/14 13:43:50 == : informational hash_i ( computed ) ( 16 bytes )
10/04/14 13:43:50 == : informational hash_c ( received ) ( 16 bytes )
10/04/14 13:43:50 ii : informational hash verified
10/04/14 13:43:50 ii : received peer DPDV1-R-U-THERE-ACK notification
10/04/14 13:43:50 ii : - 69.xxx.xxx.xxx:4500 -> 192.168.1.68:4500
10/04/14 13:43:50 ii : - isakmp spi = 08f3e9b542728675:d1d23502e4e03a4e
10/04/14 13:43:50 ii : - data size 4
10/04/14 13:43:50 ii : DPD ARE-YOU-THERE-ACK sequence 3ad3562b accepted
10/04/14 13:43:50 ii : next tunnel DPD request in 15 secs for peer 69.xxx.xxx.xxx:4500
10/04/14 13:44:05 DB : phase1 found
10/04/14 13:44:05 -> : send NAT-T:KEEP-ALIVE packet 192.168.1.68:4500 -> 69.xxx.xxx.xxx:4500
10/04/14 13:44:05 DB : phase1 found
10/04/14 13:44:05 ii : sending peer DPDV1-R-U-THERE notification
10/04/14 13:44:05 ii : - 192.168.1.68:4500 -> 69.xxx.xxx.xxx:4500
10/04/14 13:44:05 ii : - isakmp spi = 08f3e9b542728675:d1d23502e4e03a4e
10/04/14 13:44:05 ii : - data size 4
10/04/14 13:44:05 >> : hash payload
10/04/14 13:44:05 >> : notification payload
10/04/14 13:44:05 == : new informational hash ( 16 bytes )
10/04/14 13:44:05 == : new informational iv ( 8 bytes )
10/04/14 13:44:05 >= : cookies 08f3e9b542728675:d1d23502e4e03a4e
10/04/14 13:44:05 >= : message 7bf10a96
10/04/14 13:44:05 >= : encrypt iv ( 8 bytes )
10/04/14 13:44:05 == : encrypt packet ( 80 bytes )
10/04/14 13:44:05 == : stored iv ( 8 bytes )
10/04/14 13:44:05 -> : send NAT-T:IKE packet 192.168.1.68:4500 -> 69.xxx.xxx.xxx:4500 ( 116 bytes )
10/04/14 13:44:05 ii : DPD ARE-YOU-THERE sequence 3ad3562c requested
10/04/14 13:44:06 <- : recv NAT-T:IKE packet 69.xxx.xxx.xxx:4500 -> 192.168.1.68:4500 ( 84 bytes )
10/04/14 13:44:06 DB : phase1 found
10/04/14 13:44:06 ii : processing informational packet ( 84 bytes )
10/04/14 13:44:06 == : new informational iv ( 8 bytes )
10/04/14 13:44:06 =< : cookies 08f3e9b542728675:d1d23502e4e03a4e
10/04/14 13:44:06 =< : message 194f3a0c
10/04/14 13:44:06 =< : decrypt iv ( 8 bytes )
10/04/14 13:44:06 == : decrypt packet ( 84 bytes )
10/04/14 13:44:06 <= : trimmed packet padding ( 4 bytes )
10/04/14 13:44:06 <= : stored iv ( 8 bytes )
10/04/14 13:44:06 << : hash payload
10/04/14 13:44:06 << : notification payload
10/04/14 13:44:06 == : informational hash_i ( computed ) ( 16 bytes )
10/04/14 13:44:06 == : informational hash_c ( received ) ( 16 bytes )
10/04/14 13:44:06 ii : informational hash verified
10/04/14 13:44:06 ii : received peer DPDV1-R-U-THERE-ACK notification
10/04/14 13:44:06 ii : - 69.xxx.xxx.xxx:4500 -> 192.168.1.68:4500
10/04/14 13:44:06 ii : - isakmp spi = 08f3e9b542728675:d1d23502e4e03a4e
10/04/14 13:44:06 ii : - data size 4
10/04/14 13:44:06 ii : DPD ARE-YOU-THERE-ACK sequence 3ad3562c accepted
10/04/14 13:44:06 ii : next tunnel DPD request in 15 secs for peer 69.xxx.xxx.xxx:4500
10/04/14 13:44:20 DB : phase1 found
10/04/14 13:44:20 -> : send NAT-T:KEEP-ALIVE packet 192.168.1.68:4500 -> 69.xxx.xxx.xxx:4500
10/04/14 13:44:21 DB : phase1 found
10/04/14 13:44:21 ii : sending peer DPDV1-R-U-THERE notification
10/04/14 13:44:21 ii : - 192.168.1.68:4500 -> 69.xxx.xxx.xxx:4500
10/04/14 13:44:21 ii : - isakmp spi = 08f3e9b542728675:d1d23502e4e03a4e
10/04/14 13:44:21 ii : - data size 4
10/04/14 13:44:21 >> : hash payload
10/04/14 13:44:21 >> : notification payload
10/04/14 13:44:21 == : new informational hash ( 16 bytes )
10/04/14 13:44:21 == : new informational iv ( 8 bytes )
10/04/14 13:44:21 >= : cookies 08f3e9b542728675:d1d23502e4e03a4e
10/04/14 13:44:21 >= : message dcb43d04
10/04/14 13:44:21 >= : encrypt iv ( 8 bytes )
10/04/14 13:44:21 == : encrypt packet ( 80 bytes )
10/04/14 13:44:21 == : stored iv ( 8 bytes )
10/04/14 13:44:21 -> : send NAT-T:IKE packet 192.168.1.68:4500 -> 69.xxx.xxx.xxx:4500 ( 116 bytes )
10/04/14 13:44:21 ii : DPD ARE-YOU-THERE sequence 3ad3562d requested
10/04/14 13:44:21 <- : recv NAT-T:IKE packet 69.xxx.xxx.xxx:4500 -> 192.168.1.68:4500 ( 84 bytes )

0
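Added example (not part of the original thread, and not Shrew Soft or Juniper code): a small Python script that reads an iked trace in the format posted above and reports the negotiation milestones, the IKE packets the client sent between "phase1 sa established" and "received xauth result" (the client-side view of the window in which the gateway log says XAuth was still pending), every "phase2" line, and the DPD acknowledgements. The function name `analyse`, the report keys and the abridged sample are assumptions of this example; it matches only message strings that appear in the trace above.

```python
import re

# Abridged from the trace posted above (lines copied, the rest omitted).
SAMPLE_TRACE = """\
10/04/14 13:43:05 ii : phase1 sa established
10/04/14 13:43:05 ii : sending peer INITIAL-CONTACT notification
10/04/14 13:43:05 >= : message 284e6048
10/04/14 13:43:05 -> : send NAT-T:IKE packet 192.168.1.68:4500 -> 69.xxx.xxx.xxx:4500 ( 108 bytes )
10/04/14 13:43:05 DB : phase2 not found
10/04/14 13:43:05 ii : received basic xauth request - 
10/04/14 13:43:05 ii : sending xauth response for gwiuser
10/04/14 13:43:05 >= : message 5ac48180
10/04/14 13:43:05 -> : send NAT-T:IKE packet 192.168.1.68:4500 -> 69.xxx.xxx.xxx:4500 ( 116 bytes )
10/04/14 13:43:05 ii : received config push request
10/04/14 13:43:05 ii : sending config push acknowledge
10/04/14 13:43:05 >= : message fb0956c4
10/04/14 13:43:05 -> : send NAT-T:IKE packet 192.168.1.68:4500 -> 69.xxx.xxx.xxx:4500 ( 108 bytes )
10/04/14 13:43:05 ii : received xauth result - 
10/04/14 13:43:05 ii : user gwiuser authentication succeeded
10/04/14 13:43:05 ii : sending xauth acknowledge
10/04/14 13:43:05 >= : message 250c8247
10/04/14 13:43:05 -> : send NAT-T:IKE packet 192.168.1.68:4500 -> 69.xxx.xxx.xxx:4500 ( 92 bytes )
10/04/14 13:43:05 ii : creating IPSEC INBOUND policy ANY:10.0.0.0/24:* -> ANY:10.2.2.3:*
10/04/14 13:43:20 ii : sending peer DPDV1-R-U-THERE notification
10/04/14 13:43:20 >= : message 96e5b2cf
10/04/14 13:43:20 -> : send NAT-T:IKE packet 192.168.1.68:4500 -> 69.xxx.xxx.xxx:4500 ( 116 bytes )
10/04/14 13:43:20 -> : send NAT-T:KEEP-ALIVE packet 192.168.1.68:4500 -> 69.xxx.xxx.xxx:4500
10/04/14 13:43:20 ii : DPD ARE-YOU-THERE-ACK sequence 3ad35629 accepted
"""

# "<date> <time> <two-character tag> : <text>", as in the posted trace.
LINE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d) (\S\S) : (.*)$")

MILESTONES = [
    ("phase1 sa established", "phase1_established"),
    ("received basic xauth request", "xauth_request"),
    ("received config push request", "config_push"),
    ("received xauth result", "xauth_result"),
    ("creating IPSEC INBOUND policy", "ipsec_policy_created"),
]


def analyse(trace):
    """Summarise an iked trace; all report keys are names chosen for this example."""
    report = {"milestones": [], "sent_while_xauth_pending": [],
              "phase2_lines": [], "dpd_acks": 0}
    purpose = msgid = None          # last "sending ..." note / last message id seen
    p1_up = xauth_done = False
    for raw in trace.splitlines():
        m = LINE.match(raw.rstrip())
        if not m:
            continue                # banner lines, hex dumps, blank lines
        ts, tag, text = m.groups()
        for needle, name in MILESTONES:
            if needle in text:
                report["milestones"].append((ts, name))
                p1_up = p1_up or name == "phase1_established"
                xauth_done = xauth_done or name == "xauth_result"
        if tag == "ii" and text.startswith("sending "):
            purpose = text
        elif tag == ">=" and text.startswith("message "):
            msgid = text.split()[1]
        elif tag == "->" and "IKE packet" in text:   # skips NAT-T keep-alives
            if p1_up and not xauth_done:
                report["sent_while_xauth_pending"].append(
                    {"time": ts, "message": msgid, "purpose": purpose or "unlabelled"})
            purpose = None
        if "phase2" in text:
            report["phase2_lines"].append(text)
        if "DPD ARE-YOU-THERE-ACK" in text and text.endswith("accepted"):
            report["dpd_acks"] += 1
    # Heuristic of this example: anything other than "phase2 not found"
    # counts as evidence that a Phase 2 exchange was logged.
    report["phase2_activity"] = any("not found" not in l for l in report["phase2_lines"])
    return report


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_TRACE).items():
        print(key, "=", value)
```

To check a full trace, pass the contents of the saved iked.log to `analyse()` instead of `SAMPLE_TRACE`.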
Qlemo (Batchelor, Developer and EE Topic Advisor) Commented:
Hmmm, I looked at the trace several times, but I cannot see any error message. DPD is exchanged, and that needs an established Phase 2, so the trace looks fine. Strange.
0
Jeff Morlen (Network Engineer) Commented:
I have published documents for Juniper on how to get this set up and have successfully done it several times.

You can find my documents at:
http://www.the-internet-guy.com/pdf/Juniper_firewall_setup_for_Shrewsoft_VPN_connectivity.pdf
and
http://www.the-internet-guy.com/pdf/Shrew_VPN_Client_Setup_for_Juniper_Connectivity.pdf

I hope this helps.
0
