jenit
asked on
Shrew VPN 64 bit client will not connect to SSG20 Phase2 fails Xauth
I have read the posts, tried the various things...and nothing. I keep getting a connected status on the client, but when I look at the logs on my SSG I'm failing on phase 2, so I cannot pass any traffic on the VPN. I originally had the 2.1.5 release on, but read that the new beta might work, so now I have 2.1.6beta 7.
This is a copy of the connection...changed my public IP I'm trying to connect to...but am currently coming from a Panera - so the starting destination was left.
The IP pool is only a bit off on the subnet as I saw that was one of the things to change. I usually am on 10. but put the Shrew on 15. Now, I believe I'm configured for 192.168.0.0 to all be internal, so maybe that is acting as internal? I do not use any IP pools for my existing WinXP Juniper VPN connections.
2010-04-23 09:41:52 info IKE<64.241.37.140>: XAuth login was passed for gateway <vpnshrew5_gw>, username <joann>, retry: 0, Client IP Addr<192.168.15.210>, IPPool name:<vpnshrew>, Session-Timeout:<0s>, Idle-Timeout:<0s>.
2010-04-23 09:41:52 info IKE<64.241.37.140>: XAuth login was refreshed for username <joann> at <192.168.15.210/255.255.255.255>.
2010-04-23 09:41:52 info Rejected an IKE packet on ethernet0/0 from 64.241.37.140:17541 to 68.143.xx.xxx:4500 with cookies ffacbbaab3ac0067 and a3aa5ee40c92c0b7 because a Phase 2 packet arrived while XAuth was still pending.
2010-04-23 09:41:52 info IKE<64.241.37.140> Phase 1: Completed Aggressive mode negotiations with a <28800>-second lifetime.
2010-04-23 09:41:52 info IKE<64.241.37.140> Phase 1: Completed for user <vpnshrew_5>.
2010-04-23 09:41:52 info IKE<64.241.37.140> Phase 1: IKE responder has detected NAT in front of the remote device.
2010-04-23 09:41:52 info IKE<64.241.37.140> Phase 1: IKE responder has detected NAT in front of the local device.
2010-04-23 09:41:52 info IKE<64.241.37.140> Phase 1: Responder starts AGGRESSIVE mode negotiations.
Routes/switches/firewalls are not my speciality, so I really could use some help. I need to get this connected as I have a new program coming in house that will require this for a few of my remote workers.
Is that all you get from your log? I cannot see any Phase 2 trials.
ASKER
I did not see anything more at the time and my logs do not keep that much before clearing. I had to come back in office - so since I'm on the same subnet - cannot test until later. I will let you know as soon as I look at it again.
ASKER
I double checked and that is all I get from the Juniper side. I tried to connect to an RDP session as well as an internal Citrix connection and there is no record of the traffic hitting the Juniper to even be denied. I also cannot seem to get the logs running from the Shrew client. I did read to launch it from a right click and run as administrator, but this does not help. I never get an option to start the logs.
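Added example, not part of the original thread: a small Python triage script that puts the SSG log lines posted in the question into chronological order and flags the two things visible in them, the Phase 2 packet rejected while XAuth was pending and the absence of any Phase 2 entry after XAuth passed. It assumes the listing is newest first; the event labels and function names are made up for this example.

```python
import re
from collections import defaultdict

# Log lines as posted in the question (assumed newest first; public IP masked by the poster).
LOG = """\
2010-04-23 09:41:52 info IKE<64.241.37.140>: XAuth login was passed for gateway <vpnshrew5_gw>, username <joann>, retry: 0, Client IP Addr<192.168.15.210>, IPPool name:<vpnshrew>, Session-Timeout:<0s>, Idle-Timeout:<0s>.
2010-04-23 09:41:52 info IKE<64.241.37.140>: XAuth login was refreshed for username <joann> at <192.168.15.210/255.255.255.255>.
2010-04-23 09:41:52 info Rejected an IKE packet on ethernet0/0 from 64.241.37.140:17541 to 68.143.xx.xxx:4500 with cookies ffacbbaab3ac0067 and a3aa5ee40c92c0b7 because a Phase 2 packet arrived while XAuth was still pending.
2010-04-23 09:41:52 info IKE<64.241.37.140> Phase 1: Completed Aggressive mode negotiations with a <28800>-second lifetime.
2010-04-23 09:41:52 info IKE<64.241.37.140> Phase 1: Completed for user <vpnshrew_5>.
2010-04-23 09:41:52 info IKE<64.241.37.140> Phase 1: IKE responder has detected NAT in front of the remote device.
2010-04-23 09:41:52 info IKE<64.241.37.140> Phase 1: IKE responder has detected NAT in front of the local device.
2010-04-23 09:41:52 info IKE<64.241.37.140> Phase 1: Responder starts AGGRESSIVE mode negotiations.
"""
# Message text -> label; only message texts that appear in the posted log are matched.
EVENTS = [
    ("Responder starts AGGRESSIVE mode", "p1_start"),
    ("detected NAT", "nat"),
    ("Phase 1: Completed Aggressive mode", "p1_done"),
    ("XAuth login was passed", "xauth_ok"),
    ("Phase 2 packet arrived while XAuth was still pending", "p2_early"),
]
PEER = re.compile(r"IKE<([\d.]+)>|from ([\d.]+):\d+")

def timeline(log):
    """Return {peer_ip: [label, ...]} oldest first (the input is newest first)."""
    out = defaultdict(list)
    for line in reversed(log.strip().splitlines()):
        m = PEER.search(line)
        label = next((lab for text, lab in EVENTS if text in line), None)
        if label is None and "Phase 2" in line:
            label = "p2_other"  # any Phase 2 message other than the early rejection
        if m and label:
            out[m.group(1) or m.group(2)].append(label)
    return dict(out)

def diagnose(events):
    """Flag the two conditions visible in the posted log."""
    findings = []
    if "p2_early" in events:
        findings.append("phase2_rejected_while_xauth_pending")
    if "xauth_ok" in events:
        last = len(events) - 1 - events[::-1].index("xauth_ok")
        if not any(e.startswith("p2") for e in events[last + 1:]):
            findings.append("no_phase2_after_xauth")
    return findings

if __name__ == "__main__":
    for peer, ev in timeline(LOG).items():
        print(peer, ev, diagnose(ev))
```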