Solved

Connect to Juniper VPN from Android

Posted on 2014-12-03
404 Views
Last Modified: 2014-12-10
Hi.

I need to connect my Android tablet to the VPN of a client of mine. This VPN is Juniper based.

Currently I'm connecting from my Windows-based PC using Shrew soft VPN Client. However now I need to connect from my Android and I have tested some apps but none of them seems to achieve the VPN.

These are some of the parameters I can see on my client software in Windows:
- Port: 500
- ike config push
- NAT Traversal port 4500
- IKE Fragmentation: enable
- Enable ISAKMP Failure Notifications
- Auth Method: Mutual PSK + XAuth
- Name Resolution: Enable DNS (with a couple of some static IPs)
- DNS suffix: xxxx.xxx
- FDDN String: xxxx.xxxx
- Pre-shared key

So I understand that Android app should be able to allow me to configure all these things. Which app should I use?

Thanks.
Question by:gplana
18 Comments
 
LVL 68

Expert Comment

by:Qlemo
In theory, the built-in VPN client of Android should work, if you copy the gateway, ID, PSK, and user info. Also make sure to provide a remote network. Make sure to use AES encryption with 128 or 256 bit, and DH-2.
But sadly, I was not able to connect either; there is a severe protocol issue in exchange 3 of phase 1, which is almost at the beginning of the negotiation (usually a PSK mismatch). So try yourself. But: there is no debug option or log available on Android (AFAIK).
 
LVL 15

Author Comment

by:gplana
I think the encryption used is IPSec. I'm trying an app called NCP, but currently I'm waiting for my client to provide the pre-shared key to me...
 
LVL 68

Expert Comment

by:Qlemo
IPSec is a protocol, not an encryption method. AES, DES and 3DES are encryption methods (and Blowfish and ...).
 
LVL 15

Author Comment

by:gplana
Ok, I have looked at my Windows client program (the one that is working) and this option is configured to "auto".
How can I test with the built-in VPN client of Android? My tablet is a Samsung Galaxy Tab 3 7" tablet.

Thanks.
 
LVL 68

Expert Comment

by:Qlemo
You need to make sure those encryption settings are set on the Juniper device as one of the available proposals. You can't set it up on Android at all.
 
LVL 15

Author Comment

by:gplana
I have put the pre-shared key and now the error is on phase-2: Error VPN. IKE phase 2. Waiting for Msg 2
What could be the cause?
 
LVL 68

Expert Comment

by:Qlemo
You see that on the Juniper? P2 Msg 2 needs to be sent by the responder - the Juniper, so this log message has to appear at your VPN client, but I never saw the Android client telling anything useful at any time...
I would have to look that up to be sure, but IIRC there are two reasons for negotiation errors at that stage: XAuth settings or a Phase 2 encryption parameter mismatch. In P2 the same parameters for AES etc. need to be in the proposals.
 
LVL 15

Author Comment

by:gplana
This is the message I get on my tablet. I don't have access to the Juniper (I would need to ask the system administrator, but he won't be available for about a month).
 
LVL 68

Expert Comment

by:Qlemo
Without access to the Juniper device, your options are limited to none (on the tablet). You can't do more than set up a few things on the tablet, as you already did.

But at least the message pops up where it belongs ;-).

Since Shrew is more informative (if you use the trace tool and switch on logging for IKE and IPSec - remember to restart the services if you have to change that), you can try to change the "Auto" setting in both Phase tabs to AES 128, group 2, SHA1, and try to connect that way. It should not make a difference, if the Juniper is set up correctly.
The issue with AUTO is that most devices (and I reckon Shrew too) start with negotiating 3DES instead of AES, and so the Juniper might be set up that way. But this does not work with the built-in Android VPN app.
If it does not work, I'm right, and you can change back to AUTO again.
 
LVL 15

Author Comment

by:gplana
Thank you for your answer.
The problem is on the tablet, not on Shrew. On the tablet I'm using NCP VPN Client (Premium version). I have looked at the profile options but I don't see how I can set the encryption method on NCP. I can try to add some screenshots of the NCP configuration; however, I don't know how to capture the screen on my Samsung Galaxy Tab 3 7.0 tablet (Android 4.4.2 based).
 
LVL 15

Author Comment

by:gplana
I tried to configure the Shrew software on my PC to connect using AES 128 SHA1 as the encryption method on phase-1 and also on phase-2, and then the connection is not established, so I guess you are right.
However, I don't fully understand the problem. Is the problem that our administrator has configured the Juniper to accept only 3DES encryption? If so, is it possible to connect from the tablet using this crypto algorithm? And finally, is AES 128 SHA1 as safe as 3DES?

Thanks.
 
LVL 68

Expert Comment

by:Qlemo
AES is safer than 3DES. But at the moment you seem to be bound to using the latter, so just try.
The NCP client is a well-known one on PCs, and I didn't expect you to be using it. That client allows tracing, sophisticated setup and has online support.
An Auto setting should be available here, too. Otherwise you'll have to play with P2 settings, better on Shrew (as you know that one works). 3DES, DH-2, SHA1 and 3DES, No PFS, SHA1 are most likely.
I can't check now, but Shrew should show you what has been negotiated with Auto settings.
 
LVL 15

Author Comment

by:gplana
No, I'm using NCP on Android, not on the PC. I'm using Shrew on the PC and NCP on Android. However, there seem to be more options in Shrew (PC) than in NCP (Android), although I bought the Premium version of NCP (for Android).

I will do some extra testing and see if I can see the logs on Shrew, and let you know. Thank you for all the support you are giving me.
 
LVL 15

Author Comment

by:gplana
I tried to configure phase 2 with AES 128 bits in the Shrew software (on my PC) and it works. The problem on Shrew seems to be when I change some settings on phase-1. However, on Android it seems I get the error on Phase 2. Strange, isn't it?

I still don't know how to look at the logs, either on Shrew or NCP. I tried on Shrew using the VPN Trace utility; however, no new lines appear when I am connected.
 
LVL 68

Accepted Solution

by:
Qlemo earned 500 total points
To get a trace in Shrew, go into the Trace tool » File » Options, and select "informational" as the log output level. You should also enable dumping of decrypted IKE traffic, and writing to a trace file for detailed analysis.
Then go into the IKE tab, click Open Log, and Restart. Do the same for IPSec.
Now you are prepared to see the traffic.
 
LVL 15

Author Comment

by:gplana
I have done what you said. I can see it's using 3DES on phase-1. Here are the logs. What else can I do to make it work on NCP (on the tablet)?

This is on tab IKE Service:

14/12/09 09:14:14 ## : IKE Daemon, ver 2.2.2
14/12/09 09:14:14 ## : Copyright 2013 Shrew Soft Inc.
14/12/09 09:14:14 ## : This product linked OpenSSL 1.0.1c 10 May 2012
14/12/09 09:14:14 ii : opened 'C:\Program Files\ShrewSoft\VPN Client\debug\iked.log'
14/12/09 09:14:14 ii : opened 'C:\Program Files\ShrewSoft\VPN Client/debug/dump-ike-decrypt.cap'
14/12/09 09:14:14 ii : opened 'C:\Program Files\ShrewSoft\VPN Client/debug/dump-ike-encrypt.cap'
14/12/09 09:14:14 ii : rebuilding vnet device list ...
14/12/09 09:14:14 ii : device ROOT\VNET\0000 disabled
14/12/09 09:14:14 ii : network process thread begin ...
14/12/09 09:14:14 ii : pfkey process thread begin ...
14/12/09 09:14:14 ii : ipc server process thread begin ...
14/12/09 09:14:44 ii : ipc client process thread begin ...
14/12/09 09:14:44 <A : peer config add message
14/12/09 09:14:44 <A : proposal config message
14/12/09 09:14:44 <A : proposal config message
14/12/09 09:14:44 <A : client config message
14/12/09 09:14:44 <A : xauth username message
14/12/09 09:14:44 <A : xauth password message
14/12/09 09:14:44 <A : local id 'vpn.pius' message
14/12/09 09:14:44 <A : remote id 'gw.pius' message
14/12/09 09:14:44 <A : preshared key message
14/12/09 09:14:44 <A : remote resource message
14/12/09 09:14:44 <A : remote resource message
14/12/09 09:14:44 <A : remote resource message
14/12/09 09:14:44 <A : peer tunnel enable message
14/12/09 09:14:44 ii : local supports XAUTH
14/12/09 09:14:44 ii : local supports nat-t ( draft v00 )
14/12/09 09:14:44 ii : local supports nat-t ( draft v01 )
14/12/09 09:14:44 ii : local supports nat-t ( draft v02 )
14/12/09 09:14:44 ii : local supports nat-t ( draft v03 )
14/12/09 09:14:44 ii : local supports nat-t ( rfc )
14/12/09 09:14:44 ii : local supports FRAGMENTATION
14/12/09 09:14:44 ii : local supports DPDv1
14/12/09 09:14:44 ii : local is SHREW SOFT compatible
14/12/09 09:14:44 ii : local is NETSCREEN compatible
14/12/09 09:14:44 ii : local is SIDEWINDER compatible
14/12/09 09:14:44 ii : local is CISCO UNITY compatible
14/12/09 09:14:44 >= : cookies 2a353a3abaebda3e:0000000000000000
14/12/09 09:14:44 >= : message 00000000
14/12/09 09:14:44 ii : processing phase1 packet ( 435 bytes )
14/12/09 09:14:44 =< : cookies 2a353a3abaebda3e:7ab05f562f8577e9
14/12/09 09:14:44 =< : message 00000000
14/12/09 09:14:44 !! : peer violates RFC, transform number mismatch ( 1 != 13 )
14/12/09 09:14:44 ii : matched isakmp proposal #1 transform #1
14/12/09 09:14:44 ii : - transform    = ike
14/12/09 09:14:44 ii : - cipher type  = 3des
14/12/09 09:14:44 ii : - key length   = default
14/12/09 09:14:44 ii : - hash type    = md5
14/12/09 09:14:44 ii : - dh group     = group2 ( modp-1024 )
14/12/09 09:14:44 ii : - auth type    = xauth-initiator-psk
14/12/09 09:14:44 ii : - life seconds = 86400
14/12/09 09:14:44 ii : - life kbytes  = 0
14/12/09 09:14:44 ii : peer supports XAUTH
14/12/09 09:14:44 ii : peer supports DPDv1
14/12/09 09:14:44 ii : peer supports HEARTBEAT-NOTIFY
14/12/09 09:14:44 ii : phase1 id match 
14/12/09 09:14:44 ii : received = fqdn gw.pius
14/12/09 09:14:44 ii : peer supports nat-t ( draft v02 )
14/12/09 09:14:44 ii : nat discovery - local address is translated
14/12/09 09:14:44 ii : nat discovery - remote address is translated
14/12/09 09:14:44 ii : switching to src nat-t udp port 4500
14/12/09 09:14:44 ii : switching to dst nat-t udp port 4500
14/12/09 09:14:44 >= : cookies 2a353a3abaebda3e:7ab05f562f8577e9
14/12/09 09:14:44 >= : message 00000000
14/12/09 09:14:44 ii : phase1 sa established
14/12/09 09:14:44 ii : 81.43.113.103:4500 <-> 192.168.0.133:4500
14/12/09 09:14:44 ii : 2a353a3abaebda3e:7ab05f562f8577e9
14/12/09 09:14:44 ii : sending peer INITIAL-CONTACT notification
14/12/09 09:14:44 ii : - 192.168.0.133:4500 -> 81.43.113.103:4500
14/12/09 09:14:44 ii : - isakmp spi = 2a353a3abaebda3e:7ab05f562f8577e9
14/12/09 09:14:44 ii : - data size 0
14/12/09 09:14:44 >= : cookies 2a353a3abaebda3e:7ab05f562f8577e9
14/12/09 09:14:44 >= : message ae6fb2c1
14/12/09 09:14:44 ii : processing config packet ( 76 bytes )
14/12/09 09:14:44 =< : cookies 2a353a3abaebda3e:7ab05f562f8577e9
14/12/09 09:14:44 =< : message 0bf41b5d
14/12/09 09:14:44 ii : - xauth authentication type
14/12/09 09:14:44 ii : - xauth username
14/12/09 09:14:44 ii : - xauth password
14/12/09 09:14:44 ii : received basic xauth request - 
14/12/09 09:14:44 ii : - standard xauth username
14/12/09 09:14:44 ii : - standard xauth password
14/12/09 09:14:44 ii : sending xauth response for gplana
14/12/09 09:14:44 >= : cookies 2a353a3abaebda3e:7ab05f562f8577e9
14/12/09 09:14:44 >= : message 0bf41b5d
14/12/09 09:14:44 ii : processing config packet ( 92 bytes )
14/12/09 09:14:44 =< : cookies 2a353a3abaebda3e:7ab05f562f8577e9
14/12/09 09:14:44 =< : message bbaf667b
14/12/09 09:14:44 ii : received config push request
14/12/09 09:14:44 ii : building config attribute list
14/12/09 09:14:44 ii : sending config push acknowledge
14/12/09 09:14:44 >= : cookies 2a353a3abaebda3e:7ab05f562f8577e9
14/12/09 09:14:44 >= : message bbaf667b
14/12/09 09:14:44 ii : processing config packet ( 68 bytes )
14/12/09 09:14:44 =< : cookies 2a353a3abaebda3e:7ab05f562f8577e9
14/12/09 09:14:44 =< : message c7402af3
14/12/09 09:14:44 ii : received xauth result - 
14/12/09 09:14:44 ii : user gplana authentication succeeded
14/12/09 09:14:44 ii : sending xauth acknowledge
14/12/09 09:14:44 >= : cookies 2a353a3abaebda3e:7ab05f562f8577e9
14/12/09 09:14:44 >= : message c7402af3
14/12/09 09:14:48 ii : adapter ROOT\VNET\0000 unavailable, retrying ...
14/12/09 09:14:49 ii : creating NONE INBOUND policy ANY:81.43.113.103:* -> ANY:192.168.0.133:*
14/12/09 09:14:49 ii : creating NONE OUTBOUND policy ANY:192.168.0.133:* -> ANY:81.43.113.103:*
14/12/09 09:14:49 ii : created NONE policy route for 81.43.113.103/32
14/12/09 09:14:49 ii : creating NONE INBOUND policy ANY:192.168.0.1:* -> ANY:192.168.152.26:*
14/12/09 09:14:49 ii : creating NONE OUTBOUND policy ANY:192.168.152.26:* -> ANY:192.168.0.1:*
14/12/09 09:14:49 ii : creating IPSEC INBOUND policy ANY:146.219.196.0/24:* -> ANY:192.168.152.26:*
14/12/09 09:14:49 ii : creating IPSEC OUTBOUND policy ANY:192.168.152.26:* -> ANY:146.219.196.0/24:*
14/12/09 09:14:49 ii : created IPSEC policy route for 146.219.196.0/24
14/12/09 09:14:49 ii : creating IPSEC INBOUND policy ANY:192.168.200.0/24:* -> ANY:192.168.152.26:*
14/12/09 09:14:49 ii : creating IPSEC OUTBOUND policy ANY:192.168.152.26:* -> ANY:192.168.200.0/24:*
14/12/09 09:14:49 ii : created IPSEC policy route for 192.168.200.0/24
14/12/09 09:14:49 ii : creating IPSEC INBOUND policy ANY:192.168.199.0/24:* -> ANY:192.168.152.26:*
14/12/09 09:14:49 ii : creating IPSEC OUTBOUND policy ANY:192.168.152.26:* -> ANY:192.168.199.0/24:*
14/12/09 09:14:49 ii : created IPSEC policy route for 192.168.199.0/24
14/12/09 09:14:49 ii : split DNS is disabled
14/12/09 09:14:52 >= : cookies 2a353a3abaebda3e:7ab05f562f8577e9
14/12/09 09:14:52 >= : message e3e18d02
14/12/09 09:14:52 ii : processing phase2 packet ( 172 bytes )
14/12/09 09:14:52 =< : cookies 2a353a3abaebda3e:7ab05f562f8577e9
14/12/09 09:14:52 =< : message e3e18d02
14/12/09 09:14:52 ii : matched ipsec-esp proposal #1 transform #1
14/12/09 09:14:52 ii : - transform    = esp-aes
14/12/09 09:14:52 ii : - key length   = 128 bits
14/12/09 09:14:52 ii : - encap mode   = udp-tunnel ( draft )
14/12/09 09:14:52 ii : - msg auth     = hmac-sha1
14/12/09 09:14:52 ii : - pfs dh group = none
14/12/09 09:14:52 ii : - life seconds = 3600
14/12/09 09:14:52 ii : - life kbytes  = 0
14/12/09 09:14:52 ii : phase2 ids accepted
14/12/09 09:14:52 ii : - loc ANY:192.168.152.26:* -> ANY:192.168.200.0/24:*
14/12/09 09:14:52 ii : - rmt ANY:192.168.200.0/24:* -> ANY:192.168.152.26:*
14/12/09 09:14:52 ii : phase2 sa established
14/12/09 09:14:52 ii : 192.168.0.133:4500 <-> 81.43.113.103:4500
14/12/09 09:14:52 >= : cookies 2a353a3abaebda3e:7ab05f562f8577e9
14/12/09 09:14:52 >= : message e3e18d02
14/12/09 09:14:59 ii : sending peer DPDV1-R-U-THERE notification
14/12/09 09:14:59 ii : - 192.168.0.133:4500 -> 81.43.113.103:4500
14/12/09 09:14:59 ii : - isakmp spi = 2a353a3abaebda3e:7ab05f562f8577e9
14/12/09 09:14:59 ii : - data size 4
14/12/09 09:14:59 >= : cookies 2a353a3abaebda3e:7ab05f562f8577e9
14/12/09 09:14:59 >= : message dcd67947
14/12/09 09:14:59 ii : processing informational packet ( 84 bytes )
14/12/09 09:14:59 =< : cookies 2a353a3abaebda3e:7ab05f562f8577e9
14/12/09 09:14:59 =< : message 733be550
14/12/09 09:14:59 ii : received peer DPDV1-R-U-THERE-ACK notification
14/12/09 09:14:59 ii : - 81.43.113.103:4500 -> 192.168.0.133:4500
14/12/09 09:14:59 ii : - isakmp spi = 2a353a3abaebda3e:7ab05f562f8577e9
14/12/09 09:14:59 ii : - data size 4
14/12/09 09:15:14 ii : sending peer DPDV1-R-U-THERE notification
14/12/09 09:15:14 ii : - 192.168.0.133:4500 -> 81.43.113.103:4500
14/12/09 09:15:14 ii : - isakmp spi = 2a353a3abaebda3e:7ab05f562f8577e9
14/12/09 09:15:14 ii : - data size 4
14/12/09 09:15:14 >= : cookies 2a353a3abaebda3e:7ab05f562f8577e9
14/12/09 09:15:14 >= : message ca7ebbf2
14/12/09 09:15:14 ii : processing informational packet ( 84 bytes )
14/12/09 09:15:14 =< : cookies 2a353a3abaebda3e:7ab05f562f8577e9
14/12/09 09:15:14 =< : message 17160e14
14/12/09 09:15:14 ii : received peer DPDV1-R-U-THERE-ACK notification
14/12/09 09:15:14 ii : - 81.43.113.103:4500 -> 192.168.0.133:4500
14/12/09 09:15:14 ii : - isakmp spi = 2a353a3abaebda3e:7ab05f562f8577e9
14/12/09 09:15:14 ii : - data size 4
14/12/09 09:15:29 ii : sending peer DPDV1-R-U-THERE notification
14/12/09 09:15:29 ii : - 192.168.0.133:4500 -> 81.43.113.103:4500
14/12/09 09:15:29 ii : - isakmp spi = 2a353a3abaebda3e:7ab05f562f8577e9
14/12/09 09:15:29 ii : - data size 4
14/12/09 09:15:29 >= : cookies 2a353a3abaebda3e:7ab05f562f8577e9
14/12/09 09:15:29 >= : message 693a75e2
14/12/09 09:15:29 ii : processing informational packet ( 84 bytes )
14/12/09 09:15:29 =< : cookies 2a353a3abaebda3e:7ab05f562f8577e9
14/12/09 09:15:29 =< : message b1553692
14/12/09 09:15:29 ii : received peer DPDV1-R-U-THERE-ACK notification
14/12/09 09:15:29 ii : - 81.43.113.103:4500 -> 192.168.0.133:4500
14/12/09 09:15:29 ii : - isakmp spi = 2a353a3abaebda3e:7ab05f562f8577e9
14/12/09 09:15:29 ii : - data size 4
14/12/09 09:15:44 ii : sending peer DPDV1-R-U-THERE notification
14/12/09 09:15:44 ii : - 192.168.0.133:4500 -> 81.43.113.103:4500
14/12/09 09:15:44 ii : - isakmp spi = 2a353a3abaebda3e:7ab05f562f8577e9
14/12/09 09:15:44 ii : - data size 4
14/12/09 09:15:44 >= : cookies 2a353a3abaebda3e:7ab05f562f8577e9
14/12/09 09:15:44 >= : message d91c3bc3
14/12/09 09:15:44 ii : processing informational packet ( 84 bytes )
14/12/09 09:15:44 =< : cookies 2a353a3abaebda3e:7ab05f562f8577e9
14/12/09 09:15:44 =< : message 7a93ec78
14/12/09 09:15:44 ii : received peer DPDV1-R-U-THERE-ACK notification
14/12/09 09:15:44 ii : - 81.43.113.103:4500 -> 192.168.0.133:4500
14/12/09 09:15:44 ii : - isakmp spi = 2a353a3abaebda3e:7ab05f562f8577e9
14/12/09 09:15:44 ii : - data size 4
14/12/09 09:15:59 ii : sending peer DPDV1-R-U-THERE notification
14/12/09 09:15:59 ii : - 192.168.0.133:4500 -> 81.43.113.103:4500
14/12/09 09:15:59 ii : - isakmp spi = 2a353a3abaebda3e:7ab05f562f8577e9
14/12/09 09:15:59 ii : - data size 4
14/12/09 09:15:59 >= : cookies 2a353a3abaebda3e:7ab05f562f8577e9
14/12/09 09:15:59 >= : message ef9c6446
14/12/09 09:15:59 ii : processing informational packet ( 84 bytes )
14/12/09 09:15:59 =< : cookies 2a353a3abaebda3e:7ab05f562f8577e9
14/12/09 09:15:59 =< : message e4fb9d11
14/12/09 09:15:59 ii : received peer DPDV1-R-U-THERE-ACK notification
14/12/09 09:15:59 ii : - 81.43.113.103:4500 -> 192.168.0.133:4500
14/12/09 09:15:59 ii : - isakmp spi = 2a353a3abaebda3e:7ab05f562f8577e9
14/12/09 09:15:59 ii : - data size 4
14/12/09 09:16:14 ii : sending peer DPDV1-R-U-THERE notification
14/12/09 09:16:14 ii : - 192.168.0.133:4500 -> 81.43.113.103:4500
14/12/09 09:16:14 ii : - isakmp spi = 2a353a3abaebda3e:7ab05f562f8577e9
14/12/09 09:16:14 ii : - data size 4
14/12/09 09:16:14 >= : cookies 2a353a3abaebda3e:7ab05f562f8577e9
14/12/09 09:16:14 >= : message 6463ef28
14/12/09 09:16:14 ii : processing informational packet ( 84 bytes )
14/12/09 09:16:14 =< : cookies 2a353a3abaebda3e:7ab05f562f8577e9
14/12/09 09:16:14 =< : message 1b8633de
14/12/09 09:16:14 ii : received peer DPDV1-R-U-THERE-ACK notification
14/12/09 09:16:14 ii : - 81.43.113.103:4500 -> 192.168.0.133:4500
14/12/09 09:16:14 ii : - isakmp spi = 2a353a3abaebda3e:7ab05f562f8577e9
14/12/09 09:16:14 ii : - data size 4
14/12/09 09:16:29 ii : sending peer DPDV1-R-U-THERE notification
14/12/09 09:16:29 ii : - 192.168.0.133:4500 -> 81.43.113.103:4500
14/12/09 09:16:29 ii : - isakmp spi = 2a353a3abaebda3e:7ab05f562f8577e9
14/12/09 09:16:29 ii : - data size 4
14/12/09 09:16:29 >= : cookies 2a353a3abaebda3e:7ab05f562f8577e9
14/12/09 09:16:29 >= : message 8707befa
14/12/09 09:16:29 ii : processing informational packet ( 84 bytes )
14/12/09 09:16:29 =< : cookies 2a353a3abaebda3e:7ab05f562f8577e9
14/12/09 09:16:29 =< : message 3599a64d
14/12/09 09:16:29 ii : received peer DPDV1-R-U-THERE-ACK notification
14/12/09 09:16:29 ii : - 81.43.113.103:4500 -> 192.168.0.133:4500
14/12/09 09:16:29 ii : - isakmp spi = 2a353a3abaebda3e:7ab05f562f8577e9
14/12/09 09:16:29 ii : - data size 4
14/12/09 09:16:44 ii : sending peer DPDV1-R-U-THERE notification
14/12/09 09:16:44 ii : - 192.168.0.133:4500 -> 81.43.113.103:4500
14/12/09 09:16:44 ii : - isakmp spi = 2a353a3abaebda3e:7ab05f562f8577e9
14/12/09 09:16:44 ii : - data size 4
14/12/09 09:16:44 >= : cookies 2a353a3abaebda3e:7ab05f562f8577e9
14/12/09 09:16:44 >= : message dfe6fcac
14/12/09 09:16:45 ii : processing informational packet ( 84 bytes )
14/12/09 09:16:45 =< : cookies 2a353a3abaebda3e:7ab05f562f8577e9
14/12/09 09:16:45 =< : message b78f1e94
14/12/09 09:16:45 ii : received peer DPDV1-R-U-THERE-ACK notification
14/12/09 09:16:45 ii : - 81.43.113.103:4500 -> 192.168.0.133:4500
14/12/09 09:16:45 ii : - isakmp spi = 2a353a3abaebda3e:7ab05f562f8577e9
14/12/09 09:16:45 ii : - data size 4
14/12/09 09:16:52 ii : hard halt signal received, shutting down
14/12/09 09:16:52 DB : removing all peer tunnel references
14/12/09 09:16:52 DB : removing tunnel config references
14/12/09 09:16:52 DB : removing tunnel phase2 references
14/12/09 09:16:52 ii : sending peer DELETE message
14/12/09 09:16:52 ii : - 192.168.0.133:4500 -> 81.43.113.103:4500
14/12/09 09:16:52 ii : - ipsec-esp spi = 0x7a39d9fe
14/12/09 09:16:52 ii : - data size 0
14/12/09 09:16:52 >= : cookies 2a353a3abaebda3e:7ab05f562f8577e9
14/12/09 09:16:52 >= : message 0dbe8b75
14/12/09 09:16:52 ii : phase2 removal before expire time
14/12/09 09:16:52 DB : removing tunnel phase1 references
14/12/09 09:16:52 ii : sending peer DELETE message
14/12/09 09:16:52 ii : - 192.168.0.133:4500 -> 81.43.113.103:4500
14/12/09 09:16:52 ii : - isakmp spi = 2a353a3abaebda3e:7ab05f562f8577e9
14/12/09 09:16:52 ii : - data size 0
14/12/09 09:16:52 >= : cookies 2a353a3abaebda3e:7ab05f562f8577e9
14/12/09 09:16:52 >= : message 9d8f9ba4
14/12/09 09:16:52 ii : phase1 removal before expire time
14/12/09 09:16:52 ii : removing IPSEC INBOUND policy ANY:146.219.196.0/24:* -> ANY:192.168.152.26:*
14/12/09 09:16:52 ii : removing IPSEC OUTBOUND policy ANY:192.168.152.26:* -> ANY:146.219.196.0/24:*
14/12/09 09:16:52 ii : removed IPSEC policy route for ANY:146.219.196.0/24:*
14/12/09 09:16:52 ii : removing IPSEC INBOUND policy ANY:192.168.200.0/24:* -> ANY:192.168.152.26:*
14/12/09 09:16:52 ii : removing IPSEC OUTBOUND policy ANY:192.168.152.26:* -> ANY:192.168.200.0/24:*
14/12/09 09:16:52 ii : removed IPSEC policy route for ANY:192.168.200.0/24:*
14/12/09 09:16:52 ii : removing IPSEC INBOUND policy ANY:192.168.199.0/24:* -> ANY:192.168.152.26:*
14/12/09 09:16:52 ii : removing IPSEC OUTBOUND policy ANY:192.168.152.26:* -> ANY:192.168.199.0/24:*
14/12/09 09:16:52 ii : removed IPSEC policy route for ANY:192.168.199.0/24:*
14/12/09 09:16:52 ii : removing NONE INBOUND policy ANY:192.168.0.1:* -> ANY:192.168.152.26:*
14/12/09 09:16:52 ii : removing NONE OUTBOUND policy ANY:192.168.152.26:* -> ANY:192.168.0.1:*
14/12/09 09:16:52 ii : removing NONE INBOUND policy ANY:81.43.113.103:* -> ANY:192.168.0.133:*
14/12/09 09:16:52 ii : removing NONE OUTBOUND policy ANY:192.168.0.133:* -> ANY:81.43.113.103:*
14/12/09 09:16:52 ii : removed NONE policy route for ANY:81.43.113.103:*
14/12/09 09:16:52 ii : ipc server process thread exit ...
14/12/09 09:16:52 ii : network process thread exit ...
14/12/09 09:16:52 ii : ipc client process thread exit ...
14/12/09 09:16:52 ii : pfkey process thread exit ...




and this is on tab IPSEC:

14/12/09 09:28:46 ## : IPSEC Daemon, ver 2.2.2
14/12/09 09:28:46 ## : Copyright 2013 Shrew Soft Inc.
14/12/09 09:28:46 ## : This product linked OpenSSL 1.0.1c 10 May 2012
14/12/09 09:28:46 ## : This product linked zlib v1.2.3
14/12/09 09:28:46 ii : network send process thread begin ...
14/12/09 09:28:46 ii : vflt send device attached
14/12/09 09:28:46 ii : network recv process thread begin ...
14/12/09 09:28:46 ii : vflt recv device attached
14/12/09 09:28:46 ii : pfkey server process thread begin ...
14/12/09 09:28:46 ii : pfkey client process thread begin ...
14/12/09 09:28:46 ii : pfkey client process thread begin ...
14/12/09 09:28:56 ii : installed accept rule for 81.43.113.103/255.255.255.255
14/12/09 09:28:56 ii : installed accept rule for 192.168.0.1/255.255.255.255
14/12/09 09:28:56 ii : installed divert rule for 146.219.196.0/255.255.255.0
14/12/09 09:28:56 ii : installed divert rule for 192.168.200.0/255.255.255.0
14/12/09 09:28:56 ii : installed divert rule for 192.168.199.0/255.255.255.0
14/12/09 09:28:56 ii : inspecting ARP request ...
14/12/09 09:28:56 ii : inspecting ARP request ...
14/12/09 09:28:57 ii : inspecting ARP request ...
14/12/09 09:28:58 ii : inspecting ARP request ...
14/12/09 09:28:58 ii : inspecting ARP request ...
14/12/09 09:28:59 ii : inspecting ARP request ...
14/12/09 09:29:00 ii : inspecting ARP request ...
14/12/09 09:29:00 ii : inspecting ARP request ...
14/12/09 09:29:00 ii : inspecting ARP request ...
14/12/09 09:29:00 ii : queueing ip packet
14/12/09 09:29:00 ii : added sa divert rule for 81.43.113.103->192.168.0.133
14/12/09 09:29:00 ii : dequeueing ip packet
14/12/09 09:29:00 ii : queueing ip packet
14/12/09 09:29:00 ii : dequeueing ip packet
14/12/09 09:29:00 ii : inspecting ARP request ...
14/12/09 09:29:01 ii : inspecting ARP request ...
14/12/09 09:29:02 ii : inspecting ARP request ...
14/12/09 09:29:02 ii : inspecting ARP request ...
14/12/09 09:29:03 ii : inspecting ARP request ...


 
LVL 68

Expert Comment

by:Qlemo
3DES DH-2 MD5 is just the first proposal of 13, and found as a match. Other combinations most likely work, too.
Phase 2 uses AES 128, SHA-1, No PFS (no DH). Also I see the proxy IDs use a local IP of 192.168.152.26, which might be set up in Shrew in the "General" tab, or assigned by the Juniper based on the XAuth login.
The remote network used in the proxy ID is 192.168.200.0/24 only, though later 192.168.199.0/24 is installed as an additional route. This might also be important - NCP should only have the .200 network set up, or have it as the first one. (No clue where you set that up, so don't ask :D). A mismatch here will probably stop negotiation, but you should get something useful as error info (something like "ID mismatch").
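As an added example (editor's code, not part of the original thread or of Shrew Soft), the following Python script parses the iked.log format gplana posted above and extracts the facts Qlemo read by hand: the matched Phase 1 and Phase 2 transforms, the accepted proxy IDs, the networks Shrew routed into the tunnel, the XAuth result and any '!!' warnings. It then flags the negotiated settings a reviewer would question (3DES, MD5, modp-1024 and no PFS are the editor's thresholds, not anything Shrew reports) and lists tunnel routes that no Phase 2 SA in the trace covers, which is the .199 and 146.219.196.0/24 observation made above. The sample lines are copied from the posted trace and shortened. Shrew sets up Phase 2 per policy when traffic first matches, so a route without an SA in a short trace means "not exercised yet", not necessarily a gateway mismatch; the Android client's "IKE phase 2. Waiting for Msg 2" error would show in such a trace as phase1_sa being True and phase2_sa staying False.

```python
"""Summarise a Shrew Soft VPN Client IKE trace (iked.log). Added example, not
code from the thread. Line format: '14/12/09 09:14:44 ii : message', where the
two-character code is ii (info), !! (warning) or a packet/ipc direction marker."""
import ipaddress
import re

LINE_RE = re.compile(r"^\d\d/\d\d/\d\d \d\d:\d\d:\d\d (?P<code>\S\S) : (?P<msg>.*)$")
MATCH_RE = re.compile(r"^matched (?P<kind>isakmp|ipsec-esp) proposal #(\d+) transform #(\d+)$")
ATTR_RE = re.compile(r"^- (?P<key>[a-z]+(?: [a-z]+)*) += (?P<val>.+)$")
PROXY_RE = re.compile(r"^- (?P<side>loc|rmt) (?P<sel>.+)$")
ROUTE_RE = re.compile(r"^created IPSEC policy route for (?P<net>\S+)$")
XAUTH_RE = re.compile(r"^user (?P<user>\S+) authentication succeeded$")


def parse_iked_log(text):
    """Negotiated Phase 1/2 parameters, proxy IDs, tunnel routes, XAuth result
    and '!!' warnings from one iked.log trace."""
    out = {"phase1": {}, "phase2": {}, "phase2_ids": [], "routes": [], "warnings": [],
           "xauth_user": None, "phase1_sa": False, "phase2_sa": False}
    section = None  # block the following '- key = value' lines belong to
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg").strip()
        if m.group("code") == "!!":
            out["warnings"].append(msg)
            continue
        if pm := MATCH_RE.match(msg):
            section = "phase1" if pm.group("kind") == "isakmp" else "phase2"
            out[section]["proposal"] = (int(pm.group(2)), int(pm.group(3)))
            continue
        if msg == "phase2 ids accepted":
            out["phase2_ids"].append({})
            section = "ids"
            continue
        if section == "ids" and (xm := PROXY_RE.match(msg)):
            out["phase2_ids"][-1][xm.group("side")] = xm.group("sel")
            continue
        if section in ("phase1", "phase2") and (am := ATTR_RE.match(msg)):
            out[section][am.group("key")] = am.group("val").strip()
            continue
        section = None  # any other line ends the attribute block
        if msg.endswith(" sa established"):
            out[msg.split()[0] + "_sa"] = True  # 'phase1 sa established' -> phase1_sa
        elif rm := ROUTE_RE.match(msg):
            out["routes"].append(rm.group("net"))
        elif um := XAUTH_RE.match(msg):
            out["xauth_user"] = um.group("user")
    return out


def assess(summary):
    """Negotiated settings a security reviewer would question (editor's thresholds)."""
    p1, p2, findings = summary["phase1"], summary["phase2"], []
    if p1.get("cipher type") in ("des", "3des"):
        findings.append("phase1 cipher %s: prefer aes" % p1["cipher type"])
    if p1.get("hash type") == "md5":
        findings.append("phase1 hash md5: prefer sha1 or sha2")
    if any(g in p1.get("dh group", "") for g in ("modp-768", "modp-1024")):
        findings.append("phase1 %s: prefer modp-2048 (group14) or stronger" % p1["dh group"])
    if p2.get("pfs dh group") == "none":
        findings.append("phase2 without PFS: ESP keys derive from the phase1 secret only")
    return findings


def uncovered_routes(summary):
    """Networks routed into the tunnel that no Phase 2 SA in this trace covers.
    Shrew negotiates Phase 2 per policy on first use, so these are the
    destinations a longer test must exercise (IPv4 selectors only)."""
    covered = []
    for ids in summary["phase2_ids"]:
        if " -> " in ids.get("loc", ""):
            remote = ids["loc"].split(" -> ", 1)[1]  # 'ANY:192.168.200.0/24:*'
            covered.append(ipaddress.ip_network(remote.split(":")[1], strict=False))
    return [n for n in summary["routes"]
            if not any(ipaddress.ip_network(n, strict=False).subnet_of(c) for c in covered)]


# Constructed from gplana's trace above, shortened to the lines the parser uses.
SAMPLE_LOG = """\
14/12/09 09:14:44 !! : peer violates RFC, transform number mismatch ( 1 != 13 )
14/12/09 09:14:44 ii : matched isakmp proposal #1 transform #1
14/12/09 09:14:44 ii : - cipher type  = 3des
14/12/09 09:14:44 ii : - hash type    = md5
14/12/09 09:14:44 ii : - dh group     = group2 ( modp-1024 )
14/12/09 09:14:44 ii : - auth type    = xauth-initiator-psk
14/12/09 09:14:44 ii : phase1 sa established
14/12/09 09:14:44 ii : user gplana authentication succeeded
14/12/09 09:14:49 ii : created IPSEC policy route for 146.219.196.0/24
14/12/09 09:14:49 ii : created IPSEC policy route for 192.168.200.0/24
14/12/09 09:14:49 ii : created IPSEC policy route for 192.168.199.0/24
14/12/09 09:14:52 ii : matched ipsec-esp proposal #1 transform #1
14/12/09 09:14:52 ii : - transform    = esp-aes
14/12/09 09:14:52 ii : - key length   = 128 bits
14/12/09 09:14:52 ii : - msg auth     = hmac-sha1
14/12/09 09:14:52 ii : - pfs dh group = none
14/12/09 09:14:52 ii : phase2 ids accepted
14/12/09 09:14:52 ii : - loc ANY:192.168.152.26:* -> ANY:192.168.200.0/24:*
14/12/09 09:14:52 ii : - rmt ANY:192.168.200.0/24:* -> ANY:192.168.152.26:*
14/12/09 09:14:52 ii : phase2 sa established
"""

if __name__ == "__main__":
    s = parse_iked_log(SAMPLE_LOG)
    print(s["phase1"], s["phase2"], s["phase2_ids"], sep="\n")
    print("findings:", *assess(s), sep="\n  ")
    print("routes without a phase2 SA in this trace:", uncovered_routes(s))
```

To use it on a real session, replace SAMPLE_LOG with the contents of the iked.log written under the Shrew debug folder once the "informational" level is enabled as described in the accepted solution. The same parse works on the NCP side only if that client writes a comparable IKE trace, which the thread does not establish.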
 
LVL 15

Author Closing Comment

by:gplana
The problem is still not solved, but now I think I have the tools to communicate with a system administration company that will help us with this tracing information.

Thank you for your great support and patience on this case.
