JuniperForum.com
Topic: SSG & Shrew: Why the traffic is denied?!?!?!
Di4bLo
« on: February 01, 2010, 09:21:20 AM »

Hi everybody,
I have a Dial up VPN connection between an SSG-5 and the Shrew Soft VPN Client.

Date / Time    Level    Description
2010-02-01 16:24:32   info   IKE 195.110.154.82: XAuth login was passed for gateway vpnclient_gateway, username leo, retry: 0, Client IP Addr 10.70.7.170, IPPool name: vpn_video, Session-Timeout: 0s, Idle-Timeout: 0s.
2010-02-01 16:24:32   info   IKE 195.110.154.82: XAuth login was refreshed for username leo at 10.70.7.170/255.255.255.255.
2010-02-01 16:24:32   info   Rejected an IKE packet on ethernet0/0 from 195.110.154.82:2396 to 83.211.53.180:4500 with cookies 1fe0bfb40a83b910 and 90543ac11172044e because A Phase 2 packet arrived while XAuth was still pending.
2010-02-01 16:24:32   info   IKE 195.110.154.82 Phase 1: Completed Aggressive mode negotiations with a 28800-second lifetime.
2010-02-01 16:24:32   info   IKE 195.110.154.82 Phase 1: Completed for user vpnclient_phase1_id.
2010-02-01 16:24:32   info   IKE<195.110.154.82> Phase 1: IKE responder has detected NAT in front of the remote device.
2010-02-01 16:24:32   info   IKE<195.110.154.82> Phase 1: IKE responder has detected NAT in front of the local device.
2010-02-01 16:24:32   info   IKE 195.110.154.82 Phase 1: Responder starts AGGRESSIVE mode negotiations.

The VPN is OK but I can't ping because the policy denies all the traffic inside the tunnel:

Date/Time     Source Address/Port     Destination Address/Port     Translated Source Address/Port     Translated Destination Address/Port     Service     Duration     Bytes Sent     Bytes Received     Close Reason
2010-02-01 16:18:52   10.70.7.170:137   10.70.7.150:137   0.0.0.0:0   0.0.0.0:0   NETBIOS (NS)   0 sec.   0   0   Traffic Denied
2010-02-01 16:18:52   10.70.7.170:55135   10.70.7.125:53   0.0.0.0:0   0.0.0.0:0   DNS   0 sec.   0   0   Traffic Denied
2010-02-01 16:18:51   10.70.7.170:137   10.70.7.150:137   0.0.0.0:0   0.0.0.0:0   NETBIOS (NS)   0 sec.   0   0   Traffic Denied
2010-02-01 16:18:50   10.70.7.170:55135   10.70.7.125:53   0.0.0.0:0   0.0.0.0:0   DNS   0 sec.   0   0   Traffic Denied

What am I doing wrong?

Thank you.


marty
« Reply #1 on: February 02, 2010, 01:35:36 AM »

How do you say the VPN is OK... I can't see Phase 2 completing in the logs you have pasted above... can you paste your conf so we can check the policies and other config details?

Marty
Di4bLo
« Reply #2 on: February 02, 2010, 07:06:03 AM »

Right.
This is the config file.

Thank you for the answer.


set clock timezone 0
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set alg appleichat enable
unset alg appleichat re-assembly enable
set alg sctp enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "admin"
set admin password "xxxxx"
set admin auth web timeout 10
set admin auth dial-in timeout 3
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone id 100 "Video (5)"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "DMZ" tcp-rst
set zone "VLAN" block
unset zone "VLAN" tcp-rst
unset zone "Video (5)" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Untrust"
set interface "ethernet0/1" zone "DMZ"
set interface "bgroup0" zone "Trust"
set interface "bgroup1" zone "Video (5)"
set interface bgroup0 port ethernet0/2
set interface bgroup1 port ethernet0/5
unset interface vlan1 ip
set interface ethernet0/0 ip 83.0.0.180/24
set interface ethernet0/0 route
set interface bgroup0 ip 192.168.10.218/24
set interface bgroup0 nat
set interface bgroup1 ip 10.70.7.218/24
set interface bgroup1 route
set interface ethernet0/0 gateway 83.0.0.177
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/0 ip manageable
set interface bgroup0 ip manageable
set interface bgroup1 ip manageable
set interface ethernet0/0 manage ping
set interface ethernet0/0 manage web
set interface bgroup0 manage mtrace
set interface bgroup1 manage ping
set interface bgroup1 manage web
set interface "serial0/0" modem settings "USR" init "AT&F"
set interface "serial0/0" modem settings "USR" active
set interface "serial0/0" modem speed 115200
set interface "serial0/0" modem retry 3
set interface "serial0/0" modem interval 10
set interface "serial0/0" modem idle-time 10
set flow tcp-mss
unset flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set address "Trust" "Video rete" 10.70.7.0 255.255.255.0
set address "Trust" "Video server" 10.70.7.150 255.255.255.255
set address "Untrust" "10.7.70.0/24" 10.7.70.0 255.255.255.0
set ippool "vpn_video" 10.70.7.170 10.70.7.180
set user "leo" uid 10
set user "leo" type xauth
set user "leo" password "yyyyyyy"
unset user "leo" type auth
set user "leo" "enable"
set user "vpnclient_phase1_id" uid 9
set user "vpnclient_phase1_id" ike-id fqdn "client.domain" share-limit 1
set user "vpnclient_phase1_id" type ike
set user "vpnclient_phase1_id" "enable"
set user-group "vpnclient_group" id 4
set user-group "vpnclient_group" user "vpnclient_phase1_id"
set ike gateway "vpnclient_gateway" dialup "vpnclient_group" Aggr local-id "vpngw.domain" outgoing-interface "ethernet0/0" preshare "zzzzzzzz" proposal "pre-g2-3des-sha" "pre-g2-3des-md5" "pre-g2-aes128-sha" "pre-g2-aes128-md5"
set ike gateway "vpnclient_gateway" cert peer-ca all
set ike gateway "vpnclient_gateway" dpd-liveness interval 30
unset ike gateway "vpnclient_gateway" nat-traversal udp-checksum
set ike gateway "vpnclient_gateway" nat-traversal keepalive-frequency 5
set ike gateway "vpnclient_gateway" xauth server "Local"
unset ike gateway "vpnclient_gateway" xauth do-edipi-auth
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set xauth default ippool "vpn_video"
set xauth default dns1 10.70.7.125
set xauth default wins1 10.70.7.150
set vpn "vpnclient_tunnel" gateway "vpnclient_gateway" replay tunnel idletime 0 proposal "nopfs-esp-3des-sha"  "nopfs-esp-3des-md5"  "nopfs-esp-aes128-sha"  "nopfs-esp-aes128-md5"
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set url protocol websense
exit
set policy id 2 from "Untrust" to "Trust"  "Dial-Up VPN" "Video rete" "ANY" tunnel vpn "vpnclient_tunnel" id 0x19 log
set policy id 2
exit
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit log
set policy id 1
exit
set policy id 3 from "Trust" to "Untrust"  "Video rete" "Dial-Up VPN" "ANY" tunnel vpn "vpnclient_tunnel" id 0x1a log
set policy id 3
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
unset license-key auto-update
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
Di4bLo
« Reply #3 on: February 02, 2010, 07:21:16 AM »

... and this is the new report (after some modifications to the client configuration):

Date / Time    Level    Description
2010-02-02 14:26:46   info   IKE 195.110.154.82 Phase 2 msg ID 628477c5: Completed negotiations with SPI fbd57a31, tunnel ID 32785, and lifetime 3600 seconds/0 KB.
2010-02-02 14:26:46   info   IKE 195.110.154.82 Phase 2 msg ID 628477c5: Responded to the peer's first message.
2010-02-02 14:26:41   info   IKE 195.110.154.82: XAuth login was passed for gateway vpnclient_gateway, username leo, retry: 0, Client IP Addr 10.70.7.170, IPPool name: vpn_video, Session-Timeout: 0s, Idle-Timeout: 0s.
2010-02-02 14:26:41   info   IKE 195.110.154.82: XAuth login was refreshed for username leo at 10.70.7.170/255.255.255.255.
2010-02-02 14:26:41   info   Rejected an IKE packet on ethernet0/0 from 195.110.154.82:1100 to 83.211.53.180:4500 with cookies 980d90d964fb183b and f806c02ddf520baf because A Phase 2 packet arrived while XAuth was still pending.
2010-02-02 14:26:41   info   IKE 195.110.154.82 Phase 1: Completed Aggressive mode negotiations with a 28800-second lifetime.
2010-02-02 14:26:41   info   IKE 195.110.154.82 Phase 1: Completed for user vpnclient_phase1_id.
2010-02-02 14:26:41   info   IKE<195.110.154.82> Phase 1: IKE responder has detected NAT in front of the remote device.
2010-02-02 14:26:41   info   IKE<195.110.154.82> Phase 1: IKE responder has detected NAT in front of the local device.
2010-02-02 14:26:41   info   IKE 195.110.154.82 Phase 1: Responder starts AGGRESSIVE mode negotiations.


After the connection I can't ping the server. The policy log is clear now (no more traffic denies, but it's simply empty).

I'm lost....
marty
« Reply #4 on: February 02, 2010, 12:45:44 PM »

Config seems to be fine, and the logs show that Phase 2 is also passing.... There should be some setting on the Shrew VPN Client which might have something to do with the VPN traffic. Pasting a link below which is about the NetScreen-Remote client; check if that gives you any clues about your Shrew VPN Client. Something about the interface to be chosen to pass the VPN traffic.

http://kb.juniper.net/index?page=content&id=KB6731&actp=search&searchid=1265128891738

Marty
Di4bLo
« Reply #5 on: February 05, 2010, 08:01:47 AM »

Thank you for your reply.

I still have the same problem.
The VPN is OK in both phases, but when I ping, the policy closes everything.

Date/Time     Source Address/Port     Destination Address/Port     Translated Source Address/Port     Translated Destination Address/Port     Service     Duration     Bytes Sent     Bytes Received     Close Reason
2010-02-05 15:08:09   10.70.7.170:137   10.70.7.150:137   0.0.0.0:0   0.0.0.0:0   NETBIOS (NS)   0 sec.   0   0   Traffic Denied
2010-02-05 15:08:08   10.70.7.170:137   10.70.7.150:137   0.0.0.0:0   0.0.0.0:0   NETBIOS (NS)   0 sec.   0   0   Traffic Denied
2010-02-05 15:08:06   10.70.7.170:137   10.70.7.150:137   0.0.0.0:0   0.0.0.0:0   NETBIOS (NS)   0 sec.   0   0   Traffic Denied
2010-02-05 15:08:05   10.70.7.170:3328   10.70.7.150:768   0.0.0.0:0   0.0.0.0:0   ICMP   0 sec.   0   0   Traffic Denied
   
I think it's only a policy problem. Packets arrive but they are blocked by that bastard policy...

Any hint?
Please...
marty
« Reply #6 on: February 05, 2010, 01:00:24 PM »

Thanks for the policy logs... I reckon that the policy you have configured has the issue...

set policy id 2 from "Untrust" to "Trust"  "Dial-Up VPN" "Video rete" "ANY" tunnel vpn "vpnclient_tunnel" id 0x19 log
set policy id 2
exit

Instead it should be

set policy id 2 from "Untrust" to "Video (5)"  "Dial-Up VPN" "Video rete" "ANY" tunnel vpn "vpnclient_tunnel" id 0x19 log
set policy id 2
exit

Configure the above policy and that should make the things fine...

Marty
deanb
« Reply #7 on: February 05, 2010, 01:10:49 PM »

Change the IP pool settings for dialup users (IP subnet).
« Last Edit: February 05, 2010, 01:21:59 PM by deanb »
marty
« Reply #8 on: February 05, 2010, 02:55:45 PM »

Ignore my update above, I think I was drunk.... Change the IP Pool as per deanb and check.......... Apologies...

Marty
Di4bLo
« Reply #9 on: February 06, 2010, 05:03:53 AM »

Thanks to both for replies.

How can I change the IP Pool subnet? In Object -> IP Pools I can only set the IP range (10.70.7.170->10.70.7.180).

marty
« Reply #10 on: February 06, 2010, 07:21:36 AM »

It might not be giving you an option to change the pool; you would have to do the config again: unbind the user from the policy and then remove the pool from the user setting.

Better create a new pool and a new user, make a new Dial-up to LAN policy and bind that to the user.

Marty
deanb
« Reply #11 on: February 06, 2010, 07:39:04 AM »

Or just delete the dialup policy and you will be able to change the IP pool settings.

10.70.7.170->10.70.7.180 to 10.70.30.170->10.70.30.180 for example

and create the policy again..
Di4bLo
« Reply #12 on: February 09, 2010, 06:59:26 AM »

Quote from: deanb on February 06, 2010, 07:39:04 AM
Or just delete the dialup policy and you will be able to change the IP pool settings.

10.70.7.170->10.70.7.180 to 10.70.30.170->10.70.30.180 for example

and create the policy again..


I have done that but the problem still remains.

There is another thing to say. The server is 10.70.7.150, and it's in a VLAN. I have set up a trust interface on that VLAN: 10.70.7.218. Maybe I have to tell the NetScreen to send everything through that interface?

These are the reports and the client settings:

POLICY LOG:

Date/Time     Source Address/Port     Destination Address/Port     Translated Source Address/Port     Translated Destination Address/Port     Service     Duration     Bytes Sent     Bytes Received     Close Reason
2010-02-09 13:37:29   10.70.0.180:1024   10.70.7.150:768   0.0.0.0:0   0.0.0.0:0   ICMP   0 sec.   0   0   Traffic Denied
2010-02-09 13:37:24   10.70.0.180:768   10.70.7.150:768   0.0.0.0:0   0.0.0.0:0   ICMP   0 sec.   0   0   Traffic Denied
2010-02-09 13:37:18   10.70.0.180:512   10.70.7.150:768   0.0.0.0:0   0.0.0.0:0   ICMP   0 sec.   0   0   Traffic Denied
2010-02-09 13:37:13   10.70.0.180:256   10.70.7.150:768   0.0.0.0:0   0.0.0.0:0   ICMP   0 sec.   0   0   Traffic Denied

EVENT LOG:
Date / Time    Level    Description
2010-02-09 13:37:02   info   IKE 195.110.154.82 Phase 2 msg ID 4902f18d: Completed negotiations with SPI 70ee1653, tunnel ID 32772, and lifetime 3600 seconds/0 KB.
2010-02-09 13:37:02   info   IKE 195.110.154.82 Phase 2 msg ID 4902f18d: Responded to the peer's first message.
2010-02-09 13:36:56   info   IKE 195.110.154.82: XAuth login was passed for gateway vpnclient_gateway, username leo, retry: 0, Client IP Addr 10.70.0.180, IPPool name: vpn_ippool, Session-Timeout: 0s, Idle-Timeout: 0s.
2010-02-09 13:36:56   info   Rejected an IKE packet on ethernet0/0 from 195.110.154.82:2686 to 83.211.53.180:4500 with cookies b81cf57926982fa4 and 153e8784beb70a26 because A Phase 2 packet arrived while XAuth was still pending.
2010-02-09 13:36:56   info   IKE 195.110.154.82 Phase 1: Completed Aggressive mode negotiations with a 28800-second lifetime.
2010-02-09 13:36:56   info   IKE 195.110.154.82 Phase 1: Completed for user vpnclient_phase1_id.
2010-02-09 13:36:56   info   IKE<195.110.154.82> Phase 1: IKE responder has detected NAT in front of the remote device.
2010-02-09 13:36:56   info   IKE<195.110.154.82> Phase 1: IKE responder has detected NAT in front of the local device.
2010-02-09 13:36:56   info   IKE 195.110.154.82 Phase 1: Responder starts AGGRESSIVE mode negotiations.
2010-02-09 13:36:42   notif   All logged events or alarms were cleared by admin admin

CONFIGURATION FILE:

set clock timezone 0
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set alg appleichat enable
unset alg appleichat re-assembly enable
set alg sctp enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "admin"
set admin password "xxxxxxx"
set admin auth web timeout 10
set admin auth dial-in timeout 3
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone id 100 "Video (5)"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "DMZ" tcp-rst
set zone "VLAN" block
unset zone "VLAN" tcp-rst
unset zone "Video (5)" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Untrust"
set interface "ethernet0/1" zone "DMZ"
set interface "bgroup0" zone "Trust"
set interface "bgroup1" zone "Video (5)"
set interface bgroup0 port ethernet0/2
set interface bgroup1 port ethernet0/5
unset interface vlan1 ip
set interface ethernet0/0 ip 83.1.1.1/24
set interface ethernet0/0 route
set interface bgroup0 ip 192.168.10.218/24
set interface bgroup0 nat
set interface bgroup1 ip 10.70.7.218/24
set interface bgroup1 route
set interface ethernet0/0 gateway 83.1.1.2
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/0 ip manageable
set interface bgroup0 ip manageable
set interface bgroup1 ip manageable
set interface ethernet0/0 manage ping
set interface ethernet0/0 manage web
set interface bgroup0 manage mtrace
set interface bgroup1 manage ping
set interface bgroup1 manage web
set interface "serial0/0" modem settings "USR" init "AT&F"
set interface "serial0/0" modem settings "USR" active
set interface "serial0/0" modem speed 115200
set interface "serial0/0" modem retry 3
set interface "serial0/0" modem interval 10
set interface "serial0/0" modem idle-time 10
set flow tcp-mss
unset flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set address "Trust" "10.70.0.0/255.255.0.0" 10.70.0.0 255.255.0.0
set address "Trust" "Video rete" 10.70.7.0 255.255.255.0
set address "Trust" "Video server" 10.70.7.150 255.255.255.255
set address "Untrust" "10.7.70.0/24" 10.7.70.0 255.255.255.0
set ippool "vpn_ippool" 10.70.0.180 10.70.0.199
set user "leo" uid 10
set user "leo" type xauth
set user "leo" remote ippool "vpn_ippool"
set user "leo" password "yyyyyyyyyyyyyy"
unset user "leo" type auth
set user "leo" "enable"
set user "vpnclient_phase1_id" uid 9
set user "vpnclient_phase1_id" ike-id fqdn "client.gigli" share-limit 1
set user "vpnclient_phase1_id" type ike
set user "vpnclient_phase1_id" "enable"
set user-group "vpnclient_group" id 4
set user-group "vpnclient_group" user "leo"
set user-group "vpnclient_group" user "vpnclient_phase1_id"
set ike gateway "vpnclient_gateway" dialup "vpnclient_group" Aggr local-id "vpngw.gigli" outgoing-interface "ethernet0/0" preshare "zzzzzzzzzzzz" proposal "pre-g2-3des-sha" "pre-g2-3des-md5" "pre-g2-aes128-sha" "pre-g2-aes128-md5"
set ike gateway "vpnclient_gateway" cert peer-ca all
set ike gateway "vpnclient_gateway" dpd-liveness interval 30
unset ike gateway "vpnclient_gateway" nat-traversal udp-checksum
set ike gateway "vpnclient_gateway" nat-traversal keepalive-frequency 5
set ike gateway "vpnclient_gateway" xauth server "Local"
unset ike gateway "vpnclient_gateway" xauth do-edipi-auth
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vpn "vpnclient_tunnel" gateway "vpnclient_gateway" replay tunnel idletime 0 proposal "nopfs-esp-3des-sha"  "nopfs-esp-3des-md5"  "nopfs-esp-aes128-sha"  "nopfs-esp-aes128-md5"
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set url protocol websense
exit
set policy id 2 from "Untrust" to "Trust"  "Dial-Up VPN" "Video rete" "ANY" tunnel vpn "vpnclient_tunnel" id 0xb log
set policy id 2
exit
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit log
set policy id 1
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
unset license-key auto-update
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit


CLIENT CONFIGURATION (SHREWSOFT VPN CLIENT):
Auto configuration: ike config push
Address method: Obtain Automatically
MTU: 1380
NAT traversal: enable (port 4500)
Keep alive: 15 sec
IKE Fragmentation: enable
Name resolution: all settings on Obtain Automatically
Authentication method: Mutual PSK + XAuth
Authentication local identity: FQDN (client.gigli)
Authentication remote identity: FQDN (vpngw.gigli)
Credential PSK: "the key"

Phase1 Exchange type: aggressive
Phase1 DH Exchange: Group 2
Phase1 Cipher Algorithm: auto
Phase1 Hash Algorithm: auto
Phase1  Key Life Time limit: 86400 sec

Phase2 Transform Algorithm: auto
Phase2 HMAC Algorithm: auto
Phase2 Compress Algorithm: disabled
Phase2 Key Life Time limit: 3600 sec

Policy Remote Network Resource: 10.70.7.0 / 255.255.255.0


« Last Edit: February 09, 2010, 07:07:24 AM by Di4bLo »
deanb
« Reply #13 on: February 09, 2010, 07:24:34 AM »

Can you at least ping FW's interface 10.70.7.218?


Di4bLo
« Reply #14 on: February 09, 2010, 08:38:15 AM »

Quote from: deanb on February 09, 2010, 07:24:34 AM
Can you at least ping FW's interface 10.70.7.218?

No ;_;
SavageBeast
« Reply #15 on: February 12, 2010, 10:43:25 AM »

set ike gateway "vpnclient_gateway" cert peer-ca all  -- Are you using a cert? If not, then unset this option.

Also, you eliminated your xauth settings, therefore you would establish a tunnel but would never gain an IP from the pool to access the internal network. You had it in your first posting of your config but then it wasn't in your second. You need to add this back. Also, the VPN pool cannot be in the same subnet as your private network. I use 10.10.5.0/28 for my IP pool.

set xauth default ippool "vpn_video"
set xauth default dns1 10.70.7.125
set xauth default wins1 10.70.7.150

Also, post your entire client config. Obviously eliminate your PSK.
Di4bLo
« Reply #16 on: February 17, 2010, 04:03:24 AM »

It still doesn't work.

Remember that 10.70.7.0 is in a VLAN. I have connected it to bgroup1 (set interface "bgroup1" zone "Video (5)").
This is the situation after checking everything again and after applying your suggestions:


=== CONFIG FILE =======================
set clock timezone 0
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set alg appleichat enable
unset alg appleichat re-assembly enable
set alg sctp enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "admin"
set admin password "xxx"
set admin auth web timeout 10
set admin auth dial-in timeout 3
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone id 100 "Video (5)"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "DMZ" tcp-rst
set zone "VLAN" block
unset zone "VLAN" tcp-rst
unset zone "Video (5)" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Untrust"
set interface "ethernet0/1" zone "DMZ"
set interface "bgroup0" zone "Trust"
set interface "bgroup1" zone "Video (5)"
set interface bgroup0 port ethernet0/2
set interface bgroup1 port ethernet0/5
unset interface vlan1 ip
set interface ethernet0/0 ip 83.0.0.180/24
set interface ethernet0/0 route
set interface bgroup0 ip 192.168.10.218/24
set interface bgroup0 nat
set interface bgroup1 ip 10.70.7.218/24
set interface bgroup1 route
set interface ethernet0/0 gateway 83.0.0.177
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/0 ip manageable
set interface bgroup0 ip manageable
set interface bgroup1 ip manageable
set interface ethernet0/0 manage ping
set interface ethernet0/0 manage web
set interface bgroup0 manage mtrace
set interface bgroup1 manage ping
set interface bgroup1 manage web
set interface "serial0/0" modem settings "USR" init "AT&F"
set interface "serial0/0" modem settings "USR" active
set interface "serial0/0" modem speed 115200
set interface "serial0/0" modem retry 3
set interface "serial0/0" modem interval 10
set interface "serial0/0" modem idle-time 10
set flow tcp-mss
unset flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set address "Trust" "10.70.0.0/255.255.0.0" 10.70.0.0 255.255.0.0
set address "Trust" "10.70.7.0/24" 10.70.7.0 255.255.255.0
set address "Trust" "Video rete" 10.70.7.0 255.255.255.0
set address "Trust" "Video server" 10.70.7.150 255.255.255.255
set ippool "vpn_ippool" 10.0.0.1 10.0.0.10
set user "leo" uid 10
set user "leo" type xauth
set user "leo" remote ippool "vpn_ippool"
set user "leo" remote dns1 "10.70.7.150"
set user "leo" password "yyy"
unset user "leo" type auth
set user "leo" "enable"
set user "vpnclient_phase1_id" uid 9
set user "vpnclient_phase1_id" ike-id fqdn "client.gigli" share-limit 1
set user "vpnclient_phase1_id" type ike
set user "vpnclient_phase1_id" "enable"
set user-group "vpnclient_group" id 4
set user-group "vpnclient_group" user "leo"
set user-group "vpnclient_group" user "vpnclient_phase1_id"
set ike gateway "vpnclient_gateway" dialup "vpnclient_group" Aggr local-id "vpngw.gigli" outgoing-interface "ethernet0/0" preshare "zzz" proposal "pre-g2-3des-sha" "pre-g2-3des-md5" "pre-g2-aes128-sha" "pre-g2-aes128-md5"
set ike gateway "vpnclient_gateway" dpd-liveness interval 30
unset ike gateway "vpnclient_gateway" nat-traversal udp-checksum
set ike gateway "vpnclient_gateway" nat-traversal keepalive-frequency 5
set ike gateway "vpnclient_gateway" xauth server "Local"
unset ike gateway "vpnclient_gateway" xauth do-edipi-auth
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set xauth default ippool "vpn_ippool"
set xauth default dns1 10.70.7.150
set vpn "vpnclient_tunnel" gateway "vpnclient_gateway" replay tunnel idletime 0 proposal "nopfs-esp-3des-sha"  "nopfs-esp-3des-md5"  "nopfs-esp-aes128-sha"  "nopfs-esp-aes128-md5"
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set url protocol websense
exit
set policy id 2 from "Untrust" to "Trust"  "Dial-Up VPN" "10.70.7.0/24" "ANY" tunnel vpn "vpnclient_tunnel" id 0x2 pair-policy 3 log
set policy id 2
exit
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit log
set policy id 1
exit
set policy id 3 from "Trust" to "Untrust"  "10.70.7.0/24" "Dial-Up VPN" "ANY" tunnel vpn "vpnclient_tunnel" id 0x2 pair-policy 2 log
set policy id 3
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
unset license-key auto-update
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit

====================================

=== REPORT EVENT =====================
Date / Time    Level    Description
2010-02-17 10:58:48   info   IKE 82.0.0.1 Phase 2 msg ID e8cb6bf9: Completed negotiations with SPI 156309f6, tunnel ID 32770, and lifetime 3600 seconds/0 KB.
2010-02-17 10:58:48   info   IKE 82.0.0.1 Phase 2 msg ID e8cb6bf9: Responded to the peer's first message.
2010-02-17 10:58:47   info   IKE 82.0.0.1: XAuth login was passed for gateway vpnclient_gateway, username leo, retry: 0, Client IP Addr 10.0.0.1, IPPool name: vpn_ippool, Session-Timeout: 0s, Idle-Timeout: 0s.
2010-02-17 10:58:47   info   Rejected an IKE packet on ethernet0/0 from 82.0.0.1:13891 to 83.0.0.180:4500 with cookies 7c7553d43857317e and 63a4e9ec5c9d6520 because A Phase 2 packet arrived while XAuth was still pending.
2010-02-17 10:58:47   info   IKE 82.0.0.1 Phase 1: Completed Aggressive mode negotiations with a 28800-second lifetime.
2010-02-17 10:58:47   info   IKE 82.0.0.1 Phase 1: Completed for user vpnclient_phase1_id.
2010-02-17 10:58:47   info   IKE<82.0.0.1> Phase 1: IKE responder has detected NAT in front of the remote device.
====================================

=== POLICY LOG =======================
Date/Time     Source Address/Port     Destination Address/Port     Translated Source Address/Port     Translated Destination Address/Port     Service     Duration     Bytes Sent     Bytes Received     Close Reason
2010-02-17 11:00:22   10.0.0.1:50650   10.70.7.150:53   0.0.0.0:0   0.0.0.0:0   DNS   0 sec.   0   0   Traffic Denied
2010-02-17 11:00:21   10.0.0.1:50650   10.70.7.150:53   0.0.0.0:0   0.0.0.0:0   DNS   0 sec.   0   0   Traffic Denied
2010-02-17 10:59:59   10.0.0.1:235   10.70.7.150:1   0.0.0.0:0   0.0.0.0:0   ICMP   0 sec.   0   0   Traffic Denied
2010-02-17 10:59:54   10.0.0.1:234   10.70.7.150:1   0.0.0.0:0   0.0.0.0:0   ICMP   0 sec.   0   0   Traffic Denied
2010-02-17 10:59:49   10.0.0.1:233   10.70.7.150:1   0.0.0.0:0   0.0.0.0:0   ICMP   0 sec.   0   0   Traffic Denied
2010-02-17 10:59:44   10.0.0.1:232   10.70.7.150:1   0.0.0.0:0   0.0.0.0:0   ICMP   0 sec.   0   0   Traffic Denied
2010-02-17 10:59:39   10.0.0.1:56492   10.70.7.150:53   0.0.0.0:0   0.0.0.0:0   DNS   0 sec.   0   0   Traffic Denied
====================================


=== SHREW SOFT CLIENT SETTINGS ==========
Auto configuration: ike config push
Address method: Obtain Automatically
MTU: 1380
NAT traversal: enable (port 4500)
Keep alive: 15 sec
IKE Fragmentation: enable
Name resolution: all settings on Obtain Automatically
Authentication method: Mutual PSK + XAuth
Authentication local identity: FQDN (client.gigli)
Authentication remote identity: FQDN (vpngw.gigli)
Credential PSK: "the key"

Phase1 Exchange type: aggressive
Phase1 DH Exchange: Group 2
Phase1 Cipher Algorithm: auto
Phase1 Hash Algorithm: auto
Phase1 Key Life Time limit: 86400 sec

Phase2 Transform Algorithm: auto
Phase2 HMAC Algorithm: auto
Phase2 PFS Exchange: auto
Phase2 Compress Algorithm: disabled
Phase2 Key Life Time limit: 3600 sec

Policy Remote Network Resource: 10.70.7.0 / 255.255.255.0
Maintain Persistent Security Associations: checked
====================================
Di4bLo
« Reply #17 on: February 18, 2010, 04:01:48 AM »

Question: the server I want to ping is 10.70.7.150, and it's connected through bgroup1 (Video). Should I change the policy as shown below?

From:

set policy id 2 from "Untrust" to "Trust"  "Dial-Up VPN" "10.70.7.0/24" "ANY" tunnel vpn "vpnclient_tunnel" id 0x2 pair-policy 3 log
set policy id 2

to:

set policy id 2 from "Untrust" to "Video (5)"  "Dial-Up VPN" "Video rete" "ANY" tunnel vpn "vpnclient_tunnel" id 0x1 log
set policy id 2
joon
« Reply #18 on: June 23, 2010, 03:22:20 PM »

... and this is the new report (after some modifications to the client configuration):

Date / Time    Level    Description
2010-02-02 14:26:46   info   IKE 195.110.154.82 Phase 2 msg ID 628477c5: Completed negotiations with SPI fbd57a31, tunnel ID 32785, and lifetime 3600 seconds/0 KB.
2010-02-02 14:26:46   info   IKE 195.110.154.82 Phase 2 msg ID 628477c5: Responded to the peer's first message.
2010-02-02 14:26:41   info   IKE 195.110.154.82: XAuth login was passed for gateway vpnclient_gateway, username leo, retry: 0, Client IP Addr 10.70.7.170, IPPool name: vpn_video, Session-Timeout: 0s, Idle-Timeout: 0s.
2010-02-02 14:26:41   info   IKE 195.110.154.82: XAuth login was refreshed for username leo at 10.70.7.170/255.255.255.255.
2010-02-02 14:26:41   info   Rejected an IKE packet on ethernet0/0 from 195.110.154.82:1100 to 83.211.53.180:4500 with cookies 980d90d964fb183b and f806c02ddf520baf because A Phase 2 packet arrived while XAuth was still pending.
2010-02-02 14:26:41   info   IKE 195.110.154.82 Phase 1: Completed Aggressive mode negotiations with a 28800-second lifetime.
2010-02-02 14:26:41   info   IKE 195.110.154.82 Phase 1: Completed for user vpnclient_phase1_id.
2010-02-02 14:26:41   info   IKE<195.110.154.82> Phase 1: IKE responder has detected NAT in front of the remote device.
2010-02-02 14:26:41   info   IKE<195.110.154.82> Phase 1: IKE responder has detected NAT in front of the local device.
2010-02-02 14:26:41   info   IKE 195.110.154.82 Phase 1: Responder starts AGGRESSIVE mode negotiations.

...

I am also getting the "Rejected an IKE packet on untrust from xxxx:x to yyyy:y with cookies abc123 and xyz789 because A Phase 2 packet arrived while XAuth was still pending" error when trying to connect the Shrewsoft VPN to a Juniper n5gt.  I did follow the directions on the shrewsoft support page precisely (http://www.shrew.net/support/wiki/HowtoJuniperSsg). 

Di4bLo was getting this message but corrected it "after some modifications to the client configuration."

Could anyone (Di4bLo?) please describe what changes you made to correct that particular situation?

Thank you very much.
Di4bLo
« Reply #19 on: June 24, 2010, 01:24:46 AM »

In my case I have changed this:

=== SHREW SOFT CLIENT SETTINGS ==========
Auto configuration: ike config push

And I have put the right policy on the netscreen.
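Added worked example (not from the original thread, and not Juniper's or Shrew Soft's code): a small Python script that reads the two ScreenOS logs posted in this thread, in their newest-first order, and answers the two questions raised here. From the event log it decides per remote peer whether Phase 1, XAuth and a Phase 2 exchange all appear, so a "Phase 2 packet arrived while XAuth was still pending" rejection that is followed by a Phase 2 exchange is reported as transient rather than as the failure. From the policy log it takes every "Traffic Denied" row, checks that the source is the XAuth-assigned client address (so the packets really are arriving through the tunnel and are being dropped by policy), and looks the destination up in a zone table to name the from-zone/to-zone pair the tunnel policy must use. The log text is a constructed sample in the shape of the lines posted above; the ZONES table (Video = 10.70.7.0/24 per the thread, Trust = 192.168.1.0/24 as a placeholder), the regexes and all function names are this example's own assumptions.

```python
"""Triage a ScreenOS dial-up VPN from its logs: did IKE finish, and why is tunnel traffic denied?"""
import re
from ipaddress import ip_address, ip_network

# Constructed samples in the shape of the thread's ScreenOS event log and policy log
# (newest line first, as the WebUI lists them). Columns are separated by runs of spaces.
IKE_LOG = """\
2010-02-17 10:58:48   info   IKE 82.0.0.1 Phase 2 msg ID e8cb6bf9: Responded to the peer's first message.
2010-02-17 10:58:47   info   IKE 82.0.0.1: XAuth login was passed for gateway vpnclient_gateway, username leo, retry: 0, Client IP Addr 10.0.0.1, IPPool name: vpn_ippool, Session-Timeout: 0s, Idle-Timeout: 0s.
2010-02-17 10:58:47   info   Rejected an IKE packet on ethernet0/0 from 82.0.0.1:13891 to 83.0.0.180:4500 with cookies 7c7553d43857317e and 63a4e9ec5c9d6520 because A Phase 2 packet arrived while XAuth was still pending.
2010-02-17 10:58:47   info   IKE 82.0.0.1 Phase 1: Completed Aggressive mode negotiations with a 28800-second lifetime.
2010-02-17 10:58:47   info   IKE<82.0.0.1> Phase 1: IKE responder has detected NAT in front of the remote device.
"""
POLICY_LOG = """\
Date/Time   Source Address/Port   Destination Address/Port   Translated Source Address/Port   Translated Destination Address/Port   Service   Duration   Bytes Sent   Bytes Received   Close Reason
2010-02-17 11:00:22   10.0.0.1:50650   10.70.7.150:53   0.0.0.0:0   0.0.0.0:0   DNS   0 sec.   0   0   Traffic Denied
2010-02-17 10:59:59   10.0.0.1:235   10.70.7.150:1   0.0.0.0:0   0.0.0.0:0   ICMP   0 sec.   0   0   Traffic Denied
2010-02-17 10:59:39   10.0.0.1:56492   10.70.7.150:53   0.0.0.0:0   0.0.0.0:0   DNS   0 sec.   0   0   Traffic Denied
"""
# Assumed zone layout: the thread only says 10.70.7.150 sits behind bgroup1 in zone "Video";
# the Trust subnet is a placeholder for this example.
ZONES = {"Trust": ["192.168.1.0/24"], "Video": ["10.70.7.0/24"]}

PEER_RE = re.compile(r"IKE[< ](\d+\.\d+\.\d+\.\d+)")          # "IKE 1.2.3.4 ..." or "IKE<1.2.3.4>"
REJECT_RE = re.compile(r"Rejected an IKE packet .* from (\d+\.\d+\.\d+\.\d+):\d+")
CLIENT_RE = re.compile(r"Client IP Addr (\d+\.\d+\.\d+\.\d+)")

def ike_summary(text):
    """Per remote peer: which IKE stages the log shows, plus a one-line verdict."""
    peers = {}
    for line in text.splitlines():
        m = REJECT_RE.search(line) or PEER_RE.search(line)
        if not m:
            continue
        p = peers.setdefault(m.group(1), {"phase1": False, "xauth": False, "client_ip": None,
                                           "rejected_pending": 0, "phase2": False})
        if "Phase 1: Completed" in line:
            p["phase1"] = True
        elif "XAuth login was passed" in line:
            p["xauth"], p["client_ip"] = True, CLIENT_RE.search(line).group(1)
        elif "while XAuth was still pending" in line:
            p["rejected_pending"] += 1          # client sent Phase 2 before XAuth had finished
        elif "Phase 2" in line and ("Responded to the peer" in line or "Completed negotiations" in line):
            p["phase2"] = True                  # gateway accepted a Phase 2 exchange
    for p in peers.values():
        if p["phase2"]:
            p["verdict"] = "tunnel negotiated; the 'XAuth still pending' rejection was transient"
        elif p["xauth"]:
            p["verdict"] = "XAuth passed but no Phase 2 exchange seen; check the client's Phase 2 settings"
        elif p["phase1"]:
            p["verdict"] = "Phase 1 done, XAuth not passed; check user credentials"
        else:
            p["verdict"] = "Phase 1 not completed; check PSK, identities and exchange mode"
    return peers

def denied_flows(text):
    """Rows of the policy-log table whose close reason is 'Traffic Denied'."""
    flows = []
    for line in text.splitlines()[1:]:                 # skip the header row
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) < 10 or cols[-1] != "Traffic Denied":
            continue
        flows.append({"time": cols[0], "src": cols[1].rsplit(":", 1)[0],
                      "dst": cols[2].rsplit(":", 1)[0], "service": cols[5]})
    return flows

def zone_of(ip, zones=ZONES):
    """Longest-prefix match of an address against the zone table; None if unknown."""
    best = None
    for zone, nets in zones.items():
        for net in map(ip_network, nets):
            if ip_address(ip) in net and (best is None or net.prefixlen > best[1]):
                best = (zone, net.prefixlen)
    return best[0] if best else None

def explain_denials(ike, flows, zones=ZONES):
    """Tie each denied flow to the XAuth-assigned client address and name the policy it needs."""
    client_ips = {p["client_ip"] for p in ike.values() if p["client_ip"]}
    findings = []
    for f in flows:
        zone = zone_of(f["dst"], zones)
        findings.append({**f, "from_vpn_client": f["src"] in client_ips, "dst_zone": zone,
                         "needs_policy": f"from Untrust (Dial-Up VPN) to {zone or '?'}"})
    return findings

if __name__ == "__main__":
    ike = ike_summary(IKE_LOG)
    for peer, p in ike.items():
        print(f"{peer}: {p['verdict']} (client {p['client_ip']})")
    for f in explain_denials(ike, denied_flows(POLICY_LOG)):
        print(f"{f['time']} {f['src']} -> {f['dst']} {f['service']}: from VPN client={f['from_vpn_client']}, "
              f"dst zone={f['dst_zone']}, needs policy {f['needs_policy']}")
```

Run as a script it prints one verdict per peer and one line per denied flow. With the constructed sample it reports the 82.0.0.1 peer as negotiated despite the XAuth-pending rejection, and every denied flow as coming from the client address 10.0.0.1 towards 10.70.7.150 in zone Video, so the policy that carries "Dial-Up VPN" traffic must be from Untrust to Video rather than from Untrust to Trust as in the policy id 2 first posted. Replace ZONES with your own zone/subnet layout before trusting the zone column on a real box.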