Which kind of VPN to choose for my custom case?



  • Hi all,

    I’m trying to set up a VPN dialup. I tried policy-based and route-based but didn’t get it to work.

    But I’m not sure which kind of VPN to use, so I’m asking.

    Below, a description of my network (public and private) and my SSG550.

    • public: we have a public b.b.b.0/24 routed on a public a.a.a.a/29. My interface ethernet0/1 is connected to the router of my ISP and has the IP a.a.a.1. I’m using the /24 for my public IPs (b.b.b.0/24).
    • private: on my interface ethernet0/2, I have VLANs. So I’m using sub-interfaces eth0/2.1, eth0/2.2, etc., with a dedicated subnet, c.c.X.0/24, for each of my VLANs.
      For a computer in VLAN 1, for example, I use a DIP from the VLAN to the Internet and a NAT translation from the Internet to the VLAN (for a server, for example).

    About interfaces: ethernet0/1 is in the Untrust zone in untrust-vr and the ethernet0/2.X sub-interfaces are in created zones (like client1, client2, etc.) in trust-vr.

    About routing:

    • in trust-vr: the only static route is the default one, towards a.a.a.2 (the IP of my ISP’s router).
    • in untrust-vr: the default route is the same (a.a.a.2). For my servers, I created static routes. For example, the traffic from the Internet to b.b.b.1 goes to the sub-interface eth0/2.1 to the address c.c.1.1.

    I hope I was clear enough…

    So, my goal is to create a VPN between an Internet dialup user (with NetScreen Remote) and a VLAN subnet, so that this client can reach his private subnet c.c.X.0/24.

    I tried with policy-based and route-based VPN. I think I had a route problem, because with the route-based one the message was:
    Responder sending IPv4 IP X.X.X.X/port 500

    2008-01-07 07:31:03 : IKE <x.x.x.x>Send Phase 1 packet (len=416)

    2008-01-07 07:31:07 : IKE <x.x.x.x>re-trans timer expired, msg retry (2) (11180f/5)

    And the remote client didn’t get any answer.

    But I’m not sure I tried the best way, so I would like to have your advice.

    Thank you very much!

    Gauthier



  • Hi,

    To close the topic: I succeeded in setting up a VPN, but only with a public IP from my /29 and not from my public /24.
    For Phase 2, I took the policy-based AutoKey IKE.

    It was important to have the VPN up this week.
    Now I will try to get it to work with my /24; I think there is a routing or NAT problem to resolve.

    Thanks for all your advices.

    Gauthier



  • Hi,

    I got Phase 1 complete with a gateway on the a.a.a.1 IP…

    Now I will try to get Phase 2 complete, and afterwards try to replace the a.a.a.1 IP with a public IP from the /24 (b.b.b.0/24).



    Oh, I’m sorry, I paid attention but this line was forgotten:

    set interface ethernet0/1 ext ip b.b.b.77 255.255.255.255 dip 9 b.b.b.77 b.b.b.77

    And I tried with a MIP; it didn’t change anything.


  • Global Moderator

    Maybe I’m overlooking something, but I don’t see DIP pool 9 defined. In any case make sure, very sure, you’re using the same address as source and destination. If you’re not sure: use a MIP and connect to the public side of the MIP.



    I realized I didn’t post my config.
    At this moment, these are the parts of my config files corresponding to the logs I posted previously.

    Firewall SSG

    set zone "Trust" vrouter "trust-vr"
    set zone "Untrust" vrouter "untrust-vr"
    set zone "Untrust" screen tear-drop
    set zone "Untrust" screen syn-flood
    set zone "Untrust" screen ping-death
    set zone "Untrust" screen ip-filter-src
    set zone "Untrust" screen land
    set interface "ethernet0/1" zone "Untrust"
    set interface "ethernet0/2.77" tag 77 zone "Trust"
    set interface "tunnel.77" zone "Trust"
    set interface ethernet0/1 ip a.a.a.1/29
    set interface ethernet0/1 route
    set interface ethernet0/2.77 ip c.c.77.254/24
    set interface ethernet0/2.77 nat
    set interface tunnel.77 ip unnumbered interface ethernet0/2.77
    set interface ethernet0/1 ip manageable
    set interface ethernet0/2.77 ip manageable
    set interface ethernet0/1 manage ping
    set interface ethernet0/1 ext ip b.b.b.77 255.255.255.255 dip 9 b.b.b.77 b.b.b.77
    unset flow no-tcp-seq-check
    set flow tcp-syn-check
    set ike gateway "fabienP1" address 0.0.0.0 id "fabien@example.com" Aggr outgoing-interface "ethernet0/2.77" preshare "4FksxXTNGthl6sRfwC3u5rJLmnR/K7mYA==" proposal "pre-g2-3des-sha"
    set ike gateway "fabienP1" nat-traversal udp-checksum
    set ike gateway "fabienP1" nat-traversal keepalive-frequency 100
    set ike respond-bad-spi 1
    unset ike ikeid-enumeration
    unset ike dos-protection
    unset ipsec access-session enable
    set ipsec access-session maximum 5000
    set ipsec access-session upper-threshold 0
    set ipsec access-session lower-threshold 0
    set ipsec access-session dead-p2-sa-timeout 0
    unset ipsec access-session log-error
    unset ipsec access-session info-exch-connected
    unset ipsec access-session use-error-log
    set vpn "fabienP2" gateway "fabienP1" replay tunnel idletime 0 sec-level compatible
    set vpn "fabienP2" id 33 bind interface tunnel.77
    set policy id 20 from "Trust" to "Untrust"  "Any" "Any" "ANY" nat src dip-id 9 permit log count
    set policy id 19 name "FabienVPN" from "Untrust" to "Trust"  "Any" "Any" "ANY" nat dst ip c.c.77.254 permit log
    set vrouter "untrust-vr"
    set route 0.0.0.0/0 interface ethernet0/1 gateway a.a.a.2 preference 20
    set route b.b.b.77/32 interface ethernet0/2.77 preference 20 tag 77
    exit
    set vrouter "trust-vr"
    unset add-default-route
    set route 0.0.0.0/0 interface ethernet0/1 gateway a.a.a.2 preference 20
    exit
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit

    NSR client (with the public IP 9.9.9.9)

    VPN:

    Secure
    selected Only Connect Manually
    ID Type: IP Subnet (I also tried with IP Address and the IP c.c.77.254)
    Subnet: c.c.77.0
    Mask: 255.255.255.0
    Protocol: All
    Use Secure gateway tunnel
    ID Type: IP Address
    b.b.b.77

    My Identity

    Select certificate: none
    ID Type: Email address, fabien@example.com
    Secure interface configuration: disabled
    Internet Interface: any

    Security Policy:

    Selected Phase 1 Negotiation Mode: Aggressive
    Selected Enabled PFS (DH group 2)
    Selected Replay Detection

    Authentication Proposal 1

    Pre-shared key
    Triple DES
    SHA-1
    120 seconds
    DH group 2

    Key Exchange Proposal 1

    SA Life: unspecified
    Compression: none
    ESP Triple DES SHA-1 Tunnel

    Key Exchange Proposal 2

    SA Life: unspecified
    Compression: none
    ESP Triple DES MD5 Tunnel

    Key Exchange Proposal 3

    SA Life: unspecified
    Compression: none
    ESP DES SHA-1 Tunnel

    Thanks for the time spent reading my “spam”… 🙂

    Gauthier



  • Yes, I have a policy which allows traffic from the untrust zone to the trust zone (where my sub-interface is). This policy is doing destination NAT to translate my public IP (b.b.b.77) to the IP of the sub-interface gateway (c.c.77.254).

    The log on my NSR is different now:

    My Connections - Initiating IKE Phase 1 (IP ADDR=b.b.b.77)
    My Connections - SENDING>>> ISAKMP OAK AG (SAn KE, NON, ID, VID 6X)
    My Connections - Received message from wrong IP Adress = XXXX
    My Connections \VPN- Received message from wrong IP Adress = XXXX
    My Connections\VPN - Received message from wrong IP Adress = XXXX
    My Connections\VPN - Received message from wrong IP Adress = XXXX
    My Connections\VPN - Received message from wrong IP Adress = XXXX
    My Connections\VPN - Exceed 0 IKE SA negocaition attempts
    (messages below appear after I have the window saying: Unable to connect to My Connections\VPN Please check log for further details)
    NO MATCHING CONNECTION - RECEIVED <<< ISAKMP OAK AG (SA, VID 3x, KE, NO, ID, HASH)
    NO MATCHING CONNECTION - Received message from unrecognized peer: c.c.77.254
    NO MATCHING CONNECTION - SENDING >>> ISAKMP INFO(NOTIFY:NO_PROPOSAL_CHOSEN)
    NO MATCHING CONNECTION - RECEIVED <<< ISAKMP OAK AG (SA, VID 3x, KE, NO, ID, HASH)
    NO MATCHING CONNECTION - Received message from unrecognized peer: c.c.77.254
    NO MATCHING CONNECTION - SENDING >>> ISAKMP INFO(NOTIFY:NO_PROPOSAL_CHOSEN)
    NO MATCHING CONNECTION - RECEIVED <<< ISAKMP OAK AG (SA, VID 3x, KE, NO, ID, HASH)
    NO MATCHING CONNECTION - Received message from unrecognized peer: c.c.77.254

    And the end of the log on the firewall:

    2008-01-08 14:27:59 : IKE<9.9.9.9> Responder sending IPv4 IP 62.147.236.177/port 500

    2008-01-08 14:27:59 : IKE<9.9.9.9> Send Phase 1 packet (len=416)

    2008-01-08 14:28:03 : IKE<9.9.9.9> re-trans timer expired, msg retry (11) (11180f/5)

    2008-01-08 14:28:03 : IKE<9.9.9.9> Phase 1: Retransmission limit has been reached.

    2008-01-08 14:28:06 : reap_db. deleting p1sa 1bac99c

    2008-01-08 14:28:06 : IKE<9.9.9.9> xauth_cleanup()

    2008-01-08 14:28:06 : IKE<9.9.9.9> Done cleaning up IKE Phase 1 SA

    2008-01-08 14:28:06 : peer_identity_unregister_p1_sa.

    2008-01-08 14:28:06 : IKE<0.0.0.0        >  delete peer identity 0x5c9480dc

    2008-01-08 14:28:06 : peer_idt.c peer_identity_unregister_p1_sa 509: pidt deleted.

    I think it’s strange: it’s initiating IKE Phase 1 with the public IP (b.b.b.77) and afterwards it’s talking about the sub-interface gateway IP c.c.77.254.
    Maybe the problem is coming from here, and this is the reason why it says:

    Received message from unrecognized peer: c.c.77.254

    ?

    Gauthier


  • Global Moderator

    When you terminate not on the untrust interface but on some inside interface, you probably need to set up a policy allowing UDP 500 and 4500 from untrust to the zone you have your terminating interface in!



  • Hi,

    I changed the way the NSR connects to the Internet, and now it receives this message:

    Received message from wrong IP Adress = XXXX
    Received message from wrong IP Adress = XXXX
    Received message from wrong IP Adress = XXXX
    Received message from wrong IP Adress = XXXX
    Received message from wrong IP Adress = XXXX
    Exceed 0 IKE SA negocaition attempts
    NO MATCHING CONNECTION - RECEIVED <<< ISAKMP OAK AG (SA, VID 3x, KE, NO, ID, HASH)
    NO MATCHING CONNECTION - RECEIVED <<< Received message from unrecognized peer: c.c.77.254
    NO MATCHING CONNECTION - RECEIVED <<< ISAKMP OAK INFO (NOTIFY: NO_PROPOSAL_CHOSEN)
    NO MATCHING CONNECTION - RECEIVED <<< ISAKMP OAK AG (SA, VID 3x, KE, NO, ID, HASH)
    NO MATCHING CONNECTION - RECEIVED <<< Received message from unrecognized peer: c.c.77.254
    NO MATCHING CONNECTION - RECEIVED <<< ISAKMP OAK AG (SA, VID 3x, KE, NO, ID, HASH)
    NO MATCHING CONNECTION - RECEIVED <<< Received message from unrecognized peer: c.c.77.254
    NO MATCHING CONNECTION - RECEIVED <<< ISAKMP OAK INFO (NOTIFY: NO_PROPOSAL_CHOSEN)

    And the firewall logs:

    2008-01-08 08:39:59 : IKE<9.9.9.9> re-trans timer expired, msg retry (8) (1180f/5)

    2008-01-08 08:39:59 : IKE<9.9.9.9> Responder sending IPv4 IP 69.9.9.9/port 500

    2008-01-08 08:39:59 : IKE<9.9.9.9> Send Phase 1 packet (len=348)

    I will check what these messages mean and get back to you.

    Thanks, we are making progress!

    Gauthier



  • I see this in your logs when using e0/2.x

    2008-01-07 23:05:10 : IKE<9.9.9.9> Responder sending IPv4 IP 9.9.9.9/port 500

    2008-01-07 23:05:10 : IKE<9.9.9.9> Send Phase 1 packet (len=408)

    That implies that the SSG is attempting to respond to the client. A few seconds later I see this:

    2008-01-07 23:05:15 : IKE<9.9.9.9> re-trans timer expired, msg retry (0) (11180f/5)

    2008-01-07 23:05:15 : IKE<9.9.9.9> Responder sending IPv4 IP 9.9.9.9/port 500

    2008-01-07 23:05:15 : IKE<9.9.9.9> Send Phase 1 packet (len=408)

    That implies that the SSG never got the third message and therefore retransmitted. The third message with Nat-traversal would use UDP port 4500. So there are three questions that need to be asked.

    1. Did the NSR client receive the 2nd message from the SSG?

    2. Did the NSR client transmit 3rd message using port 4500?

    3. Did that UDP 4500 message get lost in transit?

    To answer questions 1 and 2, I’d suggest running a sniffer on your NSR client PC. You can download Ethereal or Wireshark (google search it) and run that on the NSR client PC to see what is sent/received. The third question may be either the NAT device or perhaps some other device is not permitting the UDP 4500 traffic through. I would look into that and find out if perhaps some device in the path between the client and the SSG is denying UDP 4500.
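As an added example (not code from this thread or from Juniper), the following script reads ScreenOS `debug ike` output like the lines quoted above and summarises each Phase 1 attempt per peer from the responder's side: whether an IKE gateway entry matched, how many times the SSG re-sent its 2nd Aggressive Mode message, and whether the retransmission limit was reached. The sample lines are constructed after the thread's output; 9.9.9.9 and fabienP1 are the thread's own placeholders.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One ScreenOS 'debug ike' line: "<timestamp> : IKE<peer-ip   > <message>"
# (the IP inside IKE<...> may be padded with spaces, as in the thread).
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) : IKE<([\d.]+)\s*>\s*(.*)$")
PEER_RE = re.compile(r"Found peer entry \((\S+)\) from")
RETRY_RE = re.compile(r"re-trans timer expired, msg retry \((\d+)\)")

# Constructed sample, modelled on the lines quoted in the thread (9.9.9.9 and
# fabienP1 are the thread's own placeholders, not real values).
SAMPLE_LOG = """\
2008-01-07 23:05:10 : IKE<9.9.9.9> Found peer entry (fabienP1) from 9.9.9.9.
2008-01-07 23:05:10 : IKE<9.9.9.9> Send Phase 1 packet (len=408)
2008-01-07 23:05:15 : IKE<9.9.9.9> re-trans timer expired, msg retry (0) (11180f/5)
2008-01-07 23:05:19 : IKE<9.9.9.9> re-trans timer expired, msg retry (1) (11180f/5)
2008-01-07 23:05:19 : IKE<0.0.0.0        >    dh group 2
2008-01-07 23:05:30 : IKE<9.9.9.9> Phase 1: Retransmission limit has been reached.
2008-01-07 23:08:51 : IKE<9.9.9.9> Rejected an initial Phase 1 packet from an unrecognized peer gateway.
"""


@dataclass
class Phase1Attempt:
    peer_ip: str
    started: str                       # timestamp of the first line of the attempt
    peer_entry: Optional[str] = None   # IKE gateway name the SSG matched, if any
    rejected: bool = False
    retransmits: int = 0               # times the SSG re-sent its 2nd AG message
    limit_reached: bool = False

    def verdict(self) -> str:
        """Turn the responder-side evidence into the question to chase next."""
        if self.rejected:
            return "rejected: no IKE gateway matched the peer ID on the receiving interface"
        if self.limit_reached:
            return "stalled: 2nd message sent but 3rd never arrived (check UDP 500/4500 path)"
        if self.retransmits:
            return "retransmitting 2nd message, 3rd not yet received"
        return "phase 1 exchange in progress"


def summarize_phase1(log_text: str) -> List[Phase1Attempt]:
    """Group responder-side IKE lines into Phase 1 attempts, one per peer."""
    attempts: List[Phase1Attempt] = []
    pending: Dict[str, Phase1Attempt] = {}   # peer_ip -> attempt still negotiating
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, peer_ip, msg = m.groups()
        if "Rejected an initial Phase 1 packet" in msg:
            attempts.append(Phase1Attempt(peer_ip, ts, rejected=True))
            pending.pop(peer_ip, None)
            continue
        pm = PEER_RE.search(msg)
        if pm:                               # a fresh first message matched a gateway
            pending[peer_ip] = Phase1Attempt(peer_ip, ts, peer_entry=pm.group(1))
            attempts.append(pending[peer_ip])
            continue
        rm = RETRY_RE.search(msg)
        limit = "Retransmission limit has been reached" in msg
        if not (rm or limit):
            continue
        attempt = pending.get(peer_ip)
        if attempt is None:                  # log was cut: start an attempt anyway
            attempt = pending[peer_ip] = Phase1Attempt(peer_ip, ts)
            attempts.append(attempt)
        if rm:
            attempt.retransmits = int(rm.group(1)) + 1   # retry counter is zero-based
        else:
            attempt.limit_reached = True
            pending.pop(peer_ip, None)
    return attempts
```

Run `summarize_phase1()` over the output of `debug ike detail` and read each attempt's `verdict()`: a "rejected" verdict points at the gateway definition and its outgoing interface, a "stalled" verdict at the UDP 500/4500 path between client and SSG.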



  • Yes, I tried with and without, but it didn’t change.
    I know where it is for the firewall, but for NetScreen Remote I don’t know; where is it?

    And I enabled NAT traversal, because I thought it was necessary for my situation.

    Gauthier


  • Global Moderator

    If I understand well, you’re NATting the IKE traffic?! Did you enable NAT traversal on both sides?



  • Hi,

    Thanks for the link, very instructive!

    I followed the instructions, and now I have two situations depending on the interface chosen for the IKE gateway.

    1. If I choose the Untrust eth0/1, I have the message (with debug ike detail):

    2008-01-07 23:08:51 : IKE<9.9.9.9> ike packet, len 426, action 1

    2008-01-07 23:08:51 : IKE<9.9.9.9> Catcher: received 398 bytes from socket.

    2008-01-07 23:08:51 : IKE<9.9.9.9> ****** Recv packet if <ethernet0/2.77> of vsys <root> ******

    2008-01-07 23:08:51 : IKE<9.9.9.9> Catcher: get 398 bytes. src port 500

    2008-01-07 23:08:51 : IKE<0.0.0.0        >  ISAKMP msg: len 398, nxp 1[SA], exch 4[AG], flag 00

    2008-01-07 23:08:51 : IKE<9.9.9.9  > Recv : [SA] [KE] [NONCE] [ID] [VID] [VID] [VID] [VID] [VID]

    2008-01-07 23:08:51 : [VID]

    2008-01-07 23:08:51 : IKE<0.0.0.0        >    Validate (370): SA/44 KE/132 NONCE/36 ID/26 VID/48 VID/12 VID/20 VID/12 VID/20

    2008-01-07 23:08:51 : IKE<9.9.9.9  >  Receive Id in AG mode, id-type=3, id=fabien@trinaps.com

    2008-01-07 23:08:51 : IKE<0.0.0.0        > IKE: attempt to get group ike id user fabien@trinaps.com from empty sort list.

    2008-01-07 23:08:51 : IKE<0.0.0.0        > no group IKE id user found <-1>.

    2008-01-07 23:08:51 : IKE<0.0.0.0        >  No peer_ent by peer ID fabien@trinaps.com/3 and local IP

    2008-01-07 23:08:51 : IKE<0.0.0.0        >  Find NATT enabled peer with matching ID and ifp.

    2008-01-07 23:08:51 :  peer <fabienP1> is not a static-ip peer.

    2008-01-07 23:08:51 : IKE<0.0.0.0        >  failed to find natt static peer by IKE id and ifp.

    2008-01-07 23:08:51 : IKE<9.9.9.9> Rejected an initial Phase 1 packet from an unrecognized peer gateway.

    2. If I choose the interface eth0/2.X (so a sub-interface, as described in my first post), I have the message:

    2008-01-07 23:05:10 : IKE<9.9.9.9> ike packet, len 426, action 1

    2008-01-07 23:05:10 : IKE<9.9.9.9> Catcher: received 398 bytes from socket.

    2008-01-07 23:05:10 : IKE<9.9.9.9> ****** Recv packet if <ethernet0/2.77> of vsys <root> ******

    2008-01-07 23:05:10 : IKE<9.9.9.9> Catcher: get 398 bytes. src port 500

    2008-01-07 23:05:10 : IKE<0.0.0.0        >  ISAKMP msg: len 398, nxp 1[SA], exch 4[AG], flag 00

    2008-01-07 23:05:10 : IKE<9.9.9.9  > Recv : [SA] [KE] [NONCE] [ID] [VID] [VID] [VID] [VID] [VID]

    2008-01-07 23:05:10 : [VID]

    2008-01-07 23:05:10 : IKE<0.0.0.0        >    Validate (370): SA/44 KE/132 NONCE/36 ID/26 VID/48 VID/12 VID/20 VID/12 VID/20

    2008-01-07 23:05:10 : IKE<9.9.9.9> found peer fabienP1

    2008-01-07 23:05:10 : IKE<9.9.9.9> Found peer entry (fabienP1) from 9.9.9.9.

    2008-01-07 23:05:10 : responder create sa: 9.9.9.9->c.c.77.254

    2008-01-07 23:05:10 : init p1sa, pidt = 0x0

    2008-01-07 23:05:10 : change peer identity for p1 sa, pidt = 0x0

    2008-01-07 23:05:10 : IKE<0.0.0.0        >  create peer identity 085c947e30

    2008-01-07 23:05:10 : peer identity 5c947e30 created.

    2008-01-07 23:05:10 : IKE<0.0.0.0        >  EDIPI disabled

    2008-01-07 23:05:10 : IKE<9.9.9.9> getProfileFromP1Proposal->

    2008-01-07 23:05:10 : IKE<9.9.9.9> find profile[0]=<00000005 00000002 00000001 00000002> for p1 proposal (id 5), xauth(0)

    2008-01-07 23:05:10 : IKE<9.9.9.9> responder create sa: 9.9.9.9->c.c.77.254

    2008-01-07 23:05:10 : IKE<9.9.9.9> Phase 1: Responder starts AGGRESSIVE mode negotiations.

    2008-01-07 23:05:10 : IKE<9.9.9.9> AG in state OAK_AG_NOSTATE.

    2008-01-07 23:05:10 : IKE<9.9.9.9> Process [VID]:

    2008-01-07 23:05:10 : IKE<9.9.9.9  >  Vendor ID:

    2008-01-07 23:05:10 : 47 bb e7 c9 93 f1 fc 13  b4 e6 d0 db 56 5c 68 e5

    2008-01-07 23:05:10 : 01 02 01 01 02 01 01 03  10 31 30 2e 37 2e 37 20

    2008-01-07 23:05:10 : 28 42 75 69 6c 64 20 36  29 00 00 00

    2008-01-07 23:05:10 : IKE<9.9.9.9> receive unknown vendor ID payload

    2008-01-07 23:05:10 : IKE<9.9.9.9> Process [VID]:

    2008-01-07 23:05:10 : IKE<9.9.9.9  >  Vendor ID:

    2008-01-07 23:05:10 : da 8e 93 78 80 01 00 00

    2008-01-07 23:05:10 : IKE<9.9.9.9> receive unknown vendor ID payload

    2008-01-07 23:05:10 : IKE<9.9.9.9> Process [VID]:

    2008-01-07 23:05:10 : IKE<9.9.9.9  >  Vendor ID:

    2008-01-07 23:05:10 : af ca d7 13 68 a1 f1 c9  6b 86 96 fc 77 57 01 00

    2008-01-07 23:05:10 : IKE<9.9.9.9> Process [VID]:

    2008-01-07 23:05:10 : IKE<9.9.9.9  >  Vendor ID:

    2008-01-07 23:05:10 : 09 00 26 89 df d6 b7 12

    2008-01-07 23:05:10 : IKE<9.9.9.9> rcv XAUTH v6.0 vid

    2008-01-07 23:05:10 : IKE<9.9.9.9> Process [VID]:

    2008-01-07 23:05:10 : IKE<9.9.9.9  >  Vendor ID:

    2008-01-07 23:05:10 : 44 85 15 2d 18 b6 bb cd  0b e8 a8 46 95 79 dd cc

    2008-01-07 23:05:10 : IKE<9.9.9.9> rcv NAT-Traversal VID payload (draft-ietf-ipsec-nat-t-ike-00).

    2008-01-07 23:05:10 : IKE<9.9.9.9> Process [VID]:

    2008-01-07 23:05:10 : IKE<9.9.9.9  >  Vendor ID:

    2008-01-07 23:05:10 : 90 cb 80 91 3e bb 69 6e  08 63 81 b5 ec 42 7b 1f

    2008-01-07 23:05:10 : IKE<9.9.9.9> rcv NAT-Traversal VID payload (draft-ietf-ipsec-nat-t-ike-02).

    2008-01-07 23:05:10 : IKE<9.9.9.9> Process [SA]:

    2008-01-07 23:05:10 : IKE<9.9.9.9> Proposal received: xauthflag c

    2008-01-07 23:05:10 : IKE<9.9.9.9> auth(1)<preshrd>, encr(5)<3DES>, hash(2)<sha>, group(2)

    2008-01-07 23:05:10 : IKE<9.9.9.9> xauth attribute: disabled

    2008-01-07 23:05:10 : IKE<9.9.9.9> Phase 1 proposal [0] selected.

    2008-01-07 23:05:10 : IKE<0.0.0.0        >    dh group 2

    2008-01-07 23:05:10 : IKE<9.9.9.9> DH_BG_consume OK. p1 resp

    2008-01-07 23:05:10 : IKE<9.9.9.9> Process [KE]:

    2008-01-07 23:05:10 : IKE<9.9.9.9> processing ISA_KE in phase 1.

    2008-01-07 23:05:10 : IKE<9.9.9.9> Process [NONCE]:

    2008-01-07 23:05:10 : IKE<9.9.9.9> processing NONCE in phase 1.

    2008-01-07 23:05:10 : IKE<9.9.9.9> Process [ID]:

    2008-01-07 23:05:10 : IKE<9.9.9.9> ID received: type=ID_USER_FQDN, USER FQDN = fabien@example.com, port=500, protocol=17

    2008-01-07 23:05:10 : IKE<0.0.0.0        >  Find NATT enabled peer with matching ID and ifp.

    2008-01-07 23:05:10 : IKE<9.9.9.9>  locate peer entry for (3/fabien@example.com), by identity.

    2008-01-07 23:05:10 : IKE<9.9.9.9>  static-ip peer entry id (3/fabien@example.com).

    2008-01-07 23:05:10 : IKE<9.9.9.9> ID processed. return 0. sa->p1_state = 0.

    2008-01-07 23:05:10 : IKE<9.9.9.9> need to wait for offline p1 DH work done.

    2008-01-07 23:05:10 : IKE<9.9.9.9> IKE msg done: PKI state<0> IKE state<0/201280a>

    2008-01-07 23:05:10 : IKE<0.0.0.0        >  finished job pkaidx <0> dh_len<128> dmax<64>

    2008-01-07 23:05:10 : IKE<0.0.0.0        >  finished job d<6f5dbdd6><a3cf4766><1943e49f> <cae6a0cc>

    2008-01-07 23:05:10 : IKE<9.9.9.9> AG in state OAK_AG_NOSTATE.

    2008-01-07 23:05:10 : IKE<9.9.9.9> re-enter AG after offline DH done

    2008-01-07 23:05:10 : IKE<9.9.9.9> Phase 1 AG Responder constructing 2nd message.

    2008-01-07 23:05:10 : IKE<9.9.9.9> Construct ISAKMP header.

    2008-01-07 23:05:10 : IKE<9.9.9.9> Msg header built (next payload #1)

    2008-01-07 23:05:10 : IKE<9.9.9.9> Construct [SA] for ISAKMP

    2008-01-07 23:05:10 : IKE<9.9.9.9> auth(1)<preshrd>, encr(5)<3DES>, hash(2)<sha>, group(2)

    2008-01-07 23:05:10 : IKE<9.9.9.9> xauth attribute: disabled

    2008-01-07 23:05:10 : IKE<9.9.9.9> lifetime/lifesize (0/0)

    2008-01-07 23:05:10 : IKE<9.9.9.9> Construct NetScreen [VID]

    2008-01-07 23:05:10 : IKE<9.9.9.9> Construct custom [VID]

    2008-01-07 23:05:10 : IKE<9.9.9.9> Construct custom [VID]

    2008-01-07 23:05:10 : IKE<9.9.9.9> Construct [KE] for ISAKMP

    2008-01-07 23:05:10 : IKE<9.9.9.9> Construct [NONCE]

    2008-01-07 23:05:10 : IKE<9.9.9.9> gen_skeyid()

    2008-01-07 23:05:10 : IKE<9.9.9.9> Construct [ID] for ISAKMP

    2008-01-07 23:05:10 : IKE<9.9.9.9> Construct [HASH]

    2008-01-07 23:05:10 : IKE<9.9.9.9> ID, len=8, type=1, pro=17, port=500,

    2008-01-07 23:05:10 : IKE<9.9.9.9> addr=c.c.77.254

    2008-01-07 23:05:10 : IKE<9.9.9.9> Construct NAT-T [VID]: draft 2

    2008-01-07 23:05:10 : IKE<9.9.9.9> Responder psk ag mode: natt vid constructed.

    2008-01-07 23:05:10 : IKE<9.9.9.9> responder (psk) constructing remote NAT-D

    2008-01-07 23:05:10 : IKE<9.9.9.9> Construct [NATD]

    2008-01-07 23:05:10 : IKE<9.9.9.9> responder (psk) constructing local NAT-D

    2008-01-07 23:05:10 : IKE<9.9.9.9> Construct [NATD]

    2008-01-07 23:05:10 : IKE<9.9.9.9> throw packet to the peer, paket_len=408

    2008-01-07 23:05:10 : IKE<9.9.9.9  > Xmit : [SA] [VID] [VID] [VID] [KE] [NONCE] [ID] [HASH] [VID]

    2008-01-07 23:05:10 : [NATD] [NATD]

    2008-01-07 23:05:10 : IKE<9.9.9.9> Responder sending IPv4 IP 9.9.9.9/port 500

    2008-01-07 23:05:10 : IKE<9.9.9.9> Send Phase 1 packet (len=408)

    2008-01-07 23:05:15 : IKE<9.9.9.9> re-trans timer expired, msg retry (0) (11180f/5)

    2008-01-07 23:05:15 : IKE<9.9.9.9> Responder sending IPv4 IP 9.9.9.9/port 500

    2008-01-07 23:05:15 : IKE<9.9.9.9> Send Phase 1 packet (len=408)

    2008-01-07 23:05:16 : IKE<0.0.0.0        >    dh group 2

    2008-01-07 23:05:16 : IKE<0.0.0.0        >  finished job pkaidx <0> dh_len<128> dmax<64>

    2008-01-07 23:05:16 : IKE<0.0.0.0        >  finished job d<e90b7efb><de2ed24d><86139c94><74d2789f>

    2008-01-07 23:05:16 : IKE<0.0.0.0        > BN, top32 dmax64 zero <no>

    2008-01-07 23:05:19 : IKE<9.9.9.9> re-trans timer expired, msg retry (1) (11180f/5)

    2008-01-07 23:05:19 : IKE<9.9.9.9> Responder sending IPv4 IP 9.9.9.9/port 500

    2008-01-07 23:05:19 : IKE<9.9.9.9> Send Phase 1 packet (len=408)

    2008-01-07 23:05:23 : IKE<9.9.9.9> re-trans timer expired, msg retry (2) (11180f/5)

    2008-01-07 23:05:23 : IKE<9.9.9.9> Responder sending IPv4 IP 9.9.9.9/port 500

    2008-01-07 23:05:23 : IKE<9.9.9.9> Send Phase 1 packet (len=408)

    2008-01-07 23:05:27 : IKE<9.9.9.9> re-trans timer expired, msg retry (3) (11180f/5)

    2008-01-07 23:05:27 : IKE<9.9.9.9> Responder sending IPv4 IP 9.9.9.9/port 500

    2008-01-07 23:05:27 : IKE<9.9.9.9> Send Phase 1 packet (len=408)

    To explain:
    - 9.9.9.9 is the dynamic IP of the remote client
    - c.c.77.254 is the gateway IP of my sub-interface eth0/2.X (linked to a VLAN) in my private subnet in trust-vr
    In my remote client, I’m connecting to the public IP b.b.b.77, which is NAT-translated to the private IP c.c.77.254.

    What should I think about these 2 messages?
    If I’m not wrong, the right way is to use eth0/1 as the outgoing interface for the IKE gateway.

    If I have to put more information (config, debug flow basic log, etc), tell me!

    Thank you very much!

    Gauthier



  • Try this out:

    http://kb.juniper.net/kb/documents/public/resolution_path/J_FW_VPN_Config_or_Trblsh.htm

    I find it to be quite effective for troubleshooting most VPN issues I’ve seen.


  • Global Moderator

    Gauthier,

    before you worry about routes or policy-based vs. route-based, your Phase 1 should work. The problem you’re facing now is that the remote users are not recognized as VPN peers. What does the NetScreen log tell you? In general, in all VPNs, when something goes wrong in Phase 1 the initiator will only show that a retransmission limit has been reached. The responder tells you why it won’t accept a Phase 1 connection request.


 
