SRX
Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Shrew VPN Client and SRX 240H : IKE issue

    Posted 11-29-2012 03:55

    Hello,

    I'm trying to set up a dynamic VPN on an SRX240H.

    The connection is successful via the Junos Pulse client. However, for interoperability (Linux/MacOS) I would like to use ShrewVPN.

    I've seen many posts saying this configuration should work, but I can't manage to get it working.

    I've tried many different proposals, and the pre-shared key is the same on both the firewall and the client configuration.

    Here are the relevant parts of my configuration:

    # show security ike
    traceoptions {
        flag all;
    }
    proposal evtest {
        authentication-method pre-shared-keys;
        dh-group group5;
        authentication-algorithm sha1;
        encryption-algorithm aes-256-cbc;
        lifetime-seconds 3600;
    }
    proposal evtest_bis {
        authentication-method pre-shared-keys;
        dh-group group2;
        authentication-algorithm md5;
        encryption-algorithm 3des-cbc;
        lifetime-seconds 86400;
    }
    policy IKE_DYN_VPN {
        mode aggressive;
        proposals evtest_bis;
        pre-shared-key ascii-text "$9$bUwgJQz6tu1"; ## SECRET-DATA
    }
    gateway IKE_DYN_VPN_GW {
        ike-policy IKE_DYN_VPN;
        dynamic {
            hostname evenium.com;
            connections-limit 2;
            ike-user-type group-ike-id;
        }
        external-interface ge-0/0/1.0;
        xauth access-profile DYN_VPN_PROFILE;
    }


    # show security ipsec
    traceoptions {
        flag all;
    }
    proposal evtest2 {
        protocol esp;
        authentication-algorithm hmac-sha1-96;
        encryption-algorithm aes-256-cbc;
        lifetime-seconds 3600;
    }
    proposal evtest2_bis {
        protocol esp;
        authentication-algorithm hmac-md5-96;
        encryption-algorithm 3des-cbc;
        lifetime-seconds 3600;
    }
    policy IPSEC_DYN_POLICY {
        perfect-forward-secrecy {
            keys group2;
        }
        proposals evtest2_bis;
    }
    vpn DYN_VPN {
        ike {
            gateway IKE_DYN_VPN_GW;
            ipsec-policy IPSEC_DYN_POLICY;
        }
    }

    # show security dynamic-vpn
    access-profile DYN_VPN_PROFILE;
    clients {
        EV_DYN_VPN_USERS {
            remote-protected-resources {
                192.168.11.0/24;
            }
            remote-exceptions {
                0.0.0.0/0;
            }
            ipsec-vpn DYN_VPN;
            user {
                gcharot;
            }
        }
    }


    I also activated traceoptions; it ends up with "IKEv1 Error : Payload malformed", which normally means a pre-shared key mismatch, but I triple-checked the key on both sides and they are the very same.

    I've set the pre-shared key with the following command:

    # set pre-shared-key ascii-text lol

    Thanks a lot for your help!

    If you know any better solution to support Dynamic VPN on Linux/Mac, feel free to share!

    Grégory

    Here are the traceoptions logs:

    # run show log kmd | no-more
    Nov 29 12:53:27 ev-testfw clear-log[1641]: logfile cleared
    Nov 29 12:53:39 ikev2_packet_allocate: Allocated packet bdc800 from freelist
    Nov 29 12:53:39 ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
    Nov 29 12:53:39 ike_get_sa: Start, SA = { 51dfddf7 8d6bcd67 - 00000000 00000000 } / 00000000, remote = 195.154.238.181:500
    Nov 29 12:53:39 ike_sa_allocate: Start, SA = { 51dfddf7 8d6bcd67 - 97d4d242 46a0002f }
    Nov 29 12:53:39 ike_init_isakmp_sa: Start, remote = 195.154.238.181:500, initiator = 0
    Nov 29 12:53:39 ike_decode_packet: Start
    Nov 29 12:53:39 ike_decode_packet: Start, SA = { 51dfddf7 8d6bcd67 - 4782acee bfdd0c09} / 00000000, nego = -1
    Nov 29 12:53:39 ike_decode_payload_sa: Start
    Nov 29 12:53:39 ike_decode_payload_t: Start, # trans = 1
    Nov 29 12:53:39 ike_st_i_vid: VID[0..8] = 09002689 dfd6b712 ...
    Nov 29 12:53:39 ike_st_i_vid: VID[0..16] = 4485152d 18b6bbcd ...
    Nov 29 12:53:39 ike_st_i_vid: VID[0..16] = 16f6ca16 e4a4066d ...
    Nov 29 12:53:39 ike_st_i_vid: VID[0..16] = 90cb8091 3ebb696e ...
    Nov 29 12:53:39 ike_st_i_vid: VID[0..16] = 7d9419a6 5310ca6f ...
    Nov 29 12:53:39 ike_st_i_vid: VID[0..16] = 4a131c81 07035845 ...
    Nov 29 12:53:39 ike_st_i_vid: VID[0..20] = 4048b7d5 6ebce885 ...
    Nov 29 12:53:39 ike_st_i_vid: VID[0..16] = f14b94b7 bff1fef0 ...
    Nov 29 12:53:39 ike_st_i_vid: VID[0..20] = 166f932d 55eb64d8 ...
    Nov 29 12:53:39 ike_st_i_vid: VID[0..16] = 8404adf9 cda05760 ...
    Nov 29 12:53:39 ike_st_i_vid: VID[0..16] = 12f5f28c 457168a9 ...
    Nov 29 12:53:39 ike_st_i_id: Start
    Nov 29 12:53:39 ike_st_i_sa_proposal: Start
    Nov 29 12:53:39 ike_free_id_payload: Start, id type = 2
    Nov 29 12:53:39 Gateway IKE_DYN_VPN_GW: number of connections=0, limit=2
    Nov 29 12:53:39 ike_isakmp_sa_reply: Start
    Nov 29 12:53:39 ike_state_restart_packet: Start, restart packet SA = { 51dfddf7 8d6bcd67 - 4782acee bfdd0c09}, nego = -1
    Nov 29 12:53:39 ike_st_i_sa_proposal: Start
    Nov 29 12:53:39 ike_st_i_nonce: Start, nonce[0..20] = 1b871516 f99e66f8 ...
    Nov 29 12:53:39 ike_st_i_cert: Start
    Nov 29 12:53:39 ike_st_i_hash_key: Start, no key_hash
    Nov 29 12:53:39 ike_st_i_ke: Ke[0..128] = 854d740c 0350f3b1 ...
    Nov 29 12:53:39 ike_st_i_cr: Start
    Nov 29 12:53:39 ike_st_i_private: Start
    Nov 29 12:53:39 ike_st_o_sa_values: Start
    Nov 29 12:53:39 ike_st_o_ke: Start
    Nov 29 12:53:39 ike_st_o_nonce: Start
    Nov 29 12:53:39 ike_policy_reply_isakmp_nonce_data_len: Start
    Nov 29 12:53:39 ike_st_o_id: Start
    Nov 29 12:53:39 ike_policy_reply_isakmp_id: Start
    Nov 29 12:53:39 ike_state_restart_packet: Start, restart packet SA = { 51dfddf7 8d6bcd67 - 4782acee bfdd0c09}, nego = -1
    Nov 29 12:53:39 ike_st_o_id: Start
    Nov 29 12:53:39 ike_st_o_certs_base: Start
    Nov 29 12:53:39 ike_st_o_sig_or_hash: Start, auth_method = 4
    Nov 29 12:53:39 ike_st_o_hash: Start
    Nov 29 12:53:39 ike_find_pre_shared_key: Find pre shared key key for 195.154.238.186:500, id = ipv4(any:0,[0..3]=195.154.238.186) -> 195.154.238.181:500, id = fqdn(any:0,[0..10]=evenium.com)
    Nov 29 12:53:39 Gateway IKE_DYN_VPN_GW: number of connections=0, limit=2
    Nov 29 12:53:39 ike_policy_reply_find_pre_shared_key: Start
    Nov 29 12:53:39 ike_state_restart_packet: Start, restart packet SA = { 51dfddf7 8d6bcd67 - 4782acee bfdd0c09}, nego = -1
    Nov 29 12:53:39 ike_st_o_sig_or_hash: Start, auth_method = 4
    Nov 29 12:53:39 ike_st_o_hash: Start
    Nov 29 12:53:39 ike_find_pre_shared_key: Find pre shared key key for 195.154.238.186:500, id = ipv4(any:0,[0..3]=195.154.238.186) -> 195.154.238.181:500, id = fqdn(any:0,[0..10]=evenium.com)
    Nov 29 12:53:39 ike_calc_mac: Start, initiator = false, local = true
    Nov 29 12:53:39 ike_policy_reply_isakmp_vendor_ids: Start
    Nov 29 12:53:39 ike_st_o_status_n: Start
    Nov 29 12:53:39 ike_st_o_private: Start
    Nov 29 12:53:39 ike_policy_reply_private_payload_out: Start
    Nov 29 12:53:39 ike_policy_reply_private_payload_out: Start
    Nov 29 12:53:39 ike_policy_reply_private_payload_out: Start
    Nov 29 12:53:39 ike_st_o_calc_skeyid: Calculating skeyid
    Nov 29 12:53:39 ike_encode_packet: Start, SA = { 0x51dfddf7 8d6bcd67 - 4782acee bfdd0c09 } / 00000000, nego = -1
    Nov 29 12:53:39 ike_send_packet: Start, send SA = { 51dfddf7 8d6bcd67 - 4782acee bfdd0c09}, nego = -1, dst = 195.154.238.181:500,  routing table id = 0
    Nov 29 12:53:39 ikev2_packet_allocate: Allocated packet bdcc00 from freelist
    Nov 29 12:53:39 ikev2_packet_allocate: Allocated packet bdd000 from freelist
    Nov 29 12:53:39 ike_sa_find: Found SA = { 51dfddf7 8d6bcd67 - 4782acee bfdd0c09 }
    Nov 29 12:53:39 ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
    Nov 29 12:53:39 ike_get_sa: Start, SA = { 51dfddf7 8d6bcd67 - 4782acee bfdd0c09 } / 00000000, remote = 195.154.238.181:500
    Nov 29 12:53:39 ike_sa_find: Found SA = { 51dfddf7 8d6bcd67 - 4782acee bfdd0c09 }
    Nov 29 12:53:39 ike_decode_packet: Start
    Nov 29 12:53:39 ike_decode_packet: Start, SA = { 51dfddf7 8d6bcd67 - 4782acee bfdd0c09} / 00000000, nego = -1
    Nov 29 12:53:39 195.154.238.186:500 (Responder) <-> 195.154.238.181:500 { 51dfddf7 8d6bcd67 - 4782acee bfdd0c09 [-1] / 0x00000000 } Aggr; Invalid next payload type = 188
    Nov 29 12:53:39 195.154.238.186:500 (Responder) <-> 195.154.238.181:500 { 51dfddf7 8d6bcd67 - 4782acee bfdd0c09 [-1] / 0x00000000 } Aggr; Error = Invalid payload type (1)
    Nov 29 12:53:39 ike_alloc_negotiation: Start, SA = { 51dfddf7 8d6bcd67 - 4782acee bfdd0c09}
    Nov 29 12:53:39 ike_encode_packet: Start, SA = { 0x51dfddf7 8d6bcd67 - 4782acee bfdd0c09 } / 456507b3, nego = 0
    Nov 29 12:53:39 ike_send_packet: Start, send SA = { 51dfddf7 8d6bcd67 - 4782acee bfdd0c09}, nego = 0, dst = 195.154.238.181:500,  routing table id = 0
    Nov 29 12:53:39 ike_delete_negotiation: Start, SA = { 51dfddf7 8d6bcd67 - 4782acee bfdd0c09}, nego = 0
    Nov 29 12:53:39 ike_free_negotiation_info: Start, nego = 0
    Nov 29 12:53:39 ike_free_negotiation: Start, nego = 0
    Nov 29 12:53:39 ike_sa_find: Found SA = { 51dfddf7 8d6bcd67 - 4782acee bfdd0c09 }
    Nov 29 12:53:39 ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
    Nov 29 12:53:39 ike_get_sa: Start, SA = { 51dfddf7 8d6bcd67 - 4782acee bfdd0c09 } / 7d0dbff3, remote = 195.154.238.181:500
    Nov 29 12:53:39 ike_sa_find: Found SA = { 51dfddf7 8d6bcd67 - 4782acee bfdd0c09 }
    Nov 29 12:53:39 ike_alloc_negotiation: Start, SA = { 51dfddf7 8d6bcd67 - 4782acee bfdd0c09}
    Nov 29 12:53:39 ike_decode_packet: Start
    Nov 29 12:53:39 ike_decode_packet: Start, SA = { 51dfddf7 8d6bcd67 - 4782acee bfdd0c09} / 7d0dbff3, nego = 0
    Nov 29 12:53:39 <none>:500 (Responder) <-> 195.154.238.181:500 { 51dfddf7 8d6bcd67 - 4782acee bfdd0c09 [0] / 0x7d0dbff3 } Info; Trying to decrypt, but no decryption context initialized
    Nov 29 12:53:39 <none>:500 (Responder) <-> 195.154.238.181:500 { 51dfddf7 8d6bcd67 - 4782acee bfdd0c09 [0] / 0x7d0dbff3 } Info; Error = No SA established (8194)
    Nov 29 12:53:39 ike_send_notify: Notification to informational exchange ignored
    Nov 29 12:53:39 ike_delete_negotiation: Start, SA = { 51dfddf7 8d6bcd67 - 4782acee bfdd0c09}, nego = 0
    Nov 29 12:53:39 ike_free_negotiation_info: Start, nego = 0
    Nov 29 12:53:39 ike_free_negotiation: Start, nego = 0
    Nov 29 12:53:39 IKE negotiation fail for local:195.154.238.186, remote:195.154.238.181 IKEv1 with status: Invalid syntax
    Nov 29 12:53:39   IKEv1 Error : Invalid payload type
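The "Invalid next payload type = 188" and "no decryption context initialized" lines in the trace above are the responder's ISAKMP parser rejecting the packets it received. The following added example (not from the original thread, Juniper, or Shrew) walks an IKEv1 packet the way a responder does and reproduces both errors on constructed packets; the SA cookies are copied from the trace, every other byte is constructed, and payload-type names follow RFC 2408/3947.

```python
import struct

# ISAKMP header (RFC 2408 s.3.1, 28 bytes) and generic payload header (s.3.2, 4 bytes).
HDR = struct.Struct("!8s8sBBBBII")  # I-cookie, R-cookie, next payload, version, exchange, flags, msgid, length
GEN = struct.Struct("!BBH")         # next payload, reserved, payload length
PAYLOADS = {0: "NONE", 1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT", 7: "CR", 8: "HASH",
            9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID", 14: "ATTR", 20: "NAT-D", 21: "NAT-OA"}
EXCHANGES = {1: "Base", 2: "Main", 3: "AuthOnly", 4: "Aggr", 5: "Info"}
FLAG_ENCRYPT = 0x01
ICOOKIE = bytes.fromhex("51dfddf78d6bcd67")  # cookies copied from the kmd trace in the post
RCOOKIE = bytes.fromhex("4782aceebfdd0c09")

def parse_isakmp(pkt, have_skeyid_e=False):
    """Walk one IKEv1 packet as a responder does. Returns header fields, the payload chain
    and the first error (None if well-formed). Decryption itself is out of scope: with
    have_skeyid_e=True the body is simply assumed to be plaintext."""
    if len(pkt) < HDR.size:
        return {"error": "Short packet"}
    ic, rc, nxt, ver, xchg, flags, msgid, length = HDR.unpack_from(pkt)
    info = {"sa": f"{ic.hex()} - {rc.hex()}", "version": f"{ver >> 4}.{ver & 0xF}",
            "exchange": EXCHANGES.get(xchg, f"unknown({xchg})"), "msgid": f"0x{msgid:08x}",
            "encrypted": bool(flags & FLAG_ENCRYPT), "payloads": [], "error": None}
    if length != len(pkt):
        info["error"] = f"Length mismatch ({length} != {len(pkt)})"
    elif info["encrypted"] and not have_skeyid_e:
        info["error"] = "Trying to decrypt, but no decryption context initialized"
    off = HDR.size
    while info["error"] is None and nxt != 0:
        if nxt not in PAYLOADS:  # a garbled or undecryptable body shows up here
            info["error"] = f"Invalid next payload type = {nxt}"
        elif off + GEN.size > len(pkt):
            info["error"] = f"Truncated {PAYLOADS[nxt]} payload"
        else:
            nxt_after, _, plen = GEN.unpack_from(pkt, off)
            if plen < GEN.size or off + plen > len(pkt):
                info["error"] = f"Bad payload length {plen} for {PAYLOADS[nxt]}"
            else:
                info["payloads"].append(PAYLOADS[nxt])
                off, nxt = off + plen, nxt_after
    return info

def build(next_payload, exchange, flags, msgid, body=b""):
    """Constructed IKEv1 packet: header plus a raw body that already carries its payload headers."""
    return HDR.pack(ICOOKIE, RCOOKIE, next_payload, 0x10, exchange, flags, msgid, HDR.size + len(body)) + body

# Constructed packets that reproduce the two failures in the trace, plus a well-formed one.
GARBLED_AGGR = build(188, 4, 0, 0, b"\x00" * 8)                  # 188 is not an ISAKMP payload type
INFO_NO_SA = build(8, 5, FLAG_ENCRYPT, 0x7D0DBFF3, b"\x00" * 8)   # encrypted Info before any SA exists
GOOD_AGGR = build(8, 4, 0, 0, GEN.pack(10, 0, 20) + b"\x11" * 16 + GEN.pack(0, 0, 24) + b"\x22" * 20)
```

Any body the responder cannot interpret surfaces as an out-of-registry payload type rather than a cleaner authentication failure, which is why the pre-shared-key reading of this error is a reasonable first guess even when the key itself turns out to be correct.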



  • 2.  RE: Shrew VPN Client and SRX 240H : IKE issue
    Best Answer

    Posted 11-29-2012 07:37

    Solved it: I set ike-user-type to shared-ike-id.

    Use config pull instead of config push in the Shrew client config.

    Works on ShrewVPN (Debian/Ubuntu).

    My bad... Hope that helps other people.

    Greg



  • 3.  RE: Shrew VPN Client and SRX 240H : IKE issue

    Posted 04-29-2013 11:20

    Hello,

    I have talked to the core developer and it seems that it is not possible (yet) to use Shrew with Juniper Dynamic VPN.

    More details:

    http://sysnet-adventures.blogspot.fr/2013/04/shrew-vpn-client-juniper-srx.html

    Hope that helps!

    Greg



  • 4.  RE: Shrew VPN Client and SRX 240H : IKE issue

    Posted 10-25-2013 00:58
    Hi Greg, I'm in the same situation. Can you please post your settings for your XAUTH DYN_VPN_PROFILE, and do you authenticate against RADIUS or LDAP? /Anders