SRX Services Gateway
Visitor
maxwell
Posts: 5
Registered: ‎08-17-2009
0

VPN with Shrew Client disconnects after 200 seconds

I have managed to get the Shrew VPN client to connect to my SRX210 and pass traffic, but the VPN client disconnects after 2 minutes for no apparent reason. Does anyone have any idea what might be causing this?

 

I am running Junos version 10.4R7.5

 

This is my config:

 

ike {
	proposal RemoteVPNPolicy1 {
		authentication-method pre-shared-keys;
		dh-group group2;
		authentication-algorithm sha1;
		encryption-algorithm 3des-cbc;
		lifetime-seconds 86400;
	}
	policy RemoteVPNIKE {
		mode aggressive;
		proposals RemoteVPNPolicy1;
		pre-shared-key ascii-text ""; ## SECRET-DATA
	}
	gateway RemoteVPN {
		ike-policy RemoteVPNIKE;
		dynamic {
			user-at-hostname "vpn@domain.com";
			connections-limit 50;
			ike-user-type shared-ike-id;
		}
		external-interface fe-0/0/7.0;
		xauth access-profile RemoteVPN-access;
	}
}
ipsec {
	proposal RemoteVPNIPSec {
		protocol esp;
		authentication-algorithm hmac-sha1-96;
		encryption-algorithm 3des-cbc;
		lifetime-seconds 3600;
	}
	policy RemoteVPNIPSec {
		perfect-forward-secrecy {
			keys group2;
		}
		proposals RemoteVPNIPSec;
	}
	vpn RemoteVPN {
		ike {
			gateway RemoteVPN;
			idle-time 600;
			ipsec-policy RemoteVPNIPSec;
		}
	}
}

policies {
	from-zone untrust to-zone trust {
		policy RemoteVPN {
			match {
				source-address any;
				destination-address InternalLAN;
				application any;
			}
			then {
				permit {
					tunnel {
						ipsec-vpn RemoteVPN;
					}
				}
				log {
					session-init;
					session-close;
				}
				count;
			}
		}
	}
}

access {
    profile RemoteVPN-access {
        authentication-order password;
        client joe {
            firewall-user {
                password ""; ## SECRET-DATA
            }
        }
        address-assignment {
            pool RemoteVPN-assign-pool;
        }
    }
    address-assignment {
        pool RemoteVPN-assign-pool {
            family inet {
                network 192.168.80.0/24;
                range RemoteVPN-range {
                    low 192.168.80.101;
                    high 192.168.80.149;
                }
                xauth-attributes {
                    primary-dns 192.168.1.2/32;
                    secondary-dns 192.168.1.3/32;
                }
            }
        }
    }
}

 

Distinguished Expert
pk
Posts: 816
Registered: ‎10-09-2008
0

Re: VPN with Shrew Client disconnects after 200 seconds

Hi

 

Not sure if it will help, but worth a try

 

set security ike gateway RemoteVPN nat-keepalive <seconds>

 

Best Regards,
Petr (PK)

Juniper Ambassador, Juniper Networks Certified Instructor,
JNCIE-SEC #98, JNCIE-ENT #393, JNCIE-SP #2253
[Juniper Authorized Education & Support in Russia]
Contributor
Satya1
Posts: 19
Registered: ‎01-17-2011
0

Re: VPN with Shrew Client disconnects after 200 seconds

Hi,

 

Please check if you have allowed host-inbound-traffic system-services ike on your external interface. That might be the reason for the disconnect.

Visitor
maxwell
Posts: 5
Registered: ‎08-17-2009
0

Re: VPN with Shrew Client disconnects after 200 seconds

I tried both of the suggestions and it still times out at exactly 200 seconds.  

 

Interestingly, I tried the old Netscreen Remote VPN client and it does not time out so it must be a Shrew setting.

 

Anyone else have any ideas?

Thanks. 

Distinguished Expert
pk
Posts: 816
Registered: ‎10-09-2008
0

Re: VPN with Shrew Client disconnects after 200 seconds

Hi

 

Maybe you can try to do some Wireshark sniffing on the client side to see what exactly happens or does not happen at the time of disconnect (and compare to the NS-Remote case).

Best Regards,
Petr (PK)

Juniper Ambassador, Juniper Networks Certified Instructor,
JNCIE-SEC #98, JNCIE-ENT #393, JNCIE-SP #2253
[Juniper Authorized Education & Support in Russia]
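
The client-side capture comparison suggested above can be made concrete by labelling each UDP 500/4500 payload and measuring how long each kind of message had been silent when the tunnel dropped. This is an added example, not part of any post in the thread; the function names and the sample packets are constructed for illustration and are not a capture from the poster's setup.

```python
import struct

# IKEv1 (ISAKMP) exchange types carried in byte 18 of the 28-byte header.
EXCHANGE = {2: "main-mode", 4: "aggressive", 5: "informational",
            6: "transaction(xauth/mode-cfg)", 32: "quick-mode"}

def classify(port, payload):
    """Label one UDP payload seen on port 500 (IKE) or 4500 (NAT-T)."""
    if port == 4500:
        if payload == b"\xff":
            return "nat-keepalive"           # one-byte NAT-T keepalive
        if len(payload) < 4:
            return "malformed"
        if payload[:4] != b"\x00" * 4:
            return "esp-in-udp"              # non-zero SPI: tunnelled data
        payload = payload[4:]                # strip the non-ESP marker
    if len(payload) < 28:
        return "malformed"
    exch = payload[18]                       # cookies(16) + next(1) + version(1)
    return "ike:" + EXCHANGE.get(exch, "exchange-%d" % exch)

def silence_at(packets, t_disconnect):
    """Map (direction, label) -> seconds since last seen before the drop."""
    last = {}
    for t, direction, port, payload in packets:
        if t <= t_disconnect:
            last[(direction, classify(port, payload))] = t
    return {k: round(t_disconnect - t, 1) for k, t in last.items()}

def ike(exch, natt=True):
    """Build a constructed 28-byte ISAKMP header (no payloads) for the sample."""
    hdr = (b"\x11" * 8 + b"\x22" * 8 + bytes([8, 0x10, exch, 0x01])
           + struct.pack(">II", 0xABCD, 28))
    return (b"\x00" * 4 if natt else b"") + hdr

# Constructed sample: (seconds, direction, UDP port, payload).
SAMPLE = [
    (0.0, "out", 500, ike(4, natt=False)),
    (0.3, "in", 500, ike(4, natt=False)),
    (1.0, "out", 4500, ike(6)),
    (2.0, "out", 4500, ike(32)),
    (15.0, "out", 4500, b"\xff"),
    (30.0, "out", 4500, b"\x00\x00\x10\x01" + b"\x00" * 32),
    (200.0, "out", 4500, ike(5)),
]

if __name__ == "__main__":
    for key, gap in sorted(silence_at(SAMPLE, 200.0).items()):
        print(key, gap)
```

Running the same function over a capture from each client and comparing the two result maps shows which message type is present in one trace and absent in the other.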