02-29-2012 02:57 PM
I have managed to get the Shrew VPN client to connect to my SRX210 and pass traffic, but the VPN client disconnects after 2 minutes for no apparent reason. Does anyone have any idea what might be causing this?
I am running Junos version 10.4R7.5
This is my config:
ike {
    proposal RemoteVPNPolicy1 {
        authentication-method pre-shared-keys;
        dh-group group2;
        authentication-algorithm sha1;
        encryption-algorithm 3des-cbc;
        lifetime-seconds 86400;
    }
    policy RemoteVPNIKE {
        mode aggressive;
        proposals RemoteVPNPolicy1;
        pre-shared-key ascii-text ""; ## SECRET-DATA
    }
    gateway RemoteVPN {
        ike-policy RemoteVPNIKE;
        dynamic {
            user-at-hostname "vpn@domain.com";
            connections-limit 50;
            ike-user-type shared-ike-id;
        }
        external-interface fe-0/0/7.0;
        xauth access-profile RemoteVPN-access;
    }
}
ipsec {
    proposal RemoteVPNIPSec {
        protocol esp;
        authentication-algorithm hmac-sha1-96;
        encryption-algorithm 3des-cbc;
        lifetime-seconds 3600;
    }
    policy RemoteVPNIPSec {
        perfect-forward-secrecy {
            keys group2;
        }
        proposals RemoteVPNIPSec;
    }
    vpn RemoteVPN {
        ike {
            gateway RemoteVPN;
            idle-time 600;
            ipsec-policy RemoteVPNIPSec;
        }
    }
}
policies {
    from-zone untrust to-zone trust {
        policy RemoteVPN {
            match {
                source-address any;
                destination-address InternalLAN;
                application any;
            }
            then {
                permit {
                    tunnel {
                        ipsec-vpn RemoteVPN;
                    }
                }
                log {
                    session-init;
                    session-close;
                }
                count;
            }
        }
    }
}
access {
    profile RemoteVPN-access {
        authentication-order password;
        client joe {
            firewall-user {
                password ""; ## SECRET-DATA
            }
        }
        address-assignment {
            pool RemoteVPN-assign-pool;
        }
    }
    address-assignment {
        pool RemoteVPN-assign-pool {
            family inet {
                network 192.168.80.0/24;
                range RemoteVPN-range {
                    low 192.168.80.101;
                    high 192.168.80.149;
                }
                xauth-attributes {
                    primary-dns 192.168.1.2/32;
                    secondary-dns 192.168.1.3/32;
                }
            }
        }
    }
}
02-29-2012 11:47 PM
Hi
Not sure if it will help, but worth a try
set security ike gateway RemoteVPN nat-keepalive <seconds>
03-01-2012 10:04 AM
Hi,
Please check if you have allowed host-inbound-traffic system-services ike on your external interface. That might be the reason for the disconnect.
03-08-2012 11:04 AM
I tried both of the suggestions and it still times out at exactly 200 seconds.
Interestingly, I tried the old Netscreen Remote VPN client and it does not time out so it must be a Shrew setting.
Anyone else have any ideas?
Thanks.
03-08-2012 11:42 AM
Hi
Maybe you can try to do some Wireshark sniffing on the client side to see what exactly happens or does not happen at the time of the disconnect (and compare it to the NS-Remote case).
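Before going to the packet capture, it is worth listing every timer the SRX side actually has and checking whether any of them equals the observed 200-second drop. The following is example code added here, not from any poster or from Juniper: a small parser for Junos brace-style configuration applied to an abridged excerpt of the config posted at the top of the thread. TIMER_WORDS, parse_junos, timers and timers_matching are names chosen for this example.

```python
# Abridged excerpt of the SRX config posted above; only the stanzas that carry timers are kept.
CONFIG = """
ike {
    proposal RemoteVPNPolicy1 {
        lifetime-seconds 86400;
    }
}
ipsec {
    proposal RemoteVPNIPSec {
        lifetime-seconds 3600;
    }
    vpn RemoteVPN {
        ike {
            gateway RemoteVPN;
            idle-time 600;
        }
    }
}
"""
TIMER_WORDS = ("lifetime", "idle-time", "keepalive", "interval", "threshold")

def parse_junos(text):
    """Parse Junos brace-style config into nested dicts (containers) and strings (leaves)."""
    stack = [{}]
    for raw in text.splitlines():
        line = raw.split("##", 1)[0].strip()  # drop "## SECRET-DATA" annotations
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line.endswith(";"):
            key, _, value = line[:-1].partition(" ")
            stack[-1][key] = value.strip().replace('"', "")
    if len(stack) != 1:
        raise ValueError("unbalanced braces")
    return stack[0]

def timers(tree, path=()):
    """Return {path: seconds} for every leaf whose name looks like a timer, DPD or keepalive setting."""
    found = {}
    for key, value in tree.items():
        if isinstance(value, dict):
            found.update(timers(value, path + (key,)))
        elif any(w in key for w in TIMER_WORDS) and value.isdigit():
            found["/".join(path + (key,))] = int(value)
    return found

def timers_matching(text, seconds):
    """Configured timers equal to an observed drop interval; an empty list means no SRX timer fits."""
    return sorted(p for p, s in timers(parse_junos(text)).items() if s == seconds)
```

With the posted config, timers_matching(CONFIG, 200) returns an empty list: the IKE lifetime (86400), IPsec lifetime (3600) and idle-time (600) are all different from 200 s, which is consistent with the observation that the NetScreen client stays up and the difference lies on the Shrew side.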