Hi everyone!
I have set up a VPN from a client running Shrew Soft VPN Client version 2.2.0 to an SRX. The SRX configuration is below (note that Junos "$9$" secrets are reversible obfuscation, not hashes, so the pre-shared key and XAuth password shown here should be treated as disclosed and rotated):
security {
/* IKE (phase 1) settings for the dial-up Shrew clients. */
ike {
/* Full IKE debug trace for this troubleshooting session; very verbose, so remove it once the problem is found. */
traceoptions {
file ike-debug;
flag all;
}
/* NOTE(review): MD5 and 3DES are legacy algorithms kept here for client compatibility. No dh-group statement is present despite the "DH2" in the name, so the platform default applies -- confirm it matches the DH group in the Shrew profile. */
proposal PSK-3DES-MD5-DH2 {
authentication-method pre-shared-keys;
authentication-algorithm md5;
encryption-algorithm 3des-cbc;
lifetime-seconds 28800;
}
/* NOTE(review): IKEv1 aggressive mode with a pre-shared key sends the peer ID in the clear and exposes the PSK-derived hash to offline dictionary attacks; use a long random PSK, and prefer main mode or certificates if the client supports them. */
policy dialup-ike-policy {
mode aggressive;
proposals PSK-3DES-MD5-DH2;
/* The $9$ form is Junos reversible obfuscation, not a one-way hash: treat this value as plaintext and redact it before sharing the configuration. */
pre-shared-key ascii-text "$9$L0.7dsaZjP5F245Fn/0OX7-"; ## SECRET-DATA
}
gateway dial-ike {
ike-policy dialup-ike-policy;
/* Dynamic peer: clients identify with this hostname and all share one IKE ID (and therefore one PSK); per-user authentication comes only from XAuth below. */
dynamic {
hostname srx210.svtech.com.vn;
ike-user-type shared-ike-id;
}
/* NOTE(review): NAT-T is disabled while a NAT keepalive interval is set; clients behind a NAT device will presumably fail to connect, and the keepalive is presumably moot without NAT-T -- confirm both are intended. */
no-nat-traversal;
nat-keepalive 300;
external-interface fe-0/0/7;
/* Per-user XAuth credentials and the client address pool come from the access profile of the same name. */
xauth access-profile xauth-users;
}
}
/* IPsec (phase 2) settings. */
ipsec {
/* NOTE(review): HMAC-MD5 and 3DES are legacy; move to AES and SHA-2 when the client side allows. */
proposal ESP-3DES-MD5 {
protocol esp;
authentication-algorithm hmac-md5-96;
encryption-algorithm 3des-cbc;
lifetime-seconds 28800;
}
policy dial-ipsec-policy {
/* PFS: a fresh DH exchange on every phase-2 rekey, so phase-2 keys cannot be derived from a compromised phase-1 key. */
perfect-forward-secrecy {
keys group2;
}
proposals ESP-3DES-MD5;
}
vpn dialup-vpn {
ike {
gateway dial-ike;
ipsec-policy dial-ipsec-policy;
}
/* NOTE(review): the peer is dynamic, so the SRX has no address to initiate to; this statement is presumably a no-op here -- confirm. */
establish-tunnels immediately;
}
}
policies {
/* Policy-based VPN: MGT -> WAN traffic matching any/any/any is sent through dialup-vpn. */
from-zone MGT to-zone WAN {
policy dialup-MGT-to-WAN {
match {
source-address any;
destination-address any;
application any;
}
then {
permit {
tunnel {
ipsec-vpn dialup-vpn;
}
}
}
}
}
/* NOTE(review): no WAN -> MGT policy bound to the tunnel is shown, so client-initiated traffic presumably falls to this default policy. permit-all allows any traffic between all zones that no explicit policy matches; change it to deny-all and add explicit (pair) policies once the tunnel is stable. */
default-policy {
permit-all;
}
}
}
/* XAuth users and the address pool handed to dial-up clients (referenced by gateway dial-ike). */
access {
profile xauth-users {
/* NOTE(review): single local XAuth account. The $9$ value is reversible obfuscation, not a hash; treat it as plaintext and redact it before sharing. */
client user3 {
firewall-user {
password "$9$o3ZDk5Qnp0I.P0IEcvMaZUj.PTz39tu"; ## SECRET-DATA
}
}
address-assignment {
pool vpn-pool;
}
}
address-assignment {
/* Clients are assigned 10.10.99.10-10.10.99.100 out of this /24. */
pool vpn-pool {
family inet {
network 10.10.99.0/24;
range vpn-pool {
low 10.10.99.10;
high 10.10.99.100;
}
/* NOTE(review): client DNS is pointed at a public resolver; push an internal resolver instead if clients need to resolve internal names through the tunnel. */
xauth-attributes {
primary-dns 8.8.8.8/32;
}
}
}
}
}
I can connect to the VPN from the Shrew client, but after about 1 minute the session is closed with the error "session terminated by gateway". Correlating the two logs (the SRX clock appears to run roughly a minute behind the client's), the SRX keeps retransmitting a CFG (mode-config) packet every 10 seconds that the Shrew client discards as "config packet ignored ( config already mature )"; when the retry limit is reached the SRX logs "CFG; Error = Timeout" and deletes the IKE SA, which is the DELETE the client then receives.
log on Shrew:
12/06/11 15:38:36 <- : recv IKE packet 192.168.3.103:500 -> 192.168.2.222:500 ( 92 bytes )
12/06/11 15:38:36 DB : phase1 found
12/06/11 15:38:36 ii : processing config packet ( 92 bytes )
12/06/11 15:38:36 DB : config found
12/06/11 15:38:36 !! : config packet ignored ( config already mature )
12/06/11 15:38:46 <- : recv IKE packet 192.168.3.103:500 -> 192.168.2.222:500 ( 92 bytes )
12/06/11 15:38:46 DB : phase1 found
12/06/11 15:38:46 ii : processing config packet ( 92 bytes )
12/06/11 15:38:46 DB : config found
12/06/11 15:38:46 !! : config packet ignored ( config already mature )
12/06/11 15:38:56 <- : recv IKE packet 192.168.3.103:500 -> 192.168.2.222:500 ( 76 bytes )
12/06/11 15:38:56 DB : phase1 found
12/06/11 15:38:56 ii : processing informational packet ( 76 bytes )
12/06/11 15:38:56 == : new informational iv ( 8 bytes )
12/06/11 15:38:56 =< : cookies 3c08f89bb76275d0:b1e098d483368a97
12/06/11 15:38:56 =< : message 687b0350
12/06/11 15:38:56 =< : decrypt iv ( 8 bytes )
12/06/11 15:38:56 == : decrypt packet ( 76 bytes )
12/06/11 15:38:56 <= : stored iv ( 8 bytes )
12/06/11 15:38:58 << : hash payload
12/06/11 15:38:58 << : delete payload
12/06/11 15:38:58 == : informational hash_i ( computed ) ( 16 bytes )
12/06/11 15:38:58 == : informational hash_c ( received ) ( 16 bytes )
12/06/11 15:38:58 ii : informational hash verified
12/06/11 15:38:58 ii : received peer DELETE message
12/06/11 15:38:58 ii : - 192.168.3.103:500 -> 192.168.2.222:500
12/06/11 15:38:58 ii : - isakmp spi = 3c08f89bb76275d0:b1e098d483368a97
12/06/11 15:38:58 DB : phase1 found
12/06/11 15:38:58 ii : cleanup, marked phase1 3c08f89bb76275d0:b1e098d483368a97 for removal
12/06/11 15:38:58 DB : phase1 soft event canceled ( ref count = 4 )
12/06/11 15:38:58 DB : phase1 hard event canceled ( ref count = 3 )
12/06/11 15:38:58 DB : phase1 dead event canceled ( ref count = 2 )
12/06/11 15:38:58 DB : config deleted ( obj count = 0 )
12/06/11 15:38:58 ii : phase1 removal before expire time
12/06/11 15:38:58 DB : phase1 not found
12/06/11 15:38:58 DB : phase1 deleted ( obj count = 0 )
12/06/11 15:38:58 DB : policy found
12/06/11 15:38:58 ii : removing IPSEC INBOUND policy ANY:10.0.0.0/8:* -> ANY:10.10.99.10:*
12/06/11 15:38:58 K> : send pfkey X_SPDDELETE2 UNSPEC message
12/06/11 15:38:58 DB : policy found
12/06/11 15:38:58 ii : removing IPSEC OUTBOUND policy ANY:10.10.99.10:* -> ANY:10.0.0.0/8:*
12/06/11 15:38:58 K> : send pfkey X_SPDDELETE2 UNSPEC message
12/06/11 15:38:58 K< : recv pfkey X_SPDDELETE2 UNSPEC message
12/06/11 15:38:58 ii : removed IPSEC policy route for ANY:10.0.0.0/8:*
12/06/11 15:38:58 DB : policy found
12/06/11 15:38:58 ii : removing NONE INBOUND policy ANY:192.168.3.103:* -> ANY:192.168.2.222:*
12/06/11 15:38:58 K> : send pfkey X_SPDDELETE2 UNSPEC message
12/06/11 15:38:58 DB : policy found
12/06/11 15:38:58 ii : removing NONE OUTBOUND policy ANY:192.168.2.222:* -> ANY:192.168.3.103:*
12/06/11 15:38:58 K> : send pfkey X_SPDDELETE2 UNSPEC message
12/06/11 15:38:58 ii : removed NONE policy route for ANY:192.168.3.103:*
12/06/11 15:38:58 DB : policy found
12/06/11 15:38:58 ii : removing NONE INBOUND policy ANY:192.168.2.1:* -> ANY:10.10.99.10:*
12/06/11 15:38:58 K> : send pfkey X_SPDDELETE2 UNSPEC message
12/06/11 15:38:58 DB : policy found
12/06/11 15:38:58 ii : removing NONE OUTBOUND policy ANY:10.10.99.10:* -> ANY:192.168.2.1:*
12/06/11 15:38:58 K> : send pfkey X_SPDDELETE2 UNSPEC message
12/06/11 15:38:58 DB : policy found
12/06/11 15:38:58 DB : policy deleted ( obj count = 5 )
12/06/11 15:38:58 K< : recv pfkey X_SPDDELETE2 UNSPEC message
12/06/11 15:38:58 DB : policy found
12/06/11 15:38:58 DB : policy deleted ( obj count = 4 )
12/06/11 15:38:58 K< : recv pfkey X_SPDDELETE2 UNSPEC message
12/06/11 15:38:58 DB : policy found
12/06/11 15:38:58 DB : policy deleted ( obj count = 3 )
12/06/11 15:38:58 K< : recv pfkey X_SPDDELETE2 UNSPEC message
12/06/11 15:38:58 DB : policy found
12/06/11 15:38:58 DB : policy deleted ( obj count = 2 )
12/06/11 15:38:58 K< : recv pfkey X_SPDDELETE2 UNSPEC message
12/06/11 15:38:58 DB : policy found
12/06/11 15:38:58 DB : policy deleted ( obj count = 1 )
12/06/11 15:38:58 K< : recv pfkey X_SPDDELETE2 UNSPEC message
12/06/11 15:38:58 DB : policy found
12/06/11 15:38:58 DB : policy deleted ( obj count = 0 )
12/06/11 15:38:59 ii : disable adapter ROOT\VNET\0000
12/06/11 15:38:59 DB : tunnel stats event canceled ( ref count = 2 )
12/06/11 15:38:59 DB : removing tunnel config references
12/06/11 15:38:59 DB : removing tunnel phase2 references
12/06/11 15:38:59 DB : phase2 soft event canceled ( ref count = 2 )
12/06/11 15:38:59 DB : phase2 hard event canceled ( ref count = 1 )
12/06/11 15:38:59 DB : phase1 not found
12/06/11 15:38:59 K> : send pfkey DELETE ESP message
12/06/11 15:38:59 K> : send pfkey DELETE ESP message
12/06/11 15:38:59 ii : phase2 removal before expire time
12/06/11 15:38:59 DB : phase2 deleted ( obj count = 0 )
12/06/11 15:38:59 DB : removing tunnel phase1 references
12/06/11 15:38:59 DB : tunnel deleted ( obj count = 0 )
12/06/11 15:38:59 DB : removing all peer tunnel refrences
12/06/11 15:38:59 DB : peer deleted ( obj count = 0 )
12/06/11 15:38:59 K< : recv pfkey DELETE ESP message
12/06/11 15:38:59 K< : recv pfkey DELETE ESP message
12/06/11 15:39:00 ii : ipc client process thread exit ...
IKE trace log on the SRX (from the traceoptions above):
Jun 11 15:36:59 IPSec negotiation done successfully for SA-CFG INSTANCE-dialup-vpn_0002_0005_0000 for local:192.168.3.103, remote:192.168.2.222 IKEv1
Jun 11 15:37:09 ike_retransmit_callback: Start, retransmit SA = { 3c08f89b b76275d0 - b1e098d4 83368a97}, nego = 1
Jun 11 15:37:09 ike_send_packet: Start, retransmit previous packet SA = { 3c08f89b b76275d0 - b1e098d4 83368a97}, nego = 1, dst = 192.168.2.222:500 routing table id = 0
Jun 11 15:37:19 ike_retransmit_callback: Start, retransmit SA = { 3c08f89b b76275d0 - b1e098d4 83368a97}, nego = 1
Jun 11 15:37:19 ike_send_packet: Start, retransmit previous packet SA = { 3c08f89b b76275d0 - b1e098d4 83368a97}, nego = 1, dst = 192.168.2.222:500 routing table id = 0
Jun 11 15:37:29 ike_retransmit_callback: Start, retransmit SA = { 3c08f89b b76275d0 - b1e098d4 83368a97}, nego = 1
Jun 11 15:37:29 ike_send_packet: Start, retransmit previous packet SA = { 3c08f89b b76275d0 - b1e098d4 83368a97}, nego = 1, dst = 192.168.2.222:500 routing table id = 0
Jun 11 15:37:39 ike_retransmit_callback: Start, retransmit SA = { 3c08f89b b76275d0 - b1e098d4 83368a97}, nego = 1
Jun 11 15:37:39 ike_send_packet: Start, retransmit previous packet SA = { 3c08f89b b76275d0 - b1e098d4 83368a97}, nego = 1, dst = 192.168.2.222:500 routing table id = 0
Jun 11 15:37:49 ike_retransmit_callback: Start, retransmit SA = { 3c08f89b b76275d0 - b1e098d4 83368a97}, nego = 1
Jun 11 15:37:49 ike_send_packet: Start, retransmit previous packet SA = { 3c08f89b b76275d0 - b1e098d4 83368a97}, nego = 1, dst = 192.168.2.222:500 routing table id = 0
Jun 11 15:37:59 ike_retransmit_callback: Start, retransmit SA = { 3c08f89b b76275d0 - b1e098d4 83368a97}, nego = 1
Jun 11 15:37:59 ike_retransmit_callback: Isakmp query retry limit reached, deleting
Jun 11 15:37:59 <none>:500 (Initiator) <-> 192.168.2.222:500 { 3c08f89b b76275d0 - b1e098d4 83368a97 [1] / 0x38b25714 } CFG; Error = Timeout (8197)
Jun 11 15:37:59 ike_send_notify: Private notification, do not send notification
Jun 11 15:37:59 ike_delete_negotiation: Start, SA = { 3c08f89b b76275d0 - b1e098d4 83368a97}, nego = 1
Jun 11 15:37:59 ike_free_negotiation_cfg: Start, nego = 1
Jun 11 15:37:59 ike_free_negotiation: Start, nego = 1
Jun 11 15:37:59 iked_pm_ike_sa_delete_notify_done_cb: For p1 sa index 2417611, ref cnt 2, status: Error ok
Jun 11 15:37:59 ike_expire_callback: Start, expire SA = { 3c08f89b b76275d0 - b1e098d4 83368a97}, nego = -1
Jun 11 15:37:59 ike_alloc_negotiation: Start, SA = { 3c08f89b b76275d0 - b1e098d4 83368a97}
Jun 11 15:37:59 ike_encode_packet: Start, SA = { 0x3c08f89b b76275d0 - b1e098d4 83368a97 } / 687b0350, nego = 1
Jun 11 15:37:59 ike_send_packet: Start, send SA = { 3c08f89b b76275d0 - b1e098d4 83368a97}, nego = 1, dst = 192.168.2.222:500, routing table id = 0
Jun 11 15:37:59 ike_delete_negotiation: Start, SA = { 3c08f89b b76275d0 - b1e098d4 83368a97}, nego = 1
Jun 11 15:37:59 ike_free_negotiation_info: Start, nego = 1
Jun 11 15:37:59 ike_free_negotiation: Start, nego = 1
Jun 11 15:37:59 ike_remove_callback: Start, delete SA = { 3c08f89b b76275d0 - b1e098d4 83368a97}, nego = -1
Jun 11 15:37:59 ike_delete_negotiation: Start, SA = { 3c08f89b b76275d0 - b1e098d4 83368a97}, nego = -1
Jun 11 15:37:59 ssh_ike_tunnel_table_entry_delete: Deleting tunnel_id: 0 from IKE tunnel table
Jun 11 15:37:59 ssh_ike_tunnel_table_entry_delete: The tunnel id: 0 doesn't exist in IKE tunnel table
Jun 11 15:37:59 ike_sa_delete: Start, SA = { 3c08f89b b76275d0 - b1e098d4 83368a97 }
Jun 11 15:37:59 ike_free_negotiation_cfg: Start, nego = 0
Jun 11 15:37:59 ike_free_negotiation: Start, nego = 0
Jun 11 15:37:59 ike_free_negotiation_qm: Start, nego = 2
Jun 11 15:37:59 ike_free_negotiation: Start, nego = 2
Jun 11 15:37:59 ike_free_id_payload: Start, id type = 4
Jun 11 15:37:59 ike_free_id_payload: Start, id type = 4
Jun 11 15:37:59 ike_free_id_payload: Start, id type = 1
Jun 11 15:37:59 ike_free_id_payload: Start, id type = 1
Jun 11 15:37:59 ike_free_negotiation_isakmp: Start, nego = -1
Jun 11 15:37:59 ike_free_negotiation: Start, nego = -1
Jun 11 15:37:59 IKE SA delete called for p1 sa 2417611 (ref cnt 1) local:192.168.3.103, remote:192.168.2.222, IKEv1
Jun 11 15:37:59 iked_pm_p1_sa_destroy: p1 sa 2417611 (ref cnt 0), waiting_for_del 0x0
Jun 11 15:37:59 Reducing number of connection for ike gateway dial-ike to 0
Jun 11 15:37:59 ike_free_id_payload: Start, id type = 1
Jun 11 15:37:59 ike_free_id_payload: Start, id type = 2
Jun 11 15:37:59 ike_free_sa: Start
Can anyone help me find the root cause of this issue? Thanks a lot.
Thanks & best regards,
Phuong