ScreenOS Firewalls (NOT SRX)
Visitor
mky212
Posts: 1
Registered: ‎11-15-2010
0

Client VPN with NCP Client on windows 7 -SSG20 Firewall

Hi Everybody,

I want to configure a client VPN with the NCP Client application (SSG20) on Windows 7, but it gives the errors I have shared below.

We are able to do this with no problem on Windows XP with the Netscreen Client application, but NCP is not working. Could you please help me?

 

 

Errors:

VPN client error:

7/11/2011 3:12:31 PM  IPSec: Start building connection
7/11/2011 3:12:31 PM  Ike: Outgoing connect request AGGRESSIVE mode – gateway=85.97.128.182 : xxx-vpn
7/11/2011 3:12:31 PM  Ike: XMIT_MSG1_AGGRESSIVE – turcas-vpn
7/11/2011 3:12:31 PM  Ike: RECV_MSG2_AGGRESSIVE – turcas-vpn
7/11/2011 3:12:31 PM  Ike: IKE phase I: Setting LifeTime to 28800 seconds
7/11/2011 3:12:31 PM  Ike: Turning on XAUTH mode – turcas-vpn
7/11/2011 3:12:31 PM  Ike: IkeSa negotiated with the following properties -
7/11/2011 3:12:31 PM    Authentication=XAUTH_INIT_PSK,Encryption=DES3,Hash=SHA,DHGroup=2,KeyLen=0
7/11/2011 3:12:31 PM  IPSec: Final Tunnel EndPoint is:085.097.128.182
7/11/2011 3:12:31 PM  Ike: turcas-vpn ->Support for NAT-T version – 2
7/11/2011 3:12:31 PM  Ike: Turning on NATD mode – xxx-vpn – 1
7/11/2011 3:12:31 PM  Ike: XMIT_MSG3_AGGRESSIVE – turcas-vpn
7/11/2011 3:12:31 PM  Ike: IkeSa negotiated with the following properties -
7/11/2011 3:12:31 PM    Authentication=XAUTH_INIT_PSK,Encryption=DES3,Hash=SHA,DHGroup=2,KeyLen=0
7/11/2011 3:12:31 PM  Ike: Turning on DPD mode – turcas-vpn
7/11/2011 3:12:31 PM  Ike: phase1:name(xxx-vpn) – connected
7/11/2011 3:12:31 PM  SUCCESS: IKE phase 1 ready
7/11/2011 3:12:31 PM  IPSec: Phase1 is Ready,AdapterIndex=200,IkeIndex=30,PubIpAdr=10.11.1.5,AltRekey=1
7/11/2011 3:12:31 PM  IkeXauth: RECV_XAUTH_REQUEST
7/11/2011 3:12:31 PM  IkeXauth: XMIT_XAUTH_REPLY
7/11/2011 3:12:31 PM  IkeCfg: RECV_IKECFG_SET – xxx-vpn
7/11/2011 3:12:31 PM  IkeCfg: XMIT_IKECFG_ACK – xxx-vpn
7/11/2011 3:12:31 PM  IkeXauth: RECV_XAUTH_SET
7/11/2011 3:12:31 PM  IkeXauth: XMIT_XAUTH_ACK
7/11/2011 3:12:31 PM  IkeCfg: name <turcas-v> – IkeXauth: enter state open
7/11/2011 3:12:31 PM  SUCCESS: Ike Extended Authentication is ready
7/11/2011 3:12:31 PM  IPSec: Quick Mode is Ready: IkeIndex = 0000001e , VpnSrcPort = 10954
7/11/2011 3:12:31 PM  IPSec: Assigned IP Address: 172.16.3.1
7/11/2011 3:12:31 PM  IPSec: DNS Server: 10.1.0.31
7/11/2011 3:12:31 PM  IPSec: WINS Server: 10.1.0.31
7/11/2011 3:12:31 PM  IkeQuick: XMIT_MSG1_QUICK – turcas-vpn
7/11/2011 3:12:51 PM  IkeQuick: phase2:name(turcas-vpn) – error – cleared by phase1
7/11/2011 3:12:51 PM  ERROR – 4037: IKE(phase2):Waiting for message2, cleared by phase1 – turcas-vpn.
7/11/2011 3:12:51 PM  IPSec: Disconnected from turcas-vpn on channel 1.

 

Firewall event log:

 

2011-07-11 15:50:22 info IKE 88.247.84.246 Phase 2 msg ID 84920f27: Negotiations have failed.
2011-07-11 15:50:22 info Rejected an IKE packet on ethernet0/3 from 88.247.84.246:10954 to 85.97.128.182:4500 with cookies 7644350b05be71ca and 05e06c92dfac08ac because The VPN does not have an application SA configured.
2011-07-11 15:50:22 info IKE 88.247.84.246 Phase 2: No policy exists for the proxy ID received: local ID (172.16.3.0/255.255.255.0, 0, 0) remote ID (172.16.3.1/255.255.255.255, 0, 0).
2011-07-11 15:50:22 info IKE 88.247.84.246 Phase 2 msg ID 84920f27: Responded to the peer's first message.
2011-07-11 15:50:22 info IKE 88.247.84.246: XAuth login was passed for gateway ravpn.ph1, username hasan.evin, retry: 0, Client IP Addr 172.16.3.1, IPPool name: , Session-Timeout: 0s, Idle-Timeout: 0s.
2011-07-11 15:50:22 info IKE 88.247.84.246: Received initial contact notification and removed Phase 1 SAs.
2011-07-11 15:50:22 info IKE 88.247.84.246 Phase 1: Completed Aggressive mode negotiations with a 28800-second lifetime.
2011-07-11 15:50:22 info IKE 88.247.84.246 Phase 1: Completed for user hasan.evin.
2011-07-11 15:50:22 info IKE 88.247.84.246: Received initial contact notification and removed Phase 2 SAs.
2011-07-11 15:50:22 info IKE 88.247.84.246: Received a notification message for DOI 1 24578 INITIAL-CONTACT.
2011-07-11 15:50:22 info IKE<88.247.84.246> Phase 1: IKE responder has detected NAT in front of the remote device.
2011-07-11 15:50:22 info IKE 88.247.84.246 phase 1:The symmetric crypto key has been generated successfully.
2011-07-11 15:50:22 info IKE 88.247.84.246 Phase 1: Responder starts AGGRESSIVE mode negotiations.

Visitor
Athome
Posts: 5
Registered: ‎10-30-2009
0

Re: Client VPN with NCP Client on windows 7 -SSG20 Firewall

Hi,

For me it looks like the Proxy ID will not match.

It is useful to set a "Dialin Proxy ID" for this case.

Try to set Local: 0.0.0.0 and Remote: 255.255.255.255 with Service "any" in Phase 2; this will force all traffic inside the tunnel.

Can you please post your configuration here?

--> Config of the VPN only

--> Output from debug_ike_detail

 

Regards

Martin
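
One way to pull the rejected proxy IDs out of the firewall event log and compare them with what the gateway is set up to accept, as an added example that is not part of the original thread. The log lines are copied from the question; the `configured` pairs are hypothetical, exact-match comparison is an assumption about how the gateway evaluates proxy IDs, and the two trailing integers in each ID are parsed but not interpreted.

```python
import ipaddress
import re

# Event-log lines copied from the question above.
LOG = """\
2011-07-11 15:50:22 info IKE 88.247.84.246 Phase 2 msg ID 84920f27: Negotiations have failed.
2011-07-11 15:50:22 info IKE 88.247.84.246 Phase 2: No policy exists for the proxy ID received: local ID (172.16.3.0/255.255.255.0, 0, 0) remote ID (172.16.3.1/255.255.255.255, 0, 0).
2011-07-11 15:50:22 info IKE 88.247.84.246 Phase 1: Completed Aggressive mode negotiations with a 28800-second lifetime.
"""

# Matches the "No policy exists for the proxy ID received" event and captures
# the peer address plus both address/mask pairs.
PROXY_RE = re.compile(
    r"IKE\s*<?(?P<peer>\d+\.\d+\.\d+\.\d+)>?\s+Phase 2: No policy exists for the "
    r"proxy ID received: local ID \((?P<local>[\d.]+/[\d.]+), \d+, \d+\) "
    r"remote ID \((?P<remote>[\d.]+/[\d.]+), \d+, \d+\)"
)


def parse_proxy_id_rejections(text):
    """Return one dict per Phase 2 proxy-ID rejection found in the log text."""
    rejections = []
    for line in text.splitlines():
        m = PROXY_RE.search(line)
        if m:
            rejections.append({
                "peer": m["peer"],
                "local": ipaddress.ip_network(m["local"], strict=False),
                "remote": ipaddress.ip_network(m["remote"], strict=False),
            })
    return rejections


def diagnose(rejections, configured):
    """Compare each rejected proxy ID with the configured (local, remote) pairs.

    `configured` is hypothetical input: the pairs taken from the gateway's
    Phase 2 settings. Exact equality is assumed to be what the gateway needs.
    """
    conf = {(ipaddress.ip_network(l, strict=False),
             ipaddress.ip_network(r, strict=False)) for l, r in configured}
    return [(rej["peer"], str(rej["local"]), str(rej["remote"]),
             "match" if (rej["local"], rej["remote"]) in conf else "mismatch")
            for rej in rejections]


if __name__ == "__main__":
    # Constructed gateway setting, for illustration only.
    for row in diagnose(parse_proxy_id_rejections(LOG),
                        [("10.1.0.0/255.255.255.0", "172.16.3.1/255.255.255.255")]):
        print(row)
```
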


