Screen OS


This is a legacy community with limited Juniper monitoring.
  • 1.  Dial UP VPN

    Posted 09-20-2011 08:55

    Hi,

    I have been trying to set up a dial up VPN but I have not been able to establish the connection.

    The Juniper Firewall device is an SSG 550 and I use a Netscreen Remote client to connect to the firewall.

    The Phase 1 completes but Phase 2 fails.

    Can somebody help me with this and tell me where I'm missing it?

    Below is the log I got:

    12:43:58.921 My Connections\Dialup - Initiating IKE Phase 1 (IP ADDR=2.2.2.2)
     9-20: 12:43:59.343 My Connections\Dialup - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID 6x)
     9-20: 12:44:00.296 My Connections\Dialup - RECEIVED<<< ISAKMP OAK AG (SA, VID 3x, KE, NON, ID, HASH)
     9-20: 12:44:00.296 My Connections\Dialup - Peer supports Dead Peer Detection Version 1.0
     9-20: 12:44:00.296 My Connections\Dialup - Dead Peer Detection enabled
     9-20: 12:44:00.515 My Connections\Dialup - SENDING>>>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_REPLAY_STATUS, NOTIFY:STATUS_INITIAL_CONTACT)
     9-20: 12:44:00.515 My Connections\Dialup - Established IKE SA
     9-20: 12:44:00.515 My Connections\Dialup -   MY COOKIE 69 f8 45 c ff 43 8d e2
     9-20: 12:44:00.515 My Connections\Dialup -   HIS COOKIE 90 9f 8d 20 12 2d 28 86
     9-20: 12:44:00.671 My Connections\Dialup - Initiating IKE Phase 2 with Client IDs (message id: CE739C3A)
     9-20: 12:44:00.671 My Connections\Dialup -   Initiator = IP ADDR=192.168.1.232, prot = 0 port = 0
     9-20: 12:44:00.671 My Connections\Dialup -   Responder = IP ADDR=10.40.1.0, prot = 0 port = 0
     9-20: 12:44:00.671 My Connections\Dialup - SENDING>>>> ISAKMP OAK QM *(HASH, SA, NON, KE, ID 2x)
     9-20: 12:44:15.671 My Connections\Dialup - QM re-keying timed out. Retry count: 1
     9-20: 12:44:15.671 My Connections\Dialup - SENDING>>>> ISAKMP OAK QM *(Retransmission)
     9-20: 12:44:30.687 My Connections\Dialup - QM re-keying timed out. Retry count: 2
     9-20: 12:44:30.687 My Connections\Dialup - SENDING>>>> ISAKMP OAK QM *(Retransmission)
     9-20: 12:44:43.718 My Connections\Other Connections - Exceeded 3 IKE SA negotiation attempts
     9-20: 12:44:43.718 My Connections\Dialup - Deleting IKE SA (IP ADDR=2.2.2.2)
     9-20: 12:44:43.718 My Connections\Dialup -   MY COOKIE 69 f8 45 c ff 43 8d e2
     9-20: 12:44:43.718 My Connections\Dialup -   HIS COOKIE 90 9f 8d 20 12 2d 28 86
     9-20: 12:44:43.718 My Connections\Dialup - SENDING>>>> ISAKMP OAK INFO *(HASH, DEL)

     

     



  • 2.  RE: Dial UP VPN

    Posted 09-21-2011 01:58

    You'll also need to look at the event logs on the SSG itself.

    The client logs just show a timeout - the SSG is dropping the VPN traffic, and its event logs will tell you why.

     

    Sam.

    JNCIS-FWV JNCIS-SSL JNCIS-ER JNCIS-SEC



  • 3.  RE: Dial UP VPN

    Posted 09-24-2011 22:44

    Hi,

    Can you please upload the link to download the remote Netscreen VPN client?



  • 4.  RE: Dial UP VPN
    Best Answer

    Posted 09-30-2011 03:37

    Hi All,

    Thanks, the issue has been resolved. I had to change the ID Type on the Remote Party Identity and Addressing:

    ID Type was changed from IP Address to Subnet Address 'cos I specified ID Type:IP Address for 10.1.1.0 instead of ID Type:Subnet for 10.1.1.0 and mask 255.255.255.0

     

    To download the Netscreen remote client go to

    https://softserv.juniper.net/cgi-bin/nssd.cgi
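
Added example, not part of the original thread: a Python triage of the NetScreen-Remote client log from post 1, flagging the pattern the thread resolves (Phase 1 up, Quick Mode unanswered, remote ID sent as a host address that looks like a network). The function names, the `.0` heuristic and the assumed form of a Quick Mode reply line are assumptions; the sample is lines copied from the posted log.

```python
import ipaddress
import re

# Constructed sample: lines copied from the client log quoted in post 1.
SAMPLE_LOG = r"""
 9-20: 12:44:00.515 My Connections\Dialup - Established IKE SA
 9-20: 12:44:00.671 My Connections\Dialup - Initiating IKE Phase 2 with Client IDs (message id: CE739C3A)
 9-20: 12:44:00.671 My Connections\Dialup -   Initiator = IP ADDR=192.168.1.232, prot = 0 port = 0
 9-20: 12:44:00.671 My Connections\Dialup -   Responder = IP ADDR=10.40.1.0, prot = 0 port = 0
 9-20: 12:44:00.671 My Connections\Dialup - SENDING>>>> ISAKMP OAK QM *(HASH, SA, NON, KE, ID 2x)
 9-20: 12:44:15.671 My Connections\Dialup - QM re-keying timed out. Retry count: 1
 9-20: 12:44:30.687 My Connections\Dialup - QM re-keying timed out. Retry count: 2
"""

# Matches the "Initiator = <ID type>=<address>" lines of the Phase 2 client IDs.
ID_LINE = re.compile(r"(Initiator|Responder) = (.+?)=(\d+\.\d+\.\d+\.\d+)")

def triage(log_text):
    """Summarise where the negotiation stalled and flag a suspicious proxy ID."""
    ids = {role: (id_type.strip(), addr)
           for role, id_type, addr in ID_LINE.findall(log_text)}
    result = {
        "phase1_established": "Established IKE SA" in log_text,
        "qm_timeouts": len(re.findall(r"QM re-keying timed out", log_text)),
        # Assumption: a gateway reply would be logged like the AG reply in post 1.
        "qm_reply_seen": "RECEIVED<<< ISAKMP OAK QM" in log_text,
        "responder_id": ids.get("Responder"),
        "host_id_looks_like_network": False,
    }
    if result["responder_id"]:
        id_type, addr = result["responder_id"]
        # Heuristic (assumption): a single-host ID ending in .0 is likely a network.
        last_octet = int(ipaddress.IPv4Address(addr)) & 0xFF
        result["host_id_looks_like_network"] = id_type == "IP ADDR" and last_octet == 0
    return result

def verdict(r):
    """Turn the triage result into a next step for the person debugging."""
    if r["phase1_established"] and r["qm_timeouts"] and not r["qm_reply_seen"]:
        if r["host_id_looks_like_network"]:
            return "phase2-unanswered: check remote ID type (IP Address vs Subnet)"
        return "phase2-unanswered: check gateway event log"
    return "no phase 2 stall detected"

if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print(summary)
    print(verdict(summary))
```

The client log alone cannot confirm the cause; as post 2 says, the SSG event log is where the rejection reason is recorded.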