Screen OS

  • 1.  How to trouble VPN issue

    Posted 04-21-2010 00:28

    Dear all,

    I'm a newbie at VPN setup. I tried to follow the settings below to set up a dialup VPN to connect to our office SSG5 device.

    I tried to set up the Shrew VPN client and followed the instructions at the URL

    http://www.shrew.net/support/wiki/HowtoJuniperSsg

    I failed, and below is the debug output. Sorry, I don't know how to interpret the output. Please help!

     

    Remote Management Console
    HK_SSG5-> get sa
    total configured sa: 1
    HEX ID    Gateway         Port Algorithm     SPI      Life:sec kb Sta   PID vsys
    00000001<         0.0.0.0  500 esp:3des/sha1 00000000 expir unlim I/I     9 0
    00000001>         0.0.0.0  500 esp:3des/sha1 00000000 expir unlim I/I    -1 0
    HK_SSG5-> undebug all
    HK_SSG5-> set db size 4096
    HK_SSG5-> clear db
    HK_SSG5-> debug ike detail
    HK_SSG5-> debug pki all
    HK_SSG5-> get db stream
    ## 2010-04-09 17:51:11 : check certificate renew:
    ## 2010-04-09 17:51:11 : check poll pending cert:
    ## 2010-04-09 17:54:11 : check certificate renew:
    ## 2010-04-09 17:54:11 : check poll pending cert:
    ## 2010-04-09 17:55:21 : IKE<221.126.96.175> ike packet, len 1202, action 1
    ## 2010-04-09 17:55:21 : IKE<221.126.96.175> Catcher: received 1174 bytes from socket.
    ## 2010-04-09 17:55:21 : IKE<221.126.96.175> ****** Recv packet if <ethernet0/0> of vsys <Root> ******
    ## 2010-04-09 17:55:21 : IKE<221.126.96.175> Catcher: get 1174 bytes. src port 1179
    ## 2010-04-09 17:55:21 : IKE<0.0.0.0        >   ISAKMP msg: len 1174, nxp 1[SA], exch 4[AG], flag 00
    ## 2010-04-09 17:55:21 : IKE<221.126.96.175 > Recv : [SA] [KE] [NONCE] [ID] [VID] [VID] [VID] [VID] [VID]
    ## 2010-04-09 17:55:21 : [VID] [VID] [VID] [VID] [VID] [VID] [VID]
    ## 2010-04-09 17:55:21 : valid id checking, id type:FQDN, len:34.
    ## 2010-04-09 17:55:21 : IKE<0.0.0.0        >     Validate (1146): SA/716 KE/132 NONCE/24 ID/34 VID/12 VID/20 VID/20 VID/20 VID/20
    ## 2010-04-09 17:55:21 : IKE<221.126.96.175> Receive Id in AG mode, id-type=2, id=client.xxx.com.hk, idlen = 26
    ## 2010-04-09 17:55:21 :   locate peer entry for (2/client.xxx.com.hk), by identity.
    ## 2010-04-09 17:55:21 :   Found identity<client.xxx.com.hk> in group <1> user id <1>.
    ## 2010-04-09 17:55:21 : IKE<221.126.96.175> Found peer entry (vpnclient_gateway) from 221.126.96.175.
    ## 2010-04-09 17:55:21 : IKE<221.126.96.175> Peer(vpnclient_gateway) is in main mode(2) but received packet mode is 4, packet discarded.
    ## 2010-04-09 17:55:21 : IKE<221.126.96.175> Rejected an initial Phase 1 packet from an unrecognized peer gateway.
    ## 2010-04-09 17:55:26 : IKE<221.126.96.175> ike packet, len 1202, action 1
    ## 2010-04-09 17:55:26 : IKE<221.126.96.175> Catcher: received 1174 bytes from socket.
    ## 2010-04-09 17:55:26 : IKE<221.126.96.175> ****** Recv packet if <ethernet0/0> of vsys <Root> ******
    ## 2010-04-09 17:55:26 : IKE<221.126.96.175> Catcher: get 1174 bytes. src port 1179
    ## 2010-04-09 17:55:26 : IKE<0.0.0.0        >   ISAKMP msg: len 1174, nxp 1[SA], exch 4[AG], flag 00
    ## 2010-04-09 17:55:26 : IKE<221.126.96.175 > Recv : [SA] [KE] [NONCE] [ID] [VID] [VID] [VID] [VID] [VID]
    ## 2010-04-09 17:55:26 : [VID] [VID] [VID] [VID] [VID] [VID] [VID]
    ## 2010-04-09 17:55:26 : valid id checking, id type:FQDN, len:34.
    ## 2010-04-09 17:55:26 : IKE<0.0.0.0        >     Validate (1146): SA/716 KE/132 NONCE/24 ID/34 VID/12 VID/20 VID/20 VID/20 VID/20
    ## 2010-04-09 17:55:26 : IKE<221.126.96.175> Receive Id in AG mode, id-type=2, id=client.xxx.com.hk, idlen = 26
    ## 2010-04-09 17:55:26 :   locate peer entry for (2/client.xxx.com.hk), by identity.
    ## 2010-04-09 17:55:26 :   Found identity<client.xxx.com.hk> in group <1> user id <1>.
    ## 2010-04-09 17:55:26 : IKE<221.126.96.175> Found peer entry (vpnclient_gateway) from 221.126.96.175.
    ## 2010-04-09 17:55:26 : IKE<221.126.96.175> Peer(vpnclient_gateway) is in main mode(2) but received packet mode is 4, packet discarded.
    ## 2010-04-09 17:55:26 : IKE<221.126.96.175> Rejected an initial Phase 1 packet from an unrecognized peer gateway.
    ## 2010-04-09 17:55:31 : IKE<221.126.96.175> ike packet, len 1202, action 1
    ## 2010-04-09 17:55:31 : IKE<221.126.96.175> Catcher: received 1174 bytes from socket.
    ## 2010-04-09 17:55:31 : IKE<221.126.96.175> ****** Recv packet if <ethernet0/0> of vsys <Root> ******
    ## 2010-04-09 17:55:31 : IKE<221.126.96.175> Catcher: get 1174 bytes. src port 1179
    ## 2010-04-09 17:55:31 : IKE<0.0.0.0        >   ISAKMP msg: len 1174, nxp 1[SA], exch 4[AG], flag 00
    ## 2010-04-09 17:55:31 : IKE<221.126.96.175 > Recv : [SA] [KE] [NONCE] [ID] [VID] [VID] [VID] [VID] [VID]
    ## 2010-04-09 17:55:31 : [VID] [VID] [VID] [VID] [VID] [VID] [VID]
    ## 2010-04-09 17:55:31 : valid id checking, id type:FQDN, len:34.
    ## 2010-04-09 17:55:31 : IKE<0.0.0.0        >     Validate (1146): SA/716 KE/132 NONCE/24 ID/34 VID/12 VID/20 VID/20 VID/20 VID/20
    ## 2010-04-09 17:55:31 : IKE<221.126.96.175> Receive Id in AG mode, id-type=2, id=client.xxx.com.hk, idlen = 26
    ## 2010-04-09 17:55:31 :   locate peer entry for (2/client.xxx.com.hk), by identity.
    ## 2010-04-09 17:55:31 :   Found identity<client.xxx.com.hk> in group <1> user id <1>.
    ## 2010-04-09 17:55:31 : IKE<221.126.96.175> Found peer entry (vpnclient_gateway) from 221.126.96.175.
    ## 2010-04-09 17:55:31 : IKE<221.126.96.175> Peer(vpnclient_gateway) is in main mode(2) but received packet mode is 4, packet discarded.
    ## 2010-04-09 17:55:31 : IKE<221.126.96.175> Rejected an initial Phase 1 packet from an unrecognized peer gateway.
    ## 2010-04-09 17:55:36 : IKE<221.126.96.175> ike packet, len 1202, action 1
    ## 2010-04-09 17:55:36 : IKE<221.126.96.175> Catcher: received 1174 bytes from socket.
    ## 2010-04-09 17:55:36 : IKE<221.126.96.175> ****** Recv packet if <ethernet0/0> of vsys <Root> ******
    ## 2010-04-09 17:55:36 : IKE<221.126.96.175> Catcher: get 1174 bytes. src port 1179
    ## 2010-04-09 17:55:36 : IKE<0.0.0.0        >   ISAKMP msg: len 1174, nxp 1[SA], exch 4[AG], flag 00
    ## 2010-04-09 17:55:36 : IKE<221.126.96.175 > Recv : [SA] [KE] [NONCE] [ID] [VID] [VID] [VID] [VID] [VID]
    ## 2010-04-09 17:55:36 : [VID] [VID] [VID] [VID] [VID] [VID] [VID]
    ## 2010-04-09 17:55:36 : valid id checking, id type:FQDN, len:34.
    ## 2010-04-09 17:55:36 : IKE<0.0.0.0        >     Validate (1146): SA/716 KE/132 NONCE/24 ID/34 VID/12 VID/20 VID/20 VID/20 VID/20
    ## 2010-04-09 17:55:36 : IKE<221.126.96.175> Receive Id in AG mode, id-type=2, id=client.xxx.com.hk, idlen = 26
    ## 2010-04-09 17:55:36 :   locate peer entry for (2/client.xxx.com.hk), by identity.
    ## 2010-04-09 17:55:36 :   Found identity<client.xxx.com.hk> in group <1> user id <1>.
    ## 2010-04-09 17:55:36 : IKE<221.126.96.175> Found peer entry (vpnclient_gateway) from 221.126.96.175.
    ## 2010-04-09 17:55:36 : IKE<221.126.96.175> Peer(vpnclient_gateway) is in main mode(2) but received packet mode is 4, packet discarded.
    ## 2010-04-09 17:55:36 : IKE<221.126.96.175> Rejected an initial Phase 1 packet from an unrecognized peer gateway.
    HK_SSG5-> unset db size
    HK_SSG5-> undebug all
    HK_SSG5->
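
    The debug stream above already contains the diagnosis: the ISAKMP header says "exch 4[AG]" (Aggressive mode), the peer is found by its FQDN identity, and the gateway then discards the packet because it is configured for "main mode(2)". The following is an added example, not code from the thread: a small Python parser that re-joins the console's 80-column line wraps and pulls those fields out of a "debug ike detail" capture. SAMPLE is a constructed excerpt of the posted output (two of the four identical attempts); the regexes, field names and the verdict text are mine, and the exchange-type and ID-type tables are the RFC 2408 / RFC 2407 values that ScreenOS prints as numbers.

```python
"""Added example (not from the thread): parse a ScreenOS "debug ike detail"
capture and summarise the Phase 1 failure.  SAMPLE is a constructed excerpt
of the posted output; regexes and field names are this example's own."""
import re

SAMPLE = """\
## 2010-04-09 17:55:21 : IKE<221.126.96.175> Catcher: get 1174 bytes. src port 1
179
## 2010-04-09 17:55:21 : IKE<0.0.0.0        >   ISAKMP msg: len 1174, nxp 1[SA],
 exch 4[AG], flag 00
## 2010-04-09 17:55:21 : IKE<221.126.96.175> Receive Id in AG mode, id-type=2, i
d=client.xxx.com.hk, idlen = 26
## 2010-04-09 17:55:21 : IKE<221.126.96.175> Found peer entry (vpnclient_gateway
) from 221.126.96.175.
## 2010-04-09 17:55:21 : IKE<221.126.96.175> Peer(vpnclient_gateway) is in main
mode(2) but received packet mode is 4, packet discarded.
## 2010-04-09 17:55:21 : IKE<221.126.96.175> Rejected an initial Phase 1 packet
from an unrecognized peer gateway.
## 2010-04-09 17:55:26 : IKE<221.126.96.175> Peer(vpnclient_gateway) is in main
mode(2) but received packet mode is 4, packet discarded.
## 2010-04-09 17:55:26 : IKE<221.126.96.175> Rejected an initial Phase 1 packet
from an unrecognized peer gateway.
"""

# ISAKMP exchange types (RFC 2408) behind "mode(N)" and "exch N[..]".
EXCHANGE = {2: "main", 4: "aggressive"}
# IPsec DOI identification types (RFC 2407) behind "id-type=N".
ID_TYPE = {1: "IPV4_ADDR", 2: "FQDN", 3: "USER_FQDN", 11: "KEY_ID"}

SRC = re.compile(r"IKE<([\d.]+)> Catcher: get (\d+) bytes\. src port\s*(\d+)")
EXCH = re.compile(r"ISAKMP msg: len (\d+),.*?exch (\d+)\[")
RECV_ID = re.compile(r"Receive Id in \w+ mode, id-type=(\d+),\s*id=([^,]+), idlen")
MISMATCH = re.compile(
    r"Peer\(([^)]+)\) is in (\w+?)\s*mode\((\d+)\) but received packet mode is (\d+)")
REJECT = re.compile(r"Rejected an initial Phase 1 packet\s*from an unrecognized peer gateway")


def unwrap(raw):
    """Re-join records that the 80-column console split across lines.

    Every record starts with "## "; anything else is a continuation.  The wrap
    loses a trailing space at column 80, so continuation text is glued on with
    no separator and the regexes above tolerate the missing space.
    """
    records = []
    for line in raw.splitlines():
        if line.startswith("## ") or not records:
            records.append(line)
        else:
            records[-1] += line
    return records


def diagnose(raw):
    """Summarise the Phase 1 outcome of one debug capture as a dict."""
    d = {"peer_ip": None, "src_port": None, "exchange": None, "peer_id": None,
         "id_type": None, "gateway": None, "configured_mode": None,
         "received_mode": None, "rejections": 0, "verdict": "no Phase 1 failure seen"}
    for rec in unwrap(raw):
        if m := SRC.search(rec):
            d["peer_ip"], d["src_port"] = m.group(1), int(m.group(3))
        elif m := EXCH.search(rec):
            d["exchange"] = EXCHANGE.get(int(m.group(2)), m.group(2))
        elif m := RECV_ID.search(rec):
            d["id_type"] = ID_TYPE.get(int(m.group(1)), m.group(1))
            d["peer_id"] = m.group(2).strip()
        elif m := MISMATCH.search(rec):
            d["gateway"] = m.group(1)
            d["configured_mode"] = EXCHANGE.get(int(m.group(3)), m.group(2))
            d["received_mode"] = EXCHANGE.get(int(m.group(4)), m.group(4))
        elif REJECT.search(rec):
            d["rejections"] += 1
    if d["configured_mode"] and d["received_mode"] != d["configured_mode"]:
        d["verdict"] = (
            f"Phase 1 mode mismatch: gateway {d['gateway']} is configured for "
            f"{d['configured_mode']} mode but {d['peer_ip']}:{d['src_port']} "
            f"(ID {d['id_type']} {d['peer_id']}) initiates {d['received_mode']} "
            f"mode; {d['rejections']} attempt(s) discarded. A PSK dial-up peer "
            f"identified by FQDN needs the gateway set to Aggressive mode.")
    return d


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE).items():
        print(f"{key:16}: {value}")
```

    Feed it the whole "get db stream" output and the verdict names the gateway, the client's address and port, the identity it offered, and how many retransmissions were thrown away; the retransmission count every five seconds is the client's retry timer, not four different problems.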



  • 2.  RE: How to trouble VPN issue

    Posted 04-21-2010 01:14

    Hi

    What mode do you use, aggressive mode or main mode? Could you share your VPN client config and your SSG5 VPN config?

    Please also refer to this KB; it is very useful.

    http://kb.juniper.net/kb/documents/public/resolution_path/J_visio_kb9221.htm

    thanks

    EL



  • 3.  RE: How to trouble VPN issue

    Posted 04-21-2010 03:29

    For your reference. Some sensitive information is masked.

    set clock dst-off
    set clock ntp
    set clock timezone 8
    set clock dst recurring start-weekday 2 0 3 02:00 end-weekday 1 0 11 02:00
    set vrouter trust-vr sharable
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset auto-route-export
    exit
    set service "Port_8080" protocol tcp src-port 0-65535 dst-port 8080-8080
    set service "Terminal_Server" protocol tcp src-port 0-65535 dst-port 3389-3389
    set alg appleichat enable
    unset alg appleichat re-assembly enable
    set alg sctp enable
    set auth-server "Local" id 0
    set auth-server "Local" server-name "Local"
    set auth default auth server "Local"
    set auth radius accounting port 1646
    set admin name "netscreen"
    set admin password "masked"
    set admin auth web timeout 10
    set admin auth dial-in timeout 3
    set admin auth server "Local"
    set admin format dos
    set zone "Trust" vrouter "trust-vr"
    set zone "Untrust" vrouter "trust-vr"
    set zone "DMZ" vrouter "trust-vr"
    set zone "VLAN" vrouter "trust-vr"
    set zone id 100 "Guest"
    set zone "Untrust-Tun" vrouter "trust-vr"
    set zone "Trust" tcp-rst
    set zone "Untrust" block
    unset zone "Untrust" tcp-rst
    set zone "MGT" block
    set zone "DMZ" tcp-rst
    set zone "VLAN" block
    unset zone "VLAN" tcp-rst
    set zone "Guest" tcp-rst
    set zone "Untrust" screen icmp-flood
    set zone "Untrust" screen udp-flood
    set zone "Untrust" screen port-scan
    unset zone "Untrust" screen tear-drop
    set zone "Untrust" screen syn-flood
    set zone "Untrust" screen ip-spoofing
    unset zone "Untrust" screen ping-death
    set zone "Untrust" screen ip-filter-src
    unset zone "Untrust" screen land
    set zone "V1-Untrust" screen tear-drop
    set zone "V1-Untrust" screen syn-flood
    set zone "V1-Untrust" screen ping-death
    set zone "V1-Untrust" screen ip-filter-src
    set zone "V1-Untrust" screen land
    set zone "Guest" screen port-scan
    set zone "Guest" screen ip-spoofing
    set zone "Guest" screen ip-filter-src
    set interface ethernet0/0 phy full 10mb
    set interface "ethernet0/0" zone "Untrust"
    set interface "ethernet0/1" zone "Trust"
    set interface "ethernet0/2" zone "Guest"
    set interface "bgroup0" zone "Trust"
    set interface bgroup0 port ethernet0/3
    set interface bgroup0 port ethernet0/4
    set interface bgroup0 port ethernet0/5
    set interface bgroup0 port ethernet0/6
    unset interface vlan1 ip
    set interface ethernet0/0 ip xxx.xxx.74.2/28
    set interface ethernet0/0 route
    set interface ethernet0/1 ip 192.168.10.2/24
    set interface ethernet0/1 nat
    set interface ethernet0/2 ip 192.168.11.1/28
    set interface ethernet0/2 nat
    set interface bgroup0 ip 192.168.1.1/24
    set interface bgroup0 nat
    unset interface vlan1 bypass-others-ipsec
    unset interface vlan1 bypass-non-ip
    unset interface ethernet0/0 ip manageable
    set interface ethernet0/1 ip manageable
    unset interface ethernet0/2 ip manageable
    set interface bgroup0 ip manageable
    set interface ethernet0/0 vip xxx.xxx.74.14 3389 "Terminal_Server" 192.168.10.21
    set interface ethernet0/0 vip xxx.xxx.74.14 + 21 "FTP" 192.168.10.21
    set interface ethernet0/2 dhcp server service
    set interface bgroup0 dhcp server service
    set interface ethernet0/2 dhcp server enable
    set interface bgroup0 dhcp server auto
    set interface ethernet0/2 dhcp server option lease 1440
    set interface ethernet0/2 dhcp server option gateway 192.168.11.1
    set interface ethernet0/2 dhcp server option netmask 255.255.255.240
    set interface ethernet0/2 dhcp server option dns1 210.0.128.250
    set interface ethernet0/2 dhcp server option dns2 210.0.128.251
    set interface bgroup0 dhcp server option gateway 192.168.1.1
    set interface bgroup0 dhcp server option netmask 255.255.255.0
    set interface ethernet0/2 dhcp server ip 192.168.11.2 to 192.168.11.8
    set interface bgroup0 dhcp server ip 192.168.1.33 to 192.168.1.62
    unset interface ethernet0/2 dhcp server config next-server-ip
    unset interface bgroup0 dhcp server config next-server-ip
    set interface "serial0/0" modem settings "USR" init "AT&F"
    set interface "serial0/0" modem settings "USR" active
    set interface "serial0/0" modem speed 115200
    set interface "serial0/0" modem retry 3
    set interface "serial0/0" modem interval 10
    set interface "serial0/0" modem idle-time 10
    set flow tcp-mss
    unset flow no-tcp-seq-check
    set flow tcp-syn-check
    unset flow tcp-syn-bit-check
    set flow reverse-route clear-text prefer
    set flow reverse-route tunnel always
    set hostname HK_SSG5
    set pki authority default scep mode "auto"
    set pki x509 default cert-path partial
    set dns host dns1 210.0.128.251 src-interface ethernet0/0
    set dns host dns2 210.0.128.250 src-interface ethernet0/0
    set dns host dns3 210.0.128.250
    set address "Trust" "Administrator" 192.168.10.126 255.255.255.255
    set address "Trust" "HP4350" 192.168.10.10 255.255.255.255 "Printer for GUEST"
    set address "Trust" "Internal_LAN" 192.168.10.0 255.255.255.0
    set address "Trust" "SeaTechPC" 192.168.10.68 255.255.255.255
    set address "Trust" "abcAB" 192.168.10.168 255.255.255.255
    set address "Trust" "abcAD" 192.168.10.20 255.255.255.255
    set address "Trust" "abcAG" 192.168.10.22 255.255.255.255
    set address "Trust" "abcSERVERZ" 192.168.10.21 255.255.255.255
    set address "Untrust" "ebuddy" www.ebuddy.com  "ebuddy web site"
    set address "Untrust" "lcq2go1" 64.236.0.0 255.255.0.0
    set address "Untrust" "lcq2go2" 205.188.0.0 255.255.0.0
    set address "Untrust" "lcq2go3" 64.12.0.0 255.255.0.0
    set address "Untrust" "suspicious address1" 118.121.64.226 255.255.255.255
    set address "Guest" "GUEST_LAN" 192.168.11.0 255.255.255.240 "LAN for GUEST"
    set group address "Trust" "Administrators"
    set group address "Trust" "Administrators" add "Administrator"
    set group address "Trust" "abc Server"
    set group address "Trust" "abc Server" add "abcAB"
    set group address "Trust" "abc Server" add "abcAD"
    set group address "Trust" "abc Server" add "abcAG"
    set group address "Trust" "abc Server" add "abcSERVERZ"
    set group address "Untrust" "Suspicious Address" comment "should be rejected"
    set group address "Untrust" "Suspicious Address" add "suspicious address1"
    set group address "Untrust" "WebICQ"
    set group address "Untrust" "WebICQ" add "ebuddy"
    set group address "Untrust" "WebICQ" add "lcq2go1"
    set group address "Untrust" "WebICQ" add "lcq2go2"
    set group address "Untrust" "WebICQ" add "lcq2go3"
    set group service "common_services"
    set group service "common_services" add "DNS"
    set group service "common_services" add "FTP"
    set group service "common_services" add "HTTP"
    set group service "common_services" add "HTTPS"
    set group service "common_services" add "IMAP"
    set group service "common_services" add "MAIL"
    set group service "common_services" add "NTP"
    set group service "common_services" add "PING"
    set group service "common_services" add "POP3"
    set group service "common_services" add "Port_8080"
    set group service "seatech_services"
    set group service "seatech_services" add "FTP"
    set group service "seatech_services" add "Terminal_Server"
    set ippool "vpnclient" 192.168.20.1 192.168.20.30
    set user "vpnuser" uid 2
    set user "vpnuser" type xauth
    set user "vpnuser" password "masked"
    unset user "vpnuser" type auth
    set user "vpnuser" "enable"
    set user "vpnclient_ph1id" uid 1
    set user "vpnclient_ph1id" ike-id fqdn "client.xxx.com.hk" share-limit 2
    set user "vpnclient_ph1id" type ike
    set user "vpnclient_ph1id" "enable"
    set user-group "vpnclient_group" id 1
    set user-group "vpnclient_group" user "vpnclient_ph1id"
    set ike gateway "vpnclient_gateway" dialup "vpnclient_group" Main local-id "vpngw.xxx.com.hk" outgoing-interface "ethernet0/0" preshare "aHOaz4i2NDiTALsNQECedkKludnYi4URFIhHblXTgRfAv/gLsg8M6mw=" proposal "pre-g2-3des-sha" "pre-g2-3des-md5" "pre-g2-aes128-sha" "pre-g2-aes128-md5"
    set ike gateway "vpnclient_gateway" cert peer-ca all
    set ike gateway "vpnclient_gateway" dpd-liveness interval 30
    unset ike gateway "vpnclient_gateway" nat-traversal udp-checksum
    set ike gateway "vpnclient_gateway" nat-traversal keepalive-frequency 20
    set ike gateway "vpnclient_gateway" xauth server "Local"
    unset ike gateway "vpnclient_gateway" xauth do-edipi-auth
    set ike respond-bad-spi 1
    set ike ikev2 ike-sa-soft-lifetime 60
    unset ike ikeid-enumeration
    unset ike dos-protection
    unset ipsec access-session enable
    set ipsec access-session maximum 5000
    set ipsec access-session upper-threshold 0
    set ipsec access-session lower-threshold 0
    set ipsec access-session dead-p2-sa-timeout 0
    unset ipsec access-session log-error
    unset ipsec access-session info-exch-connected
    unset ipsec access-session use-error-log
    set xauth default ippool "vpnclient"
    set xauth default dns1 192.168.10.20
    set xauth default wins1 192.168.10.20
    set vpn "vpnclient_tunnel" gateway "vpnclient_gateway" replay tunnel idletime 0 proposal "nopfs-esp-3des-sha"  "nopfs-esp-3des-md5"  "nopfs-esp-aes128-sha"  "nopfs-esp-aes128-md5"
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit
    set scheduler "SeaTech" recurrent monday start 8:0 stop 20:30 comment "Office Hours"
    set scheduler "SeaTech" recurrent tuesday start 8:0 stop 20:30 comment "Office Hours"
    set scheduler "SeaTech" recurrent wednesday start 8:0 stop 20:30 comment "Office Hours"
    set scheduler "SeaTech" recurrent thursday start 8:0 stop 20:30 comment "Office Hours"
    set scheduler "SeaTech" recurrent friday start 8:0 stop 20:30 comment "Office Hours"
    set url protocol websense
    exit
    set policy id 4 name "Administrators" from "Trust" to "Untrust"  "Administrators" "Any" "ANY" permit
    set policy id 4
    exit
    set policy id 2 name "Block WebICQ" from "Trust" to "Untrust"  "Internal_LAN" "WebICQ" "ANY" deny log
    set policy id 2
    exit
    set policy id 1 name "Internet Access" from "Trust" to "Untrust"  "Internal_LAN" "Any" "common_services" permit log
    set policy id 1
    exit
    set policy id 8 from "Untrust" to "Trust"  "Suspicious Address" "VIP(xxx.xxx.74.14)" "ANY" deny log
    set policy id 8
    exit
    set policy id 5 name "SeaTech Support" from "Untrust" to "Trust"  "Any" "VIP(xxx.xxx.74.14)" "seatech_services" permit schedule "SeaTech" log
    set policy id 5
    exit
    set policy id 6 name "Internet access" from "Guest" to "Untrust"  "GUEST_LAN" "Any" "common_services" nat src permit log
    set policy id 6
    exit
    set policy id 7 from "Guest" to "Trust"  "GUEST_LAN" "HP4350" "ANY" permit
    set policy id 7 disable
    set policy id 7
    exit
    set policy id 9 name "vpncliient_inbound" from "Untrust" to "Trust"  "Dial-Up VPN" "Internal_LAN" "ANY" tunnel vpn "vpnclient_tunnel" id 0x1 log
    set policy id 9
    exit
    set syslog config "192.168.10.69"
    set syslog config "192.168.10.69" facilities local0 local1
    set syslog src-interface ethernet0/1
    set nsmgmt bulkcli reboot-timeout 60
    set ssh version v2
    set config lock timeout 5
    unset license-key auto-update
    set ntp server "stdtime.gov.hk"
    set ntp interval 120
    set snmp port listen 161
    set snmp port trap 162
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset add-default-route
    set route 0.0.0.0/0 interface ethernet0/0 gateway xxx.xxx.74.1
    exit
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit



  • 4.  RE: How to trouble VPN issue

    Posted 04-21-2010 03:43

    I get this message too

    Rejected an IKE packet on ethernet0/0 from 221.xxx.xxx.175:1179 to xxx.xxx.74.2:500 with cookies 45eea4811ed17e28 and 0000000000000000 because an initial Phase 1 packet arrived from an unrecognized peer gateway.



  • 5.  RE: How to trouble VPN issue

    Posted 04-21-2010 03:52

    Well, it looks like a Phase 1 issue. So you need to check that the public IP address for the gateway is correct on each box. The gateway is the IP address of the other end to which you are initiating the tunnel. You also need to check in the advanced settings of each gateway that you are using the same proposals at each end. You only need one set of proposals, e.g. pre-g2-3des-sha. Also check that the pre-shared keys are the same at each end. Give that a go and let me know.

    To get into the gateway settings go to Autokey IKE in the web interface. The gateway is Phase one, which deals with initiating and securing the tunnel.



  • 6.  RE: How to trouble VPN issue

    Posted 04-21-2010 04:11

    Ah, sorry, I thought you were doing a site-to-site VPN. But the theory I wrote is still the same. Make sure in the VPN client you select Diffie-Hellman group 2 for the key exchange. I remember in NetScreen-Remote the Diffie-Hellman setting was a bit out of the way of the other settings. Make sure you fiddle with the PFS (perfect forward secrecy) settings too in the client, depending on what you are using in the proposal.



  • 7.  RE: How to trouble VPN issue
    Best Answer

    Posted 04-21-2010 04:26

    Hi

    Please change the mode from Main to Aggressive mode. Waiting for the VPN client settings.

    thanks

    EL



  • 8.  RE: How to trouble VPN issue

    Posted 04-24-2010 01:14

    Oh... that should be what I was missing. I can connect now. Thanks!

    BTW, what is the difference between main and aggressive mode?



  • 9.  RE: How to trouble VPN issue

    Posted 04-24-2010 08:54

    Hi

    We choose main mode if the peer device is using a static IP address, and we choose aggressive mode if the peer device is using a dynamic IP address.

    Please give me kudos if it works.

    thanks


    EL
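
    The static-versus-dynamic rule of thumb in the answer above follows from where IKEv1 puts the identity payload. The following is an added example, not code from the thread or from Juniper: a Python sketch of the responder's key-selection problem and of what Aggressive mode gives away. The peer table mirrors the posted SSG5 config (the dial-up user identified by ike-id fqdn "client.xxx.com.hk", the gateway's local-id "vpngw.xxx.com.hk"); the static-IP peer, the nonces, cookies, Diffie-Hellman values, SA body and both pre-shared keys are constructed stand-ins, and prf is HMAC-SHA1 as in RFC 2409 for the pre-g2-3des-sha proposal in use.

```python
"""Added example (not from the thread): why a PSK dial-up peer identified by
FQDN needs Aggressive mode, and the price of it.  Peer tables mirror the
posted config; all key material and nonces are constructed stand-ins."""
import hashlib
import hmac

# Constructed responder tables.  The FQDN entry mirrors
#   set user "vpnclient_ph1id" ike-id fqdn "client.xxx.com.hk"
# from the posted config; the static-IP site-to-site peer is hypothetical.
PEERS_BY_IP = {"198.51.100.7": b"site-to-site-secret"}
PEERS_BY_ID = {"client.xxx.com.hk": b"dialup-secret"}


def responder_select_psk(mode, src_ip, id_payload=None):
    """Return the PSK the responder can pick at the moment it needs SKEYID.

    Main mode: the ID payload arrives only in messages 5/6, already encrypted
    under keys derived from SKEYID, which with PSK authentication is derived
    from the PSK itself.  So the responder can only choose the key by the
    packet's source address, which is useless for a dynamic-IP client.
    Aggressive mode: the ID payload is in message 1, in the clear, so the
    responder can choose the key by identity.  (With certificates SKEYID does
    not depend on a shared secret, so Main mode works for dial-up peers too.)
    """
    if mode == "main":
        return PEERS_BY_IP.get(src_ip)
    if mode == "aggressive":
        return PEERS_BY_ID.get(id_payload)
    raise ValueError(f"unknown mode {mode!r}")


def skeyid(psk, ni, nr):
    # RFC 2409 s.5.4 (pre-shared keys): SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
    return hmac.new(psk, ni + nr, hashlib.sha1).digest()


def hash_r(psk, t):
    # RFC 2409 s.5: HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
    body = t["gxr"] + t["gxi"] + t["cky_r"] + t["cky_i"] + t["sai_b"] + t["idir_b"]
    return hmac.new(skeyid(psk, t["ni"], t["nr"]), body, hashlib.sha1).digest()


def aggressive_transcript(psk):
    """What an on-path observer sees in Aggressive mode messages 1 and 2.

    None of it is encrypted: message 3 is the first one that can be, and the
    responder's HASH_R has already gone out in message 2.  Values constructed.
    """
    t = {
        "ni": bytes(range(16)),                       # nonces travel in the clear
        "nr": bytes(range(16, 32)),
        "gxi": b"\x03" * 128,                         # DH group 2 public values
        "gxr": b"\x05" * 128,
        "cky_i": bytes.fromhex("45eea4811ed17e28"),   # initiator cookie from the thread's log line
        "cky_r": bytes.fromhex("8899aabbccddeeff"),
        "sai_b": b"\x00\x00\x00\x01" + b"3des-sha1-group2-psk",   # stand-in for SAi_b
        "idir_b": bytes([2, 0, 0, 0]) + b"vpngw.xxx.com.hk",      # ID_FQDN + gateway local-id
    }
    t["hash_r"] = hash_r(psk, t)
    return t


def crack_psk(t, wordlist):
    """Offline dictionary attack on the observed HASH_R: the approach behind
    tools such as ike-scan's psk-crack.  Nothing here needs the gateway."""
    for cand in wordlist:
        if hmac.compare_digest(hash_r(cand, t), t["hash_r"]):
            return cand
    return None


if __name__ == "__main__":
    client_ip = "221.126.96.175"
    print("main mode, dial-up client  :", responder_select_psk("main", client_ip))
    print("aggressive, dial-up client :",
          responder_select_psk("aggressive", client_ip, "client.xxx.com.hk"))
    captured = aggressive_transcript(PEERS_BY_ID["client.xxx.com.hk"])
    print("PSK recovered offline      :",
          crack_psk(captured, [b"password", b"netscreen", b"dialup-secret"]))
```

    The second half is the caveat that comes with the accepted answer: once the gateway is in Aggressive mode with a pre-shared key, anyone who can capture one connection attempt has everything needed to test PSK guesses offline, so the PSK has to be long and random rather than a word, and XAUTH (configured on this gateway) does not protect the PSK itself.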



  • 10.  RE: How to trouble VPN issue

    Posted 04-21-2010 03:49

    Hi

    How about the configuration on the client?

    BTW, I'm on the way. I will update you in the next 30 minutes.

    thanks

    EL