ScreenOS Firewalls (NOT SRX)
Visitor
chan.puilai@gmail.com
Posts: 6
Registered: ‎01-02-2012
0

Install NetScreen-Remote_VPN_Client_9.0r5 Problem


 

I use a Lenovo ThinkPad with Win7 32-bit, Traditional Chinese version.

 

Can anybody help?

Distinguished Expert
echidov
Posts: 858
Registered: ‎11-02-2009
0

Re: Install NetScreen-Remote_VPN_Client_9.0r5 Problem

Hi,

 

The product is discontinued, not supported on Win 7 and EOL (KB8343). Use NCP VPN Client (www.ncp-e.com) or Shrew Soft VPN Client (freeware) (www.shrewsoft.com) instead.

Kind regards,
Edouard
Visitor
chan.puilai@gmail.com
Posts: 6
Registered: ‎01-02-2012
0

Re: Install NetScreen-Remote_VPN_Client_9.0r5 Problem

: ) Thanks. I got it.

 

One more question: below is the log from connecting the dialup VPN. Is it a Security Policy setting problem?

 1-12: 07:08:42.890 NetScreen-Remote Version 10.8.10 (Build 4).
 1-12: 07:08:44.203 No Interfaces detected.
 1-12: 07:08:44.359 My Connections\New Connection - Preshared Key has 0 length
 1-12: 07:08:44.375 Filter table loaded (2 entries).
 1-12: 07:08:44.390 This is a GA version of NetScreen-Remote.
 1-12: 07:08:54.906 Interface added: 223.18.205.100/255.255.240.0 on LAN "Atheros AR5007EG Wireless Network Adapter".
 1-12: 07:08:55.000 Clearing arp for adapter 2
 1-12: 07:08:55.015 Filter table loaded (2 entries).
 1-12: 07:29:33.125 Interface lost: 223.18.205.100
 1-12: 07:29:33.125 Filter table loaded (2 entries).
 1-12: 07:29:33.125 No Interfaces detected.
 1-12: 07:29:44.781 Interface added: 192.168.11.5/255.255.255.0 on LAN "Atheros AR5007EG Wireless Network Adapter".
 1-12: 07:29:45.562 Clearing arp for adapter 2
 1-12: 07:29:46.359 Filter table loaded (2 entries).
 1-12: 07:33:37.390 Interface added: 202.1.1.2/255.255.255.0 on LAN "Realtek RTL8102E/RTL8103E Family PCI-E Fast Ethernet NIC".
 1-12: 07:33:37.390 Clearing arp for adapter 3
 1-12: 07:33:37.406 Filter table loaded (2 entries).
 1-12: 07:33:38.437 Failed to register for driver notifications.
 1-12: 07:33:45.171 Registration for driver notifications succeeded.
 1-12: 07:51:41.984 This is a GA version of NetScreen-Remote.
 1-12: 07:51:42.125 My Connections\New Connection - Preshared Key has 0 length
 1-12: 07:51:42.140 Filter table loaded (2 entries).
 1-12: 07:51:48.609 Host unreachable: 192.168.12.1.
 1-12: 07:51:48.640
 1-12: 07:51:48.640 My Connections\New Connection - Initiating IKE Phase 1 (IP ADDR=202.1.1.1)
 1-12: 07:51:49.015 My Connections\New Connection - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID 6x)
 1-12: 07:51:49.062 My Connections\New Connection - RECEIVED<<< ISAKMP OAK AG (SA, VID 3x, KE, NON, ID, HASH, VID, NAT-D 2x)
 1-12: 07:51:49.078 My Connections\New Connection - Peer supports Dead Peer Detection Version 1.0
 1-12: 07:51:49.078 My Connections\New Connection - Dead Peer Detection enabled
 1-12: 07:51:49.078 My Connections\New Connection - Peer is NAT-T draft-02 capable
 1-12: 07:51:49.078 My Connections\New Connection - Dead Peer Detection enabled
 1-12: 07:51:49.171 There is no pre-shared key for this Policy Entry
 1-12: 07:51:49.171 Failed to compute keys
 1-12: 07:51:49.187 My Connections\New Connection - Discarding IKE SA negotiation
 1-12: 07:51:49.187 My Connections\New Connection -   MY COOKIE b9 38 47 6c 98 2e a6 23
 1-12: 07:51:49.187 My Connections\New Connection -   HIS COOKIE 11 64 1b 8 fb 4 4d 69
 1-12: 07:51:53.218 My Connections\New Connection - RECEIVED<<< ISAKMP OAK AG (SA, VID 3x, KE, NON, ID, HASH, VID, NAT-D 2x)
 1-12: 07:51:53.218 My Connections\New Connection - Received message for non-active SA
 1-12: 07:51:57.218 My Connections\New Connection - RECEIVED<<< ISAKMP OAK AG (SA, VID 3x, KE, NON, ID, HASH, VID, NAT-D 2x)
 1-12: 07:51:57.218 My Connections\New Connection - Received message for non-active SA
 1-12: 07:52:01.218 My Connections\New Connection - RECEIVED<<< ISAKMP OAK AG (SA, VID 3x, KE, NON, ID, HASH, VID, NAT-D 2x)
 1-12: 07:52:01.218 My Connections\New Connection - Received message for non-active SA
 1-12: 07:52:05.218 My Connections\New Connection - RECEIVED<<< ISAKMP OAK AG (SA, VID 3x, KE, NON, ID, HASH, VID, NAT-D 2x)
 1-12: 07:52:05.218 My Connections\New Connection - Received message for non-active SA
 1-12: 07:52:09.218 My Connections\New Connection - RECEIVED<<< ISAKMP OAK AG (SA, VID 3x, KE, NON, ID, HASH, VID, NAT-D 2x)
 1-12: 07:52:09.218 My Connections\New Connection - Received message for non-active SA
 1-12: 07:52:13.218 My Connections\New Connection - RECEIVED<<< ISAKMP OAK AG (SA, VID 3x, KE, NON, ID, HASH, VID, NAT-D 2x)
 1-12: 07:52:13.218 My Connections\New Connection - Received message for non-active SA
 1-12: 07:52:17.218 My Connections\New Connection - RECEIVED<<< ISAKMP OAK AG (SA, VID 3x, KE, NON, ID, HASH, VID, NAT-D 2x)
 1-12: 07:52:17.218 My Connections\New Connection - Received message for non-active SA
 1-12: 07:52:21.218 My Connections\New Connection - RECEIVED<<< ISAKMP OAK AG (SA, VID 3x, KE, NON, ID, HASH, VID, NAT-D 2x)
 1-12: 07:52:21.218 My Connections\New Connection - Received message for non-active SA
 1-12: 07:52:25.218 My Connections\New Connection - RECEIVED<<< ISAKMP OAK AG (SA, VID 3x, KE, NON, ID, HASH, VID, NAT-D 2x)
 1-12: 07:52:25.218 My Connections\New Connection - Received message for non-active SA
 1-12: 07:52:29.218 My Connections\New Connection - RECEIVED<<< ISAKMP OAK AG (SA, VID 3x, KE, NON, ID, HASH, VID, NAT-D 2x)
 1-12: 07:52:29.218 My Connections\New Connection - Received message for non-active SA
 1-12: 07:52:33.218 My Connections\New Connection - RECEIVED<<< ISAKMP OAK AG (SA, VID 3x, KE, NON, ID, HASH, VID, NAT-D 2x)
 1-12: 07:52:33.218 My Connections\New Connection - Received message for non-active SA

Distinguished Expert
echidov
Posts: 858
Registered: ‎11-02-2009
0

Re: Install NetScreen-Remote_VPN_Client_9.0r5 Problem

Hi,

 

You did not configure a pre-shared key:

 

1-12: 07:51:49.171 There is no pre-shared key for this Policy Entry

Kind regards,
Edouard
Visitor
chan.puilai@gmail.com
Posts: 6
Registered: ‎01-02-2012
0

Re: Install NetScreen-Remote_VPN_Client_9.0r5 Problem


I found that Phase 1 succeeded but Phase 2 failed:
 1-13: 01:21:48.500 This is a GA version of NetScreen-Remote.
 1-13: 01:21:48.687 Filter table loaded (2 entries).
 1-13: 01:21:53.890 Host unreachable: 192.168.12.1.
 1-13: 01:21:53.906
 1-13: 01:21:53.906 My Connections\New Connection - Initiating IKE Phase 1 (IP ADDR=202.1.1.1)
 1-13: 01:21:54.375 My Connections\New Connection - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID 6x)
 1-13: 01:21:54.421 My Connections\New Connection - RECEIVED<<< ISAKMP OAK AG (SA, VID 3x, KE, NON, ID, HASH, VID, NAT-D 2x)
 1-13: 01:21:54.421 My Connections\New Connection - Peer supports Dead Peer Detection Version 1.0
 1-13: 01:21:54.421 My Connections\New Connection - Dead Peer Detection enabled
 1-13: 01:21:54.421 My Connections\New Connection - Peer is NAT-T draft-02 capable
 1-13: 01:21:54.421 My Connections\New Connection - Dead Peer Detection enabled
 1-13: 01:21:54.671 My Connections\New Connection - SENDING>>>> ISAKMP OAK AG *(HASH, NAT-D 2x, NOTIFY:STATUS_REPLAY_STATUS, NOTIFY:STATUS_INITIAL_CONTACT)
 1-13: 01:21:54.671 My Connections\New Connection - Established IKE SA
 1-13: 01:21:54.671 My Connections\New Connection -   MY COOKIE c2 f de 4b 9e 6b f8 ae
 1-13: 01:21:54.671 My Connections\New Connection -   HIS COOKIE 81 c9 43 d4 c0 f7 94 5b
 1-13: 01:21:54.812 My Connections\New Connection - Initiating IKE Phase 2 with Client IDs (message id: 2FFF1EBC)
 1-13: 01:21:54.812 My Connections\New Connection -   Initiator = IP ADDR=0.0.0.0, prot = 0 port = 0
 1-13: 01:21:54.812 My Connections\New Connection -   Responder = IP SUBNET/MASK=192.168.12.0/255.255.255.0, prot = 0 port = 0
 1-13: 01:21:54.812 My Connections\New Connection - SENDING>>>> ISAKMP OAK QM *(HASH, SA, NON, ID 2x)
 1-13: 01:22:10.546 My Connections\New Connection - QM re-keying timed out. Retry count: 1
 1-13: 01:22:10.546 My Connections\New Connection - SENDING>>>> ISAKMP OAK QM *(Retransmission)
 1-13: 01:22:25.750 My Connections\New Connection - QM re-keying timed out. Retry count: 2
 1-13: 01:22:25.750 My Connections\New Connection - SENDING>>>> ISAKMP OAK QM *(Retransmission)
 1-13: 01:22:41.078 My Connections\New Connection - QM re-keying timed out. Retry count: 3
 1-13: 01:22:41.078 My Connections\New Connection - SENDING>>>> ISAKMP OAK QM *(Retransmission)
 1-13: 01:22:56.343 My Connections\New Connection - Exceeded 3 attempts (message id: 2FFF1EBC)
 1-13: 01:22:56.343 My Connections\New Connection - Disconnecting IKE SA negotiation
 1-13: 01:22:56.343 My Connections\New Connection - Deleting IKE SA (IP ADDR=202.1.1.1)
 1-13: 01:22:56.343 My Connections\New Connection -   MY COOKIE c2 f de 4b 9e 6b f8 ae
 1-13: 01:22:56.343 My Connections\New Connection -   HIS COOKIE 81 c9 43 d4 c0 f7 94 5b
 1-13: 01:22:56.343 My Connections\New Connection - SENDING>>>> ISAKMP OAK INFO *(HASH, DEL)

My VPN tunnel Phase 2 setting on the SSG5 is:
set vpn RASCON gateway RAS sec-level standard
set vpn RASCON monitor

What is the problem?
Thank you.

Distinguished Expert
echidov
Posts: 858
Registered: ‎11-02-2009
0

Re: Install NetScreen-Remote_VPN_Client_9.0r5 Problem

Hi,

 

You should run a debug on the SSG:

clear db

debug ike all

...try to connect

undebug all

get db str

If you cannot find a mismatch/error in the IKE Phase 2 output, attach it to your posting.

 

Kind regards,
Edouard
Visitor
chan.puilai@gmail.com
Posts: 6
Registered: ‎01-02-2012
0

Re: Install NetScreen-Remote_VPN_Client_9.0r5 Problem

Hi, is it a Proxy ID mismatch problem? But is the attached page the one to set the "Proxy ID"?

 


## 2012-02-21 14:16:06 : IKE<202.1.1.2      >   hdr
## 2012-02-21 14:16:06 : f1 f6 a4 b4 27 25 ea 52  40 e1 65 4d 6d 56 d8 66
## 2012-02-21 14:16:06 : 08 10 20 01 da 91 94 40  00 00 00 9c 1d fc 2e 40
## 2012-02-21 14:16:06 : IKE<202.1.1.2> ike packet, len 184, action 0
## 2012-02-21 14:16:06 : IKE<202.1.1.2> Catcher: received 156 bytes from socket.
## 2012-02-21 14:16:06 : IKE<202.1.1.2> ****** Recv packet if <untrust> of vsys <Root> ******
## 2012-02-21 14:16:06 : IKE<202.1.1.2> Catcher: get 156 bytes. src port 500
## 2012-02-21 14:16:06 : IKE<0.0.0.0        >   ISAKMP msg: len 156, nxp 8[HASH], exch 32[QM], flag 01  E
## 2012-02-21 14:16:06 : IKE<202.1.1.2> Create conn entry...
## 2012-02-21 14:16:06 : IKE<202.1.1.2>   ...done(new da919440)
## 2012-02-21 14:16:06 : IKE<202.1.1.2> Phase 2 msg-id <da919440>: Responded to the first peer message.
## 2012-02-21 14:16:06 : IKE<202.1.1.2> Decrypting payload (length 128)
## 2012-02-21 14:16:06 : IKE<202.1.1.2      > iv:
## 2012-02-21 14:16:06 : 19 61 5f e2 ba c2 21 29
## 2012-02-21 14:16:06 : IKE<202.1.1.2      > new iv:
## 2012-02-21 14:16:06 : 2c f1 2a 17 4b f2 98 13
## 2012-02-21 14:16:06 : IKE<202.1.1.2      > Recv*: [HASH] [SA] [NONCE] [ID] [ID]
## 2012-02-21 14:16:06 : valid id checking, id type:IP Address, len:12.
## 2012-02-21 14:16:06 : valid id checking, id type:IP Subnet, len:16.
## 2012-02-21 14:16:06 : IKE<0.0.0.0        >   extract payload (128):
## 2012-02-21 14:16:06 : valid id checking, id type:IP Address, len:12.
## 2012-02-21 14:16:06 : valid id checking, id type:IP Subnet, len:16.
## 2012-02-21 14:16:06 : IKE<202.1.1.2> QM in state OAK_QM_SA_ACCEPT.
## 2012-02-21 14:16:06 : IKE<202.1.1.2> receive init proxy id type ID_IPV4_ADDR with mask 0: force mask to all 1.
## 2012-02-21 14:16:06 : IKE<202.1.1.2> Start by finding matching member SA (verify -1/-1)
## 2012-02-21 14:16:06 : IKE<202.1.1.2> IKE: Matching policy: gw ip <202.1.1.2> peer entry id<0>
## 2012-02-21 14:16:06 : IKE<0.0.0.0        >   protocol matched expected<0>.
## 2012-02-21 14:16:06 : IKE<0.0.0.0        >   port matched expect l:<0>, r<0>.
## 2012-02-21 14:16:06 : ipvx = IPV4
## 2012-02-21 14:16:06 : rcv_local_addr = 192.168.12.0, rcv_local_mask = 255.255.255.0, p_rcv_local_real = 192.168.12.0
## 2012-02-21 14:16:06 : rcv_remote_addr = 0.0.0.0, rcv_remote_mask = 255.255.255.255, p_rcv_remote_real = 0.0.0.0
## 2012-02-21 14:16:06 : ike_p2_id->local_ip = 10.0.0.0, cfg_local_mask = 255.0.0.0, p_cfg_local_real = 10.0.0.0
## 2012-02-21 14:16:06 : ike_p2_id->remote_ip = 192.168.1.2, cfg_remote_mask = 255.255.255.255, p_cfg_remote_real = 192.168.1.2
## 2012-02-21 14:16:06 : local address NOT matched.
## 2012-02-21 14:16:06 : IKE<202.1.1.2> Proxy ID match: No policy exists for the proxy ID received
## 2012-02-21 14:16:06 : IKE<202.1.1.2> proxy-id do not match ipsec sa config
## 2012-02-21 14:16:06 : IKE<202.1.1.2> oakley_process_quick_mode():exit
## 2012-02-21 14:16:06 : IKE<202.1.1.2> Phase 2 msg-id <da919440>: Negotiations have failed.
## 2012-02-21 14:16:06 : IKE<202.1.1.2>   Delete conn entry...
## 2012-02-21 14:16:06 : IKE<202.1.1.2>  ...found conn entry(da919440)
## 2012-02-21 14:16:06 : IKE<202.1.1.2> IKE msg done: PKI state<0> IKE state<6/1097182f>
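
Added example (not part of the original posts and not Juniper tooling): a small Python parser that pulls the received and configured proxy IDs out of `debug ike` output like the capture above and lists where they differ. The sample lines are copied from that capture; the function names and the exact-equality comparison are assumptions made for illustration, not the device's own matching logic.

```python
import ipaddress
import re

# Sample input: the proxy-ID lines from the debug capture in the post above.
SAMPLE = """\
## 2012-02-21 14:16:06 : rcv_local_addr = 192.168.12.0, rcv_local_mask = 255.255.255.0, p_rcv_local_real = 192.168.12.0
## 2012-02-21 14:16:06 : rcv_remote_addr = 0.0.0.0, rcv_remote_mask = 255.255.255.255, p_rcv_remote_real = 0.0.0.0
## 2012-02-21 14:16:06 : ike_p2_id->local_ip = 10.0.0.0, cfg_local_mask = 255.0.0.0, p_cfg_local_real = 10.0.0.0
## 2012-02-21 14:16:06 : ike_p2_id->remote_ip = 192.168.1.2, cfg_remote_mask = 255.255.255.255, p_cfg_remote_real = 192.168.1.2
## 2012-02-21 14:16:06 : local address NOT matched.
"""

ADDR = r"([\d.]+)"
# (source, side) -> regex capturing address and mask from one debug line
PATTERNS = {
    ("received", "local"): rf"rcv_local_addr = {ADDR}, rcv_local_mask = {ADDR}",
    ("received", "remote"): rf"rcv_remote_addr = {ADDR}, rcv_remote_mask = {ADDR}",
    ("configured", "local"): rf"ike_p2_id->local_ip = {ADDR}, cfg_local_mask = {ADDR}",
    ("configured", "remote"): rf"ike_p2_id->remote_ip = {ADDR}, cfg_remote_mask = {ADDR}",
}

def parse_proxy_ids(log_text):
    """Return {(source, side): IPv4Network} for each proxy-ID line found."""
    found = {}
    for key, pattern in PATTERNS.items():
        m = re.search(pattern, log_text)
        if m:
            # strict=False tolerates host bits set under the mask
            found[key] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    return found

def proxy_id_mismatches(log_text):
    """List (side, received, configured) where the peer's proposal differs from the config."""
    ids = parse_proxy_ids(log_text)
    out = []
    for side in ("local", "remote"):
        rcv, cfg = ids.get(("received", side)), ids.get(("configured", side))
        if rcv is None or cfg is None:
            continue  # incomplete debug capture, nothing to compare
        if rcv != cfg:  # assumption: compare by exact network equality
            out.append((side, str(rcv), str(cfg)))
    return out

if __name__ == "__main__":
    for side, rcv, cfg in proxy_id_mismatches(SAMPLE):
        print(f"{side}: peer proposed {rcv}, gateway configured {cfg}")
```

On this capture both sides differ; the gateway's own log stops at the first failure ("local address NOT matched").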

Visitor
chan.puilai@gmail.com
Posts: 6
Registered: ‎01-02-2012
0

Re: Install NetScreen-Remote_VPN_Client_9.0r5 Problem

It is my proposal 2.

It seems to me I cannot find the page to set the proxy id.
