SRX Services Gateway

VPN with Shrew Client disconnects after 200 seconds

‎02-29-2012 02:57 PM

I have managed to get the Shrew VPN client to connect to my SRX210 and pass traffic, but the VPN client disconnects after 2 minutes for no apparent reason. Does anyone have any idea what might be causing this?

 

I am running Junos version 10.4R7.5

 

This is my config:

 

ike {
	proposal RemoteVPNPolicy1 {
		authentication-method pre-shared-keys;
		dh-group group2;
		authentication-algorithm sha1;
		encryption-algorithm 3des-cbc;
		lifetime-seconds 86400;
	}
	policy RemoteVPNIKE {
		mode aggressive;
		proposals RemoteVPNPolicy1;
		pre-shared-key ascii-text ""; ## SECRET-DATA
	}
	gateway RemoteVPN {
		ike-policy RemoteVPNIKE;
		dynamic {
			user-at-hostname "vpn@domain.com";
			connections-limit 50;
			ike-user-type shared-ike-id;
		}
		external-interface fe-0/0/7.0;
		xauth access-profile RemoteVPN-access;
	}
}
ipsec {
	proposal RemoteVPNIPSec {
		protocol esp;
		authentication-algorithm hmac-sha1-96;
		encryption-algorithm 3des-cbc;
		lifetime-seconds 3600;
	}
	policy RemoteVPNIPSec {
		perfect-forward-secrecy {
			keys group2;
		}
		proposals RemoteVPNIPSec;
	}
	vpn RemoteVPN {
		ike {
			gateway RemoteVPN;
			idle-time 600;
			ipsec-policy RemoteVPNIPSec;
		}
	}
}

policies {
	from-zone untrust to-zone trust {
		policy RemoteVPN {
			match {
				source-address any;
				destination-address InternalLAN;
				application any;
			}
			then {
				permit {
					tunnel {
						ipsec-vpn RemoteVPN;
					}
				}
				log {
					session-init;
					session-close;
				}
				count;
			}
		}
	}
}

access {
    profile RemoteVPN-access {
        authentication-order password;
        client joe {
            firewall-user {
                password ""; ## SECRET-DATA
            }
        }
        address-assignment {
            pool RemoteVPN-assign-pool;
        }
    }
    address-assignment {
        pool RemoteVPN-assign-pool {
            family inet {
                network 192.168.80.0/24;
                range RemoteVPN-range {
                    low 192.168.80.101;
                    high 192.168.80.149;
                }
                xauth-attributes {
                    primary-dns 192.168.1.2/32;
                    secondary-dns 192.168.1.3/32;
                }
            }
        }
    }
}

 

4 REPLIES

Re: VPN with Shrew Client disconnects after 200 seconds

‎02-29-2012 11:47 PM

Hi

 

Not sure if it will help, but worth a try

 

set security ike gateway RemoteVPN nat-keepalive <seconds>

 

Best Regards,
PK

Juniper Ambassador, Juniper Networks Certified Instructor,
JNCIE-SEC #98, JNCIE-ENT #393, JNCIE-SP #2253
[Juniper Authorized Education & Support in Russia]

Re: VPN with Shrew Client disconnects after 200 seconds

‎03-01-2012 10:04 AM

Hi,

 

Please check if you have allowed host-inbound-traffic system-services ike on your external interface. That might be the reason for the disconnect.


Re: VPN with Shrew Client disconnects after 200 seconds

‎03-08-2012 11:04 AM

I tried both of the suggestions and it still times out at exactly 200 seconds.  

 

Interestingly, I tried the old Netscreen Remote VPN client and it does not time out so it must be a Shrew setting.

 

Anyone else have any ideas?

Thanks. 


Re: VPN with Shrew Client disconnects after 200 seconds

‎03-08-2012 11:42 AM

Hi

 

Maybe you can try to do some Wireshark sniffing on the client side to see what exactly happens or does not happen at the time of disconnect (and compare to the NS-Remote case).

Best Regards,
PK

Juniper Ambassador, Juniper Networks Certified Instructor,
JNCIE-SEC #98, JNCIE-ENT #393, JNCIE-SP #2253
[Juniper Authorized Education & Support in Russia]
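
One way to carry out the capture comparison suggested above, as an added example that is not part of any post in this thread: it labels each UDP 500/4500 payload from a client-side capture (IKEv1 exchange type, NAT-T keepalive, or ESP) and records when each side last sent each kind, so a Shrew run and an NS-Remote run can be compared. The function names, the packet tuple layout and the SAMPLE packets are constructed for illustration and are not taken from the poster's traffic.

```python
import struct

MARK = b"\x00" * 4  # RFC 3948 non-ESP marker that precedes IKE on UDP 4500
# IKEv1 exchange types (RFC 2408/2409; 6 is the XAuth/Mode-Config transaction exchange)
EXCHANGE = {2: "main-mode", 4: "aggressive", 5: "informational",
            6: "transaction", 32: "quick-mode"}

def classify(port, payload):
    """Label one UDP payload seen on port 500 or 4500."""
    if port == 4500:
        if payload == b"\xff":
            return "nat-keepalive"      # single 0xFF octet
        if len(payload) < 4:
            return "malformed"
        if payload[:4] != MARK:
            return "esp"                # UDP-encapsulated ESP starts with a non-zero SPI
        payload = payload[4:]
    if len(payload) < 28:               # ISAKMP header is 28 bytes
        return "malformed"
    xchg, flags = struct.unpack("!16xBBBBII", payload[:28])[2:4]
    name = EXCHANGE.get(xchg, f"exchange-{xchg}")
    return f"ike:{name}" + ("(enc)" if flags & 0x01 else "")

def summarize(packets):
    """Return {(direction, label): (count, last_seen_seconds)}."""
    out = {}
    for ts, direction, port, payload in packets:
        key = (direction, classify(port, payload))
        out[key] = (out.get(key, (0, None))[0] + 1, ts)
    return out

def _isakmp(xchg, flags=0, msgid=0):
    # Constructed header only (no payloads); cookies are dummy values.
    return struct.pack("!8s8sBBBBII", b"I" * 8, b"R" * 8, 0, 0x10, xchg, flags, msgid, 28)

# Constructed timeline (seconds, sender, UDP port, payload); not a real capture.
SAMPLE = [
    (0.0, "client", 500, _isakmp(4)),
    (0.2, "gateway", 500, _isakmp(4)),
    (1.0, "gateway", 4500, MARK + _isakmp(6, 1, 0x1001)),
    (2.0, "client", 4500, MARK + _isakmp(32, 1, 0x2002)),
    (20.0, "client", 4500, b"\xff"),
    (30.0, "client", 4500, b"\x12\x34\x56\x78" + b"\x00" * 32),
    (200.0, "gateway", 4500, MARK + _isakmp(5, 1, 0x3003)),
]

if __name__ == "__main__":
    for (who, label), (count, last) in sorted(summarize(SAMPLE).items()):
        print(f"{who:8} {label:26} count={count} last={last}s")
```

Differences between the two clients in which side sends the last informational exchange, and whether keepalives continue up to that point, are what to look for in the two summaries.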