[j-nsp] netscreen Vpn

Stefan Fouant sfouant at gmail.com
Wed May 14 10:33:49 EDT 2008


IIRC, XAuth has to take place *after* Phase 1 establishment but *prior
to* Phase 2 negotiations.  Therefore I believe you are seeing this
message because the XAuth authentication needs to be completed before
Phase 2 can begin.

If you only saw the error once it just means the XAuth packet wasn't
received.  However, if it's happening consistently it probably
indicates a compatibility issue with the Shrew Soft VPN client and the
5GT.  Perhaps the Shrew Soft VPN client doesn't conform strictly to
(or is interpreting differently) the behavior as defined in the IKE
RFC (RFC 2409).

Try a different VPN client, perhaps the NS-Remote client and see if
you get a different result.

Cheers,

Stefan Fouant

On Wed, May 14, 2008 at 9:12 AM, M.Mihailidis <mixalism at gmail.com> wrote:
> Hello, I'm trying to set up an IPsec VPN with a 5GT using the Shrew Soft VPN
> Client from my PC.
>
> I have set up the 5GT correctly, and during the dial I get the message:
>
> KE<85.72.37.175>: XAuth login expired and was terminated for username <supportMM> at <10.32.32.10>.
> 2008-05-14 16:16:49 info IKE<xx.xx.xx.xx>: XAuth login was aborted for gateway <IKEGW>, username <supportMM>, retry: 0.
> 2008-05-14 16:16:49 info Rejected an IKE packet on ethernet3 from xx.xx.xx.xx:500 to xx.xx.xx.xx:500 with cookies 4c7bc23a9116366a and ab93bf2f02c0f461 because a Phase 2 packet arrived while XAuth was still pending.
> 2008-05-14 16:16:49 info IKE<85.72.37.175> Phase 1: Completed Aggressive mode negotiations with a <28800>-second lifetime.
> 2008-05-14 16:16:49 info IKE<xx.xx.xx.xx> Phase 1: Completed for user <supportMM>.
> 2008-05-14 16:16:49 info IKE<xx.xx.xx.xx> Phase 1: Responder starts AGGRESSIVE mode negotiations.
>
> Does anyone know why this is?
>
> Thank you

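The one-off versus consistent distinction in the reply above can be checked against the event log. The following is an added example, not part of the original thread or of any Juniper tool; it assumes log lines of the form `date time level message` with the oldest entry first, and the sample peers, cookies, times and verdict names are constructed.

```python
import re
from collections import defaultdict

# Constructed sample, oldest entry first; peers, cookies and times are made up.
REJ = ("Rejected an IKE packet on ethernet3 from {0}:500 to 198.51.100.1:500 "
       "with cookies 1111111111111111 and 2222222222222222 because a Phase 2 "
       "packet arrived while XAuth was still pending.")
P1 = "IKE<{0}> Phase 1: Completed Aggressive mode negotiations with a <28800>-second lifetime."
SAMPLE_LOG = "\n".join([
    "2008-05-14 16:16:49 info " + P1.format("192.0.2.10"),
    "2008-05-14 16:16:49 info " + REJ.format("192.0.2.10"),
    "2008-05-14 16:16:50 info " + REJ.format("192.0.2.10"),  # retransmit, same attempt
    "2008-05-14 16:20:02 info " + P1.format("192.0.2.10"),
    "2008-05-14 16:20:02 info " + REJ.format("192.0.2.10"),
    "2008-05-14 16:31:10 info " + P1.format("192.0.2.20"),
    "2008-05-14 16:31:10 info " + REJ.format("192.0.2.20"),
    "2008-05-14 16:35:44 info " + P1.format("192.0.2.20"),
])

LINE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d \w+ (.*)$")
P1_DONE = re.compile(r"IKE<([\d.]+)> Phase 1: Completed \w+ mode")
EARLY_P2 = re.compile(r"Rejected an IKE packet on \S+ from ([\d.]+):\d+ .*"
                      r"Phase 2 packet arrived while XAuth was still pending")

def classify(log_text):
    # Returns {peer: "ok" | "one-off" | "consistent" | "intermittent"}.
    attempts = defaultdict(int)  # peer -> Phase 1 completions seen
    rejected = defaultdict(int)  # peer -> attempts that hit the early Phase 2 reject
    counted = {}                 # peer -> current attempt already counted as rejected?
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip wrapped or truncated lines
        msg = m.group(1)
        if (hit := P1_DONE.search(msg)):
            attempts[hit.group(1)] += 1
            counted[hit.group(1)] = False
        elif (hit := EARLY_P2.search(msg)) and counted.get(hit.group(1)) is False:
            rejected[hit.group(1)] += 1  # count retransmits once per attempt
            counted[hit.group(1)] = True
    verdicts = {}
    for peer, total in attempts.items():
        bad = rejected[peer]
        if bad <= 1:
            verdicts[peer] = "one-off" if bad else "ok"
        else:
            verdicts[peer] = "consistent" if bad == total else "intermittent"
    return verdicts
```

A peer reported as `consistent` matches the client-compatibility case described in the reply; `one-off` matches the case where a single XAuth packet was not received.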