[j-nsp] [nn] netscreen Vpn

Stefan Fouant sfouant at gmail.com
Wed May 14 12:21:37 EDT 2008


He may be trying to dynamically assign an IP address to the tunnel, in
which case he'll need to use XAuth or L2TP over IPSec.

But otherwise, I agree, if you can use local-id or an email address
for purposes of identity, there is not much benefit to using XAuth for
dialup VPNs and it certainly adds more complexity.

Stefan Fouant

On Wed, May 14, 2008 at 11:03 AM, Greg Conroy <gconroy at peer1.com> wrote:
> Possibly you can set up a preshared key and identity (such as email address)
> instead of an xauth, most third party VPN clients can handle a preshared
> key.
>
>
> Greg
>
> Stefan Fouant wrote:
>>
>> IIRC, XAuth has to take place *after* Phase 1 establishment but *prior
>> to* Phase 2 negotiations.  Therefore I believe you are seeing this
>> message because the XAuth authentication needs to be completed before
>> Phase 2 can begin.
>>
>> If you only saw the error once it just means the XAuth packet wasn't
>> received.  However, if it's happening consistently it probably
>> indicates a compatibility issue with the Shrew Soft VPN client and the
>> 5GT.  Perhaps the Shrew Soft VPN client doesn't conform strictly to
>> (or is interpreting differently) the behavior as defined in the IKE
>> RFC (RFC 2409).
>>
>> Try a different VPN client, perhaps the NS-Remote client and see if
>> you get a different result.
>>
>> Cheers,
>>
>> Stefan Fouant
>>
>> On Wed, May 14, 2008 at 9:12 AM, M.Mihailidis <mixalism at gmail.com> wrote:
>>
>>>
>>> Hello, I'm trying to set up an IPsec VPN with a 5GT using Shrew Soft VPN
>>> Client from my PC.
>>>
>>> I have set up the 5GT correctly and during the dial I get the message:
>>>
>>> KE<85.72.37.175>: XAuth login expired and was terminated for username <supportMM> at <10.32.32.10>.
>>>
>>> 2008-05-14 16:16:49 info IKE<xx.xx.xx.xx>: XAuth login was aborted for gateway <IKEGW>, username <supportMM>, retry: 0.
>>>
>>> 2008-05-14 16:16:49 info Rejected an IKE packet on ethernet3 from xx.xx.xx.xx:500 to xx.xx.xx.xx:500 with cookies 4c7bc23a9116366a and ab93bf2f02c0f461 because a Phase 2 packet arrived while XAuth was still pending.
>>>
>>> 2008-05-14 16:16:49 info IKE<85.72.37.175> Phase 1: Completed Aggressive mode negotiations with a <28800>-second lifetime.
>>>
>>> 2008-05-14 16:16:49 info IKE<xx.xx.xx.xx> Phase 1: Completed for user <supportMM>.
>>>
>>> 2008-05-14 16:16:49 info IKE<xx.xx.xx.xx> Phase 1: Responder starts AGGRESSIVE mode negotiations.
>>>
>>> Does anyone know why this is?
>>>
>>> Thank you
>
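
The triage rule given in the thread (a single "Phase 2 packet arrived while XAuth was still pending" rejection means a lost XAuth packet, a consistent one points at client/gateway interoperability) can be applied to an exported event log. The following is an added example, not code from the thread or from Juniper; it assumes a "date time level message" line layout, uses documentation addresses as constructed peers, and treats three failures in a row as "consistent".

```python
import re
from collections import defaultdict

# Message wording taken from the log quoted in the thread.
P1_DONE = re.compile(r"IKE<(?P<peer>[\d.]+)> Phase 1: Completed \w+ mode negotiations")
EARLY_P2 = re.compile(r"Rejected an IKE packet on \S+ from (?P<peer>[\d.]+):\d+ .*"
                      r"Phase 2 packet arrived while XAuth was still pending")

def triage(log_text, consistent_at=3):
    """Classify each peer by how often Phase 2 arrived before XAuth finished.

    consistent_at is an assumed cut-off for "happening consistently".
    Counting is order-independent, so newest-first exports work too.
    """
    stats = defaultdict(lambda: {"phase1": 0, "early_p2": 0})
    for line in log_text.splitlines():
        if m := P1_DONE.search(line):
            stats[m["peer"]]["phase1"] += 1
        elif m := EARLY_P2.search(line):
            stats[m["peer"]]["early_p2"] += 1
    verdicts = {}
    for peer, s in stats.items():
        if s["early_p2"] == 0:
            verdicts[peer] = "ok"
        elif s["early_p2"] >= consistent_at and s["early_p2"] >= s["phase1"]:
            verdicts[peer] = "consistent"   # every attempt failed: suspect interop
        else:
            verdicts[peer] = "isolated"     # XAuth packet probably lost once
    return verdicts

def _attempt(peer, ts, early_p2):
    """Constructed log lines for one dial-up attempt."""
    lines = [f"{ts} info IKE<{peer}> Phase 1: Responder starts AGGRESSIVE mode negotiations.",
             f"{ts} info IKE<{peer}> Phase 1: Completed Aggressive mode negotiations "
             "with a <28800>-second lifetime."]
    if early_p2:
        lines += [f"{ts} info Rejected an IKE packet on ethernet3 from {peer}:500 to "
                  "198.51.100.1:500 with cookies 4c7bc23a9116366a and ab93bf2f02c0f461 "
                  "because a Phase 2 packet arrived while XAuth was still pending.",
                  f"{ts} info IKE<{peer}>: XAuth login was aborted for gateway <IKEGW>, "
                  "username <supportMM>, retry: 0."]
    return lines

# Constructed sample: three peers with different failure patterns.
_OUTCOMES = {"192.0.2.10": [True, True, True],
             "192.0.2.20": [False, True, False],
             "192.0.2.30": [False]}
SAMPLE_LOG = "\n".join(line for peer, runs in _OUTCOMES.items()
                       for i, early in enumerate(runs)
                       for line in _attempt(peer, f"2008-05-14 16:1{i}:49", early))

if __name__ == "__main__":
    for peer, verdict in triage(SAMPLE_LOG).items():
        print(peer, verdict)
```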

