[j-nsp] Juniper Remote IPSec Dynamic with xAuth - Upgrade from 12.1R3.5 to 12.1X44

Jed Laundry jlaundry at jlaundry.com
Thu Dec 4 17:32:29 EST 2014


Hi Fraser, Laxmana,

Sorry, should've said I once tried Shrewsoft with 10.4, and had the same
issue - works, then disconnected after 60s. We shortly upgraded to 11.4
(cuz web UI crashing issues), had the same issue, but then found others had
patches to make vpnc work instead, and never looked back.

If I had to guess, I'd point the finger at DPD or NATT, because 60 seconds
is too perfect, and I've seen DPD issues in cross-vendor tunnels before.
But I didn't go into the pcaps, so take that with a grain of salt.

Thanks,
Jed.

Sent from a small screen.
On 5 Dec 2014 09:12, "Fraser McGlinn" <fraser at frizianz.com> wrote:

> Sorry yes - Mine is 60 seconds as well. Typo on my end. :)
>
> I’ll mention this PR in the case and will see how we go.
>
> Thanks heaps everyone,
>
>
> Fraser
>
>
>
> > On 5/12/2014, at 9:07 am, Laxmana Polisetti <laxmana at juniper.net> wrote:
> >
> > Jed and Fraser,
> >       In our QA lab we found this issue some time ago, it was a hard one
> > and we were able to trace back to a working build X45.D10 and 11.4R9.
> >
> >       For me the tunnel fails after every 60 seconds.
> >
> >       Gnats PR is 1041967.  (Currently in open state).
> >
> > Thanks,
> > Laxmana
> >
> > On 12/4/14, 11:30 AM, "Fraser McGlinn" <fraser at frizianz.com> wrote:
> >
> >> Hey Jed,
> >>
> >> Yep sounds about right from my poking around. So from your experience do
> >> you reckon it's the client causing this? My interpretation of the debug
> >> suggests it's the SRX killing it. I've managed to get it working in Shrew
> >> with leaving the IKE life to 180 seconds on the Juniper but configuring
> >> it to 60 seconds on the Client config. Annoying, but it works.
> >> Haven't tried getting it working on my XUbuntu desktop, but I'm sure
> >> one of these days I'll try :)
> >>
> >> I've been bouncing stuff backwards and forwards with Graham Brown, but
> >> haven't got any real reason why it does this. However, I do have a JTAC
> >> case open, and they seem to be co-operating in terms of requesting
> >> information. But they did point out that some of the VPN features seemed
> >> to miss the 12.1R line, which would mean that this is probably an issue
> >> that has existed since 11.4 as you've said. See -
> >>
> >> http://kb.juniper.net/InfoCenter/index?page=content&id=TSB16042&smlogin=true
> >>
> >> I'll keep everyone updated on where this gets, but a workaround is
> >> possible by configuring the above.
> >>
> >> Cheers,
> >>
> >> Fraser
> >>
> >>> On 5/12/2014, at 7:20 am, Jed Laundry <jlaundry at jlaundry.com> wrote:
> >>>
> >>> Hi Fraser,
> >>>
> >>> On 1 Dec 2014 15:41, "Fraser McGlinn" <fraser at frizianz.com> wrote:
> >>>>
> >>>> Basically the symptoms are that the VPN connects and remains active
> >>>> for 30 seconds exactly then drops. Phase 1 Life is 180 seconds so not
> >>>> even getting close to this.
> >>>
> >>> I had the same issue with Shrewsoft on 11.4. In the end I gave up, and
> >>> used a patched version of vpnc instead, which has the advantage of
> >>> integrating nicely with Gnome (assuming you're wanting to use it with
> >>> Linux, as the official pulse client supports MacOS now).
> >>>
> >>> Details on how to patch Fedora are on my blog. Ubuntu is there too, but
> >>> probably out of date. I've successfully used this with 11.4 and
> >>> 12.1x44.
> >>>
> >>> http://tinyurl.com/q25rzpv
> >>> Thanks,
> >>> Jed.
> >>>
> >>> Sent from a small screen.
> >>>
> >>
> >> _______________________________________________
> >> juniper-nsp mailing list juniper-nsp at puck.nether.net
> >> https://puck.nether.net/mailman/listinfo/juniper-nsp
> >
>
>

