[j-nsp] Juniper Remote IPSec Dynamic with xAuth - Upgrade from 12.1R3.5 to 12.1X44

Fraser McGlinn fraser at frizianz.com
Sun Nov 30 21:34:38 EST 2014


Hi Everyone,

I’ve been testing the feature set for a customer to upgrade from 12.1R3.5 to 12.1X44. I’ve come across an issue with a remote VPN that I’ve set up using Shrewsoft as a client and the configuration below. Basically the symptoms are that the VPN connects and remains active for exactly 30 seconds, then drops. The Phase 1 lifetime is 180 seconds, so it is not even getting close to this.

The configuration is the same across versions; no config has changed. Literally upgrade the router and it exhibits the above symptoms.

Has anyone come across this issue between these versions?

Thanks,

Fraser


set security ike proposal PRESHARE-GROUP2-SHA1-180 authentication-method pre-shared-keys
set security ike proposal PRESHARE-GROUP2-SHA1-180 dh-group group2
set security ike proposal PRESHARE-GROUP2-SHA1-180 authentication-algorithm sha1
set security ike proposal PRESHARE-GROUP2-SHA1-180 encryption-algorithm aes-128-cbc
set security ike proposal PRESHARE-GROUP2-SHA1-180 lifetime-seconds 180

set security ike policy Remote_Access-POLICY-1 mode aggressive
set security ike policy Remote_Access-POLICY-1 proposals PRESHARE-GROUP2-SHA1-180
set security ike policy Remote_Access-POLICY-1 pre-shared-key ascii-text <removed>

set security ike gateway Remote_Access-GATEWAY-1 ike-policy Remote_Access-POLICY-1
set security ike gateway Remote_Access-GATEWAY-1 dynamic hostname remotevpn.local
set security ike gateway Remote_Access-GATEWAY-1 dynamic connections-limit 50
set security ike gateway Remote_Access-GATEWAY-1 dynamic ike-user-type shared-ike-id
set security ike gateway Remote_Access-GATEWAY-1 external-interface vlan.109
set security ike gateway Remote_Access-GATEWAY-1 xauth access-profile Remote_Access-AccessProfile-1

set security ipsec proposal ESP-3DES-MD5 protocol esp
set security ipsec proposal ESP-3DES-MD5 authentication-algorithm hmac-md5-96
set security ipsec proposal ESP-3DES-MD5 encryption-algorithm 3des-cbc

set security ipsec policy Remote_Access-IPSEC_POLICY proposals ESP-3DES-MD5

set security ipsec vpn Remote_Access-VPN-1 ike gateway Remote_Access-GATEWAY-1
set security ipsec vpn Remote_Access-VPN-1 ike ipsec-policy Remote_Access-IPSEC_POLICY

set security policies from-zone Internet to-zone LAN policy RemoteVPN match source-address Remote-VPN
set security policies from-zone Internet to-zone LAN policy RemoteVPN match destination-address any
set security policies from-zone Internet to-zone LAN policy RemoteVPN match application any
set security policies from-zone Internet to-zone LAN policy RemoteVPN then permit tunnel ipsec-vpn Remote_Access-VPN-1

set security zones security-zone Internet address-book address Remote-VPN 10.2.21.0/24
set security zones security-zone Internet interfaces vlan.109 host-inbound-traffic system-services ping
set security zones security-zone Internet interfaces vlan.109 host-inbound-traffic system-services ssh
set security zones security-zone Internet interfaces vlan.109 host-inbound-traffic system-services traceroute
set security zones security-zone Internet interfaces vlan.109 host-inbound-traffic system-services snmp
set security zones security-zone Internet interfaces vlan.109 host-inbound-traffic system-services ike

set access profile Remote_Access-AccessProfile-1 authentication-order password
set access profile Remote_Access-AccessProfile-1 client <removed> firewall-user password <removed>
set access profile Remote_Access-AccessProfile-1 address-assignment pool Remote_Access-xauth-options1
set access address-assignment pool Remote_Access-xauth-options1 family inet network 10.2.21.0/24
set access address-assignment pool Remote_Access-xauth-options1 family inet range remote-vpn1-range low 10.2.21.1
set access address-assignment pool Remote_Access-xauth-options1 family inet range remote-vpn1-range high 10.2.21.254
set access address-assignment pool Remote_Access-xauth-options1 family inet xauth-attributes primary-dns 192.168.240.1/32
set access address-assignment pool Remote_Access-xauth-options1 family inet xauth-attributes secondary-dns 192.168.240.2/32
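As an added example (not part of Fraser's post and not Juniper code), the following Python script parses the `set`-style configuration above and flags the settings a reviewer would question before this goes to a customer: IKEv1 aggressive mode with a pre-shared key and a shared IKE ID, DH group 2, 3DES/MD5 for ESP, and SSH/SNMP accepted on the Internet-zone interface. The sample input is lifted from the configuration in the post; the finding codes, the threshold for a "short" lifetime and the list of untrusted zones are the script's own assumptions. It does not diagnose the 30-second drop itself, which needs the device's IKE trace output.

```python
"""Audit a Junos 'set'-style IKE/IPsec configuration for weak settings.
Added example, not from the original post or from Juniper. Finding codes,
the lifetime threshold and the untrusted-zone list are this script's own."""
from collections import defaultdict

# Constructed sample: lines taken from the configuration quoted in the post.
SAMPLE_CONFIG = """\
set security ike proposal PRESHARE-GROUP2-SHA1-180 authentication-method pre-shared-keys
set security ike proposal PRESHARE-GROUP2-SHA1-180 dh-group group2
set security ike proposal PRESHARE-GROUP2-SHA1-180 lifetime-seconds 180
set security ike policy Remote_Access-POLICY-1 mode aggressive
set security ike policy Remote_Access-POLICY-1 proposals PRESHARE-GROUP2-SHA1-180
set security ike gateway Remote_Access-GATEWAY-1 ike-policy Remote_Access-POLICY-1
set security ike gateway Remote_Access-GATEWAY-1 dynamic ike-user-type shared-ike-id
set security ike gateway Remote_Access-GATEWAY-1 external-interface vlan.109
set security ipsec proposal ESP-3DES-MD5 protocol esp
set security ipsec proposal ESP-3DES-MD5 authentication-algorithm hmac-md5-96
set security ipsec proposal ESP-3DES-MD5 encryption-algorithm 3des-cbc
set security ipsec policy Remote_Access-IPSEC_POLICY proposals ESP-3DES-MD5
set security zones security-zone Internet interfaces vlan.109 host-inbound-traffic system-services ssh
set security zones security-zone Internet interfaces vlan.109 host-inbound-traffic system-services snmp
set security zones security-zone Internet interfaces vlan.109 host-inbound-traffic system-services ike
"""

WEAK_DH = {"group1", "group2"}          # 768/1024-bit MODP
WEAK_ENC = {"des-cbc", "3des-cbc"}      # 64-bit block ciphers
WEAK_AUTH = {"hmac-md5-96"}
MGMT_SERVICES = {"ssh", "telnet", "http", "https", "snmp", "netconf"}


def parse_set_config(text):
    """Map 'set security <kind> <name> <key words...> <value>' lines to
    {(kind, name): {key: [values]}}; repeated keys collect a list of values."""
    objs = defaultdict(lambda: defaultdict(list))
    for raw in text.splitlines():
        t = raw.split()
        if len(t) < 7 or t[:2] != ["set", "security"]:
            continue
        kind, name = " ".join(t[2:4]), t[4]
        key, value = " ".join(t[5:-1]), t[-1]
        objs[(kind, name)][key].append(value)
    return objs


def first(attrs, key):
    return attrs[key][0] if attrs.get(key) else None


def audit(text, untrusted_zones=("Internet",)):
    """Return a list of {code, object, message} findings, in config order."""
    cfg = {k: dict(v) for k, v in parse_set_config(text).items()}
    out = []

    def flag(code, obj, msg):
        out.append({"code": code, "object": obj, "message": msg})

    for (kind, name), a in cfg.items():
        if kind == "ike proposal":
            if first(a, "dh-group") in WEAK_DH:
                flag("IKE_WEAK_DH", name, f"dh-group {first(a, 'dh-group')} is below 2048-bit")
            if a.get("lifetime-seconds") and int(first(a, "lifetime-seconds")) < 3600:
                flag("IKE_SHORT_LIFETIME", name, "phase-1 lifetime forces very frequent rekeys (assumed threshold 3600s)")
        elif kind == "ike policy":
            # Follow the policy's proposal references to see whether PSK auth is in play.
            psk = any(first(cfg.get(("ike proposal", p), {}), "authentication-method") == "pre-shared-keys"
                      for p in a.get("proposals", []))
            if first(a, "mode") == "aggressive" and psk:
                flag("IKE_AGGRESSIVE_PSK", name, "aggressive mode sends the peer ID and a PSK-derived hash unencrypted, enabling offline PSK guessing")
        elif kind == "ike gateway":
            if first(a, "dynamic ike-user-type") == "shared-ike-id":
                flag("IKE_SHARED_ID", name, "one IKE ID and PSK shared by all remote users; one leaked client profile exposes every session")
        elif kind == "ipsec proposal":
            if first(a, "encryption-algorithm") in WEAK_ENC:
                flag("IPSEC_WEAK_CIPHER", name, f"{first(a, 'encryption-algorithm')} is a 64-bit block cipher")
            if first(a, "authentication-algorithm") in WEAK_AUTH:
                flag("IPSEC_WEAK_HASH", name, "hmac-md5-96 is deprecated; prefer hmac-sha-256-128")
        elif kind == "zones security-zone" and name in untrusted_zones:
            for key, values in a.items():
                parts = key.split()
                if parts[:1] == ["interfaces"] and key.endswith("system-services"):
                    for svc in sorted(set(values) & MGMT_SERVICES):
                        flag("MGMT_EXPOSED", f"{name}/{parts[1]}", f"{svc} accepted from an untrusted zone")
    return out


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f['code']:<20} {f['object']:<30} {f['message']}")
```

Run against the sample it reports eight findings; the two that matter most for a remote-access deployment are `IKE_AGGRESSIVE_PSK` together with `IKE_SHARED_ID`, since an attacker who captures one aggressive-mode exchange can attack the group PSK offline and then impersonate the gateway to every client.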