
Problem with Juniper SSG20 and VPNC


Aggie91

MIS
May 5, 2003
6
US
I am running vpnc as an ipsec xauth client against a remote Juniper SSG20 running screenOS 6.1.x

I appear to be establishing my Ph1 and Ph2 portions successfully, but subsequently cannot get anywhere beyond the SSG20 with my client. I can ping the IP pool host he has been assigned (natch) and can ping the trusted side of the Juniper, but I cannot ping the inside default GW address, or anything else.

Here is an anonymized session from the SSG20's perspective:

2010-10-15 12:59:16 crit VPN 'RAS-VPN-P2' XAuth from 64.129.60.222 is down.
2010-10-15 12:57:26 crit VPN 'RAS-VPN-P2' XAuth from 64.129.60.222 is up.
2010-10-15 12:55:56 crit VPN 'RAS-VPN-P2' XAuth from 64.129.60.222 is down.
2010-10-15 12:49:49 info IKE x.x.x.x Phase 2 msg ID fc8676d1: Completed negotiations with SPI 48c5c684, tunnel ID 32769, and lifetime 3600 seconds/0 KB.
2010-10-15 12:49:49 info IKE x.x.x.x Phase 2 msg-id fc8676d1: Completed for user xauth@site.com.
2010-10-15 12:49:48 info IKE x.x.x.x Phase 2 msg ID fc8676d1: Responded to the peer's first message from user xauth@site.com.
2010-10-15 12:49:47 info IKE x.x.x.x : XAuth login was passed for gateway RAS-VPN-P1GW, username xauthuser, retry: 0, Client IP Addr 10.10.10.10, IPPool name: vpnpool, Session-Timeout: 0s, Idle-Timeout: 0s.
2010-10-15 12:49:47 info IKE x.x.x.x : Received initial contact notification and removed Phase 1 SAs.
2010-10-15 12:49:47 info IKE x.x.x.x Phase 1: Completed Aggressive mode negotiations with a 28800-second lifetime.
2010-10-15 12:49:47 info IKE x.x.x.x Phase 1: Completed for user xauth@site.com.
2010-10-15 12:49:47 info IKE x.x.x.x: Received initial contact notification and removed Phase 2 SAs.
2010-10-15 12:49:47 info IKE x.x.x.x: Received a notification message for DOI 1 24578 INITIAL-CONTACT.
2010-10-15 12:49:46 info IKE x.x.x.x Phase 1: Responder starts AGGRESSIVE mode negotiations.

My DG is defined on the untrust-vr.
The IP Pool route is associated with the tunnel.1 interface.
The route to my internal nets is associated with bgroup0, which is in the trust zone.
tunnel.1 is unnumbered, is in the trust zone and is associated with bgroup0.

This is a route based VPN with 2 simple "any-any" policies (trust-untrust / untrust-trust).

I suppose that the link up/link down messages are symptoms of what's going on.

At this point I assume that it is Layer 3 related, but I can't figure it out, and I have played a lot with the routes.

Thanks,

Andy