SRX

last person joined: 14 hours ago 

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Shrew VPN Connection issue

     
    Posted 06-06-2018 03:35

    Hi,

     

    I have already read and utilised KB22074

    I have the NCP Client working but the organisation I work for want to test a free VPN Client. The only one I can find is Shrew VPN. I have configured as per the NCP Clinet and when connecting I get the following:

    bringing up tunnel

    network device configured

    tunnel enabled

     

    All looks good and I get an IP address assigned by the SRX1500.... howver, I cannot ping any devices at the far end and I cannot SSH to them. Then after about 30 seconds the tunnel is just dropped.

     

    The Shrew VPN Trace logfile is rather large, but here is some of the ending of it:

     

    18/06/06 11:20:25 == : new informational iv ( 16 bytes )

    18/06/06 11:20:25 =< : cookies 6e0aee610b6a71ac:b334668bf9b0d920

    18/06/06 11:20:25 =< : message 7f3e67aa

    18/06/06 11:20:25 =< : decrypt iv ( 16 bytes )

    18/06/06 11:20:25 == : decrypt packet ( 92 bytes )

    18/06/06 11:20:25 <= : trimmed packet padding ( 12 bytes )

    18/06/06 11:20:25 <= : stored iv ( 16 bytes )

    18/06/06 11:20:25 << : hash payload

    18/06/06 11:20:25 << : delete payload

    18/06/06 11:20:25 == : informational hash_i ( computed ) ( 20 bytes )

    18/06/06 11:20:25 == : informational hash_c ( received ) ( 20 bytes )

    18/06/06 11:20:25 ii : informational hash verified

    18/06/06 11:20:25 ii : received peer DELETE message

    18/06/06 11:20:25 ii : - 175.175.175.175:4500 -> 10.10.10.10:4500

    18/06/06 11:20:25 ii : - isakmp spi = 6e0aee610b6a71ac:b334668bf9b0d920

    18/06/06 11:20:25 DB : phase1 found

    18/06/06 11:20:25 ii : cleanup, marked phase1 6e0aee610b6a71ac:b334668bf9b0d920 for removal

    18/06/06 11:20:25 DB : phase1 soft event canceled ( ref count = 4 )

    18/06/06 11:20:25 DB : phase1 hard event canceled ( ref count = 3 )

    18/06/06 11:20:25 DB : phase1 dead event canceled ( ref count = 2 )

    18/06/06 11:20:25 DB : config deleted ( obj count = 0 )

    18/06/06 11:20:25 ii : phase1 removal before expire time

    18/06/06 11:20:25 DB : phase1 not found

    18/06/06 11:20:25 DB : phase1 deleted ( obj count = 0 )

    18/06/06 11:20:25 DB : policy found

    18/06/06 11:20:25 ii : removing IPSEC INBOUND policy ANY:175.175.0.0/24:* -> ANY:172.16.10.44:*

    18/06/06 11:20:25 K> : send pfkey X_SPDDELETE2 UNSPEC message

    18/06/06 11:20:25 DB : policy found

    18/06/06 11:20:25 ii : removing IPSEC OUTBOUND policy ANY:172.16.10.44:* -> ANY:175.175.0.0/24:*

    18/06/06 11:20:25 K> : send pfkey X_SPDDELETE2 UNSPEC message

    18/06/06 11:20:25 ii : removed IPSEC policy route for ANY:175.175.0.0/24:*

    18/06/06 11:20:25 DB : policy found

    18/06/06 11:20:25 ii : removing IPSEC INBOUND policy ANY:175.175.175.0/24:* -> ANY:172.16.10.44:*

    18/06/06 11:20:25 K> : send pfkey X_SPDDELETE2 UNSPEC message

    18/06/06 11:20:25 DB : policy found

    18/06/06 11:20:25 ii : removing IPSEC OUTBOUND policy ANY:172.16.10.44:* -> ANY:175.175.175.0/24:*

    18/06/06 11:20:25 K> : send pfkey X_SPDDELETE2 UNSPEC message

    18/06/06 11:20:25 ii : removed IPSEC policy route for ANY:175.175.175.0/24:*

    18/06/06 11:20:25 DB : policy found

    18/06/06 11:20:25 ii : removing NONE INBOUND policy ANY:10.10.10.254:* -> ANY:172.16.10.44:*

    18/06/06 11:20:25 K> : send pfkey X_SPDDELETE2 UNSPEC message
    18/06/06 11:20:25 DB : policy found

    18/06/06 11:20:25 ii : removing NONE OUTBOUND policy ANY:172.16.10.44:* -> ANY:10.10.10.254:*

    18/06/06 11:20:25 K> : send pfkey X_SPDDELETE2 UNSPEC message

    18/06/06 11:20:25 DB : policy found

    18/06/06 11:20:25 ii : removing NONE INBOUND policy ANY:175.175.175.17:* -> ANY:10.10.10.19:*

    18/06/06 11:20:25 K> : send pfkey X_SPDDELETE2 UNSPEC message

    18/06/06 11:20:25 DB : policy found

    18/06/06 11:20:25 ii : removing NONE OUTBOUND policy ANY:10.10.10.19:* -> ANY:175.175.175.17:*

    18/06/06 11:20:25 K> : send pfkey X_SPDDELETE2 UNSPEC message

    18/06/06 11:20:25 ii : removed NONE policy route for ANY:175.175.175.17:*

    18/06/06 11:20:26 ii : disable adapter ROOT\VNET\0000

    18/06/06 11:20:26 DB : tunnel natt event canceled ( ref count = 2 )

    18/06/06 11:20:26 DB : tunnel stats event canceled ( ref count = 1 )

    18/06/06 11:20:26 DB : removing tunnel config references

    18/06/06 11:20:26 DB : removing tunnel phase2 references

    18/06/06 11:20:26 DB : removing tunnel phase1 references

    18/06/06 11:20:26 DB : tunnel deleted ( obj count = 0 )

    18/06/06 11:20:26 DB : removing all peer tunnel references

    18/06/06 11:20:26 DB : peer deleted ( obj count = 0 )

    18/06/06 11:20:26 ii : ipc client process thread exit ...:

     

    Anyone got anyperience with configuring the Shrew VPN please or any idea what the issue may be?



  • 2.  RE: Shrew VPN Connection issue
    Best Answer

     
    Posted 06-06-2018 07:35

    Nope, does not matter what settings we use, we cannot get the IPSec Phase 2 to come up, although, actually, something weird occurs:

     

    every now and then Phase 2 associates and I can ping, for about 1 minute and then it fails but gives no real clue as to why.

     

    I'm removing the Shrew Software and we will run with NCP.



  • 3.  RE: Shrew VPN Connection issue

     
    Posted 06-07-2018 07:34

    Just in case anyone wants to know, I managed to get the Shrew VPN working with the SRX1500.

     

    I changed the IKE (Phase 1) Lifetime to 180 and the Shrew VPN Client to 60.

     

    So, the scenario now with the Shrew VPN Client is that if you are idle for 90 seconds (I timed it) then the VPN automatically disconnects. However, if you are utilising the VPN then it stays up for 5 minutes plus..... I have completed tests for the times.

     

    I just need to figure out now why the Client closes the connection after 90 seconds when idle, especially as there is nothing configured anywhere that says 90 seconds.... When I figure this out I will post here for other people who may be experiencing the same issue.

     

    The SRX configuration is the same as I have written on these boards for the NCP client except the lifetime timer....



  • 4.  RE: Shrew VPN Connection issue

    Posted 07-12-2018 07:42

    Hello,

     

    I was also trying the free Shrewsoft VPN, but I was stuck in a "timeout" error. And after some searching and testing I stopped with this one.

    We we're already been using NCP for several customers for some time, but this is a rather expensive VPN client. Now I'am testing the Greenbow vpn client on Win10 64-bit. I'll managed to get the tunnel UP, but unfortunately I cannot communicate through the tunnel.

    I have an NCP (old version Juniper Edition) vpn client installed on my own laptop which connects with the same IPsec configuration and from my machine I can connect to the remote network without any problems.

     

    We have several customers using Pulse Secure Client with the Juniper build-in Dynamic-vpn, but with the latest Windows updates they are experencing a lot of problems. Juniper says we should use an older client, but thats also no a good and working solution.

    According to my colleagues Windows does something strange with the virtual adapter, which is neede for the communication. Maybe that's also the case when using GreenBow. Any ideas?

     

     

     



  • 5.  RE: Shrew VPN Connection issue

     
    Posted 07-13-2018 01:31

    Hi jeepee1970,

     

    Sorry, I have no idea with regards to Windows changing anything with the virtual adaptor.

     

    What I found with the Shrew VPN Client was that it always disconnected after 50% of the lifetime value was reached. The way around that is to obviously double the length of the lifetime for what you require. 

     

    I have stopped using the Shrew software and now use the NCP VPN Client. It's also very, very quick with connectivity compared to any other Client I have tried (Including CIsco Anyconnect).....

     

    I have managed to get all different clients working (NCP, SHrew and Cisco Anyconnect) but found the most stable to be NCP. Also, as an add on, I found configuring the NCP client for Split-Tunneling very intuitive and easy.

     

    Sorry I can't be of more help.



  • 6.  RE: Shrew VPN Connection issue

    Posted 07-20-2018 07:40

    Hello 

     

     



  • 7.  RE: Shrew VPN Connection issue

    Posted 07-16-2019 16:31

    Hi ,

     

    May i know regarding your previous test between shrew and srx1500 is it stable after u change the idle timeout? I'm looking the free vpn client software such as shrew.

     

     

    Thanks and appreciate anyone feedback