
[FW] VPN with certificate and XAuth fails.


Article ID: KB9038    Last Updated: 11 Aug 2010    Version: 3.0
Summary:
VPN with certificate and XAuth fails when NetScreen Remote is used at the remote end connecting to a Juniper Firewall at the central site.
Symptoms:

A debug trace of the connection shows the following output. What is causing this, and is there a solution?

## 18:03:19 : IKE<10.1.0.22      >   hdr
## 18:03:19 : 25 8f 53 77 24 ed 53 24  00 00 00 00 00 00 00 00
## 18:03:19 : 01 10 04 00 00 00 00 00  00 00 07 50 04 00 00 44
## 18:03:19 : IKE<10.1.0.22      >   len(ike) 1872,len(udp) 1880, ike packet, len(ip) 1900, action 1
## 18:03:19 : IKE<0.0.0.0        >   coach. sock 258
## 18:03:19 : IKE<10.1.0.22      > ****** Recv packet if <ethernet0/0> of vsys <Root> ******
## 18:03:19 : IKE<10.1.0.22      >   Catcher: get 1872 bytes. src port 500
## 18:03:19 : IKE<10.1.0.22      >   New Phase 1 SA
## 18:03:19 : IKE<10.1.0.22      >   ISAKMP msg: len 1872, nxp 1[SA], exch 4[AG], flag 00
## 18:03:19 : IKE<10.1.0.22      > Recv : [SA] [KE] [NONCE] [ID] [CERT-REQ] [CERT-REQ] [CERT-REQ]
## 18:03:19 : [CERT-REQ] [CERT-REQ] [CERT-REQ] [CERT-REQ] [CERT-REQ] [CERT-REQ] [CERT-REQ] [CERT-REQ]
## 18:03:19 : [CERT-REQ] [CERT-REQ] [VID] [VID] [VID] [VID] [VID] [VID]
## 18:03:19 : IKE<10.1.0.22      >     Validate (1844): SA/68 KE/132 NONCE/24 ID/14 CERT-REQ0¸%/25 CERT-REQ0¸%/119 CERT-REQ0¸%/102
## 18:03:19 : IKE<10.1.0.22      >   CERT-REQ0¸%/102 CERT-REQ0¸%/98 CERT-REQ0¸%/102 CERT-REQ0¸%/60 CERT-REQ0¸%/70 CERT-REQ0¸%/177
## 18:03:19 : IKE<10.1.0.22      >   CERT-REQ0¸%/193 CERT-REQ0¸%/80 CERT-REQ0¸%/195 CERT-REQ0¸%/151 VID/48 VID/12 VID/20
## 18:03:19 : IKE<10.1.0.22      >   Find gateway by peer IP and local ifp.
## 18:03:19 : IKE<10.1.0.22      > id payload
## 18:03:19 : 07 00 00 0e 03 11 01 f4  76 70 6e 40 62 62
## 18:03:19 : IKE<10.1.0.22      >   Receive Id in AG mode, id-type=3, id=vpn@bb
## 18:03:19 : IKE<10.1.0.22      >   Getting peer_ent by peer ID <vpn@bb>/3 and local IP
## 18:03:19 : IKE<10.1.0.22      >   Find dialup gateway by peer IP, peer ID and local ifp.
## 18:03:19 : IKE<10.1.0.22      >   Find dialup or dynamic peer for full ID match.
## 18:03:19 : IKE<0.0.0.0        >     locate peer entry for (3/vpn@bb), by identity.
## 18:03:19 : IKE<0.0.0.0        >   found single user entry(3/vpn@bb).
## 18:03:19 : IKE<10.1.0.22      >   Found peer entry (teste) from 10.1.0.22.
## 18:03:19 : p1_responder sets local_sock.sin_port to 500.
## 18:03:19 : IKE<0.0.0.0        >   init p1sa by peer, pidt = 0x0
## 18:03:19 : IKE<0.0.0.0        >   peer change peer identity for p1 sa, pidt = 0x0
## 18:03:19 : IKE<0.0.0.0        >   create peer identity 087bdda40
## 18:03:19 : IKE<0.0.0.0        >   peer identity 7bdda40 created.
## 18:03:19 : IKE<10.1.0.22      >   getProfileFromP1Proposal->
## 18:03:19 : IKE<10.1.0.22      >   xauthstatus is 1
## 18:03:19 : IKE<10.1.0.22      >   find profile[0]=<00000001 00000002 00000003 00000002> for p1 proosal (id 9)
## 18:03:19 : IKE<10.1.0.22      >   responder create sa: 10.1.0.22->10.1.0.1
## 18:03:19 : IKE<10.1.0.22      >   Phase 1: Responder starts AGGRESSIVE mode negotiations.
## 18:03:19 : IKE<10.1.0.22      >   AG in state OAK_AG_NOSTATE.
## 18:03:19 : IKE<10.1.0.22      > Process [VID]:
## 18:03:19 : IKE<10.1.0.22      >   Vendor ID:
## 18:03:19 : 47 bb e7 c9 93 f1 fc 13  b4 e6 d0 db 56 5c 68 e5
## 18:03:19 : 01 02 01 01 02 01 01 03  10 31 30 2e 35 2e 31 20
## 18:03:19 : 28 42 75 69 6c 64 20 38  29 00 00 00
## 18:03:19 : IKE<10.1.0.22      >   receive unknown vendor ID payload
## 18:03:19 : IKE<10.1.0.22      > Process [VID]:
## 18:03:19 : IKE<10.1.0.22      >   Vendor ID:
## 18:03:19 : da 8e 93 78 80 01 00 00
## 18:03:19 : IKE<10.1.0.22      >   receive unknown vendor ID payload
## 18:03:19 : IKE<10.1.0.22      > Process [VID]:
## 18:03:19 : IKE<10.1.0.22      >   Vendor ID:
## 18:03:19 : af ca d7 13 68 a1 f1 c9  6b 86 96 fc 77 57 01 00
## 18:03:19 : IKE<10.1.0.22      > rcv non-NAT-Traversal VID payload.
## 18:03:19 : IKE<10.1.0.22      > Process [VID]:
## 18:03:19 : IKE<10.1.0.22      >   Vendor ID:
## 18:03:19 : 09 00 26 89 df d6 b7 12
## 18:03:19 : IKE<10.1.0.22      >   rcv XAUTH v6.0 vid
## 18:03:19 : IKE<10.1.0.22      > Process [VID]:
## 18:03:19 : IKE<10.1.0.22      >   Vendor ID:
## 18:03:19 : 44 85 15 2d 18 b6 bb cd  0b e8 a8 46 95 79 dd cc
## 18:03:19 : IKE<10.1.0.22      >   rcv NAT-Traversal VID payload (draft-ietf-ipsec-nat-t-ike-00).
## 18:03:19 : IKE<10.1.0.22      > Process [VID]:
## 18:03:19 : IKE<10.1.0.22      >   Vendor ID:
## 18:03:19 : 90 cb 80 91 3e bb 69 6e  08 63 81 b5 ec 42 7b 1f
## 18:03:19 : IKE<10.1.0.22      >   rcv NAT-Traversal VID payload (draft-ietf-ipsec-nat-t-ike-02).
## 18:03:19 : IKE<10.1.0.22      > Process [SA]:
## 18:03:19 : IKE<10.1.0.22      >   Proposal received:
## 18:03:19 : IKE<10.1.0.22      >   auth(3)<RSA>, encr(1)<DES>, hash(2)<SHA>, group(2)
## 18:03:19 : IKE<10.1.0.22      >   xauth: disabled
## 18:03:19 : IKE<10.1.0.22      >   
## 18:03:19 : IKE<10.1.0.22      >   xauth flag: 0, 3
## 18:03:19 : IKE<10.1.0.22      >   auth value: 3, 3
## 18:03:19 : IKE<10.1.0.22      >   enc  value: 1, 1
## 18:03:19 : IKE<10.1.0.22      >   [0] expect:
## 18:03:19 : IKE<10.1.0.22      >   auth(3)<RSA>, encr(1)<DES>, hash(2)<SHA>, group(2)
## 18:03:19 : IKE<10.1.0.22      >   xauth: responder
## 18:03:19 : IKE<10.1.0.22      >   Proposal received:
## 18:03:19 : IKE<10.1.0.22      >   auth(3)<RSA>, encr(1)<DES>, hash(2)<SHA>, group(2)
## 18:03:19 : IKE<10.1.0.22      >   xauth: disabled
## 18:03:19 : IKE<10.1.0.22      >   
## 18:03:19 : IKE<10.1.0.22      >   xauth flag: 0, 3
## 18:03:19 : IKE<10.1.0.22      >   auth value: 3, 3
## 18:03:19 : IKE<10.1.0.22      >   enc  value: 1, 1
## 18:03:19 : IKE<10.1.0.22      >   [0] expect:
## 18:03:19 : IKE<10.1.0.22      >   auth(3)<RSA>, encr(1)<DES>, hash(2)<SHA>, group(2)
## 18:03:19 : IKE<10.1.0.22      >   xauth: responder
## 18:03:19 : IKE<10.1.0.22      > Phase 1: Rejected proposals from peer. Negotiations failed.
## 18:03:19 : IKE<10.1.0.22      > Construct ISAKMP header.
## 18:03:19 : IKE<10.1.0.22      >   Msg header built (next payload #11)
## 18:03:19 : IKE<10.1.0.22      > Construct [NOTIF]:(NO-PROPOSAL-CHOSEN)
## 18:03:19 : IKE<10.1.0.22      > P1 message header:
## 18:03:19 : IKE<10.1.0.22      >   ISAKMP msg: len 64, nxp 11[NOTIF], exch 5[INFO], flag 00
## 18:03:19 : IKE<10.1.0.22      > Xmit : [NOTIF]
## 18:03:19 : IKE<10.1.0.22      > send phase 1 packet:
## 18:03:19 : 25 8f 53 77 24 ed 53 24  12 0d 77 f6 1d c1 4e 64
## 18:03:19 : 0b 10 05 00 00 00 00 00  00 00 00 40 00 00 00 24
## 18:03:19 : 00 00 00 01 01 10 00 0e  25 8f 53 77 24 ed 53 24
## 18:03:19 : 12 0d 77 f6 1d c1 4e 64  00 08 00 04 00 00 00 00
## 18:03:19 : IKE<10.1.0.22      >   bad sa, can't send request
## 18:03:19 : IKE<10.1.0.22      > Error send packet
## 18:03:19 : IKE<10.1.0.22      >   xauth_cleanup()
## 18:03:19 : IKE<10.1.0.22      >   Done cleaning up IKE Phase 1 SA
## 18:03:19 : IKE<0.0.0.0        >   delete peer identity 0x7bdda40
## 18:03:19 : IKE<10.1.0.22      >     delete sa(10.1.0.22 - 10.1.0.1), state (10800/0)
## 18:03:19 : IKE<10.1.0.22      >   IKE msg done: ike state null
Solution:
In the output of "debug ike detail" above you can see that the remote end did not include XAuth in the Phase 1 proposal it sent ("Proposal received: ... xauth: disabled"), whereas the firewall expected XAuth to be enabled for the responder ("[0] expect: ... xauth: responder"). This mismatch is why Phase 1 failed with NO-PROPOSAL-CHOSEN.

To resolve the issue, change the NetScreen-Remote Phase 1 proposal to use "RSA; with Extended authentication" under the Phase 1 proposal settings.
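As an added illustration (not part of the original article), the following Python script compares each "Proposal received" block in a "debug ike detail" trace against the firewall's "[n] expect" blocks and reports the attributes that differ; the sample trace is constructed from the lines of the trace above, and the function names are this example's own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample, trimmed from the "debug ike detail" trace in the article
# to the lines that matter for the Phase 1 proposal comparison.
SAMPLE_TRACE = """\
## 18:03:19 : IKE<10.1.0.22      > Process [SA]:
## 18:03:19 : IKE<10.1.0.22      >   Proposal received:
## 18:03:19 : IKE<10.1.0.22      >   auth(3)<RSA>, encr(1)<DES>, hash(2)<SHA>, group(2)
## 18:03:19 : IKE<10.1.0.22      >   xauth: disabled
## 18:03:19 : IKE<10.1.0.22      >   [0] expect:
## 18:03:19 : IKE<10.1.0.22      >   auth(3)<RSA>, encr(1)<DES>, hash(2)<SHA>, group(2)
## 18:03:19 : IKE<10.1.0.22      >   xauth: responder
## 18:03:19 : IKE<10.1.0.22      > Phase 1: Rejected proposals from peer. Negotiations failed.
"""

PREFIX = re.compile(r"^## \S+ : IKE<[^>]*>\s*")   # "## hh:mm:ss : IKE<peer>" prefix
ATTR = re.compile(r"(\w+)\((\d+)\)(?:<(\w+)>)?")  # auth(3)<RSA>, group(2), ...
EXPECT = re.compile(r"^\[\d+\] expect:$")

def parse_proposals(trace: str) -> List[Dict]:
    """Group each 'Proposal received' block with the 'expect' blocks that follow it."""
    pairs: List[Dict] = []
    current: Optional[Dict[str, str]] = None
    for raw in trace.splitlines():
        line = PREFIX.sub("", raw).strip()
        if line == "Proposal received:":
            current = {}
            pairs.append({"received": current, "expected": []})
        elif EXPECT.match(line) and pairs:
            current = {}
            pairs[-1]["expected"].append(current)
        elif current is not None and line.startswith("xauth:"):
            current["xauth"] = line.split(":", 1)[1].strip()
        elif current is not None and line.startswith("auth("):
            for name, num, label in ATTR.findall(line):
                current[name] = label or num  # symbolic name when the trace gives one
    return pairs

def proposal_mismatches(trace: str) -> List[Dict[str, tuple]]:
    """For each received proposal no 'expect' block matches, list differing attributes."""
    report = []
    for pair in parse_proposals(trace):
        received, expected = pair["received"], pair["expected"]
        if any(received == exp for exp in expected):
            continue  # at least one expected proposal matches: nothing to report
        for exp in expected:
            keys = sorted(set(received) | set(exp))
            report.append({k: (received.get(k), exp.get(k))
                           for k in keys if received.get(k) != exp.get(k)})
    return report

if __name__ == "__main__":
    for diff in proposal_mismatches(SAMPLE_TRACE):
        print("Phase 1 proposal rejected; (peer sent, firewall expects):", diff)
```

On the sample trace the only differing attribute is xauth ("disabled" vs "responder"), which is exactly the mismatch the solution above fixes on the NetScreen-Remote side.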
