netscreen VPN无法登陆故障分析及解决

safenet softremote软件是一种比较常见的VPN客户端程序,被应用在许多防火墙的VPN客户端上.

比如netscreen 公司的防火墙就采用了它.正好我使用的正是这款,就以它为例netscreen-remote.与大家分享心得.

许多用户反应安装好客户端后,进行登陆时提示:

unable to connect to my connectionsxjmc, please check log for further details.


根据提示分析了日志:

10-13: 22:50:21.421 My Connectionsxjmc - Initiating IKE Phase 1 (IP ADDR=xxx.xxx.xxx.xxx)
10-13: 22:50:21.765 My Connectionsxjmc - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID 6x)
10-13: 22:50:36.843 My Connectionsxjmc - message not received! Retransmitting!
10-13: 22:50:36.843 My Connectionsxjmc - SENDING>>>> ISAKMP OAK AG (Retransmission)
10-13: 22:50:52.015 My Connectionsxjmc - message not received! Retransmitting!
10-13: 22:50:52.015 My Connectionsxjmc - SENDING>>>> ISAKMP OAK AG (Retransmission)
10-13: 22:51:07.187 My Connectionsxjmc - message not received! Retransmitting!
10-13: 22:51:07.187 My Connectionsxjmc - SENDING>>>> ISAKMP OAK AG (Retransmission)
10-13: 22:51:22.234 My Connectionsxjmc - Exceeded 3 IKE SA negotiation attempts

防火墙的日志如下

2006-10-13 23:03:25 info IKE Phase 1: Retransmission limit has been reached.
2006-10-13 23:02:36 info IKE
根据提示说明客户端成功发送了请求到防火墙上..但没有通过,或是没有成功连接..

我又是分析了一个成功接入的VPN的日志

10-13: 22:58:35.500 My Connectionsxjmc - Initiating IKE Phase 1 (IP ADDR=xxx.xxx.xxx.xxx)
10-13: 22:58:35.906 My Connectionsxjmc - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID 6x)
10-13: 22:58:35.937 My Connectionsxjmc - RECEIVED<<< ISAKMP OAK AG (SA, VID 3x, KE, NON, ID, HASH, VID, NAT-D 2x)
10-13: 22:58:35.937 My Connectionsxjmc - Peer is NAT-T draft-01 capable
10-13: 22:58:35.937 My Connectionsxjmc - NAT is detected for Client
10-13: 22:58:36.156 My Connectionsxjmc - SENDING>>>> ISAKMP OAK AG *(HASH, NAT-D 2x, NOTIFY:STATUS_REPLAY_STATUS, NOTIFY:STATUS_INITIAL_CONTACT)
10-13: 22:58:36.156 My Connectionsxjmc - Established IKE SA
10-13: 22:58:36.156 My Connectionsxjmc - MY COOKIE bf b 31 85 69 55 9f db
10-13: 22:58:36.156 My Connectionsxjmc - HIS COOKIE a4 98 c3 b 41 f e1 81
10-13: 22:58:36.171 My Connectionsxjmc - RECEIVED<<< ISAKMP OAK TRANS *(HASH, ATTR)
10-13: 22:58:42.250 My Connectionsxjmc - RECEIVED<<< ISAKMP OAK TRANS *(Retransmission)
10-13: 22:58:48.250 My Connectionsxjmc - RECEIVED<<< ISAKMP OAK TRANS *(Retransmission)

从提示上,这个过程,是请求然后得到了一个回复..经过协商后,最后成功登陆..

再看防火墙上的日志:

2006-10-13 23:10:50 info IKE: Received initial contact notification and removed Phase 2 SAs.
2006-10-13 23:10:50 info IKE: Received a notification message for DOI <1> <24578> .
2006-10-13 23:10:50 info IKE: Received a notification message for DOI <1> <24577> .
2006-10-13 23:10:50 info IKE Phase 1: IKE responder has detected NAT in front of the remote device.
2006-10-13 23:10:50 info IKE Phase 1: Responder starts AGGRESSIVE mode negotiations.

说明双方进行了成功的连接...

原因是什么呢?根据现有两台客户机的实际情况寻找原因.

都是通过单位ADSL宽带路由器上网,区别就在,

成功的客户机只是通过宽带路由器共享上网,

而失败的客户机却多做一个,端口映射.为了在局域网里实现HTTP和FTP功能,就在宽带路由器上将80和21端口映射到了该机的局域网IP上..为了分析是否是这个原因..将该IP更改后,成功登陆..

看来问题就出现在这上面.怎么解决呢.....经查实,原来当客户机提出认证请求时,服务器将通过UDP500端口进行回复认证..而针映射时,未做该端口映射反而导致了无法远过认证..将UDP500端口也映射到该局域网IP时,问题解决,成功登陆..

总结;

现在许多客户端的上网方式都会造成这方面的影响,还有系统自带的防火墙如果做了这方面端口限制也会造成这个问题..必须保证UDP500端口能达到该机.

使用宽带路由器时,要注意一个问题:端口映射时会造致其他功能受限...有时使用NAT转换时,有些设备没有开放UDP500端口.

 

本地连接禁用在启用就OK！