[vpn-help] Does ShrewSoft VPN client work with Juniper SSG20 Firmware v6.1?
Marcus Robinson
marcus at marcusrobinson.info
Sun Mar 27 09:17:07 CDT 2011
Hi Kevin,
Thanks for your response. I did indeed notice this discrepancy in the help
page, but I made sure to use my own "client.myvpn.com" in both Juniper
firewall and client phase 1 settings. Same as well for the phase 2 settings,
using "vpngw.myvpn.com", so I don't think that's the issue.
I've also checked the following - I can telnet to the public IP of the
Juniper VPN on port 80, but I can't telnet to the public IP of the Juniper
VPN on port 500. The firewall I sit behind definitely has port 500 open and
I've disabled my Win7 firewall. Is there something I need to do on the
Juniper to enable access on port 500? The Juniper is giving the *"**Phase 1
packet arrived from an unrecognized peer gateway."*, so I imagine the
request is making it through, so port 500 probably isn't the issue...
Really stumped on this one - can you see anything else in the help docs that
might be off?
I noticed another discrepancy in the Phase 1 Security settings in the help
page. It says in the instructions to use this:
Phase 1 Proposal
- pre-g2-3des-sha
- pre-g2-3des-md5
- pre-g2-aes128-sha
- pre-g2-aes128-md5
And yet the screenshot of the settings shows something different - it looks
like it's using:
- pre-g2-3des-sha
- pre-g2-3des-md5
- pre-g2-aes128-sha
- pre-g2-aes128-sha
Could this be the issue? Which security settings should I be using? (help
page is here: http://www.shrew.net/support/wiki/HowtoJuniperSsg )
Thanks in advance,
-Marcus
On Sun, Mar 27, 2011 at 2:17 PM, kevin vpn <kvpn at live.com> wrote:
> On Sat, 26 Mar 2011 23:58:54 +1100
> Marcus Macro <macro.marcus at gmail.com> wrote:
>
> > Hi ShrewSoft Team,
> >
> > I'm trying to get the ShrewSoft VPN client to work with my Juniper
> > SSG20 (Firmware v6.1), but am encountering errors when I try to
> > connect.
> >
> > I've exactly followed the directions here:
> > http://www.shrew.net/support/wiki/HowtoJuniperSsg
> >
> > When setting up the VPN client config, I used the example config file
> > and just tweaked the user/pass/presharedkey/ids/IP settings to match
> > my setup: http://www.shrew.net/static/howto/JuniperSsg/juniperssg.vpn
> >
> > But when trying to connect, the ShrewSoft VPN client says this:
> >
> > bringing up tunnel ...
> > negotiation timout occurred
> > tunnel disabled
> > detached from key daemon ...
> >
> > And the Juniper logs says this:
> > Rejected an IKE packet on ethernet0/0 from 99.99.99.99:500
> > to88.88.88.88:500 with cookies 7393deb8306c7e69 and 0000000000000000
> > because an initial Phase 1 packet arrived from an unrecognized peer
> > gateway.
> >
>
> Hi Marcus,
>
> The Phase 1 settings on the SSG are set in the VPN -> AutoKey Advanced
> -> Gateway settings. It is those settings that have to match what
> Shrew is providing from its own Phase 1 configuration.
>
> I just noticed that Howto is not clear in this regard. In the Howto,
> you first create on the SSG a user called 'vpnclient_ph1id' and give it
> an IKE Identity = 'client.shrew.net'. Later, when configuring the
> Shrew client, the Howto says that the 'Local Identity' should be set to
> 'client.domain.com'. This is incorrect, IKE Identity = Local Identity,
> so both of them should be 'client.shrew.net' or both should be
> 'whatever.somedomain.com.'
>
> The same problem exists on the gateway side, 'Local ID' on the SSG must
> match 'Remote Identity' on the Shrew side (for example both should be
> 'vpngw.shrew.net').
>
> Obviously the pre-shared key must be the same on both ends too.
> _______________________________________________
> vpn-help mailing list
> vpn-help at lists.shrew.net
> http://lists.shrew.net/mailman/listinfo/vpn-help
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.shrew.net/pipermail/vpn-help/attachments/20110328/a54d44af/attachment.html>
More information about the vpn-help
mailing list