[vpn-help] shrew to juniper dialup, specific ip/service only

kevin vpn klmlk at hotmail.com
Wed Oct 27 06:38:56 CDT 2010


Hi Igor,

I don't think that Proxy-ID is needed for a dial-up policy-based VPN, so you can try simply unchecking/disabling the Proxy-ID setting in the configuration. The addresses in the policy definition will be used instead to define the Security Association (SA).

-----Original Message-----
From: Igor Manassypov <imanassypov at rogers.com>
Date: Wed, 27 Oct 2010 01:00:43 
To: <vpn-help at lists.shrew.net>
Subject: [vpn-help] shrew to juniper dialup, specific ip/service only

Hi,

I would appreciate some help with setting up the dial-up vpn with shrew to juniper netscreen.
Vanilla example presented on the shrew support page works fine.

However, if I attempt to narrow down the "dial-up vpn -> trust" policy to a specific list of ip addresses and only on specific ports, I start receiving "Rejected an IKE packet ... because the VPN does not have an application SA configured".

It appears to me that this is a Proxy-ID issue; however, I can't
seem to figure out how to solve it.

The trust specific ip addresses included on the dial-up policy match
those in the shrew 'policy' tab.

Your help is greatly appreciated,

Thank you

Igor M., M.Eng, P.Eng Network Architect


