[vpn-help] Shrew VPN with Juniper SSG-140
Matthew Grooms
mgrooms at shrew.net
Thu Feb 25 16:33:17 CST 2010
On 2/20/2010 5:55 AM, Felix Pablo Grande wrote:
> Hi,
>
> I built a VPN tunnel with the Shrew client and a Juniper SSG-140 firewall, but
> when I try to ping a host on the internal network, I don't receive a pong.
>
Felix,
You are trying to manually specify a client virtual IP address that
exists in one of your remote networks ( 172.16.100/24 ). This won't
work. You need to specify an IP address from a network that doesn't exist
behind your gateway and configure policies to allow traffic from the
network you select to traverse your gateway to the private networks.
Please see the Juniper howto guide for more details.
-Matthew
> In Security associations appear:
>
> Established - 0
> Expired - 0
> Errors - 0
>
> Tunnel
>
> Status - Connected
> Remote Host - Public IP of firewall
> Transpor Used - NAT-T/ IKE | ESP
> IKE fragmentation - Disabled
> Dead Peer Detection - Enabled
>
> And the configuration is:
>
> n:version:2
> n:network-ike-port:500
> n:network-natt-port:4500
> n:network-natt-rate:15
> n:network-frag-size:540
> n:network-dpd-enable:1
> n:network-notify-enable:1
> n:client-banner-enable:0
> n:client-dns-used:1
> n:client-dns-auto:0
> b:auth-mutual-psk:MyPassword
> n:phase1-dhgroup:2
> n:phase1-keylen:0
> n:phase1-life-secs:28800
> n:phase1-life-kbytes:0
> n:vendor-chkpt-enable:0
> n:phase2-keylen:0
> n:phase2-pfsgroup:2
> n:phase2-life-secs:3600
> n:phase2-life-kbytes:0
> n:policy-nailed:0
> n:policy-list-auto:0
> n:network-mtu-size:1380
> n:client-addr-auto:0
> s:network-host:Firewall Public IP
> s:client-auto-mode:disabled
> s:client-iface:virtual
> s:client-ip-addr:172.16.100.169
> s:client-ip-mask:255.255.255.0
> s:network-natt-mode:enable
> s:network-frag-mode:enable
> s:client-dns-addr:172.16.100.2
> s:client-dns-suffix:mydomain.com
> s:auth-method:mutual-psk
> s:ident-client-type:ufqdn
> s:ident-client-data:fpgrande at mydomain.com
> s:ident-server-type:address
> s:ident-server-data:172.16.100.169
> s:phase1-exchange:aggressive
> s:phase1-cipher:des
> s:phase1-hash:md5
> s:phase2-transform:des
> s:phase2-hmac:md5
> s:ipcomp-transform:disabled
> s:policy-list-include:172.16.100.0 / 255.255.255.0,172.17.100.0 / 255.255.255.0
>
> Can you help me ?
>
> Best regards,
>
> --
> Félix Pablo Grande Ramos
>
> The hardest thing is to know ourselves; the easiest is to speak ill of others.
>
> Thales of Miletus
>
>
>
> _______________________________________________
> vpn-help mailing list
> vpn-help at lists.shrew.net
> http://lists.shrew.net/mailman/listinfo/vpn-help
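As an added example (not from the thread or the Shrew Soft project), a Python check that reads the relevant keys from a site file like the one quoted above and reports any included remote network that overlaps the client's virtual address, which is the misconfiguration Matthew points out. The config excerpt is constructed from the values in the post.

```python
import ipaddress

# Constructed excerpt of the Shrew Soft site file quoted in the thread;
# only the keys the check needs are included.
SAMPLE_CONFIG = """\
s:client-iface:virtual
s:client-ip-addr:172.16.100.169
s:client-ip-mask:255.255.255.0
s:policy-list-include:172.16.100.0 / 255.255.255.0,172.17.100.0 / 255.255.255.0
"""


def parse_site(text):
    """Parse Shrew 'type:key:value' lines into a dict keyed by 'key'.

    The type prefix (n:, s:, b:) is dropped; values are kept as strings.
    """
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.count(':') < 2:
            continue
        _kind, key, value = line.split(':', 2)
        conf[key] = value
    return conf


def parse_policy_list(value):
    """Turn 'addr / mask,addr / mask' into a list of IPv4Network objects."""
    nets = []
    for entry in value.split(','):
        if not entry.strip():
            continue
        addr, mask = (part.strip() for part in entry.split('/'))
        nets.append(ipaddress.IPv4Network((addr, mask), strict=False))
    return nets


def overlapping_networks(conf):
    """Return the included remote networks that overlap the client's
    virtual subnet (a manually assigned virtual IP must not live in any of
    the networks behind the gateway)."""
    if conf.get('client-iface') != 'virtual' or 'client-ip-addr' not in conf:
        return []
    client_net = ipaddress.IPv4Network(
        (conf['client-ip-addr'], conf.get('client-ip-mask', '255.255.255.255')),
        strict=False)
    remote = parse_policy_list(conf.get('policy-list-include', ''))
    return [net for net in remote if client_net.overlaps(net)]
```

Running `overlapping_networks(parse_site(SAMPLE_CONFIG))` flags 172.16.100.0/24, the network Matthew identifies; moving the client to an unused range such as 10.99.0.0/24 returns an empty list.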