[vpn-help] Connection problems to a Juniper SSG5 firewall

kevin shrew-vpn klmlk at hotmail.com
Tue Jul 6 12:43:07 CDT 2010


On Mon, 5 Jul 2010 17:42:02 +0200
"Jan-Tore Pedersen" <jan-tore at lan-xo.no> wrote:

> Hello Kevin
> 
> This is the juniper config, and the vpn client config. If you could
> figure it out it would be great :) I did not setup the firewall. And
> I can't just delete the vpn config and make a new one as there are a lot
> of users still on XP using the old NS client.
> 

Hi Jan-Tore,

I did find two things that are not correct.

First, there is no ippool defined in the SSG config.  That is why the
client is not getting an IP, and is probably why Phase 2 is not
proceeding because I believe Phase 2 occurs using the IP provided
during the XAuth/configuration push step.

Second, you have mismatched networks defined. In the Shrew profile, you
specify a network of xx.xx.xxx.0/24, yet on the SSG the policy you've
defined is for ANY, which maps to 0.0.0.0/0.

Shrew:
s:policy-list-include:xx.xx.xxx.0 / 255.255.255.0

SSG:
set policy id 10 from "Untrust" to "Trust" "Dial-Up VPN" "ANY" nat src tunnel vpn "VPN-IKE" id 0x3 log

You will need to fix them so they are the same, otherwise the SSG will
complain about being unable to find a matching Phase 2 SA entry.
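As an added example (not code from this thread or from either vendor), a small checker that reads a Shrew Soft profile and a ScreenOS config dump and reports the two findings above: no ippool, and a dial-up policy destination that does not match the client's policy-list-include selector. The profile, config lines and addresses are constructed, and the `set ippool` / `set address` syntax is assumed from ScreenOS documentation.

```python
import ipaddress
import re

# Constructed sample inputs, not the poster's files (their address was redacted as xx.xx.xxx.0).
SHREW_PROFILE = """\
s:network-host:203.0.113.1
s:policy-list-include:192.0.2.0 / 255.255.255.0
"""
SSG_BROKEN = """\
set policy id 10 from "Untrust" to "Trust"  "Dial-Up VPN" "ANY" nat src tunnel vpn "VPN-IKE" id 0x3 log
"""
SSG_FIXED = """\
set ippool "vpn-pool" 10.10.10.1 10.10.10.50
set address "Trust" "lan-net" 192.0.2.0 255.255.255.0
set policy id 10 from "Untrust" to "Trust"  "Dial-Up VPN" "lan-net" nat src tunnel vpn "VPN-IKE" id 0x3 log
"""

POLICY_RE = re.compile(r'^set policy id \d+ from "Untrust" to "Trust"\s+"Dial-Up VPN"\s+"([^"]+)"')
ADDRESS_RE = re.compile(r'^set address "\w+" "([^"]+)" (\S+) (\S+)')

def shrew_networks(profile):
    """Networks the Shrew client will propose as its Phase 2 traffic selectors."""
    nets = []
    for line in profile.splitlines():
        if line.startswith("s:policy-list-include:"):
            addr, mask = (p.strip() for p in line.split(":", 2)[2].split("/"))
            nets.append(ipaddress.ip_network(f"{addr}/{mask}"))
    return nets

def ssg_dialup_destinations(cfg):
    """Networks the SSG dial-up tunnel policy accepts as Phase 2 selectors ("ANY" = 0.0.0.0/0)."""
    book, dests = {}, []
    for line in cfg.splitlines():
        m = ADDRESS_RE.match(line)
        if m:  # address-book entry referenced by name from the policy
            book[m.group(1)] = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}")
        m = POLICY_RE.match(line)
        if m:
            name = m.group(1)
            dests.append(ipaddress.ip_network("0.0.0.0/0") if name == "ANY" else book[name])
    return dests

def check(profile, cfg):
    """Return the two findings from the mail as strings; an empty list means both are fixed."""
    findings = []
    if not any(l.startswith("set ippool ") for l in cfg.splitlines()):
        findings.append("no ippool: client gets no address from the XAuth/config push")
    client, gateway = shrew_networks(profile), ssg_dialup_destinations(cfg)
    if sorted(client) != sorted(gateway):
        findings.append(f"selector mismatch: client {client} vs SSG policy {gateway}")
    return findings
```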
