[vpn-help] Almost connected shrewsoft to Juniper SSG5?

Igor Birman igor_birman at yahoo.com
Fri Jun 25 21:32:10 CDT 2010


I have been trying to set up a VPN connection to an SSG5 by following the instructions at:

http://www.shrew.net/support/wiki/HowtoJuniperSsg

I am able to establish a connection on the client and get an IP address, but then I get some more error messages on the SSG5.  Can someone point me to what they mean?  It says no policy exists for the proxy ID, and then that the VPN does not have an application SA.  I don't understand either message.  Here they are:


2010-06-25 22:36:57 info Rejected an IKE packet on ethernet0/0 from 71.191.197.230:4500 to xx.xx.xx.17:4500 with cookies 0e6193f393015ecd and e153abc6ac9a3cb5 because the VPN does not have an application SA configured.
2010-06-25 22:36:57 info IKE<71.191.197.230> Phase 2: No policy exists for the proxy ID received: local ID (<192.168.100.0>/<255.255.255.0>, <0>, <0>) remote ID (<192.168.100.130>/<255.255.255.255>, <0>, <0>).
2010-06-25 22:36:57 info IKE<71.191.197.230> Phase 2 msg ID <8d82f56c>: Responded to the peer's first message.
2010-06-25 22:36:46 info IKE<71.191.197.230>: XAuth login was passed for gateway <vpnclient_gateway>, username <igor>, retry: 0, Client IP Addr<192.168.100.130>, IPPool name:<vpn>, Session-Timeout:<0s>, Idle-Timeout:<0s>.

Thanks!
Igor






________________________________
From: Rui Cordeiro <rmacordeiro at gmail.com>
To: Igor Birman <igor_birman at yahoo.com>
Cc: vpn-help at lists.shrew.net
Sent: Thu, June 24, 2010 11:03:12 AM
Subject: Re: [vpn-help] Can't connect Shrewsoft to SSG5

Hi, 

I have just finished configuring a VPN connection against a Juniper
with version 5.4 and the data on the link is accurate and everything
worked fine.
If you can send some print screens of the configs, Juniper and Shrew
Client I can try to help you (just delete sensitive info).

Regards,

Rui Cordeiro

Igor Birman wrote: 
>I am trying to connect to an SSG5.  I followed the guide:
>
>http://www.shrew.net/support/wiki/HowtoJuniperSsg
>
>but the client stops at "bringing up tunnel" and then hangs there forever.  On the server, I have the following messages:
>
>2010-06-24 07:47:03    info    IKE<71.191.197.230>: Received initial contact notification and removed Phase 1 SAs.
>2010-06-24 07:47:03    info    IKE<71.191.197.230>: Received initial contact notification and removed Phase 2 SAs.
>2010-06-24 07:47:03    info    IKE<71.191.197.230>: Received a notification message for DOI <1> <24578> <INITIAL-CONTACT>.
>2010-06-24 07:47:03    info    IKE<71.191.197.230> Phase 1: Completed Aggressive mode negotiations with a <28800>-second lifetime.
>2010-06-24 07:47:03    info    IKE<71.191.197.230> Phase 1: Completed for user <Test>.
>2010-06-24 07:47:03    info    IKE<71.191.197.230> Phase 1: IKE responder has detected NAT in front of the remote device.
>2010-06-24 07:47:03    info    IKE<71.191.197.230> Phase 1: IKE responder has detected NAT in front of the local device.
>2010-06-24 07:47:03    info    IKE<71.191.197.230> Phase 1: Responder starts AGGRESSIVE mode negotiations.
>
>What am I missing?
>
>Thanks,
>Igor