[vpn-help] Almost connected shrewsoft to Juniper SSG5?

kevin shrew-vpn klmlk at hotmail.com
Sat Jun 26 12:28:27 CDT 2010


On Fri, 25 Jun 2010 19:32:10 -0700 (PDT)
Igor Birman <igor_birman at yahoo.com> wrote:

> I have been trying to set up a VPN connection to an SSG5 by following
> the instructions at:
> 
> http://www.shrew.net/support/wiki/HowtoJuniperSsg
> 
> I am able to establish a connection on the client and get an IP
> address, but then I get some more error messages on the SSG5.  Can
> someone point me to what they mean?  It says no policy exists for the
> proxy ID, and then that the VPN does not have an application SA.  I
> don't understand either message.  Here they are:
> 
> 
> 2010-06-25 22:36:57 info Rejected an IKE packet on ethernet0/0 from
> 71.191.197.230:4500 to xx.xx.xx.17:4500 with cookies 0e6193f393015ecd
> and e153abc6ac9a3cb5 because the VPN does not have an application SA
> configured.
> 2010-06-25 22:36:57 info IKE<71.191.197.230> Phase 2: No policy
> exists for the proxy ID received: local ID
> (<192.168.100.0>/<255.255.255.0>, <0>, <0>) remote ID
> (<192.168.100.130>/<255.255.255.255>, <0>, <0>).
> 2010-06-25 22:36:57 info IKE<71.191.197.230> Phase 2 msg ID
> <8d82f56c>: Responded to the peer's first message.
> 2010-06-25 22:36:46 info IKE<71.191.197.230>: XAuth login was passed
> for gateway <vpnclient_gateway>, username <igor>, retry: 0, Client IP
> Addr<192.168.100.130>, IPPool name:<vpn>, Session-Timeout:<0s>,
> Idle-Timeout:<0s>.
> 
> Thanks! Igor
> 

Hi Igor,

I would first check the AutoKey IKE Proxy-ID settings.  (VPNs->AutoKey
IKE->Edit->Advanced).  If you enable the Proxy-ID, I think those have
to match the policy you've defined in the Shrew profile.  For example,
if you have defined in the Shrew profile (on the policy tab) that all
traffic be tunneled, I think the Local IP/Netmask on the SSG should be
0.0.0.0/0.  If you've specified a subnet in Shrew (e.g.
10.1.0.0/255.255.0.0) then the Local IP/Mask on the SSG should be
10.1.0.0/16.  You really don't need to enable the Proxy-ID, however.

If those are correct (or you don't have the Proxy-ID enabled), then make
sure you have a firewall policy defined that matches the Shrew VPN
profile.  Going by my second example above, the policy should be
defined as:

From zone Untrust
To zone Trust
Source address Dial-Up VPN
Destination address 10.1.0.0/16  (for example).

The Destination Address is what needs to match the entry in the Shrew
profile Policy tab.  For my first example (tunnel all), the destination
address would be Any.

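As an added illustration of the check Kevin describes (not code from the thread or from Juniper), the script below parses the "No policy exists for the proxy ID received" line from Igor's log, converts the Shrew-style dotted mask to CIDR the way Kevin does (10.1.0.0/255.255.0.0 becomes 10.1.0.0/16), and reports whether an Untrust-to-Trust Dial-Up VPN policy covers the local proxy ID. The policy list format and the "Any" handling are assumptions made for the example.

```python
"""Check a ScreenOS Phase 2 proxy-ID mismatch against firewall policies (constructed example)."""
import ipaddress
import re

# Matches the local/remote ID pairs as ScreenOS prints them in the Phase 2 log line.
PROXY_ID_RE = re.compile(
    r"No policy exists for the proxy ID received: local ID "
    r"\(<(?P<lip>[\d.]+)>/<(?P<lmask>[\d.]+)>, <\d+>, <\d+>\) remote ID "
    r"\(<(?P<rip>[\d.]+)>/<(?P<rmask>[\d.]+)>, <\d+>, <\d+>\)"
)

# Log line quoted in Igor's message, embedded here as sample input.
SAMPLE_LOG = (
    "2010-06-25 22:36:57 info IKE<71.191.197.230> Phase 2: No policy exists for "
    "the proxy ID received: local ID (<192.168.100.0>/<255.255.255.0>, <0>, <0>) "
    "remote ID (<192.168.100.130>/<255.255.255.255>, <0>, <0>)."
)


def to_network(ip, dotted_mask):
    """Convert 'ip' plus dotted mask (Shrew policy tab style) into a CIDR network."""
    return ipaddress.ip_network(f"{ip}/{dotted_mask}", strict=False)


def parse_proxy_id(line):
    """Return {'local': net, 'remote': net} from the Phase 2 log line, or None."""
    m = PROXY_ID_RE.search(line)
    if not m:
        return None
    return {"local": to_network(m["lip"], m["lmask"]),
            "remote": to_network(m["rip"], m["rmask"])}


def find_matching_policy(proxy, policies):
    """Return the first Untrust->Trust policy from 'Dial-Up VPN' whose destination
    covers the local proxy ID (the SSG-side network the client asked for).
    Assumption: 'Any' is treated as 0.0.0.0/0; real ScreenOS matching may be stricter."""
    for pol in policies:
        if (pol["from"], pol["to"], pol["src"]) != ("Untrust", "Trust", "Dial-Up VPN"):
            continue
        dst = ipaddress.ip_network("0.0.0.0/0" if pol["dst"] == "Any" else pol["dst"])
        if proxy["local"].subnet_of(dst):
            return pol
    return None
```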