[vpn-help] Almost connected shrewsoft to Juniper SSG5?

kevin shrew-vpn klmlk at hotmail.com
Sun Jun 27 19:13:35 CDT 2010


On Sun, 27 Jun 2010 12:42:58 -0700 (PDT)
Igor Birman <igor_birman at yahoo.com> wrote:

> Thanks, that helped.  So SA is the Security Association aka Policy?
> My policy was set up incorrectly, I changed the policies on the
> client and on the SSG5 to match, and I no longer get that error.  Now
> the only remaining problem is that I can't seem to ping the trusted
> network from my computer.  It looks like all is connected, there are
> no errors, but ping goes nowhere.  Is there anything else I need to
> do?  My goal is to get from 192.168.100.130 (client IP), to
> 192.168.100.100 (server IP).
>  
> I am attaching the SSG and ShrewSoft configs:
> 
> set interface bgroup0 ip 192.168.100.1/24
<snip>
> set interface bgroup0 dhcp server ip 192.168.100.101 to 192.168.100.150
<snip>
> set address "Trust" "192.168.100.100/32" 192.168.100.100 255.255.255.255
> set address "Trust" "Trusted Network" 255.255.255.0 255.255.255.128
> set ippool "vpn" 192.168.100.130 192.168.100.140
<snip>

Hi Igor,

I think your problem is that you have overlapping subnets between your
Trust network and the IPs that are being handed out to VPN clients.
They cannot be part of the same subnet. If you change your IPPool to
something like 192.168.200.130 to 192.168.200.140 that should sort the
problem.

Yes, the Security Association in this case is the Policy.  More
generally, it's the source IP-destination IP pairs that are
compared during negotiation.  If the source IP matches what the gateway
expects (as defined either in the Policy or the AutoKey IKE Proxy-ID)
and the source requests a network mask that matches the destination
defined also in the Policy or Proxy-ID, then the SA matches and
negotiation can proceed.  I think that's what it is, although I'm not
an expert in VPNs, so I could be wrong or incomplete.  That might only
be valid for ScreenOS as well.
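As an added illustration of the two points in the reply above (this is example code, not something posted to the thread and not part of ScreenOS or the Shrew Soft client): a small Python check that parses the `set interface ... ip` and `set ippool` lines of a ScreenOS-style config, flags a pool that falls inside a directly connected subnet, and models the Phase 2 proxy-ID comparison. The config strings are constructed from the lines quoted above plus the 192.168.200.x pool suggested in the reply; the proxy-ID rule in `proxy_ids_match` is a simplified assumption of this example, not ScreenOS's exact matching logic.

```python
"""Check a ScreenOS-style config for an IP pool that overlaps a connected
subnet, and model the Phase 2 (proxy-ID) comparison described in the reply."""
import ipaddress
import re
from typing import Dict, List, Tuple

IPv4Net = ipaddress.IPv4Network
IPv4Addr = ipaddress.IPv4Address

# Constructed samples: the two posted lines that matter for the overlap
# question, and the same config with the pool moved to 192.168.200.x.
POSTED_CONFIG = """\
set interface bgroup0 ip 192.168.100.1/24
set ippool "vpn" 192.168.100.130 192.168.100.140
"""
FIXED_CONFIG = """\
set interface bgroup0 ip 192.168.100.1/24
set ippool "vpn" 192.168.200.130 192.168.200.140
"""

_IFACE_RE = re.compile(r'^set interface (\S+) ip (\d+\.\d+\.\d+\.\d+/\d+)$', re.M)
_POOL_RE = re.compile(
    r'^set ippool "([^"]+)" (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)$', re.M)


def parse_interface_subnets(config: str) -> Dict[str, IPv4Net]:
    """Map each interface to its directly connected subnet.
    strict=False turns the host address 192.168.100.1/24 into 192.168.100.0/24."""
    return {name: ipaddress.ip_network(cidr, strict=False)
            for name, cidr in _IFACE_RE.findall(config)}


def parse_ippools(config: str) -> Dict[str, Tuple[IPv4Addr, IPv4Addr]]:
    """Map each pool name to its (first, last) address."""
    return {name: (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
            for name, lo, hi in _POOL_RE.findall(config)}


def pool_overlaps(pool: Tuple[IPv4Addr, IPv4Addr],
                  subnets: Dict[str, IPv4Net]) -> List[str]:
    """Return the interfaces whose connected subnet shares an address with the pool.
    If a client address lies in a connected subnet, the gateway has a connected
    route for it and will try to deliver return traffic on that LAN segment
    instead of through the tunnel, which is why pings get no reply."""
    lo, hi = pool
    hits = []
    for name, net in subnets.items():
        first, last = net[0], net[-1]
        if lo <= last and hi >= first:  # the two address ranges intersect
            hits.append(name)
    return hits


def find_overlapping_pools(config: str) -> Dict[str, List[str]]:
    """Run the overlap check over a whole config: pool name -> colliding interfaces."""
    subnets = parse_interface_subnets(config)
    result: Dict[str, List[str]] = {}
    for name, rng in parse_ippools(config).items():
        hits = pool_overlaps(rng, subnets)
        if hits:
            result[name] = hits
    return result


def proxy_ids_match(client_local: str, client_remote: str,
                    policy_src: str, policy_dst: str) -> bool:
    """Simplified model (an assumption of this example, not ScreenOS's exact rule)
    of the Phase 2 check described in the reply: the client's local ID must fall
    inside the source the policy or proxy-ID expects, and the client's remote ID
    must be exactly the destination network the policy protects."""
    local = ipaddress.ip_network(client_local, strict=False)
    remote = ipaddress.ip_network(client_remote, strict=False)
    src = ipaddress.ip_network(policy_src, strict=False)
    dst = ipaddress.ip_network(policy_dst, strict=False)
    return local.subnet_of(src) and remote == dst


if __name__ == "__main__":
    print("posted config:", find_overlapping_pools(POSTED_CONFIG))  # {'vpn': ['bgroup0']}
    print("fixed config: ", find_overlapping_pools(FIXED_CONFIG))   # {}
    # Client on the moved pool asking for the whole Trust network: SA matches.
    print(proxy_ids_match("192.168.200.130/32", "192.168.100.0/24",
                          "192.168.200.0/24", "192.168.100.0/24"))  # True
    # Client asking for a single host when the policy protects the /24: no match.
    print(proxy_ids_match("192.168.200.130/32", "192.168.100.100/32",
                          "192.168.200.0/24", "192.168.100.0/24"))  # False
```

The overlap test is plain interval arithmetic on the pool's first and last address against each connected subnet, so it also catches a pool that only partially straddles a subnet boundary; the posted pool sits entirely inside 192.168.100.0/24 and is reported against bgroup0, while the 192.168.200.x pool is clean.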




More information about the vpn-help mailing list