[vpn-help] Juniper SSG5 VPN connect Issue

Luke LeBoeuf lleboeuf at gmail.com
Mon Mar 15 12:22:17 CDT 2010

     Thanks again. That worked! the tunnel is now established, but now I 
can not seem to get to any device on the VPN network. The tunnel shows 
up, the firewall logs show a good connection, but I can not navigate to 
any devices on the gateway side (i.e. rdp, netbios, ssh, etc.) Any 
ideas? Do I need to add additional policies that allow all traffic to 
certain devices? I thought the vpn policy would have taken care of that 
( Source = DialupVPN to Internal-net ( any service, none 
(all) application, action=tunnel, tunnel=vpnclient_tunnel). The VPN rule 
is at the top of the list for the inbound (untrust to trust) rules, is 
that acceptable?


On 3/14/2010 8:50 PM, Matthew Grooms wrote:
> On 3/10/2010 5:29 PM, Luke LeBoeuf wrote:
>> All,
>>       I have a Juniper SSG5 firewall that I am trying to set up to work
>> with the release shrew client (v2.1.5). I am using the SSG5 firmware
>> version 6.1.0r2.0. I have set up the gateway side and the client side to
>> the letter of the shrew documentation, but I keep failing to initiate
>> the tunnel and I am not sure why. Below is the reject event that I get
>> from the gateway. Does anyone have any ideas? The shrew client trace
>> tool simply says 'resend limit exceeded for phase1 exchange' and it
>> kills the attempts. Any help would be greatly appreciated as we are
>> trying to get this off the ground. In the example below I was using an
>> AT&T 3g card, but it also happened from a desktop using cox ISP.
>> Rejected an IKE packet on ethernet0/0 from
>> <>  to xx.xx.xx.xx:500 with cookies
>> 5dba7aba5e660ebc and 0000000000000000 because an initial Phase 1 packet
>> arrived from an unrecognized peer gateway.
> The Mode under Define Advanced Parameters of the Autokey Advanced
> Gateway definition needs to be set to Aggressive on some gateways. It
> says ( Initiator ) which I take to mean when the gateway is acting as
> the initiator, but a few people have reported this as a problem with
> certain firmware versions. I'll update the document.
> Hope this helps,
> -Matthew
> _______________________________________________
> vpn-help mailing list
> vpn-help at lists.shrew.net
> http://lists.shrew.net/mailman/listinfo/vpn-help

More information about the vpn-help mailing list