[vpn-help] Shrew soft VPN client configuration for juniper SSG

Matthew Grooms mgrooms at shrew.net
Sun Oct 10 16:55:02 CDT 2010

On 10/8/2010 8:46 AM, Zigmunds Vītiņš wrote:
> Hello,
> I don't have address pool for this vpn.

Hi Zigmunds,

If you don't supply an address pool for the connection, the site config 
needs to be modified. In the general properties page, there is an option 
for selecting the Auto Configuration type. Setting it to 'ike config 
push' means that the client will expect to be sent configuration options 
such as virtual IP address/netmask ( when virtual adapter mode is used ) 
and other settings such as DNS server, WINS server settings. From your 
log output, your gateway appears to be sending an Xauth result without 
sending any configuration information. This is confusing the client 
because its configured to receive a configuration push request.

So, I would try the following ...

1) If the client is set to use "virtual adapter and assigned address", 
you need to change it to "existing adapter and current address". This 
should hopefully match the mode in which your Netscreen remote clients 
operate ( not getting a virtual IP so there is no virtual adapter ). For 
more information on this topic, please see ...


2) If the client is set to use "ike config push" as described in our 
Juniper SSG howto, you need to set this to "disabled" instead. Your 
gateway isn't sending a push request, so the client needs to know to 
skip the automatic configuration step.

Hope this helps,


More information about the vpn-help mailing list