[vpn-help] Shrew VPN with SSG114
Kevin VPN
kvpn at live.com
Thu Jul 28 21:27:52 CDT 2011
On 07/27/2011 05:54 AM, Christian Brandes wrote:
> Hi Chris,
>
>> Rejected an IKE packet on ethernet0/2 from 86.189.19.236:57958 to XXX.XXX.XXX.XXXX:500 with cookies 202fae23c1e61f6b and 0000000000000000 because an initial Phase 1 packet arrived from an unrecognized peer gateway.
> This means your Juniper appliance does not recognize the calling peer.
> It could be an issue with IKE Identity / IKE ID Type. Both must match at both ends (Juniper and VPN client).
> If you set IKE ID Type to "Auto" on the Juniper it changes to FQDN, IPADDR or U-FQDN on its own, depending on the IKE Identity inserted.
>
> If this does not solve your problem, please use "Shrew Soft VPN Trace" to gather more meaningful information.
> Possibly you have to run it with administrator permissions to be able to see log entries.
>
I think that's the right advice, especially since the SSG Howto has an
error when it comes to the identities.
In the Howto, it says to first create on the SSG a user called
'vpnclient_ph1id' and give it an IKE Identity = 'client.shrew.net'.
Later, when configuring the Shrew client, the Howto says that the 'Local
Identity' should be set to 'client.domain.com'.
This is incorrect because, as you point out, IKE Identity = Local
Identity, so both of them should be 'client.shrew.net' or both should be
'whatever.somedomain.com'.