[vpn-help] Problem connecting to a Juniper ISG1000 & Remote ID netmask error

marie-andree.poisson at ssss.gouv.qc.ca marie-andree.poisson at ssss.gouv.qc.ca
Mon Jun 27 14:51:53 CDT 2011




Hello,

I’ve installed Shrew Soft 2.1.7 on a Windows XP Pro SP3 laptop. I’m trying
to connect to a Juniper NetScreen-ISG1000 running the 6.2.0r1.0
(firewall+VPN) firmware.

I’ve followed the procedure on shrew.net to configure a tunnel using x509
certificate but I had to tweak it a bit because I’m trying to modify a VPN
setup that is currently in place.

I need to use the PROXY-ID settings in the Juniper (under VPNs, AutoKey
IKE/advanced) because the user will be assigned an internal address for
this solution. So I’ve configured the Shrew Soft client to use a specific
address and network mask under the General/Local Host section instead of
using the laptop’s current address.

My problem is the following: I’ve entered the IP address that the Shrew
Soft client should be using along with the correct netmask
(255.255.255.248), I’ve configured my Juniper ISG-1000 accordingly, and my
policies on the Juniper ISG-1000 also have the same setup, but when I
attempt to connect the VPN tunnel, the Juniper ISG-1000 receives the right
IP but the wrong netmask. It receives 255.255.255.255, so phase 2 fails,
stating that no policy exists for the proxy ID received.

I’ve been able to establish the tunnel by configuring the Shrew Soft client
and the Juniper ISG-1000 to use a /32 address (255.255.255.255); phase 2
completes and the tunnel is up, but unfortunately I can’t reach or
ping the remote network when the tunnel is UP. At first I thought that these
were two different problems, but I’m starting to think that all my problems
come from this, since the laptop is using its own IP as the default
gateway.

When I try to ping while connected using the /32 netmask, I can see the
ping go through the VPN tunnel, and reaching the remote server. I can track
the reply all the way to the Juniper ISG-1000 where I get an ICMP CLOSE AGE
OUT. I get the same results when trying to connect on TCP/80, TCP/3389 ....

Also, every time I try to connect I get the following message in the Shrew
Soft logs: peer violates RFC, transform number mismatch ( 1 != 14 ). It
seems that this error might have something to do with the fact that I'm
unable to ping. Any idea on how to fix it?


If you have any suggestions please let me know… Below are my configs and
logs.



Here’s my shrew soft config – Using the /29 netmask



Shrew soft client logs – Using the /29 netmask


Here’s the logs on my juniper ISG1000 – Using the /29 netmask


Here’s my Shrew soft configuration – Using the /32 netmask


Shrew soft client logs – Using the /32 netmask


Here’s the logs on my juniper ISG1000 – Using the /32 netmask




Thank you

____________________________________
Marie-Andrée Poisson
Technicienne niveau 2 - Télécommunications
DOT

Sog
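The phase 2 proxy-ID lookup the post describes, as an added illustration (not code from the original post, from Shrew Soft or from Juniper). It models the gateway's exact-match policy check and shows why a /32 remote ID fails against a /29 policy; all addresses and policy names are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example: models how a policy-based gateway compares the phase 2
# proxy-ID it receives with its configured policies. The lookup is an exact
# match, so a /32 presented by the client does not satisfy a /29 policy.

@dataclass(frozen=True)
class ProxyId:
    """Proxy-ID as seen from the gateway: local subnet, remote subnet,
    IP protocol and port (0 = any)."""
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network
    proto: int = 0
    port: int = 0

def proxy_id(local: str, remote: str, proto: int = 0, port: int = 0) -> ProxyId:
    # strict=False accepts a host address written with its mask (10.0.0.10/29)
    return ProxyId(ipaddress.IPv4Network(local, strict=False),
                   ipaddress.IPv4Network(remote, strict=False), proto, port)

def find_policy(received: ProxyId, policies: list) -> Optional[ProxyId]:
    """Exact-match lookup: network, prefix length, protocol and port all equal."""
    return next((p for p in policies if p == received), None)

def diagnose(received: ProxyId, policies: list) -> str:
    """Explain a failed lookup in the terms the gateway log uses (remote ID netmask)."""
    if find_policy(received, policies) is not None:
        return "ok: matching policy found"
    for p in policies:
        if (received.local == p.local and received.proto == p.proto
                and received.port == p.port
                and received.remote.subnet_of(p.remote)
                and received.remote.prefixlen != p.remote.prefixlen):
            return ("remote ID netmask mismatch: received %s, policy expects %s"
                    % (received.remote.netmask, p.remote.netmask))
    return "no policy exists for the proxy ID received"

# Constructed sample: 192.0.2.0/24 is the protected LAN behind the gateway,
# 10.0.0.8/29 is the block the client is supposed to present as its local host.
POLICIES = [proxy_id("192.0.2.0/24", "10.0.0.8/29")]
FROM_CLIENT_29 = proxy_id("192.0.2.0/24", "10.0.0.10/29")   # what was intended
FROM_CLIENT_32 = proxy_id("192.0.2.0/24", "10.0.0.10/32")   # what the gateway saw

if __name__ == "__main__":
    print(diagnose(FROM_CLIENT_29, POLICIES))
    print(diagnose(FROM_CLIENT_32, POLICIES))
```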