[vpn-help] Problem connecting to a Juniper ISG1000 & Remote ID netmask error

marie-andree.poisson at ssss.gouv.qc.ca marie-andree.poisson at ssss.gouv.qc.ca
Tue Jun 28 07:09:15 CDT 2011
Hi, sorry about my previous message... as Stefan pointed out: PGP problems
(c:

Here are the attachments.

Thank you

Marie

========================================================================


Hello,

I’ve installed Shrew Soft 2.1.7 on a Windows XP Pro SP3 laptop. I’m trying
to connect to a Juniper NetScreen-ISG1000 running the 6.2.0r1.0
(firewall+VPN) firmware.

I’ve followed the procedure on shrew.net to configure a tunnel using an X.509
certificate, but I had to tweak it a bit because I’m trying to modify a VPN
setup that is currently in place.

I need to use the PROXY-ID settings in the Juniper (under VPNs, AutoKey
IKE/advanced) because the user will be assigned an internal address for
this solution. So I’ve configured the Shrew Soft client to use a specific
address and network mask under the General/Local Host section instead of
using the laptop’s current address.

My problem is the following: I’ve entered the IP address that the Shrew
Soft client should be using along with the correct netmask
(255.255.255.248), I’ve configured my Juniper ISG-1000 accordingly, and my
policies on the Juniper ISG-1000 also have the same setup, but when I
attempt to connect the VPN tunnel, the Juniper ISG-1000 receives the right
IP but the wrong netmask. It receives 255.255.255.255, so phase 2 fails
stating that no policy exists for the proxy ID received.

I’ve been able to establish the tunnel by configuring the Shrew Soft client
and the Juniper ISG-1000 with a /32 address (255.255.255.255); phase 2
completes and the tunnel is up, but unfortunately I can’t reach or ping the
remote network when the tunnel is UP. At first I thought these were two
different problems, but I’m starting to think that all my problems come
from this, since the laptop is using its own IP as the default gateway.

When I try to ping while connected using the /32 netmask, I can see the
ping go through the VPN tunnel, and reaching the remote server. I can track
the reply all the way to the Juniper ISG-1000 where I get an ICMP CLOSE AGE
OUT. I get the same results when trying to connect on TCP/80, TCP/3389 ....

Also, every time I try to connect I get the following message in the Shrew
Soft logs: peer violates RFC, transform number mismatch ( 1 != 14 ). It
seems that this error might have something to do with the fact that I'm
unable to ping. Any idea on how to fix it?


If you have any suggestions please let me know… Below are my configs and
logs.



Here’s my Shrew Soft config – using the /29 netmask
(See attached file: Shrew config 29.txt)

Shrew Soft client logs – using the /29 netmask
(See attached file: Shrew log 29.txt)

Here are the logs on my Juniper ISG1000 – using the /29 netmask
(See attached file: ISG1000 log 29.txt)

Here’s my Shrew Soft configuration – using the /32 netmask
(See attached file: Shrew config 32.txt)

Shrew Soft client logs – using the /32 netmask
(See attached file: Shrew log 32.txt)

Here are the logs on my Juniper ISG1000 – using the /32 netmask
(See attached file: ISG1000 log 32.txt)


Thank you




____________________________________
Marie-Andrée Poisson
Level 2 Technician - Telecommunications
DOT


Sogique - Bureau de Québec
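Added example, not code from this thread, from Shrew Soft or from Juniper: a small Python model of the phase 2 proxy-ID lookup that a policy-based gateway performs. It reproduces the failure the post describes (a /32 host selector offered against a policy written for a /29) and turns the bare "no policy exists for the proxy ID received" into a diagnostic that names the netmask mismatch. The gateway policy table and all addresses are constructed; exact-match semantics are a simplification assumed here, not a statement about ScreenOS internals.

```python
"""Model of IKE phase 2 proxy-ID (traffic selector) matching.

Added example for the vpn-help thread; constructed policy table and addresses.
Assumption: the gateway accepts a proposal only when both selectors equal a
configured policy exactly (a simplification of how policy-based VPNs behave).
"""
from ipaddress import IPv4Network
from typing import Dict, Optional, Tuple

# name -> (client-side selector as the gateway expects it, protected LAN behind the gateway)
GATEWAY_POLICIES: Dict[str, Tuple[IPv4Network, IPv4Network]] = {
    "vpn-client-pool": (IPv4Network("192.0.2.8/29"), IPv4Network("198.51.100.0/24")),
}


def selector(addr: str, netmask: str) -> IPv4Network:
    """Build a proxy-ID selector from the dotted address and dotted netmask
    fields a client GUI exposes. strict=False masks off host bits, so
    192.0.2.10 / 255.255.255.248 becomes the network 192.0.2.8/29."""
    return IPv4Network(f"{addr}/{netmask}", strict=False)


def find_policy(offered_client: IPv4Network, offered_lan: IPv4Network,
                policies: Dict[str, Tuple[IPv4Network, IPv4Network]]) -> Optional[str]:
    """Return the name of the policy whose selectors equal the offered pair, else None."""
    for name, (client_net, lan_net) in policies.items():
        if client_net == offered_client and lan_net == offered_lan:
            return name
    return None


def diagnose(offered_client: IPv4Network, offered_lan: IPv4Network,
             policies: Dict[str, Tuple[IPv4Network, IPv4Network]]) -> str:
    """Explain why a proposal was or was not accepted, in terms an operator can act on."""
    name = find_policy(offered_client, offered_lan, policies)
    if name is not None:
        return f"phase 2 accepted by policy {name}"
    # No exact match: look for a policy that would have matched if the client
    # had sent the configured mask rather than a narrower (host) selector.
    for name, (client_net, lan_net) in policies.items():
        if lan_net == offered_lan and offered_client != client_net \
                and offered_client.subnet_of(client_net):
            return (f"no exact policy: peer offered {offered_client} "
                    f"(mask {offered_client.netmask}) but policy {name} expects "
                    f"{client_net} (mask {client_net.netmask})")
    return "no policy exists for the proxy ID received"


def walk_through() -> Tuple[str, str]:
    """Run both cases from the post: the /29 the client was configured with,
    and the /32 the gateway actually saw on the wire."""
    lan = IPv4Network("198.51.100.0/24")
    configured = selector("192.0.2.10", "255.255.255.248")   # what was typed in the GUI
    on_the_wire = selector("192.0.2.10", "255.255.255.255")  # what the gateway received
    return diagnose(configured, lan, GATEWAY_POLICIES), diagnose(on_the_wire, lan, GATEWAY_POLICIES)


if __name__ == "__main__":
    for line in walk_through():
        print(line)
```

The useful habit this encodes is to log both masks side by side when phase 2 is refused; a bare "no policy" line hides whether the client, the gateway policy, or the proxy-ID configuration is the one that is wrong.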
Attachments:
- Shrew config 29.txt (4601 bytes): https://lists.shrew.net/pipermail/vpn-help/attachments/20110628/f2c83889/attachment-0012.obj
- Shrew log 29.txt (7148 bytes): https://lists.shrew.net/pipermail/vpn-help/attachments/20110628/f2c83889/attachment-0013.obj
- ISG1000 log 29.txt (4322 bytes): https://lists.shrew.net/pipermail/vpn-help/attachments/20110628/f2c83889/attachment-0014.obj
- Shrew config 32.txt (4603 bytes): https://lists.shrew.net/pipermail/vpn-help/attachments/20110628/f2c83889/attachment-0015.obj
- Shrew log 32.txt (6091 bytes): https://lists.shrew.net/pipermail/vpn-help/attachments/20110628/f2c83889/attachment-0016.obj
- ISG1000 log 32.txt (1030 bytes): https://lists.shrew.net/pipermail/vpn-help/attachments/20110628/f2c83889/attachment-0017.obj