[vpn-help] Problem connecting to a Juniper ISG1000 & Remote ID netmask error

kevin vpn kvpn at live.com
Wed Jun 29 21:11:11 CDT 2011


On Tue, 28 Jun 2011 08:09:15 -0400
marie-andree.poisson at ssss.gouv.qc.ca wrote:

> 
> 
> 
> Hi, sorry about my previous message... as Stefan pointed out: PGP
> problems (c:
> 
> Here are the attachments.
> 
> Thank you
> 
> Marie
> 
> ========================================================================
> 
> 
> Hello,
> 
> I’ve installed Shrew soft 2.1.7 on a windows XP pro SP3 laptop. I’m
> trying to connect to a Juniper NetScreen-ISG1000 running the 6.2.0r1.0
> (firewall+VPN) Firmware.
> 
> I’ve followed the procedure on shrew.net to configure a tunnel using
> x509 certificate but I had to tweak it a bit because I’m trying to
> modify a VPN setup that is currently in place.
> 
> I need to use the PROXY-ID settings in the Juniper (under VPNs,
> AutoKey IKE/advanced) because the user will be assigned an internal
> address for this solution. So I’ve configured the Shrew Soft client
> to use a specific address and network mask under the General/Local
> Host section instead of using the laptop’s current address.
> 
> My problem is the following: I’ve entered the IP address that the
> shrew soft client should be using along with the correct netmask
> (255.255.255.248), I’ve configured my Juniper ISG-1000 accordingly, my
> policies on the Juniper ISG 1000 also have the same setup but when I
> attempt to connect the VPN tunnel, the Juniper ISG-1000 receives the
> right IP but the wrong netmask. It receives 255.255.255.255 so the
> phase 2 fails stating that no policy exists for the proxy ID received.
> 
> I’ve been able to establish the tunnel by configuring the Shrew Soft
> client and the Juniper ISG-1000 by using a /32 address
> (255.255.255.255), the phase 2 completes and the tunnel is up, but
> unfortunately I can’t reach or ping the remote network when the
> tunnel is UP. At first I thought that these were two different
> problems, but I’m starting to think that all my problems come from
> this since the laptop is using its own IP as the default gateway.
> 
> When I try to ping while connected using the /32 netmask, I can see
> the ping go through the VPN tunnel, and reaching the remote server. I
> can track the reply all the way to the Juniper ISG-1000 where I get
> an ICMP CLOSE AGE OUT. I get the same results when trying to connect
> on TCP/80, TCP/3389 ....
> 
> Also, every time I try to connect I get the following message in the
> shrew soft logs: peer violates RFC, transform number mismatch ( 1 !=
> 14 ). It seems that this error might have something to do with the
> fact that I'm unable to ping. Any idea on how to fix it?
> 

Hi Marie,

I think I recall with Juniper that if you're using fixed client
addresses, the ProxyID needs to be 255.255.255.255.  Think of the VPN
tunnel as a single point network between the client and VPN, you won't
be able to talk to any other hosts on that little network anyway. 

It is the policies and the routing table on the gateway that determine
who your client can talk to, not the netmask in the proxyid.  So you
have to make sure you've got the appropriate policies defined that
allow the fixed IP assigned to your Shrew client to reach the
destination.  As well, if you're using a route-based VPN, there has to
be a return route defined to your Shrew client IP pointing to the
tunnel you've defined.
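To make the two points in the reply concrete, here is an added example (not code from the thread or from Juniper/Shrew Soft) that models the two checks a NetScreen does: the phase 2 proxy-ID comparison against the policy, and the return-route lookup for the reply to the client. All addresses, the tunnel interface name and the route entries are constructed sample values.

```python
import ipaddress
from typing import List, Optional, Tuple

# Added example, not the thread's or the vendor's code. Models a NetScreen-style
# proxy-ID check (exact match, subnet AND mask) and a longest-prefix-match route
# lookup for the reply traffic back to a fixed-address Shrew Soft client.

Route = Tuple[str, str]  # (prefix, egress interface), constructed sample routes


def phase2_policy_matches(policy_src: str, policy_dst: str,
                          rx_src: str, rx_dst: str) -> bool:
    """Phase 2 completes only when the received proxy IDs are identical to the
    policy's addresses. A /32 client ID is NOT accepted by a /29 policy even
    though the host lies inside that subnet, which is the 'no policy exists for
    the proxy ID received' failure from the original post."""
    return (ipaddress.ip_network(policy_src) == ipaddress.ip_network(rx_src)
            and ipaddress.ip_network(policy_dst) == ipaddress.ip_network(rx_dst))


def lookup_route(routes: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix-match lookup; returns the egress interface or None."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def reply_reaches_client(routes: List[Route], client_ip: str,
                         tunnel_iface: str = "tunnel.1") -> bool:
    """The server's reply only re-enters the tunnel when the gateway's best
    route for the client IP points at the tunnel interface; otherwise it
    leaves via some other interface and the session ages out."""
    return lookup_route(routes, client_ip) == tunnel_iface


if __name__ == "__main__":
    client = "10.10.10.10"          # constructed fixed client address
    remote_net = "192.168.50.0/24"  # constructed remote network
    print(phase2_policy_matches("10.10.10.8/29", remote_net, client + "/32", remote_net))
    print(phase2_policy_matches(client + "/32", remote_net, client + "/32", remote_net))
    routes = [("0.0.0.0/0", "ethernet0/1"), (remote_net, "ethernet0/2")]
    print(reply_reaches_client(routes, client))
    print(reply_reaches_client(routes + [(client + "/32", "tunnel.1")], client))
```

The first two calls reproduce the /29-versus-/32 proxy-ID failure and its fix; the last two show the tunnel being up yet replies leaving via the default route until a /32 return route to the client via the tunnel interface is added.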


