[vpn-help] Does ShrewSoft VPN client work with Juniper SSG20 Firmware v6.1?

Marcus Robinson marcus at marcusrobinson.info
Sun Mar 27 17:38:33 CDT 2011


Really appreciate your help Kevin. I'll check all the points you list below
this evening and let you know how it goes.


On Mon, Mar 28, 2011 at 3:45 AM, kevin vpn <kvpn at live.com> wrote:

> On Mon, 28 Mar 2011 01:17:07 +1100
> Marcus Robinson <marcus at marcusrobinson.info> wrote:
>
> > Hi Kevin,
> >
> > Thanks for your response. I did indeed notice this discrepancy in the
> > help page, but I made sure to use my own "client.myvpn.com" in both
> > Juniper firewall and client phase 1 settings. Same as well for the
> > phase 2 settings, using "vpngw.myvpn.com", so I don't think that's
> > the issue.
> >
> > I've also checked the following - I can telnet to the public IP of the
> > Juniper VPN on port 80, but I can't telnet to the public IP of the
> > Juniper VPN on port 500. The firewall I sit behind definitely has
> > port 500 open and I've disabled my Win7 firewall. Is there something
> > I need to do on the Juniper to enable access on port 500? The Juniper
> > is giving the "Phase 1 packet arrived from an unrecognized peer
> > gateway." message, so I imagine the request is making it through, so port
> > 500 probably isn't the issue...
> >
> > Really stumped on this one - can you see anything else in the help
> > docs that might be off?
> >
> > I noticed another discrepancy in the Phase 1 Security settings in the
> > help page. It says in the instructions to use this:
> >
> > Phase 1 Proposal
> >
> >    - pre-g2-3des-sha
> >    - pre-g2-3des-md5
> >    - pre-g2-aes128-sha
> >    - pre-g2-aes128-md5
> >
> >
> > And yet the screenshot of the settings shows something different - it
> > looks like it's using:
> >
> >
> >    - pre-g2-3des-sha
> >    - pre-g2-3des-md5
> >    - pre-g2-aes128-sha
> >    - pre-g2-aes128-sha
> >
> >
> > Could this be the issue? Which security settings should I be using?
> > (help page is here:
> > http://www.shrew.net/support/wiki/HowtoJuniperSsg )
> >
>
> Hi Marcus,
>
> The "unrecognized peer gateway" message tells us that the traffic is
> reaching the gateway on port 500, so that is not an issue.  It also
> tells us that the problem is with the identification step. This needs
> to be corrected on the VPN -> AutoKey Advanced -> Gateway definition or
> on the Shrew Authentication tab.
>
> (Just as an FYI, the screenshots in the Howto are for ScreenOS code 5.x
> I believe, since some of the Gateway options (like Local ID) have been
> moved to the Advanced options screen in ScreenOS 6.x.)
>
> Based on what you've said that you've double-checked the identity
> values, your problem could be one of the following:
>
> 1. You have Use As Seed selected. If so, unselect it.
>
> 2. Your Outgoing Interface is not set correctly. Typically it is set to
> an interface in the Untrust (or V1-Untrust) zone.  The Outgoing
> Interface is the one facing the Shrew client traffic.  If it is not
> correct, delete the Gateway definition (you'll need to delete the VPN
> definition first too) and create a new one, making sure that you set
> the Outgoing Interface correctly.
>
> 3. The pre-shared key does not match the Shrew config.  I would suggest
> deliberately re-entering it on both just to be sure. For instance, type
> it into Notepad, then copy-and-paste from Notepad to be sure it is the
> same on both.
>
>
> Regarding your question about the Phase 1 Proposal values, only one
> pair needs to match in order to establish a connection, and the Howto
> has three matching pairs, so that should not be your problem.  Thank
> you for pointing it out however.  Also, if you were getting to the
> negotiation stage, the error message on the gateway would be
> "negotiations have failed" rather than "unrecognized peer gateway."
>
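Kevin's point that only one Phase 1 proposal pair has to match can be checked against the two lists quoted in the thread. The following is an added example, not part of the original messages or of any Shrew or Juniper tooling; the function names and the field order read out of the proposal names (auth, DH group, cipher, hash) are assumptions of this example.

```python
from collections import Counter

# Proposal lists exactly as quoted in the thread.
HOWTO_TEXT = ["pre-g2-3des-sha", "pre-g2-3des-md5",
              "pre-g2-aes128-sha", "pre-g2-aes128-md5"]
HOWTO_SCREENSHOT = ["pre-g2-3des-sha", "pre-g2-3des-md5",
                    "pre-g2-aes128-sha", "pre-g2-aes128-sha"]


def parse_proposal(name):
    """Split a name such as 'pre-g2-3des-sha' into its Phase 1 attributes.

    The field order is inferred from the names in the thread (assumption).
    """
    parts = name.strip().lower().split("-")
    if len(parts) != 4 or not (parts[1].startswith("g") and parts[1][1:].isdigit()):
        raise ValueError(f"unrecognised proposal name: {name!r}")
    auth, group, cipher, digest = parts
    return {"auth": auth, "dh_group": int(group[1:]),
            "cipher": cipher, "hash": digest}


def compare_proposals(side_a, side_b):
    """Compare two proposal lists attribute by attribute.

    Returns the proposals both sides offer (in side_a's order), the ones
    only one side offers, and names repeated within a single list.
    """
    def key(name):
        return tuple(parse_proposal(name).values())

    keys_a = {key(n) for n in side_a}
    keys_b = {key(n) for n in side_b}

    def unique(names):
        return list(dict.fromkeys(names))

    def repeated(names):
        return sorted(n for n, c in Counter(names).items() if c > 1)

    return {
        "matching": unique(n for n in side_a if key(n) in keys_b),
        "only_a": unique(n for n in side_a if key(n) not in keys_b),
        "only_b": unique(n for n in side_b if key(n) not in keys_a),
        "repeated_a": repeated(side_a),
        "repeated_b": repeated(side_b),
    }


if __name__ == "__main__":
    for field, value in compare_proposals(HOWTO_TEXT, HOWTO_SCREENSHOT).items():
        print(f"{field}: {value}")
```

Run on the two lists from the Howto, it reports three shared proposals, `pre-g2-aes128-md5` only in the written instructions, and `pre-g2-aes128-sha` repeated in the screenshot list.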