[vpn-help] Does ShrewSoft VPN client work with Juniper SSG20 Firmware v6.1?
Marcus Robinson
marcus at marcusrobinson.info
Sun Mar 27 23:56:01 CDT 2011
Brilliant, thanks Kevin, it's working now!
You were right, it was the Outbound Interface - I hadn't properly set it to
be the public facing interface that Shrew connects to.
The online Shrew instructions are brilliant, but this is an important point
that the instructions seem to skip altogether. For n00b sys admins like
myself, I didn't think to update the Outbound Interface, I just left it on
the default interface, which was incorrect. Probably most Sys admins would
know to do this though...
Thanks for your invaluable help, couldn't have done it without your patience
and great instructions!
On Mon, Mar 28, 2011 at 3:45 AM, kevin vpn <kvpn at live.com> wrote:
> On Mon, 28 Mar 2011 01:17:07 +1100
> Marcus Robinson <marcus at marcusrobinson.info> wrote:
>
> > Hi Kevin,
> >
> > Thanks for your response. I did indeed notice this discrepancy in the
> > help page, but I made sure to use my own "client.myvpn.com" in both
> > Juniper firewall and client phase 1 settings. Same as well for the
> > phase 2 settings, using "vpngw.myvpn.com", so I don't think that's
> > the issue.
> >
> > I've also checked the following - I can telnet to the public IP of the
> > Juniper VPN on port 80, but I can't telnet to the public IP of the
> > Juniper VPN on port 500. The firewall I sit behind definitely has
> > port 500 open and I've disabled my Win7 firewall. Is there something
> > I need to do on the Juniper to enable access on port 500? The Juniper
> > is giving the *"**Phase 1 packet arrived from an unrecognized peer
> > gateway."*, so I imagine the request is making it through, so port
> > 500 probably isn't the issue...
> >
> > Really stumped on this one - can you see anything else in the help
> > docs that might be off?
> >
> > I noticed another discrepancy in the Phase 1 Security settings in the
> > help page. It says in the instructions to use this:
> >
> > Phase 1 Proposal
> >
> > - pre-g2-3des-sha
> > - pre-g2-3des-md5
> > - pre-g2-aes128-sha
> > - pre-g2-aes128-md5
> >
> >
> > And yet the screenshot of the settings shows something different - it
> > looks like it's using:
> >
> >
> > - pre-g2-3des-sha
> > - pre-g2-3des-md5
> > - pre-g2-aes128-sha
> > - pre-g2-aes128-sha
> >
> >
> > Could this be the issue? Which security settings should I be using?
> > (help page is here:
> > http://www.shrew.net/support/wiki/HowtoJuniperSsg )
> >
>
> Hi Marcus,
>
> The "unrecognized peer gateway" message tells us that the traffic is
> reaching the gateway on port 500, so that is not an issue. It also
> tells us that the problem is with the identification step. This needs
> to be corrected on the VPN -> AutoKey Advanced -> Gateway definition or
> on the Shrew Authentication tab.
>
> (Just as an FYI, the screenshots in the Howto are for ScreenOS code 5.x
> I believe, since some of the Gateway options (like Local ID) have been
> moved to the Advanced options screen in ScreenOS 6.x.)
>
> Based on what you've said that you've double-checked the identity
> values, your problem could be one of the following:
>
> 1. You have Use As Seed selected. If so, unselect it.
>
> 2. Your Outgoing Interface is not set correctly. Typically it is set to
> an interface in the Untrust (or V1-Untrust) zone. The Outgoing
> Interface is the one facing the Shrew client traffic. If it is not
> correct, delete the Gateway definition (you'll need to delete the VPN
> definition first too) and create a new one, making sure that you set
> the Outgoing Interface correctly.
>
> 3. The pre-shared key does not match the Shrew config. I would suggest
> deliberately re-entering it on both just to be sure. For instance, type
> it into Notepad, then copy-and-paste from Notepad to be sure it is the
> same on both.
>
>
> Regarding your question about the Phase 1 Proposal values, only one
> pair needs to match in order to establish a connection, and the Howto
> has three matching pairs, so that should not be your problem. Thank
> you for pointing it out however. Also, if you were getting to the
> negotiation stage, the error message on the gateway would be
> "negotiations have failed" rather than "unrecognized peer gateway."
> _______________________________________________
> vpn-help mailing list
> vpn-help at lists.shrew.net
> http://lists.shrew.net/mailman/listinfo/vpn-help
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.shrew.net/pipermail/vpn-help/attachments/20110328/62402d37/attachment-0001.html>
More information about the vpn-help
mailing list