[vpn-help] Does ShrewSoft VPN client work with Juniper SSG20 Firmware v6.1?

kevin vpn kvpn at live.com
Sat Mar 26 22:17:52 CDT 2011


On Sat, 26 Mar 2011 23:58:54 +1100
Marcus Macro <macro.marcus at gmail.com> wrote:

> Hi ShrewSoft Team,
> 
> I'm trying to get the ShrewSoft VPN client to work with my Juniper
> SSG20 (Firmware v6.1), but am encountering errors when I try to
> connect.
> 
> I've exactly followed the directions here:
> http://www.shrew.net/support/wiki/HowtoJuniperSsg
> 
> When setting up the VPN client config, I used the example config file
> and just tweaked the user/pass/presharedkey/ids/IP settings to match
> my setup: http://www.shrew.net/static/howto/JuniperSsg/juniperssg.vpn
> 
> But when trying to connect, the ShrewSoft VPN client says this:
> 
> bringing up tunnel ...
> negotiation timout occurred
> tunnel disabled
> detached from key daemon ...
> 
> And the Juniper logs says this:
> Rejected an IKE packet on ethernet0/0 from 99.99.99.99:500
> to 88.88.88.88:500 with cookies 7393deb8306c7e69 and 0000000000000000
> because an initial Phase 1 packet arrived from an unrecognized peer
> gateway.
> 

Hi Marcus,

The Phase 1 settings on the SSG are set in the VPN -> AutoKey Advanced
-> Gateway settings.  It is those settings that have to match what
Shrew is providing from its own Phase 1 configuration.

I just noticed that Howto is not clear in this regard. In the Howto,
you first create on the SSG a user called 'vpnclient_ph1id' and give it
an IKE Identity = 'client.shrew.net'.  Later, when configuring the
Shrew client, the Howto says that the 'Local Identity' should be set to
'client.domain.com'.  This is incorrect, IKE Identity = Local Identity,
so both of them should be 'client.shrew.net' or both should be
'whatever.somedomain.com'.

The same problem exists on the gateway side, 'Local ID' on the SSG must
match 'Remote Identity' on the Shrew side (for example both should be
'vpngw.shrew.net').

Obviously the pre-shared key must be the same on both ends too.
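
Side-by-side Phase 1 settings as an added illustration of the matching rule above (this is not from the Howto or from either poster; gateway/user names, addresses, the proposal and the PSK are made-up, and the ScreenOS command forms and the .vpn key names are recalled from the two products' own exports, so check them against `get config` on your SSG and a file exported from your Shrew client before relying on them). Each identity appears exactly once on each side and the two occurrences must be byte-identical:

```text
# SSG side (ScreenOS CLI).  'ike-id' on the user is what Shrew must send
# as its Local Identity; 'local-id' on the gateway is what Shrew must
# expect as its Remote Identity.  Both are FQDN-type identities here.
set user "vpnclient_ph1id" ike-id fqdn "client.shrew.net" share-limit 1
set user "vpnclient_ph1id" type ike
set ike gateway "shrew-dialup" dialup "vpnclient_ph1id" Aggr local-id "vpngw.shrew.net" outgoing-interface "ethernet0/0" preshare "REPLACE-WITH-REAL-PSK" proposal "pre-g2-3des-sha"

# Shrew side (juniperssg.vpn, relevant Phase 1 lines only).
# ident-client-data == SSG user ike-id, ident-server-data == SSG gateway local-id,
# auth-mutual-psk == base64 of the same preshare string (here "REPLACE-WITH-REAL-PSK").
s:network-host:88.88.88.88
s:auth-method:mutual-psk-xauth
s:ident-client-type:fqdn
s:ident-client-data:client.shrew.net
s:ident-server-type:fqdn
s:ident-server-data:vpngw.shrew.net
s:phase1-exchange:aggressive
s:phase1-cipher:3des
s:phase1-hash:sha1
n:phase1-dhgroup:2
b:auth-mutual-psk:UkVQTEFDRS1XSVRILVJFQUwtUFNL
```

Two things worth checking while you compare them: `get user vpnclient_ph1id` and `get ike gateway shrew-dialup` on the SSG print the stored IKE ID and local-id, so a stray trailing dot or a u-fqdn/fqdn type mismatch shows up there; and because this is aggressive mode the client's identity travels in the first packet in clear, which is why the SSG can log "unrecognized peer gateway" before any key material is exchanged, and why the ID itself must not be treated as a secret.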
