[vpn-help] Does ShrewSoft VPN client work with Juniper SSG20 Firmware v6.1?

kevin vpn kvpn at live.com
Sun Mar 27 11:45:43 CDT 2011


On Mon, 28 Mar 2011 01:17:07 +1100
Marcus Robinson <marcus at marcusrobinson.info> wrote:

> Hi Kevin,
> 
> Thanks for your response. I did indeed notice this discrepancy in the
> help page, but I made sure to use my own "client.myvpn.com" in both
> Juniper firewall and client phase 1 settings. Same as well for the
> phase 2 settings, using "vpngw.myvpn.com", so I don't think that's
> the issue.
> 
> I've also checked the following - I can telnet to the public IP of the
> Juniper VPN on port 80, but I can't telnet to the public IP of the
> Juniper VPN on port 500. The firewall I sit behind definitely has
> port 500 open and I've disabled my Win7 firewall. Is there something
> I need to do on the Juniper to enable access on port 500? The Juniper
> is giving the "Phase 1 packet arrived from an unrecognized peer
> gateway.", so I imagine the request is making it through, so port
> 500 probably isn't the issue...
> 
> Really stumped on this one - can you see anything else in the help
> docs that might be off?
> 
> I noticed another discrepancy in the Phase 1 Security settings in the
> help page. It says in the instructions to use this:
> 
> Phase 1 Proposal
> 
>    - pre-g2-3des-sha
>    - pre-g2-3des-md5
>    - pre-g2-aes128-sha
>    - pre-g2-aes128-md5
> 
> And yet the screenshot of the settings shows something different - it
> looks like it's using:
> 
>    - pre-g2-3des-sha
>    - pre-g2-3des-md5
>    - pre-g2-aes128-sha
>    - pre-g2-aes128-sha
> 
> Could this be the issue? Which security settings should I be using?
> (help page is here:
> http://www.shrew.net/support/wiki/HowtoJuniperSsg )
> 

Hi Marcus,

The "unrecognized peer gateway" message tells us that the traffic is
reaching the gateway on port 500, so that is not an issue.  It also
tells us that the problem is with the identification step. This needs
to be corrected on the VPN -> AutoKey Advanced -> Gateway definition or
on the Shrew Authentication tab.

(Just as an FYI, the screenshots in the Howto are for ScreenOS code 5.x
I believe, since some of the Gateway options (like Local ID) have been
moved to the Advanced options screen in ScreenOS 6.x.)

Based on what you've said that you've double-checked the identity
values, your problem could be one of the following:

1. You have Use As Seed selected. If so, unselect it.

2. Your Outgoing Interface is not set correctly. Typically it is set to
an interface in the Untrust (or V1-Untrust) zone.  The Outgoing
Interface is the one facing the Shrew client traffic.  If it is not
correct, delete the Gateway definition (you'll need to delete the VPN
definition first too) and create a new one, making sure that you set
the Outgoing Interface correctly.

3. The pre-shared key does not match the Shrew config.  I would suggest
deliberately re-entering it on both just to be sure. For instance, type
it into Notepad, then copy-and-paste from Notepad to be sure it is the
same on both.


Regarding your question about the Phase 1 Proposal values, only one
pair needs to match in order to establish a connection, and the Howto
has three matching pairs, so that should not be your problem.  Thank
you for pointing it out however.  Also, if you were getting to the
negotiation stage, the error message on the gateway would be
"negotiations have failed" rather than "unrecognized peer gateway."
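Kevin's point that only one Phase 1 proposal pair has to match, checked against the two lists Marcus quoted (the Howto text and the screenshot), as an added example that is not code from this thread or from the Shrew Soft project. It assumes the ScreenOS naming convention `<auth>-<DH group>-<cipher>-<hash>` and a constructed list of components worth flagging as weak.

```python
from collections import Counter
from dataclasses import astuple, dataclass


@dataclass(frozen=True)
class Proposal:
    """One IKE Phase 1 proposal as ScreenOS names it, e.g. pre-g2-aes128-sha."""
    auth: str      # "pre" = pre-shared key, "rsa" = certificate
    dh_group: str  # Diffie-Hellman group, e.g. "g2"
    cipher: str    # "3des", "aes128", ...
    hash_alg: str  # "sha", "md5"


def parse_proposal(name: str) -> Proposal:
    """Split <auth>-<group>-<cipher>-<hash>; the format is assumed from ScreenOS naming."""
    parts = name.strip().lower().split("-")
    if len(parts) != 4:
        raise ValueError(f"unexpected proposal name: {name!r}")
    return Proposal(*parts)


# Components a reviewer would flag for replacement (assumption, not from the thread).
WEAK_COMPONENTS = {"md5", "3des", "des", "g1"}


def compare_proposals(gateway: list[str], client: list[str]) -> dict:
    """Report shared proposals (gateway order), per-side duplicates and weak entries.

    One shared proposal is enough for Phase 1 to proceed; listing all of them
    makes a total mismatch obvious during a config review.
    """
    gw_parsed = [parse_proposal(n) for n in gateway]
    cl_parsed = {parse_proposal(n) for n in client}
    matching = [n for n, p in zip(gateway, gw_parsed) if p in cl_parsed]
    duplicates = {side: sorted(n for n, c in Counter(names).items() if c > 1)
                  for side, names in (("gateway", gateway), ("client", client))}
    weak = sorted({n for n in gateway + client
                   if set(astuple(parse_proposal(n))) & WEAK_COMPONENTS})
    return {"matching": matching, "duplicates": duplicates, "weak": weak}


# Constructed from the two lists quoted in the thread: Howto text vs. screenshot.
HOWTO_PROPOSALS = ["pre-g2-3des-sha", "pre-g2-3des-md5", "pre-g2-aes128-sha", "pre-g2-aes128-md5"]
SCREENSHOT_PROPOSALS = ["pre-g2-3des-sha", "pre-g2-3des-md5", "pre-g2-aes128-sha", "pre-g2-aes128-sha"]

if __name__ == "__main__":
    report = compare_proposals(HOWTO_PROPOSALS, SCREENSHOT_PROPOSALS)
    print(f"{len(report['matching'])} matching proposal(s): {report['matching']}")
    print("duplicates:", report["duplicates"])
    print("proposals using weak components:", report["weak"])
```

Run against the thread's lists it reports three shared proposals, so as Kevin says the proposal lists cannot be what stops Phase 1; the repeated pre-g2-aes128-sha in the screenshot is only a redundancy.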