[vpn-help] "unrecognized peer gateway"

C.Hoffmann at ProSeS.de C.Hoffmann at ProSeS.de
Sun May 4 04:30:56 CDT 2014


Hi Ralph,

You can only set the interface when creating the VPN gateway info, so you will have to remove everything using that VPN gateway definition (VPN policy, VPN "AutoKey IKE", VPN "AutoKey Advanced" » Gateway), and recreate.
In "AutoKey Advanced" » Gateway » Advanced you should see "Outgoing Interface", and be able to select your Untrust IF.
At least that is where it is in ScreenOS 6.

Regards,
Clemens Hoffmann


-----Original Message-----
From: vpn-help [mailto:vpn-help-bounces at lists.shrew.net] On Behalf Of ecn at rwalk.com
Sent: Friday, May 02, 2014 5:17 PM
To: vpn-help at lists.shrew.net
Subject: [vpn-help] "unrecognized peer gateway"

I also am a noob to VPN with a SSG5.  I am getting the same issue as
described below and I am sure I probably have the Outgoing Interface set
to default.  I cannot figure out where that setting is as I do not see
anything labeled Outgoing Interface specifically.

Can someone tell me where this setting may be?

Thanks Ralph


Brilliant, thanks Kevin, it's working now!

You were right, it was the Outbound Interface - I hadn't properly set it to
be the public facing interface that Shrew connects to.

The online Shrew instructions are brilliant, but this is an important point
that the instructions seem to skip altogether. For n00b sys admins like
myself, I didn't think to update the Outbound Interface, I just left it on
the default interface, which was incorrect. Probably most Sys admins would
know to do this though...

Thanks for your invaluable help, couldn't have done it without your patience
and great instructions!


On Mon, Mar 28, 2011 at 3:45 AM, kevin vpn <kvpn at live.com> wrote:

> On Mon, 28 Mar 2011 01:17:07 +1100
> Marcus Robinson <marcus at marcusrobinson.info> wrote:
>
> > Hi Kevin,
> >
> > Thanks for your response. I did indeed notice this discrepancy in the
> > help page, but I made sure to use my own "client.myvpn.com" in both
> > Juniper firewall and client phase 1 settings. Same as well for the
> > phase 2 settings, using "vpngw.myvpn.com", so I don't think that's
> > the issue.
> >
> > I've also checked the following - I can telnet to the public IP of the
> > Juniper VPN on port 80, but I can't telnet to the public IP of the
> > Juniper VPN on port 500. The firewall I sit behind definitely has
> > port 500 open and I've disabled my Win7 firewall. Is there something
> > I need to do on the Juniper to enable access on port 500? The Juniper
> > is giving the "Phase 1 packet arrived from an unrecognized peer
> > gateway.", so I imagine the request is making it through, so port
> > 500 probably isn't the issue...
> >
> > Really stumped on this one - can you see anything else in the help
> > docs that might be off?
> >
> > I noticed another discrepancy in the Phase 1 Security settings in the
> > help page. It says in the instructions to use  this:
> >
> > Phase 1 Proposal
> >
> >    - pre-g2-3des-sha
> >    - pre-g2-3des-md5
> >    - pre-g2-aes128-sha
> >    - pre-g2-aes128-md5
> >
> >
> > And yet the screenshot of the settings shows something different - it
> > looks like it's using:
> >
> >
> >    - pre-g2-3des-sha
> >    - pre-g2-3des-md5
> >    - pre-g2-aes128-sha
> >    - pre-g2-aes128-sha
> >
> >
> > Could this be the issue? Which security settings should I be using?
> > (help page is here:
> > http://www.shrew.net/support/wiki/HowtoJuniperSsg )
> >
>
> Hi Marcus,
>
> The "unrecognized peer gateway" message tells us that the traffic is
> reaching the gateway on port 500, so that is not an issue.  It also
> tells us that the problem is with the identification step. This needs
> to be corrected on the VPN -> AutoKey Advanced -> Gateway definition or
> on the Shrew Authentication tab.
>
> (Just as an FYI, the screenshots in the Howto are for ScreenOS code 5.x
> I believe, since some of the Gateway options (like Local ID) have been
> moved to the Advanced options screen in ScreenOS 6.x.)
>
> Based on what you've said that you've double-checked the identity
> values, your problem could be one of the following:
>
> 1. You have Use As Seed selected. If so, unselect it.
>
> 2. Your Outgoing Interface is not set correctly. Typically it is set to
> an interface in the Untrust (or V1-Untrust) zone.  The Outgoing
> Interface is the one facing the Shrew client traffic.  If it is not
> correct, delete the Gateway definition (you'll need to delete the VPN
> definition first too) and create a new one, making sure that you set
> the Outgoing Interface correctly.
>
> 3. The pre-shared key does not match the Shrew config.  I would suggest
> deliberately re-entering it on both just to be sure. For instance, type
> it into Notepad, then copy-and-paste from Notepad to be sure it is the
> same on both.
>
>
> Regarding your question about the Phase 1 Proposal values, only one
> pair needs to match in order to establish a connection, and the Howto
> has three matching pairs, so that should not be your problem.  Thank
> you for pointing it out however.  Also, if you were getting to the
> negotiation stage, the error message on the gateway would be
> "negotiations have failed" rather than "unrecognized peer gateway."

_______________________________________________
vpn-help mailing list
vpn-help at lists.shrew.net
https://lists.shrew.net/mailman/listinfo/vpn-help