[vpn-help] "unrecognized peer gateway"

John Downs john.downs at tapad.com
Thu May 8 11:09:50 CDT 2014


REMOVE ME 
John Downs, IT Systems and Desktop Support Technician
TAPAD  60 Madison Avenue 3rd FL, New York, NY 10010
Office: 3478174458 | John.Downs at tapad.com
Tapad Named One of Forbes' Most Promising American Companies #12 - 2014

On May 8, 2014, at 12:03 PM, <C.Hoffmann at ProSeS.de> <C.Hoffmann at ProSeS.de> wrote:

> To be able to easily edit VPN info, I've created a "NULL VPN" gateway and IKE definition, and replace that in whatever depends on the object I want to change. It doesn't matter what data you use in those "pseudo" objects.
> 
> 
> Here you would have to set AutoKey IKE to use the "NULL VPN" gateway created that way, to be able to recreate the Gateway entry with the correct interface, and then you just need to re-set that gateway in IKE. Otherwise you have to delete anything related, and start all over.
> 
> -----Original Message-----
> From: Ralph Walker [mailto:ecn at rwalk.com] 
> Sent: Wednesday, May 07, 2014 5:46 PM
> To: Q
> Subject: Re: [vpn-help] "unrecognized peer gateway"
> 
> clemens,
> 
> Thank you for your help.  I am now researching how to remove everything 
> so I can reenter the parameters.
> 
> Ralph
> 
> 
> On 05/04/2014 03:30 AM, C.Hoffmann at ProSeS.de wrote:
>> Hi Ralph,
>> 
>> You can only set the interface when creating the VPN gateway info, so you will have to remove everything using that VPN gateway definition (VPN policy, VPN "AutoKey IKE", VPN "AutoKey Advanced" » Gateway), and recreate.
>> In "AutoKey Advanced" » Gateway » Advanced you should see "Outgoing Interface", and be able to select your Untrust IF.
>> At least that is where it is in ScreenOS 6.
>> 
>> Regards,
>> Clemens Hoffmann
>> 
>> 
>> -----Original Message-----
>> From: vpn-help [mailto:vpn-help-bounces at lists.shrew.net] On Behalf Of ecn at rwalk.com
>> Sent: Friday, May 02, 2014 5:17 PM
>> To: vpn-help at lists.shrew.net
>> Subject: [vpn-help] "unrecognized peer gateway"
>> 
>> I also am a noob to VPN with a SSG5.  I am getting the same issue as
>> described below and I am sure I probably have the Outgoing Interface set
>> to default.  I cannot figure out where that setting is as I do not see
>> anything labeled Outgoing Interface specifically.
>> 
>> Can someone tell me where this setting may be?
>> 
>> Thanks Ralph
>> 
>> 
>> Brilliant, thanks Kevin, it's working now!
>> 
>> You were right, it was the Outbound Interface - I hadn't properly set it to
>> be the public facing interface that Shrew connects to.
>> 
>> The online Shrew instructions are brilliant, but this is an important point
>> that the instructions seem to skip altogether. For n00b sys admins like
>> myself, I didn't think to update the Outbound Interface, I just left it on
>> the default interface, which was incorrect. Probably most Sys admins would
>> know to do this though...
>> 
>> Thanks for your invaluable help, couldn't have done it without your patience
>> and great instructions!
>> 
>> 
>> On Mon, Mar 28, 2011 at 3:45 AM, kevin vpn <kvpn at live.com> wrote:
>> 
>>> On Mon, 28 Mar 2011 01:17:07 +1100
>>> Marcus Robinson <marcus at marcusrobinson.info> wrote:
>>> 
>>>> Hi Kevin,
>>>> 
>>>> Thanks for your response. I did indeed notice this discrepancy in the
>>>> help page, but I made sure to use my own "client.myvpn.com" in both
>>>> Juniper firewall and client phase 1 settings. Same as well for the
>>>> phase 2 settings, using "vpngw.myvpn.com", so I don't think that's
>>>> the issue.
>>>> 
>>>> I've also checked the following - I can telnet to the public IP of the
>>>> Juniper VPN on port 80, but I can't telnet to the public IP of the
>>>> Juniper VPN on port 500. The firewall I sit behind definitely has
>>>> port 500 open and I've disabled my Win7 firewall. Is there something
>>>> I need to do on the Juniper to enable access on port 500? The Juniper
>>>> is giving the "Phase 1 packet arrived from an unrecognized peer
>>>> gateway." message, so I imagine the request is making it through, so port
>>>> 500 probably isn't the issue...
>>>> 
>>>> Really stumped on this one - can you see anything else in the help
>>>> docs that might be off?
>>>> 
>>>> I noticed another discrepancy in the Phase 1 Security settings in the
>>>> help page. It says in the instructions to use  this:
>>>> 
>>>> Phase 1 Proposal
>>>> 
>>>>    - pre-g2-3des-sha
>>>>    - pre-g2-3des-md5
>>>>    - pre-g2-aes128-sha
>>>>    - pre-g2-aes128-md5
>>>> 
>>>> 
>>>> And yet the screenshot of the settings shows something different - it
>>>> looks like it's using:
>>>> 
>>>> 
>>>>    - pre-g2-3des-sha
>>>>    - pre-g2-3des-md5
>>>>    - pre-g2-aes128-sha
>>>>    - pre-g2-aes128-sha
>>>> 
>>>> 
>>>> Could this be the issue? Which security settings should I be using?
>>>> (help page is here:
>>>> http://www.shrew.net/support/wiki/HowtoJuniperSsg )
>>>> 
>>> Hi Marcus,
>>> 
>>> The "unrecognized peer gateway" message tells us that the traffic is
>>> reaching the gateway on port 500, so that is not an issue.  It also
>>> tells us that the problem is with the identification step. This needs
>>> to be corrected on the VPN -> AutoKey Advanced -> Gateway definition or
>>> on the Shrew Authentication tab.
>>> 
>>> (Just as an FYI, the screenshots in the Howto are for ScreenOS code 5.x
>>> I believe, since some of the Gateway options (like Local ID) have been
>>> moved to the Advanced options screen in ScreenOS 6.x.)
>>> 
>>> Based on what you've said that you've double-checked the identity
>>> values, your problem could be one of the following:
>>> 
>>> 1. You have Use As Seed selected. If so, unselect it.
>>> 
>>> 2. Your Outgoing Interface is not set correctly. Typically it is set to
>>> an interface in the Untrust (or V1-Untrust) zone.  The Outgoing
>>> Interface is the one facing the Shrew client traffic.  If it is not
>>> correct, delete the Gateway definition (you'll need to delete the VPN
>>> definition first too) and create a new one, making sure that you set
>>> the Outgoing Interface correctly.
>>> 
>>> 3. The pre-shared key does not match the Shrew config.  I would suggest
>>> deliberately re-entering it on both just to be sure. For instance, type
>>> it into Notepad, then copy-and-paste from Notepad to be sure it is the
>>> same on both.
>>> 
>>> 
>>> Regarding your question about the Phase 1 Proposal values, only one
>>> pair needs to match in order to establish a connection, and the Howto
>>> has three matching pairs, so that should not be your problem.  Thank
>>> you for pointing it out however.  Also, if you were getting to the
>>> negotiation stage, the error message on the gateway would be
>>> "negotiations have failed" rather than "unrecognized peer gateway."
>> _______________________________________________
>> vpn-help mailing list
>> vpn-help at lists.shrew.net
>> https://lists.shrew.net/mailman/listinfo/vpn-help
>> 
>> 
> 
> 
> 
