<html><head><style type="text/css"><!-- DIV {margin:0px;} --></style></head><body><div style="font-family:arial,helvetica,sans-serif;font-size:12pt">Thank you!<br><br>Here is the SSG5 config:<br><br><font face="Helvetica,Arial" size="2"><b>Version: 5.4.0r3a.0
(Firewall+VPN)
</b></font><br><br>set clock timezone -5<br>set vrouter trust-vr sharable<br>set vrouter "untrust-vr"<br>exit<br>set vrouter "trust-vr"<br>unset auto-route-export<br>exit<br>set auth-server "Local" id 0<br>set auth-server "Local" server-name "Local"<br>set auth default auth server "Local"<br>set auth radius accounting port 1646<br>set admin name "***"<br>set admin password "***"<br>set admin auth timeout 10<br>set admin auth server "Local"<br>set admin format dos<br>set zone "Trust" vrouter "trust-vr"<br>set zone "Untrust" vrouter "trust-vr"<br>set zone "DMZ" vrouter "trust-vr"<br>set zone "VLAN" vrouter "trust-vr"<br>set zone "Untrust-Tun" vrouter "trust-vr"<br>set zone "Trust" tcp-rst <br>set zone "Untrust" block <br>unset zone "Untrust" tcp-rst <br>set zone "DMZ" tcp-rst <br>set zone "VLAN" block <br>unset zone "VLAN" tcp-rst <br>set zone "Untrust" screen tear-drop<br>set zone "Untrust" screen syn-flood<br>set zone "Untrust" screen ping-death<br>set
zone "Untrust" screen ip-filter-src<br>set zone "Untrust" screen land<br>set zone "V1-Untrust" screen tear-drop<br>set zone "V1-Untrust" screen syn-flood<br>set zone "V1-Untrust" screen ping-death<br>set zone "V1-Untrust" screen ip-filter-src<br>set zone "V1-Untrust" screen land<br>set interface "ethernet0/0" zone "Untrust"<br>set interface "ethernet0/1" zone "Null"<br>set interface "bgroup0" zone "Trust"<br>set interface "tunnel.1" zone "Untrust"<br>set interface bgroup0 port ethernet0/1<br>set interface bgroup0 port ethernet0/2<br>set interface bgroup0 port ethernet0/3<br>set interface bgroup0 port ethernet0/4<br>set interface bgroup0 port ethernet0/5<br>set interface bgroup0 port ethernet0/6<br>unset interface vlan1 ip<br>set interface ethernet0/0 ip **.**.**.17/24<br>set interface ethernet0/0 route<br>set interface bgroup0 ip 192.168.100.1/24<br>set interface bgroup0 nat<br>set interface tunnel.1 ip unnumbered interface ethernet0/0<br>unset
interface vlan1 bypass-others-ipsec<br>unset interface vlan1 bypass-non-ip<br>set interface ethernet0/0 ip manageable<br>set interface bgroup0 ip manageable<br>set interface ethernet0/0 manage ping<br>set interface ethernet0/0 manage ssh<br>set interface ethernet0/0 manage ssl<br>set interface bgroup0 dhcp server service<br>set interface bgroup0 dhcp server enable<br>set interface bgroup0 dhcp server option lease 1440 <br>set interface bgroup0 dhcp server option gateway 192.168.100.1 <br>set interface bgroup0 dhcp server option netmask 255.255.255.0 <br>set interface bgroup0 dhcp server option dns1 **<br>set interface bgroup0 dhcp server option dns2 ** <br>set interface bgroup0 dhcp server ip 192.168.100.101 to 192.168.100.150 <br>unset interface bgroup0 dhcp server config next-server-ip<br>set interface "serial0/0" modem settings "USR" init "AT&F"<br>set interface "serial0/0" modem settings "USR" active<br>set interface "serial0/0" modem speed
115200<br>set interface "serial0/0" modem retry 3<br>set interface "serial0/0" modem interval 10<br>set interface "serial0/0" modem idle-time 10<br>set flow tcp-mss<br>unset flow no-tcp-seq-check<br>set flow tcp-syn-check<br>set pki authority default scep mode "auto"<br>set pki x509 default cert-path partial<br>set address "Trust" "192.168.100.100/32" 192.168.100.100 255.255.255.255<br>set user "test" uid 4<br>set user "test" ike-id fqdn "test.test.com" share-limit 1<br>set user "test" type ike<br>set user "test" "enable"<br>set user-group "test_group" id 1<br>set ike gateway "test-gw" dialup "test" Aggr local-id "testgw.test.com" outgoing-interface "ethernet0/0" preshare "N3Lm2MGKN+T7aesdudCgT2Nv7QnNQwmXPA==" sec-level compatible<br>set ike gateway "test-gw" cert peer-ca all<br>unset ike gateway "test-gw" nat-traversal udp-checksum<br>set ike gateway "test-gw" nat-traversal keepalive-frequency 0<br>set ike gateway "test-gw" dpd interval 30<br>set
ike gateway "Gateway for Any" dialup "test" Aggr outgoing-interface "ethernet0/0" preshare "FGTEVOSvNnCEkIs0RECQQDRPgbnHRqffog==" sec-level standard<br>set ike gateway "Gateway for Any" nat-traversal udp-checksum<br>set ike gateway "Gateway for Any" nat-traversal keepalive-frequency 5<br>set ike respond-bad-spi 1<br>unset ike ikeid-enumeration<br>unset ike dos-protection<br>unset ipsec access-session enable<br>set ipsec access-session maximum 5000<br>set ipsec access-session upper-threshold 0<br>set ipsec access-session lower-threshold 0<br>set ipsec access-session dead-p2-sa-timeout 0<br>unset ipsec access-session log-error<br>unset ipsec access-session info-exch-connected<br>unset ipsec access-session use-error-log<br>set vpn "test-vpn" gateway "test-gw" no-replay tunnel idletime 0 sec-level compatible<br>set vpn "test-vpn" monitor<br>set url protocol websense<br>exit<br>set policy id 11 from "Untrust" to "Trust" "Any" "192.168.100.100/32"
"MGCP" permit log <br>set policy id 11<br>exit<br>set policy id 8 from "Untrust" to "Trust" "Any" "Any" "ANY" permit log count <br>set policy id 8<br>exit<br>set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit log <br>set policy id 1<br>set log session-init<br>exit<br>set policy id 9 from "Untrust" to "Trust" "Dial-Up VPN" "192.168.100.100/32" "ANY" tunnel vpn "test-vpn" id 5 pair-policy 10 <br>set policy id 9<br>exit<br>set policy id 10 from "Trust" to "Untrust" "192.168.100.100/32" "Dial-Up VPN" "ANY" tunnel vpn "test-vpn" id 5 pair-policy 9 <br>set policy id 10<br>exit<br>set nsmgmt report alarm traffic enable<br>set nsmgmt report alarm attack enable<br>set nsmgmt report alarm other enable<br>set nsmgmt report alarm di enable<br>set nsmgmt report log config enable<br>set nsmgmt report log info enable<br>set nsmgmt report log self enable<br>set nsmgmt report log traffic enable<br>set nsmgmt init id ***<br>set
nsmgmt server primary **.**.**.230 port 7800<br>set nsmgmt bulkcli reboot-timeout 60<br>set nsmgmt hb-interval 20<br>set nsmgmt hb-threshold 5<br>set nsmgmt enable<br>set ssh version v2<br>set ssh enable<br>set config lock timeout 5<br>set snmp port listen 161<br>set snmp port trap 162<br>set vrouter "untrust-vr"<br>exit<br>set vrouter "trust-vr"<br>unset add-default-route<br>set route 0.0.0.0/0 interface ethernet0/0 gateway **.***.***.1 preference 20<br>exit<br>set vrouter "untrust-vr"<br>exit<br>set vrouter "trust-vr"<br>exit<br><br><div> This is the config for
Shrewsoft:<br><br>n:version:2<br>n:network-ike-port:500<br>n:network-mtu-size:1380<br>n:client-addr-auto:1<br>n:network-natt-port:4500<br>n:network-natt-rate:15<br>n:network-frag-size:540<br>n:network-dpd-enable:1<br>n:client-banner-enable:1<br>n:network-notify-enable:1<br>n:client-wins-used:1<br>n:client-wins-auto:1<br>n:client-dns-used:1<br>n:client-dns-auto:1<br>n:client-splitdns-used:1<br>n:client-splitdns-auto:1<br>n:phase1-dhgroup:2<br>n:phase1-life-secs:28800<br>n:phase1-life-kbytes:0<br>n:vendor-chkpt-enable:0<br>n:phase2-life-secs:3600<br>n:phase2-life-kbytes:0<br>n:policy-nailed:0<br>n:policy-list-auto:1<br>n:phase1-keylen:0<br>s:network-host:******<br>s:client-auto-mode:push<br>s:client-iface:virtual<br>s:network-natt-mode:enable<br>s:network-frag-mode:enable<br>s:auth-method:mutual-psk<br>s:ident-client-type:fqdn<br>s:ident-server-type:fqdn<br>s:ident-client-data:test.test.com<br>s:ident-server-data:testgw.test.com<br>b:auth-mutual-psk:Z2F0
ZWtlZXBlcg==<br>s:phase1-exchange:aggressive<br>s:phase1-cipher:des<br>s:phase1-hash:sha1<br>s:phase2-transform:esp-3des<br>s:phase2-hmac:md5<br>s:ipcomp-transform:disabled<br>n:phase2-pfsgroup:2<br><br>These are the messages I see on the client side:<br><br></div><div style="font-family: arial,helvetica,sans-serif; font-size: 12pt;">config loaded for site '*****'<br>configuring client settings ...<br>attached to key daemon ...<br>peer configured<br>iskamp proposal configured<br>esp proposal configured<br>client configured<br>local id configured<br>remote id configured<br>pre-shared key configured<br>bringing up tunnel ...<br><br>They never go beyond this point - even if I leave it here for hours.<br><br>On the server, I get:<br><br>2010-06-24 18:35:28 info IKE<71.191.197.230>: Received initial contact notification and removed Phase 1 SAs.<br>2010-06-24 18:35:28 info
IKE<71.191.197.230>: Received initial contact notification and removed Phase 2 SAs.<br>2010-06-24 18:35:28 info IKE<71.191.197.230>: Received a notification message for DOI <1> <24578> <INITIAL-CONTACT>.<br>2010-06-24 18:35:28 info IKE<71.191.197.230> Phase 1: Completed Aggressive mode negotiations with a <28800>-second lifetime.<br>2010-06-24 18:35:28 info IKE<71.191.197.230> Phase 1: Completed for user <test>.<br>2010-06-24 18:35:28 info IKE<71.191.197.230> Phase 1: IKE responder has detected NAT in front of the remote device.<br>2010-06-24 18:35:28 info IKE<71.191.197.230> Phase 1: IKE responder has detected NAT in front of the local device.<br>2010-06-24 18:35:28 info
IKE<71.191.197.230> Phase 1: Responder starts AGGRESSIVE mode negotiations.<br><br>From what I have seen, the next message I should see is Phase 1 Completed, right?<br><br>Any ideas? What is the next step - is there any way to get any more detailed messages?<br><br>Thanks,<br>Igor<br><br><div style="font-family: times new roman,new york,times,serif; font-size: 12pt;"><font face="Tahoma" size="2"><hr size="1"><b><span style="font-weight: bold;">From:</span></b> Rui Cordeiro <rmacordeiro@gmail.com><br><b><span style="font-weight: bold;">To:</span></b> Igor Birman <igor_birman@yahoo.com><br><b><span style="font-weight: bold;">Cc:</span></b> vpn-help@lists.shrew.net<br><b><span style="font-weight: bold;">Sent:</span></b> Thu, June 24, 2010 11:03:12 AM<br><b><span style="font-weight: bold;">Subject:</span></b> Re: [vpn-help] Can't connect Shrewsoft to SSG5<br></font><br>
Hi, <br>
<br>
I have just finished configuring a VPN connection against a Juniper
with version 5.4 and the data on the link is accurate and everything
worked fine.<br>
If you can send some print screens of the configs, Juniper and Shrew
Client I can try to help you (just delete sensitive info).<br>
<br>
Regards,<br>
<br>
Rui Cordeiro<br>
<br>
Igor Birman wrote:
<blockquote type="cite">
<div style="font-family: arial,helvetica,sans-serif; font-size: 12pt;">I
am trying to connect to an SSG5. I followed the guide:<br>
<div style="font-family: arial,helvetica,sans-serif; font-size: 12pt;">
<div style="font-family: times new roman,new york,times,serif; font-size: 12pt;">
<div style="font-family: arial,helvetica,sans-serif; font-size: 12pt;"><br>
<span><span><span><a target="_blank" href="http://www.shrew.net/support/wiki/HowtoJuniperSsg">http://www.shrew.net/support/wiki/HowtoJuniperSsg</a></span></span></span><br>
<br>
but the client stops at "bringing up tunnel" and then hangs there
forever. On the server, I have the following messages:<br>
<br>
2010-06-24 07:47:03 info IKE<71.191.197.230>: Received
initial contact notification and removed Phase 1 SAs.<br>
2010-06-24 07:47:03 info IKE<71.191.197.230>: Received
initial contact notification and removed Phase 2 SAs.<br>
2010-06-24 07:47:03 info IKE<71.191.197.230>: Received a
notification message for DOI <1> <24578>
<INITIAL-CONTACT>.<br>
2010-06-24 07:47:03 info IKE<71.191.197.230> Phase 1:
Completed Aggressive mode negotiations with a <28800>-second
lifetime.<br>
2010-06-24 07:47:03 info IKE<71.191.197.230> Phase 1:
Completed for user <Test>.<br>
2010-06-24 07:47:03 info IKE<71.191.197.230> Phase 1: IKE
responder has detected NAT in front of the remote device.<br>
2010-06-24 07:47:03 info IKE<71.191.197.230> Phase 1: IKE
responder has detected NAT in front of the local device.<br>
2010-06-24 07:47:03 info IKE<71.191.197.230> Phase 1:
Responder starts AGGRESSIVE mode negotiations.<br>
<br>
What am I missing?<br>
<br>
<div>Thanks,<br>
Igor</div>
</div>
</div>
</div>
</div>
<pre><hr width="90%" size="4"><br>_______________________________________________<br>vpn-help mailing list<br><a rel="nofollow" class="moz-txt-link-abbreviated" ymailto="mailto:vpn-help@lists.shrew.net" target="_blank" href="mailto:vpn-help@lists.shrew.net">vpn-help@lists.shrew.net</a><br><span><a target="_blank" href="http://lists.shrew.net/mailman/listinfo/vpn-help">http://lists.shrew.net/mailman/listinfo/vpn-help</a></span><br> </pre>
</blockquote>
</div></div>
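<div style="font-family: arial,helvetica,sans-serif; font-size: 12pt;"><br>Added example (not part of the thread above, and not Shrew Soft or Juniper code): a Python script that reconstructs the negotiation stage from ScreenOS IKE event-log lines like the ones posted, and that reads the proposal settings from a Shrew Soft site file so they can be compared against a list of gateway Phase 2 proposal names. The sample log and site-file lines are constructed from the thread, with the peer address and pre-shared key replaced by placeholders. The Phase 2 message patterns, the ScreenOS proposal-name grammar ("nopfs-esp-3des-md5", "g2-esp-3des-sha") and the gateway proposal lists passed in at the bottom are assumptions; substitute the proposals actually configured on the device.<br><br></div>

```python
"""Stage analysis for ScreenOS IKE log lines and a Shrew Soft site file.

Added example for the vpn-help thread; not Shrew Soft or Juniper code.
Sample inputs are constructed from the thread (peer address and PSK replaced).
Assumptions: the Phase 2 message wording in classify(), and the
"<pfs>-esp-<cipher>-<hash>" grammar of ScreenOS proposal names.
"""
import re

# Constructed sample: the gateway log as displayed on the page, newest entry first.
SCREENOS_LOG = """\
2010-06-24 18:35:28 info IKE<192.0.2.10>: Received initial contact notification and removed Phase 1 SAs.
2010-06-24 18:35:28 info IKE<192.0.2.10>: Received initial contact notification and removed Phase 2 SAs.
2010-06-24 18:35:28 info IKE<192.0.2.10>: Received a notification message for DOI <1> <24578> <INITIAL-CONTACT>.
2010-06-24 18:35:28 info IKE<192.0.2.10> Phase 1: Completed Aggressive mode negotiations with a <28800>-second lifetime.
2010-06-24 18:35:28 info IKE<192.0.2.10> Phase 1: Completed for user <test>.
2010-06-24 18:35:28 info IKE<192.0.2.10> Phase 1: IKE responder has detected NAT in front of the remote device.
2010-06-24 18:35:28 info IKE<192.0.2.10> Phase 1: IKE responder has detected NAT in front of the local device.
2010-06-24 18:35:28 info IKE<192.0.2.10> Phase 1: Responder starts AGGRESSIVE mode negotiations.
"""

# Two line shapes occur: "IKE<peer>: msg" and "IKE<peer> Phase N: msg".
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<level>\w+) "
    r"IKE<(?P<peer>[^>]+)>:? ?(?:Phase (?P<phase>[12]):)? ?(?P<msg>.*)$"
)

# Milestones in the order a successful dial-up connection passes them.
STAGES = ["phase1-started", "phase1-completed", "phase2-started", "phase2-completed"]


def classify(phase, msg):
    """Map one log message to a milestone, or None for informational lines."""
    m = msg.lower()
    if phase == "1" and "starts" in m and "mode negotiations" in m:
        return "phase1-started"
    if phase == "1" and m.startswith("completed") and "mode negotiations" in m:
        return "phase1-completed"
    # Assumed wording for Phase 2 lines; none appear in the thread's logs.
    if phase == "2" and "starts" in m:
        return "phase2-started"
    if phase == "2" and m.startswith("completed"):
        return "phase2-completed"
    return None


def negotiation_summary(text):
    """Per peer: furthest milestone reached, NAT detection and Phase 2 status.

    ScreenOS displays the newest entry first, so lines are reversed to get
    chronological order before the milestone scan.
    """
    events = [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]
    events.reverse()
    summary = {}
    for e in events:
        s = summary.setdefault(e["peer"], {"stage": None, "nat_remote": False,
                                           "nat_local": False, "initial_contact": False})
        stage = classify(e["phase"], e["msg"])
        if stage and (s["stage"] is None or STAGES.index(stage) > STAGES.index(s["stage"])):
            s["stage"] = stage
        low = e["msg"].lower()
        s["nat_remote"] |= "detected nat in front of the remote" in low
        s["nat_local"] |= "detected nat in front of the local" in low
        s["initial_contact"] |= "initial-contact" in low
    for s in summary.values():
        s["phase2_started"] = s["stage"] in ("phase2-started", "phase2-completed")
    return summary


# Constructed sample: the proposal-related lines of the Shrew Soft site file.
SHREW_SITE = """\
n:phase1-dhgroup:2
n:phase2-pfsgroup:2
s:auth-method:mutual-psk
s:phase1-exchange:aggressive
s:phase1-cipher:des
s:phase1-hash:sha1
s:phase2-transform:esp-3des
s:phase2-hmac:md5
b:auth-mutual-psk:***
"""


def parse_shrew_site(text):
    """Site files are 'type:key:value' lines; n = number, s = string, b = base64 blob."""
    site = {}
    for line in filter(None, text.splitlines()):
        kind, key, value = line.split(":", 2)
        site[key] = int(value) if kind == "n" else value
    return site


def parse_screenos_p2_name(name):
    """Assumed grammar: <pfs>-esp-<cipher>-<hash>; returns (transform, hmac, pfs group)."""
    pfs, esp, cipher, hsh = name.split("-")
    group = 0 if pfs == "nopfs" else int(pfs[1:])
    return (f"{esp}-{cipher}", "sha1" if hsh == "sha" else hsh, group)


def phase2_matches(site, gateway_p2_names):
    """Gateway proposals that the client's single Phase 2 proposal would match."""
    client = (site["phase2-transform"], site["phase2-hmac"], site["phase2-pfsgroup"])
    return [n for n in gateway_p2_names if parse_screenos_p2_name(n) == client]


if __name__ == "__main__":
    for peer, s in negotiation_summary(SCREENOS_LOG).items():
        print(peer, s)
    site = parse_shrew_site(SHREW_SITE)
    # Assumed gateway proposal lists; replace with the device's own.
    print(phase2_matches(site, ["nopfs-esp-3des-md5", "nopfs-esp-3des-sha"]))
    print(phase2_matches(site, ["nopfs-esp-3des-md5", "g2-esp-3des-md5"]))
```

On the thread's log the summary stops at "phase1-completed" with NAT detected on both sides and no Phase 2 line at all, which is what a stall at "bringing up tunnel" looks like from the gateway side; the site-file check then shows whether the client's single Phase 2 proposal (transform, HMAC and PFS group) has a counterpart in the gateway's list.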
</div></body></html>