<html><head><style type="text/css"><!-- DIV {margin:0px;} --></style></head><body><div style="font-family:arial,helvetica,sans-serif;font-size:12pt">I have been trying to set up a VPN connection to an SSG5 by following the instructions at:<br><br><span><a target="_blank" href="http://www.shrew.net/support/wiki/HowtoJuniperSsg">http://www.shrew.net/support/wiki/HowtoJuniperSsg</a></span><br><br>I am able to establish a connection on the client and get an IP address, but then I get some more error messages on the SSG5. Can someone point me to what they mean? It says no policy esists for the proxy ID, and then that the VPN does not have an application SA. I don't understand either message. Here they are:<br><br><table class="center" border="1" cellpadding="4" cellspacing="0" width="100%"><tbody><tr><td align="center" bgcolor="#eeeeee" nowrap="nowrap">2010-06-25
22:36:57</td><td align="center" bgcolor="#eeeeee">info</td><td bgcolor="#eeeeee">Rejected an IKE packet on ethernet0/0 from
71.191.197.230:4500 to xx.xx.xx.17:4500 with cookies 0e6193f393015ecd
and e153abc6ac9a3cb5 because the VPN does not have an application SA
configured.</td></tr><tr><td align="center" bgcolor="#eeeeee" nowrap="nowrap">2010-06-25 22:36:57</td><td align="center" bgcolor="#eeeeee">info</td><td bgcolor="#eeeeee">IKE<71.191.197.230>
Phase 2: No policy exists for the proxy ID received: local ID
(<192.168.100.0>/<255.255.255.0>, <0>, <0>)
remote ID (<192.168.100.130>/<255.255.255.255>, <0>,
<0>).</td></tr><tr><td align="center" bgcolor="#eeeeee" nowrap="nowrap">2010-06-25 22:36:57</td><td align="center" bgcolor="#eeeeee">info</td><td bgcolor="#eeeeee">IKE<71.191.197.230>
Phase 2 msg ID <8d82f56c>: Responded to the peer's first message.</td></tr><tr><td align="center" bgcolor="#eeeeee" nowrap="nowrap">2010-06-25 22:36:46</td><td align="center" bgcolor="#eeeeee">info</td><td bgcolor="#eeeeee">IKE<71.191.197.230>:
XAuth login was passed for gateway <vpnclient_gateway>, username
<igor>, retry: 0, Client IP Addr<192.168.100.130>, IPPool
name:<vpn>, Session-Timeout:<0s>, Idle-Timeout:<0s>.</td></tr></tbody></table><br>Thanks!<br>Igor<br><br><br><div style="font-family: arial,helvetica,sans-serif; font-size: 12pt;"><br><div style="font-family: times new roman,new york,times,serif; font-size: 12pt;"><font face="Tahoma" size="2"><hr size="1"><b><span style="font-weight: bold;">From:</span></b> Rui Cordeiro <rmacordeiro@gmail.com><br><b><span style="font-weight: bold;">To:</span></b> Igor Birman <igor_birman@yahoo.com><br><b><span style="font-weight: bold;">Cc:</span></b> vpn-help@lists.shrew.net<br><b><span style="font-weight: bold;">Sent:</span></b> Thu, June 24, 2010 11:03:12 AM<br><b><span style="font-weight: bold;">Subject:</span></b> Re: [vpn-help] Can't connect Shrewsoft to SSG5<br></font><br>
Hi, <br>
<br>
I have just finished configuring a VPN connection against a Juniper
with version 5.4 and the data on the link is accurate and everything
worked fine.<br>
If you can send some print screens of the configs, Juniper and Shrew
Client I can try to help you (just delete sensitive info).<br>
<br>
Regards,<br>
<br>
Rui Cordeiro<br>
<br>
Igor Birman wrote:
<blockquote type="cite">
<div style="font-family: arial,helvetica,sans-serif; font-size: 12pt;">I
am trying to connect to an SSG5. I followed the guide:<br>
<div style="font-family: arial,helvetica,sans-serif; font-size: 12pt;">
<div style="font-family: times new roman,new york,times,serif; font-size: 12pt;">
<div style="font-family: arial,helvetica,sans-serif; font-size: 12pt;"><br>
<span><span><span><a target="_blank" href="http://www.shrew.net/support/wiki/HowtoJuniperSsg">http://www.shrew.net/support/wiki/HowtoJuniperSsg</a></span></span></span><br>
<br>
but the client stops at "bringing up tunnel" and then hangs there
forever. On the server, I have the following messages:<br>
<br>
2010-06-24 07:47:03 info IKE<71.191.197.230>: Received
initial contact notification and removed Phase 1 SAs.<br>
2010-06-24 07:47:03 info IKE<71.191.197.230>: Received
initial contact notification and removed Phase 2 SAs.<br>
2010-06-24 07:47:03 info IKE<71.191.197.230>: Received a
notification message for DOI <1> <24578>
<INITIAL-CONTACT>.<br>
2010-06-24 07:47:03 info IKE<71.191.197.230> Phase 1:
Completed Aggressive mode negotiations with a <28800>-second
lifetime.<br>
2010-06-24 07:47:03 info IKE<71.191.197.230> Phase 1:
Completed for user <Test>.<br>
2010-06-24 07:47:03 info IKE<71.191.197.230> Phase 1: IKE
responder has detected NAT in front of the remote device.<br>
2010-06-24 07:47:03 info IKE<71.191.197.230> Phase 1: IKE
responder has detected NAT in front of the local device.<br>
2010-06-24 07:47:03 info IKE<71.191.197.230> Phase 1:
Responder starts AGGRESSIVE mode negotiations.<br>
<br>
What am I missing?<br>
<br>
<div>Thanks,<br>
Igor</div>
</div>
</div>
</div>
</div>
<pre><hr width="90%" size="4">
_______________________________________________
vpn-help mailing list
<a rel="nofollow" class="moz-txt-link-abbreviated" ymailto="mailto:vpn-help@lists.shrew.net" target="_blank" href="mailto:vpn-help@lists.shrew.net">vpn-help@lists.shrew.net</a><span>
<a target="_blank" href="http://lists.shrew.net/mailman/listinfo/vpn-help">http://lists.shrew.net/mailman/listinfo/vpn-help</a>
</span></pre>
</blockquote>
</div></div>
</div></body></html>