<html><head><style type="text/css"><!-- DIV {margin:0px;} --></style></head><body><div style="font-family:arial,helvetica,sans-serif;font-size:12pt">Thanks, that helped. So SA is the Security Association aka Policy? My policy was set up incorrectly, I changed the policies on the client and on the SSG5 to match, and I no longer get that error. Now the only remaining problem is that I can't seem to ping the trusted network from my computer. It looks like all is connected, there are no errors, but ping goes nowhere. Is there anything else I need to do? My goal is to get from 192.168.100.130 (client IP), to 192.168.100.100 (server IP).<br><br>This is the last event message that I see:<br><br>Auth login was passed for gateway
<vpnclient_gateway>, username <praetorian>, retry: 0, Client
IP Addr<192.168.100.130>, IPPool name:<vpn>,
Session-Timeout:<0s>, Idle-Timeout:<0s>.<br>
<br>I am attaching the SSG and ShrewSoft configs:<br>
<br>set clock timezone -5<br>set vrouter trust-vr sharable<br>set vrouter "untrust-vr"<br>exit<br>set vrouter "trust-vr"<br>unset auto-route-export<br>exit<br>set auth-server "Local" id 0<br>set auth-server "Local" server-name "Local"<br>set auth default auth server "Local"<br>set auth radius accounting port 1646<br>set zone "Trust" vrouter "trust-vr"<br>set zone "Untrust" vrouter "trust-vr"<br>set zone "DMZ" vrouter "trust-vr"<br>set zone "VLAN" vrouter "trust-vr"<br>set zone "Untrust-Tun" vrouter "trust-vr"<br>set zone "Trust" tcp-rst <br>set zone "Untrust" block <br>unset zone "Untrust" tcp-rst <br>set zone "DMZ" tcp-rst <br>set zone "VLAN" block <br>unset zone "VLAN" tcp-rst <br>set zone "Untrust" screen tear-drop<br>set zone "Untrust" screen syn-flood<br>set zone "Untrust" screen ping-death<br>set zone "Untrust" screen ip-filter-src<br>set zone "Untrust" screen land<br>set zone "V1-Untrust" screen tear-drop<br>set zone "V1-Untrust" screen
syn-flood<br>set zone "V1-Untrust" screen ping-death<br>set zone "V1-Untrust" screen ip-filter-src<br>set zone "V1-Untrust" screen land<br>set interface "ethernet0/0" zone "Untrust"<br>set interface "ethernet0/1" zone "Null"<br>set interface "bgroup0" zone "Trust"<br>set interface "tunnel.1" zone "Untrust"<br>set interface bgroup0 port ethernet0/1<br>set interface bgroup0 port ethernet0/2<br>set interface bgroup0 port ethernet0/3<br>set interface bgroup0 port ethernet0/4<br>set interface bgroup0 port ethernet0/5<br>set interface bgroup0 port ethernet0/6<br>unset interface vlan1 ip<br>set interface ethernet0/0 ip *.*.*.17/24<br>set interface ethernet0/0 route<br>set interface bgroup0 ip 192.168.100.1/24<br>set interface bgroup0 nat<br>set interface tunnel.1 ip unnumbered interface ethernet0/0<br>unset interface vlan1 bypass-others-ipsec<br>unset interface vlan1 bypass-non-ip<br>set interface ethernet0/0 ip manageable<br>set interface bgroup0 ip
manageable<br>set interface ethernet0/0 manage ping<br>set interface ethernet0/0 manage ssh<br>set interface ethernet0/0 manage ssl<br>set interface bgroup0 dhcp server service<br>set interface bgroup0 dhcp server enable<br>set interface bgroup0 dhcp server option lease 1440 <br>set interface bgroup0 dhcp server option gateway 192.168.100.1 <br>set interface bgroup0 dhcp server option netmask 255.255.255.0 <br>set interface bgroup0 dhcp server option dns1 71.252.0.12 <br>set interface bgroup0 dhcp server option dns2 68.237.161.12 <br>set interface bgroup0 dhcp server ip 192.168.100.101 to 192.168.100.150 <br>unset interface bgroup0 dhcp server config next-server-ip<br>set flow tcp-mss<br>unset flow no-tcp-seq-check<br>set flow tcp-syn-check<br>set pki authority default scep mode "auto"<br>set pki x509 default cert-path partial<br>set address "Trust" "192.168.100.100/32" 192.168.100.100 255.255.255.255<br>set address "Trust" "Trusted Network"
255.255.255.0 255.255.255.128<br>set ippool "vpn" 192.168.100.130 192.168.100.140<br>set user "praetorian" uid 14<br>set user "praetorian" type xauth<br>set user "praetorian" password "U2eCWDknN9NQK6shDeC5Ij3HVBna/ZpcFQ=="<br>unset user "praetorian" type auth<br>set user "praetorian" "enable"<br>set user "vpnclient_P1" uid 12<br>set user "vpnclient_P1" ike-id fqdn "client.gatekeeper.com" share-limit 1<br>set user "vpnclient_P1" type ike<br>set user "vpnclient_P1" "enable"<br>set user-group "vpnclient_group" id 3<br>set user-group "vpnclient_group" user "vpnclient_P1"<br>set ike gateway "vpnclient_gateway" dialup "vpnclient_group" Main local-id "gateway.gatekeeper.com" outgoing-interface "ethernet0/0" preshare "Al/ROO66NmvlIwsjUhCWqDd7/fn9NrlQnA==" proposal "pre-g2-3des-sha" "pre-g2-3des-md5" "pre-g2-aes128-sha" "pre-g2-aes128-md5"<br>unset ike gateway "vpnclient_gateway" nat-traversal udp-checksum<br>set ike gateway "vpnclient_gateway"
nat-traversal keepalive-frequency 5<br>set ike gateway "vpnclient_gateway" xauth server "Local"<br>unset ike gateway "vpnclient_gateway" xauth do-edipi-auth<br>set ike gateway "vpnclient_gateway" dpd interval 30<br>set ike respond-bad-spi 1<br>unset ike ikeid-enumeration<br>unset ike dos-protection<br>unset ipsec access-session enable<br>set ipsec access-session maximum 5000<br>set ipsec access-session upper-threshold 0<br>set ipsec access-session lower-threshold 0<br>set ipsec access-session dead-p2-sa-timeout 0<br>unset ipsec access-session log-error<br>unset ipsec access-session info-exch-connected<br>unset ipsec access-session use-error-log<br>set xauth default ippool "vpn"<br>set xauth default dns1 192.168.100.100<br>set xauth default dns2 192.168.100.100<br>set xauth default wins1 192.168.100.100<br>set xauth default wins2 192.168.100.100<br>set vpn "vpnclient_tunnel" gateway "vpnclient_gateway" no-replay tunnel idletime 0 proposal
"nopfs-esp-3des-sha" "nopfs-esp-3des-md5" "nopfs-esp-aes128-sha" "nopfs-esp-aes128-md5" <br>set url protocol websense<br>exit<br>set policy id 14 from "Untrust" to "Trust" "Dial-Up VPN" "Trusted Network" "ANY" tunnel vpn "vpnclient_tunnel" id 21 pair-policy 13 <br>set policy id 14<br>exit<br>set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit log <br>set policy id 1<br>set log session-init<br>exit<br>set policy id 13 name "vpnclient_in" from "Trust" to "Untrust" "Trusted Network" "Dial-Up VPN" "ANY" tunnel vpn "vpnclient_tunnel" id 21 pair-policy 14 log <br>set policy id 13<br>exit<br>set nsmgmt report alarm traffic enable<br>set nsmgmt report alarm attack enable<br>set nsmgmt report alarm other enable<br>set nsmgmt report alarm di enable<br>set nsmgmt report log config enable<br>set nsmgmt report log info enable<br>set nsmgmt report log self enable<br>set nsmgmt report log traffic enable<br>set nsmgmt
init id 1B9066808588C3EBFA20E948597B446D3AB147F800<br>set nsmgmt server primary 72.245.188.230 port 7800<br>set nsmgmt bulkcli reboot-timeout 60<br>set nsmgmt hb-interval 20<br>set nsmgmt hb-threshold 5<br>set nsmgmt enable<br>set ssh version v2<br>set ssh enable<br>set config lock timeout 5<br>set snmp port listen 161<br>set snmp port trap 162<br>set vrouter "untrust-vr"<br>exit<br>set vrouter "trust-vr"<br>unset add-default-route<br>set route 0.0.0.0/0 interface ethernet0/0 gateway *.*.*.1 preference 20<br>exit<br>set vrouter "untrust-vr"<br>exit<br>set vrouter
"trust-vr"<br>exit<br><br>ShrewSoft:<br><br>n:version:2<br>n:network-ike-port:500<br>n:network-mtu-size:1380<br>n:client-addr-auto:1<br>n:network-natt-port:4500<br>n:network-natt-rate:15<br>n:network-frag-size:540<br>n:network-dpd-enable:1<br>n:client-banner-enable:1<br>n:network-notify-enable:1<br>n:client-wins-used:1<br>n:client-wins-auto:1<br>n:client-dns-used:1<br>n:client-dns-auto:1<br>n:client-splitdns-used:1<br>n:client-splitdns-auto:1<br>n:phase1-dhgroup:2<br>n:phase1-life-secs:86400<br>n:phase1-life-kbytes:0<br>n:vendor-chkpt-enable:0<br>n:phase2-life-secs:3600<br>n:phase2-life-kbytes:0<br>n:policy-nailed:0<br>n:policy-list-auto:0<br>s:network-host:**.**.**.17<br>s:client-auto-mode:push<br>s:client-iface:virtual<br>s:network-natt-mode:enable<br>s:network-frag-mode:enable<br>s:auth-method:mutual-psk-xauth<br>s:ident-client-type:fqdn<br>s:ident-server-type:fqdn<br>s:ident-client-data:client.shrew.com<br>s:ident-server-data:gateway.shrew.com<br>b
:auth-mutual-psk:Z2F0ZWtlZXBlcg==<br>s:phase1-exchange:aggressive<br>s:phase1-cipher:auto<br>s:phase1-hash:auto<br>s:phase2-transform:auto<br>s:phase2-hmac:auto<br>s:ipcomp-transform:disabled<br>n:phase2-pfsgroup:-1<br>s:policy-list-include:192.168.100.130 / 255.255.255.255<br><br>Thanks!<br>Igor<br><br><div style="font-family: arial,helvetica,sans-serif; font-size: 12pt;"><br><div style="font-family: arial,helvetica,sans-serif; font-size: 13px;"><font face="Tahoma" size="2"><hr size="1"><b><span style="font-weight: bold;">From:</span></b> kevin shrew-vpn <klmlk@hotmail.com><br><b><span style="font-weight: bold;">To:</span></b> vpn-help@lists.shrew.net<br><b><span style="font-weight: bold;">Sent:</span></b> Sat, June 26, 2010 1:28:27 PM<br><b><span style="font-weight: bold;">Subject:</span></b> Re: [vpn-help] Almost connected shrewsoft to Juniper SSG5?<br></font><br>
On Fri, 25 Jun 2010 19:32:10 -0700 (PDT)<br>Igor Birman <<a ymailto="mailto:igor_birman@yahoo.com" href="mailto:igor_birman@yahoo.com">igor_birman@yahoo.com</a>> wrote:<br><br>> I have been trying to set up a VPN connection to an SSG5 by following<br>> the instructions at:<br>> <br><span>> <a target="_blank" href="http://www.shrew.net/support/wiki/HowtoJuniperSsg">http://www.shrew.net/support/wiki/HowtoJuniperSsg</a></span><br>> <br>> I am able to establish a connection on the client and get an IP<br>> address, but then I get some more error messages on the SSG5. Can<br>> someone point me to what they mean? It says no policy esists for the<br>> proxy ID, and then that the VPN does not have an application SA. I<br>> don't understand either message. Here they are:<br>> <br>> <br>> 2010-06-25 <br>> 22:36:57 info Rejected an IKE packet on ethernet0/0 from <br>> 71.191.197.230:4500 to
xx.xx.xx.17:4500 with cookies 0e6193f393015ecd <br>> and e153abc6ac9a3cb5 because the VPN does not have an application SA <br>> configured. <br>> 2010-06-25 22:36:57 info IKE<71.191.197.230> Phase 2: No policy<br>> exists for the proxy ID received: local ID<br>> (<192.168.100.0>/<255.255.255.0>, <0>, <0>) remote ID<br>> (<192.168.100.130>/<255.255.255.255>, <0>, <0>). <br>> 2010-06-25 22:36:57 info IKE<71.191.197.230> Phase 2 msg ID<br>> <8d82f56c>: Responded to the peer's first message. 2010-06-25<br>> 22:36:46 info IKE<71.191.197.230>: XAuth login was passed for gateway<br>> <vpnclient_gateway>, username <igor>, retry: 0, Client IP<br>> Addr<192.168.100.130>, IPPool name:<vpn>, Session-Timeout:<0s>,<br>> Idle-Timeout:<0s>. Thanks! Igor<br>> <br><br>Hi Igor,<br><br>I would first check the AutoKey IKE
Proxy-ID settings. (VPNs->AutoKey<br>IKE->Edit->Advanced). If you enable the Proxy-ID, I think those have<br>to match the policy you've defined in the Shrew profile. For example,<br>if you have defined in the Shrew profile (on the policy tab) that all<br>traffic be tunneled, I think the Local IP/Netmask on the SSG should be<br>0.0.0.0/0. If you've specified a subnet in Shrew (eg.<br>10.1.0.0/255.255.0.0) then the Local IP/Mask on the SSG should be<br>10.1.0.0/16. You really don't need to enable the Proxy-ID, however.<br><br>If those are correct (or you don't have the Proxy-ID enabled), then make<br>sure you have a firewall policy defined that matches the Shrew VPN<br>profile. Going by my second example above, the policy should be<br>defined as:<br><br>>From zone Untrust<br>To zone Trust<br>Source address Dial-Up VPN<br>Destination address 10.1.0.0/16 (for example).<br><br>The Destination Address is
what needs to match the entry in the Shrew<br>profile Policy tab. For my first example (tunnel all), the destination<br>address would be Any.<br>_______________________________________________<br>vpn-help mailing list<br><a ymailto="mailto:vpn-help@lists.shrew.net" href="mailto:vpn-help@lists.shrew.net">vpn-help@lists.shrew.net</a><br><span><a target="_blank" href="http://lists.shrew.net/mailman/listinfo/vpn-help">http://lists.shrew.net/mailman/listinfo/vpn-help</a></span><br></div></div>
</div></body></html>