Hi Kevin,<div><br></div><div>Thanks for your response. I did indeed notice this discrepancy in the help page, but I made sure to use my own "<a href="http://client.myvpn.com" target="_blank">client.myvpn.com</a>" in both Juniper firewall and client phase 1 settings. Same as well for the phase 2 settings, using "<a href="http://vpngw.myvpn.com" target="_blank">vpngw.myvpn.com</a>", so I don't think that's the issue.</div>
<div><br></div><div>I've also checked the following - I can telnet to the public IP of the Juniper VPN on port 80, but I can't telnet to the public IP of the Juniper VPN on port 500. The firewall I sit behind definitely has port 500 open and I've disabled my Win7 firewall. Is there something I need to do on the Juniper to enable access on port 500? The Juniper is giving the <i>"Phase 1 packet arrived from an unrecognized peer gateway."</i> error, so I imagine the request is making it through, so port 500 probably isn't the issue...</div>
<div><br></div><div>Really stumped on this one - can you see anything else in the help docs that might be off? </div><div><br></div><div>I noticed another discrepancy in the Phase 1 Security settings in the help page. It says in the instructions to use this:</div>
<div><br></div><div><span class="Apple-style-span" style="border-collapse: collapse; font-family: arial, verdana, helvetica, sans-serif; font-size: 13px; ">Phase 1 Proposal<ul style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 3em; ">
<li style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; ">pre-g2-3des-sha</li><li style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; ">
pre-g2-3des-md5</li><li style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; ">pre-g2-aes128-sha</li><li style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; ">
pre-g2-aes128-md5</li></ul><div><br></div><div>And yet the screenshot of the settings shows something different - it looks like it's using:</div><div><br></div><div><ul style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 3em; ">
<li style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; ">pre-g2-3des-sha</li><li style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; ">
pre-g2-3des-md5</li><li style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; ">pre-g2-aes128-sha</li><li style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; ">
pre-g2-aes128-sha</li></ul><div style="color: rgb(64, 64, 64); "><br></div></div><div style="color: rgb(64, 64, 64); ">Could this be the issue? Which security settings should I be using? (help page is here: <a href="http://www.shrew.net/support/wiki/HowtoJuniperSsg">http://www.shrew.net/support/wiki/HowtoJuniperSsg</a> )</div>
<div style="color: rgb(64, 64, 64); "><br></div><div style="color: rgb(64, 64, 64); ">Thanks in advance,</div><div style="color: rgb(64, 64, 64); ">-Marcus</div></span></div>
<div><br></div><div><br><br><div class="gmail_quote">On Sun, Mar 27, 2011 at 2:17 PM, kevin vpn <span dir="ltr"><<a href="mailto:kvpn@live.com" target="_blank">kvpn@live.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div>On Sat, 26 Mar 2011 23:58:54 +1100<br>
Marcus Macro <<a href="mailto:macro.marcus@gmail.com" target="_blank">macro.marcus@gmail.com</a>> wrote:<br>
<br>
> Hi ShrewSoft Team,<br>
><br>
> I'm trying to get the ShrewSoft VPN client to work with my Juniper<br>
> SSG20 (Firmware v6.1), but am encountering errors when I try to<br>
> connect.<br>
><br>
> I've exactly followed the directions here:<br>
> <a href="http://www.shrew.net/support/wiki/HowtoJuniperSsg" target="_blank">http://www.shrew.net/support/wiki/HowtoJuniperSsg</a><br>
><br>
> When setting up the VPN client config, I used the example config file<br>
> and just tweaked the user/pass/presharedkey/ids/IP settings to match<br>
> my setup: <a href="http://www.shrew.net/static/howto/JuniperSsg/juniperssg.vpn" target="_blank">http://www.shrew.net/static/howto/JuniperSsg/juniperssg.vpn</a><br>
><br>
> But when trying to connect, the ShrewSoft VPN client says this:<br>
><br>
> bringing up tunnel ...<br>
> negotiation timout occurred<br>
> tunnel disabled<br>
> detached from key daemon ...<br>
><br>
> And the Juniper logs says this:<br>
> Rejected an IKE packet on ethernet0/0 from <a href="http://99.99.99.99:500" target="_blank">99.99.99.99:500</a><br>
> to88.88.88.88:500 with cookies 7393deb8306c7e69 and 0000000000000000<br>
> because an initial Phase 1 packet arrived from an unrecognized peer<br>
> gateway.<br>
><br>
<br>
</div>Hi Marcus,<br>
<br>
The Phase 1 settings on the SSG are set in the VPN -> AutoKey Advanced<br>
-> Gateway settings. It is those settings that have to match what<br>
Shrew is providing from its own Phase 1 configuration.<br>
<br>
I just noticed that Howto is not clear in this regard. In the Howto,<br>
you first create on the SSG a user called 'vpnclient_ph1id' and give it<br>
an IKE Identity = '<a href="http://client.shrew.net" target="_blank">client.shrew.net</a>'. Later, when configuring the<br>
Shrew client, the Howto says that the 'Local Identity' should be set to<br>
'<a href="http://client.domain.com" target="_blank">client.domain.com</a>'. This is incorrect: IKE Identity = Local Identity,<br>
so both of them should be '<a href="http://client.shrew.net" target="_blank">client.shrew.net</a>' or both should be<br>
'<a href="http://whatever.somedomain.com" target="_blank">whatever.somedomain.com</a>.'<br>
<br>
The same problem exists on the gateway side, 'Local ID' on the SSG must<br>
match 'Remote Identity' on the Shrew side (for example both should be<br>
'<a href="http://vpngw.shrew.net" target="_blank">vpngw.shrew.net</a>').<br>
<br>
Obviously the pre-shared key must be the same on both ends too.<br>
_______________________________________________<br>
vpn-help mailing list<br>
<a href="mailto:vpn-help@lists.shrew.net" target="_blank">vpn-help@lists.shrew.net</a><br>
<a href="http://lists.shrew.net/mailman/listinfo/vpn-help" target="_blank">http://lists.shrew.net/mailman/listinfo/vpn-help</a><br>
</blockquote></div><br></div>
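<div>Added example, not part of this thread and not code from the Shrew Soft project or the Howto: a small Python cross-check that encodes the Phase 1 matching rules Kevin lays out (SSG user IKE Identity = Shrew Local Identity, SSG gateway Local ID = Shrew Remote Identity, identical pre-shared key, and at least one Phase 1 proposal in common), plus a warning for the duplicated "pre-g2-aes128-sha" entry Marcus spotted in the Howto screenshot. It assumes that ScreenOS predefined proposal names follow the pattern auth-gN-cipher-hash (as in "pre-g2-3des-sha"); the dataclass field names and all sample values are constructed for the example and are not taken from any real configuration.</div>

```python
"""Phase 1 (IKE) settings cross-check for a ScreenOS SSG gateway and a Shrew Soft client.

Added example: encodes the matching rules from the thread so a config can be
checked before the tunnel is brought up and the gateway rejects Phase 1.
"""
import re
from collections import Counter
from dataclasses import dataclass, replace

# Assumption: ScreenOS predefined Phase 1 proposal names follow
# <auth>-g<dhgroup>-<cipher>-<hash>, e.g. "pre-g2-3des-sha".
_PROPOSAL_RE = re.compile(r"^(pre|rsa|dsa)-g(\d+)-([a-z0-9]+)-(sha|md5)$")
_AUTH_NAMES = {"pre": "psk", "rsa": "rsa-sig", "dsa": "dsa-sig"}
_HASH_NAMES = {"sha": "sha1", "md5": "md5"}


def parse_ssg_proposal(name: str) -> dict:
    """Split an SSG proposal name into the four parameters IKE actually negotiates."""
    m = _PROPOSAL_RE.match(name.strip().lower())
    if not m:
        raise ValueError(f"unrecognised SSG proposal name: {name!r}")
    auth, group, cipher, hash_name = m.groups()
    return {"auth": _AUTH_NAMES[auth], "dh_group": int(group),
            "cipher": cipher, "hash": _HASH_NAMES[hash_name]}


@dataclass(frozen=True)
class SsgSide:
    user_ike_identity: str   # IKE Identity on the user object ('vpnclient_ph1id' in the Howto)
    gateway_local_id: str    # Local ID on VPNs -> AutoKey Advanced -> Gateway
    preshared_key: str
    proposals: tuple         # Phase 1 proposal names offered by the gateway


@dataclass(frozen=True)
class ShrewSide:
    local_identity: str      # Shrew client: Local Identity
    remote_identity: str     # Shrew client: Remote Identity
    preshared_key: str
    auth: str                # "psk" for pre-shared key
    dh_group: int
    cipher: str
    hash: str


def check_phase1(ssg: SsgSide, client: ShrewSide) -> dict:
    """Return {'errors': [...], 'warnings': [...]} describing Phase 1 mismatches.

    Identities are compared byte-for-byte after trimming whitespace: an FQDN
    identity is an opaque string to IKE, so 'client.domain.com' does not
    match 'client.shrew.net' even though both are well-formed names.
    """
    errors, warnings = [], []
    if ssg.user_ike_identity.strip() != client.local_identity.strip():
        errors.append(f"identity mismatch: SSG user IKE Identity {ssg.user_ike_identity!r} "
                      f"!= client Local Identity {client.local_identity!r}")
    if ssg.gateway_local_id.strip() != client.remote_identity.strip():
        errors.append(f"identity mismatch: SSG gateway Local ID {ssg.gateway_local_id!r} "
                      f"!= client Remote Identity {client.remote_identity!r}")
    if ssg.preshared_key != client.preshared_key:
        errors.append("pre-shared key differs between the two ends")

    # The client offers one parameter set; the gateway must list a proposal equal to it.
    offered = [parse_ssg_proposal(p) for p in ssg.proposals]
    wanted = {"auth": client.auth, "dh_group": client.dh_group,
              "cipher": client.cipher, "hash": client.hash}
    if wanted not in offered:
        errors.append(f"no SSG Phase 1 proposal matches the client's offer {wanted}")

    dupes = sorted(p for p, n in Counter(ssg.proposals).items() if n > 1)
    if dupes:
        warnings.append(f"duplicate Phase 1 proposals on the SSG (likely a typo): {dupes}")
    return {"errors": errors, "warnings": warnings}


# Constructed sample data mirroring the thread: SSG set up per the Howto text,
# client per the Howto's incorrect 'client.domain.com' Local Identity.
SAMPLE_SSG = SsgSide(
    user_ike_identity="client.shrew.net",
    gateway_local_id="vpngw.shrew.net",
    preshared_key="example-psk-not-real",
    proposals=("pre-g2-3des-sha", "pre-g2-3des-md5",
               "pre-g2-aes128-sha", "pre-g2-aes128-sha"),  # screenshot repeats aes128-sha
)
SAMPLE_CLIENT_AS_WRITTEN = ShrewSide(
    local_identity="client.domain.com", remote_identity="vpngw.shrew.net",
    preshared_key="example-psk-not-real",
    auth="psk", dh_group=2, cipher="aes128", hash="sha1",
)
SAMPLE_CLIENT_FIXED = replace(SAMPLE_CLIENT_AS_WRITTEN, local_identity="client.shrew.net")

if __name__ == "__main__":
    for label, client in (("as written", SAMPLE_CLIENT_AS_WRITTEN), ("fixed", SAMPLE_CLIENT_FIXED)):
        print(label, check_phase1(SAMPLE_SSG, client))
```

<div>Run as written, the first check reports only the Local Identity mismatch (the symptom behind "unrecognized peer gateway"), and the fixed client passes with nothing but the duplicate-proposal warning; a client asking for aes128-md5 would additionally fail the proposal check against that screenshot list, which is why the text/screenshot discrepancy matters.</div>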