On 2/20/2010 5:55 AM, Felix Pablo Grande wrote:
> Hi,
>
> I built a VPN tunnel with the Shrew client and a Juniper SSG-140 firewall, but
> when I try to ping a host on the internal network, I don't receive a pong.
>

Felix,

You are trying to manually specify a client virtual IP address that exists in one of your remote networks (172.16.100/24). This won't work. You need to specify an IP address from a network that doesn't exist behind your gateway and configure policies to allow traffic from the network you select to traverse your gateway to the private networks. Please see the Juniper howto guide for more details.

-Matthew

> In Security associations appear:
>
> Established - 0
> Expired - 0
> Errors - 0
>
> Tunnel
>
> Status - Connected
> Remote Host - Public IP of firewall
> Transport Used - NAT-T / IKE | ESP
> IKE fragmentation - Disabled
> Dead Peer Detection - Enabled
>
> And the configuration is:
>
> n:version:2
> n:network-ike-port:500
> n:network-natt-port:4500
> n:network-natt-rate:15
> n:network-frag-size:540
> n:network-dpd-enable:1
> n:network-notify-enable:1
> n:client-banner-enable:0
> n:client-dns-used:1
> n:client-dns-auto:0
> b:auth-mutual-psk:MyPassword
> n:phase1-dhgroup:2
> n:phase1-keylen:0
> n:phase1-life-secs:28800
> n:phase1-life-kbytes:0
> n:vendor-chkpt-enable:0
> n:phase2-keylen:0
> n:phase2-pfsgroup:2
> n:phase2-life-secs:3600
> n:phase2-life-kbytes:0
> n:policy-nailed:0
> n:policy-list-auto:0
> n:network-mtu-size:1380
> n:client-addr-auto:0
> s:network-host:Firewall Public IP
> s:client-auto-mode:disabled
> s:client-iface:virtual
> s:client-ip-addr:172.16.100.169
> s:client-ip-mask:255.255.255.0
> s:network-natt-mode:enable
> s:network-frag-mode:enable
> s:client-dns-addr:172.16.100.2
> s:client-dns-suffix:mydomain.com
> s:auth-method:mutual-psk
> s:ident-client-type:ufqdn
> s:ident-client-data:[email protected]
> s:ident-server-type:address
> s:ident-server-data:172.16.100.169
> s:phase1-exchange:aggressive
> s:phase1-cipher:des
> s:phase1-hash:md5
> s:phase2-transform:des
> s:phase2-hmac:md5
> s:ipcomp-transform:disabled
> s:policy-list-include:172.16.100.0 / 255.255.255.0,172.17.100.0 / 255.255.255.0
>
> Can you help me?
>
> Best regards,
>
> --
> Félix Pablo Grande Ramos
>
> The hardest thing is to know ourselves; the easiest is to speak ill of others.
>
> Thales of Miletus
>
>
> _______________________________________________
> vpn-help mailing list
> [email protected]
> http://lists.shrew.net/mailman/listinfo/vpn-help
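As an added example (not code from this thread or from Shrew Soft), a small Python check that reads the `type:key:value` site-configuration format quoted above and flags a manually set client virtual IP that lies inside one of the `policy-list-include` networks, the overlap Matthew points out; the config excerpt is constructed from the poster's values.

```python
import ipaddress

# Constructed excerpt of a Shrew Soft site configuration in the
# 'type:key:value' format quoted in the thread (values mirror the post).
SITE_CONF = """\
n:client-addr-auto:0
s:client-iface:virtual
s:client-ip-addr:172.16.100.169
s:client-ip-mask:255.255.255.0
n:policy-list-auto:0
s:policy-list-include:172.16.100.0 / 255.255.255.0,172.17.100.0 / 255.255.255.0
"""


def parse_site_conf(text):
    """Return {key: value} from 'type:key:value' lines (type is n, s or b)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.count(":") < 2:
            continue
        _kind, key, value = line.split(":", 2)
        conf[key] = value
    return conf


def included_networks(conf):
    """Parse 'net / mask' entries of policy-list-include into IPv4 networks."""
    nets = []
    for entry in conf.get("policy-list-include", "").split(","):
        entry = entry.strip()
        if not entry:
            continue
        net, mask = (part.strip() for part in entry.split("/", 1))
        nets.append(ipaddress.ip_network(f"{net}/{mask}", strict=False))
    return nets


def virtual_ip_conflicts(conf):
    """Return the remote networks that contain the manually set virtual IP.

    Only applies when the address is set by hand (client-addr-auto is 0).
    A non-empty result is the configuration Matthew says won't work: the
    client claims an address inside a network the tunnel is meant to reach.
    """
    if conf.get("client-addr-auto", "0") != "0" or "client-ip-addr" not in conf:
        return []
    vip = ipaddress.ip_address(conf["client-ip-addr"])
    return [str(n) for n in included_networks(conf) if vip in n]


if __name__ == "__main__":
    for bad in virtual_ip_conflicts(parse_site_conf(SITE_CONF)):
        print(f"client virtual IP lies inside remote network {bad}")
```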
