I have been trying to set up a VPN connection to an SSG5 by following the instructions at:
http://www.shrew.net/support/wiki/HowtoJuniperSsg

I am able to establish a connection on the client and get an IP address, but then I get some more error messages on the SSG5. Can someone point me to what they mean? It says no policy exists for the proxy ID, and then that the VPN does not have an application SA. I don't understand either message. Here they are:

2010-06-25 22:36:57 info Rejected an IKE packet on ethernet0/0 from 71.191.197.230:4500 to xx.xx.xx.17:4500 with cookies 0e6193f393015ecd and e153abc6ac9a3cb5 because the VPN does not have an application SA configured.
2010-06-25 22:36:57 info IKE<71.191.197.230> Phase 2: No policy exists for the proxy ID received: local ID (<192.168.100.0>/<255.255.255.0>, <0>, <0>) remote ID (<192.168.100.130>/<255.255.255.255>, <0>, <0>).
2010-06-25 22:36:57 info IKE<71.191.197.230> Phase 2 msg ID <8d82f56c>: Responded to the peer's first message.
2010-06-25 22:36:46 info IKE<71.191.197.230>: XAuth login was passed for gateway <vpnclient_gateway>, username <igor>, retry: 0, Client IP Addr<192.168.100.130>, IPPool name:<vpn>, Session-Timeout:<0s>, Idle-Timeout:<0s>.

Thanks!
Igor

________________________________
From: Rui Cordeiro <[email protected]>
To: Igor Birman <[email protected]>
Cc: [email protected]
Sent: Thu, June 24, 2010 11:03:12 AM
Subject: Re: [vpn-help] Can't connect Shrewsoft to SSG5

Hi,

I have just finished configuring a VPN connection against a Juniper with version 5.4 and the data on the link is accurate and everything worked fine.

If you can send some print screens of the configs, Juniper and Shrew Client I can try to help you (just delete sensitive info).

Regards,
Rui Cordeiro

Igor Birman wrote:
> I am trying to connect to an SSG5. I followed the guide:
>
> http://www.shrew.net/support/wiki/HowtoJuniperSsg
>
> but the client stops at "bringing up tunnel" and then hangs there forever. On the server, I have the following messages:
>
> 2010-06-24 07:47:03 info IKE<71.191.197.230>: Received initial contact notification and removed Phase 1 SAs.
> 2010-06-24 07:47:03 info IKE<71.191.197.230>: Received initial contact notification and removed Phase 2 SAs.
> 2010-06-24 07:47:03 info IKE<71.191.197.230>: Received a notification message for DOI <1> <24578> <INITIAL-CONTACT>.
> 2010-06-24 07:47:03 info IKE<71.191.197.230> Phase 1: Completed Aggressive mode negotiations with a <28800>-second lifetime.
> 2010-06-24 07:47:03 info IKE<71.191.197.230> Phase 1: Completed for user <Test>.
> 2010-06-24 07:47:03 info IKE<71.191.197.230> Phase 1: IKE responder has detected NAT in front of the remote device.
> 2010-06-24 07:47:03 info IKE<71.191.197.230> Phase 1: IKE responder has detected NAT in front of the local device.
> 2010-06-24 07:47:03 info IKE<71.191.197.230> Phase 1: Responder starts AGGRESSIVE mode negotiations.
>
> What am I missing?
>
> Thanks,
> Igor
> _______________________________________________
> vpn-help mailing list
> [email protected]
> http://lists.shrew.net/mailman/listinfo/vpn-help
