On Fri, 25 Jun 2010 19:32:10 -0700 (PDT) Igor Birman <[email protected]> wrote:
> I have been trying to set up a VPN connection to an SSG5 by following
> the instructions at:
>
> http://www.shrew.net/support/wiki/HowtoJuniperSsg
>
> I am able to establish a connection on the client and get an IP
> address, but then I get some more error messages on the SSG5. Can
> someone point me to what they mean? It says no policy exists for the
> proxy ID, and then that the VPN does not have an application SA. I
> don't understand either message. Here they are:
>
> 2010-06-25 22:36:57 info Rejected an IKE packet on ethernet0/0 from
> 71.191.197.230:4500 to xx.xx.xx.17:4500 with cookies 0e6193f393015ecd
> and e153abc6ac9a3cb5 because the VPN does not have an application SA
> configured.
> 2010-06-25 22:36:57 info IKE<71.191.197.230> Phase 2: No policy
> exists for the proxy ID received: local ID
> (<192.168.100.0>/<255.255.255.0>, <0>, <0>) remote ID
> (<192.168.100.130>/<255.255.255.255>, <0>, <0>).
> 2010-06-25 22:36:57 info IKE<71.191.197.230> Phase 2 msg ID
> <8d82f56c>: Responded to the peer's first message.
> 2010-06-25 22:36:46 info IKE<71.191.197.230>: XAuth login was passed for gateway
> <vpnclient_gateway>, username <igor>, retry: 0, Client IP
> Addr<192.168.100.130>, IPPool name:<vpn>, Session-Timeout:<0s>,
> Idle-Timeout:<0s>.
>
> Thanks!
> Igor

Hi Igor,

I would first check the AutoKey IKE Proxy-ID settings (VPNs -> AutoKey IKE -> Edit -> Advanced). If you enable the Proxy-ID, I think those have to match the policy you've defined in the Shrew profile. For example, if you have defined in the Shrew profile (on the Policy tab) that all traffic be tunneled, I think the Local IP/Netmask on the SSG should be 0.0.0.0/0. If you've specified a subnet in Shrew (e.g. 10.1.0.0/255.255.0.0), then the Local IP/Mask on the SSG should be 10.1.0.0/16. You really don't need to enable the Proxy-ID, however.

If those are correct (or you don't have the Proxy-ID enabled), then make sure you have a firewall policy defined that matches the Shrew VPN profile. Going by my second example above, the policy should be defined as:

From zone: Untrust
To zone: Trust
Source address: Dial-Up VPN
Destination address: 10.1.0.0/16 (for example)

The Destination Address is what needs to match the entry in the Shrew profile Policy tab. For my first example (tunnel all), the destination address would be Any.

_______________________________________________
vpn-help mailing list
[email protected]
http://lists.shrew.net/mailman/listinfo/vpn-help
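The proxy-ID and firewall-policy matching that the reply walks through, as an added example that is not part of this thread and not Shrew Soft's or Juniper's code: a small Python checker that parses the ScreenOS "No policy exists for the proxy ID received" line, derives the SSG-side local Proxy-ID a given Shrew Policy-tab entry would need, and tests whether any configured Untrust-to-Trust Dial-Up VPN policy destination covers the local ID the client proposed. The log sample and the policy table are constructed from the values in the thread; the policy record shape, the `diagnose`/`find_matching_policy` helper names, and the reading of the two trailing `<0>` fields of each ID as IP protocol and port are assumptions.

```python
import ipaddress
import re

# Constructed sample, in the ScreenOS log format quoted in the thread.
SAMPLE_LOG = (
    "2010-06-25 22:36:57 info IKE<71.191.197.230> Phase 2: No policy exists "
    "for the proxy ID received: local ID (<192.168.100.0>/<255.255.255.0>, "
    "<0>, <0>) remote ID (<192.168.100.130>/<255.255.255.255>, <0>, <0>)."
)

# Assumption: the two trailing <n> fields of each ID are IP protocol and port.
_ID = r"\(<([\d.]+)>/<([\d.]+)>, <(\d+)>, <(\d+)>\)"
PROXY_ID_RE = re.compile(r"local ID " + _ID + r" remote ID " + _ID)


def parse_proxy_ids(line):
    """Extract the local/remote proxy IDs from a ScreenOS Phase 2 log line.

    Returns None for lines that do not carry a proxy-ID pair.
    """
    m = PROXY_ID_RE.search(line)
    if not m:
        return None
    l_ip, l_mask, l_proto, l_port, r_ip, r_mask, r_proto, r_port = m.groups()
    return {
        "local": ipaddress.ip_network(f"{l_ip}/{l_mask}", strict=False),
        "remote": ipaddress.ip_network(f"{r_ip}/{r_mask}", strict=False),
        "local_proto_port": (int(l_proto), int(l_port)),
        "remote_proto_port": (int(r_proto), int(r_port)),
    }


def ssg_local_proxy_id(shrew_policy_entry):
    """Map a Shrew profile Policy-tab entry to the SSG-side local Proxy-ID.

    None or "all" means "tunnel all traffic" and needs 0.0.0.0/0 on the SSG;
    an address/netmask entry such as "10.1.0.0/255.255.0.0" becomes 10.1.0.0/16.
    """
    if shrew_policy_entry in (None, "all"):
        return "0.0.0.0/0"
    return str(ipaddress.ip_network(shrew_policy_entry, strict=False))


def find_matching_policy(proxy_ids, policies):
    """Return the first Untrust->Trust Dial-Up VPN policy whose destination
    covers the local ID the client proposed, or None (the SSG's
    "No policy exists for the proxy ID" case). "Any" covers everything."""
    for pol in policies:
        key = (pol["from_zone"], pol["to_zone"], pol["source"])
        if key != ("Untrust", "Trust", "Dial-Up VPN"):
            continue
        dest = pol["destination"]
        if dest == "Any":
            return pol
        if proxy_ids["local"].subnet_of(ipaddress.ip_network(dest, strict=False)):
            return pol
    return None


# Constructed policy table, shaped like the reply's second example (hypothetical records).
POLICIES = [
    {"from_zone": "Untrust", "to_zone": "Trust",
     "source": "Dial-Up VPN", "destination": "10.1.0.0/16"},
]


def diagnose(line, policies):
    """Human-readable verdict for one log line against a policy table."""
    ids = parse_proxy_ids(line)
    if ids is None:
        return "no proxy-ID pair in this line"
    pol = find_matching_policy(ids, policies)
    if pol:
        return f"local ID {ids['local']} is covered by destination {pol['destination']}"
    return (f"local ID {ids['local']} is not covered by any Dial-Up VPN policy "
            f"destination; the policy destination and the Shrew Policy-tab entry must match")


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, POLICIES))
```

Run against the constructed sample, the checker reports that 192.168.100.0/24 (the local ID in the log) is not covered by a policy whose destination is 10.1.0.0/16, which is the mismatch the reply tells Igor to look for; swapping the destination for 192.168.100.0/24 or Any makes it match.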
