Thanks, that helped. So SA is the Security Association aka Policy? My policy was set up incorrectly, I changed the policies on the client and on the SSG5 to match, and I no longer get that error. Now the only remaining problem is that I can't seem to ping the trusted network from my computer. It looks like all is connected, there are no errors, but ping goes nowhere. Is there anything else I need to do? My goal is to get from 192.168.100.130 (client IP), to 192.168.100.100 (server IP).
This is the last event message that I see:

Auth login was passed for gateway <vpnclient_gateway>, username <praetorian>, retry: 0, Client IP Addr<192.168.100.130>, IPPool name:<vpn>, Session-Timeout:<0s>, Idle-Timeout:<0s>.

I am attaching the SSG and ShrewSoft configs:

set clock timezone -5
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "DMZ" tcp-rst
set zone "VLAN" block
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Untrust"
set interface "ethernet0/1" zone "Null"
set interface "bgroup0" zone "Trust"
set interface "tunnel.1" zone "Untrust"
set interface bgroup0 port ethernet0/1
set interface bgroup0 port ethernet0/2
set interface bgroup0 port ethernet0/3
set interface bgroup0 port ethernet0/4
set interface bgroup0 port ethernet0/5
set interface bgroup0 port ethernet0/6
unset interface vlan1 ip
set interface ethernet0/0 ip *.*.*.17/24
set interface ethernet0/0 route
set interface bgroup0 ip 192.168.100.1/24
set interface bgroup0 nat
set interface tunnel.1 ip unnumbered interface ethernet0/0
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/0 ip manageable
set interface bgroup0 ip manageable
set interface ethernet0/0 manage ping
set interface ethernet0/0 manage ssh
set interface ethernet0/0 manage ssl
set interface bgroup0 dhcp server service
set interface bgroup0 dhcp server enable
set interface bgroup0 dhcp server option lease 1440
set interface bgroup0 dhcp server option gateway 192.168.100.1
set interface bgroup0 dhcp server option netmask 255.255.255.0
set interface bgroup0 dhcp server option dns1 71.252.0.12
set interface bgroup0 dhcp server option dns2 68.237.161.12
set interface bgroup0 dhcp server ip 192.168.100.101 to 192.168.100.150
unset interface bgroup0 dhcp server config next-server-ip
set flow tcp-mss
unset flow no-tcp-seq-check
set flow tcp-syn-check
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set address "Trust" "192.168.100.100/32" 192.168.100.100 255.255.255.255
set address "Trust" "Trusted Network" 255.255.255.0 255.255.255.128
set ippool "vpn" 192.168.100.130 192.168.100.140
set user "praetorian" uid 14
set user "praetorian" type xauth
set user "praetorian" password "U2eCWDknN9NQK6shDeC5Ij3HVBna/ZpcFQ=="
unset user "praetorian" type auth
set user "praetorian" "enable"
set user "vpnclient_P1" uid 12
set user "vpnclient_P1" ike-id fqdn "client.gatekeeper.com" share-limit 1
set user "vpnclient_P1" type ike
set user "vpnclient_P1" "enable"
set user-group "vpnclient_group" id 3
set user-group "vpnclient_group" user "vpnclient_P1"
set ike gateway "vpnclient_gateway" dialup "vpnclient_group" Main local-id "gateway.gatekeeper.com" outgoing-interface "ethernet0/0" preshare "Al/ROO66NmvlIwsjUhCWqDd7/fn9NrlQnA==" proposal "pre-g2-3des-sha" "pre-g2-3des-md5" "pre-g2-aes128-sha" "pre-g2-aes128-md5"
unset ike gateway "vpnclient_gateway" nat-traversal udp-checksum
set ike gateway "vpnclient_gateway" nat-traversal keepalive-frequency 5
set ike gateway "vpnclient_gateway" xauth server "Local"
unset ike gateway "vpnclient_gateway" xauth do-edipi-auth
set ike gateway "vpnclient_gateway" dpd interval 30
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set xauth default ippool "vpn"
set xauth default dns1 192.168.100.100
set xauth default dns2 192.168.100.100
set xauth default wins1 192.168.100.100
set xauth default wins2 192.168.100.100
set vpn "vpnclient_tunnel" gateway "vpnclient_gateway" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-sha" "nopfs-esp-3des-md5" "nopfs-esp-aes128-sha" "nopfs-esp-aes128-md5"
set url protocol websense
exit
set policy id 14 from "Untrust" to "Trust" "Dial-Up VPN" "Trusted Network" "ANY" tunnel vpn "vpnclient_tunnel" id 21 pair-policy 13
set policy id 14
exit
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit log
set policy id 1
set log session-init
exit
set policy id 13 name "vpnclient_in" from "Trust" to "Untrust" "Trusted Network" "Dial-Up VPN" "ANY" tunnel vpn "vpnclient_tunnel" id 21 pair-policy 14 log
set policy id 13
exit
set nsmgmt report alarm traffic enable
set nsmgmt report alarm attack enable
set nsmgmt report alarm other enable
set nsmgmt report alarm di enable
set nsmgmt report log config enable
set nsmgmt report log info enable
set nsmgmt report log self enable
set nsmgmt report log traffic enable
set nsmgmt init id 1B9066808588C3EBFA20E948597B446D3AB147F800
set nsmgmt server primary 72.245.188.230 port 7800
set nsmgmt bulkcli reboot-timeout 60
set nsmgmt hb-interval 20
set nsmgmt hb-threshold 5
set nsmgmt enable
set ssh version v2
set ssh enable
set config lock timeout 5
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface ethernet0/0 gateway *.*.*.1 preference 20
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit

ShrewSoft:

n:version:2
n:network-ike-port:500
n:network-mtu-size:1380
n:client-addr-auto:1
n:network-natt-port:4500
n:network-natt-rate:15
n:network-frag-size:540
n:network-dpd-enable:1
n:client-banner-enable:1
n:network-notify-enable:1
n:client-wins-used:1
n:client-wins-auto:1
n:client-dns-used:1
n:client-dns-auto:1
n:client-splitdns-used:1
n:client-splitdns-auto:1
n:phase1-dhgroup:2
n:phase1-life-secs:86400
n:phase1-life-kbytes:0
n:vendor-chkpt-enable:0
n:phase2-life-secs:3600
n:phase2-life-kbytes:0
n:policy-nailed:0
n:policy-list-auto:0
s:network-host:**.**.**.17
s:client-auto-mode:push
s:client-iface:virtual
s:network-natt-mode:enable
s:network-frag-mode:enable
s:auth-method:mutual-psk-xauth
s:ident-client-type:fqdn
s:ident-server-type:fqdn
s:ident-client-data:client.shrew.com
s:ident-server-data:gateway.shrew.com
b:auth-mutual-psk:Z2F0ZWtlZXBlcg==
s:phase1-exchange:aggressive
s:phase1-cipher:auto
s:phase1-hash:auto
s:phase2-transform:auto
s:phase2-hmac:auto
s:ipcomp-transform:disabled
n:phase2-pfsgroup:-1
s:policy-list-include:192.168.100.130 / 255.255.255.255

Thanks!
Igor

________________________________
From: kevin shrew-vpn <[email protected]>
To: [email protected]
Sent: Sat, June 26, 2010 1:28:27 PM
Subject: Re: [vpn-help] Almost connected shrewsoft to Juniper SSG5?

On Fri, 25 Jun 2010 19:32:10 -0700 (PDT) Igor Birman <[email protected]> wrote:

> I have been trying to set up a VPN connection to an SSG5 by following the instructions at:
>
> http://www.shrew.net/support/wiki/HowtoJuniperSsg
>
> I am able to establish a connection on the client and get an IP address, but then I get some more error messages on the SSG5. Can someone point me to what they mean? It says no policy exists for the proxy ID, and then that the VPN does not have an application SA. I don't understand either message.
> Here they are:
>
> 2010-06-25 22:36:57 info Rejected an IKE packet on ethernet0/0 from 71.191.197.230:4500 to xx.xx.xx.17:4500 with cookies 0e6193f393015ecd and e153abc6ac9a3cb5 because the VPN does not have an application SA configured.
> 2010-06-25 22:36:57 info IKE<71.191.197.230> Phase 2: No policy exists for the proxy ID received: local ID (<192.168.100.0>/<255.255.255.0>, <0>, <0>) remote ID (<192.168.100.130>/<255.255.255.255>, <0>, <0>).
> 2010-06-25 22:36:57 info IKE<71.191.197.230> Phase 2 msg ID <8d82f56c>: Responded to the peer's first message.
> 2010-06-25 22:36:46 info IKE<71.191.197.230>: XAuth login was passed for gateway <vpnclient_gateway>, username <igor>, retry: 0, Client IP Addr<192.168.100.130>, IPPool name:<vpn>, Session-Timeout:<0s>, Idle-Timeout:<0s>.
>
> Thanks!
> Igor

Hi Igor,

I would first check the AutoKey IKE Proxy-ID settings (VPNs->AutoKey IKE->Edit->Advanced). If you enable the Proxy-ID, I think those have to match the policy you've defined in the Shrew profile. For example, if you have defined in the Shrew profile (on the Policy tab) that all traffic be tunneled, I think the Local IP/Netmask on the SSG should be 0.0.0.0/0. If you've specified a subnet in Shrew (e.g. 10.1.0.0/255.255.0.0) then the Local IP/Mask on the SSG should be 10.1.0.0/16. You really don't need to enable the Proxy-ID, however.

If those are correct (or you don't have the Proxy-ID enabled), then make sure you have a firewall policy defined that matches the Shrew VPN profile. Going by my second example above, the policy should be defined as:

From zone Untrust
To zone Trust
Source address Dial-Up VPN
Destination address 10.1.0.0/16 (for example)

The Destination Address is what needs to match the entry in the Shrew profile Policy tab. For my first example (tunnel all), the destination address would be Any.

_______________________________________________
vpn-help mailing list
[email protected]
http://lists.shrew.net/mailman/listinfo/vpn-help
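Kevin's point, that the destination address in the SSG tunnel policy and the entry on the Shrew profile's Policy tab have to agree (and, if Proxy-ID is enabled, the SSG's local proxy ID too), can be checked mechanically rather than by eye. The Python script below is an added example for this thread; it is not code from the thread, from Juniper or from Shrew Soft. It parses the two lines from the configs posted above that decide what traffic each side puts in the tunnel (the "Trusted Network" address-book entry on the SSG and the policy-list-include line in the Shrew profile), takes the SSG's local proxy ID from the log excerpt quoted earlier, and reports whether a chosen destination, 192.168.100.100 here, is selected for the tunnel by each side. The regular expressions, function names and report layout are this example's own assumptions. Run on the posted lines it shows that neither side's entry contains 192.168.100.100, which is consistent with a ping that produces no error but goes nowhere.

```python
"""Check whether a destination host is covered by both ends of a ScreenOS
dial-up VPN: the address-book entry used by the tunnel policy on the SSG,
and the ShrewSoft profile's policy-list-include entry on the client.

Added example, not code from the vpn-help thread, from Juniper or from
Shrew Soft. Parsing is limited to the two line formats shown below; the
function names and report keys are this example's own."""
import ipaddress
import re

# Sample input copied from the configs and log posted in the thread
# (a constructed fixture for this example, not a live capture).
SSG_ADDRESS_LINE = 'set address "Trust" "Trusted Network" 255.255.255.0 255.255.255.128'
SHREW_INCLUDE_LINE = "s:policy-list-include:192.168.100.130 / 255.255.255.255"
SSG_PROXY_LOCAL_ID = "192.168.100.0/255.255.255.0"   # "local ID" from the SSG log
DESTINATION = "192.168.100.100"                      # the server Igor wants to ping

_SSG_ADDR_RE = re.compile(
    r'set address "(?P<zone>[^"]+)" "(?P<name>[^"]+)" (?P<ip>[\d.]+) (?P<mask>[\d.]+)'
)
_SHREW_INCL_RE = re.compile(r"s:policy-list-include:(?P<ip>[\d.]+)\s*/\s*(?P<mask>[\d.]+)")


def parse_screenos_address(line):
    """Return (entry name, network) from a ScreenOS 'set address' line."""
    m = _SSG_ADDR_RE.match(line.strip())
    if m is None:
        raise ValueError("not a ScreenOS address-book line: %r" % line)
    # strict=False masks off host bits the way the firewall itself would.
    net = ipaddress.ip_network("%s/%s" % (m.group("ip"), m.group("mask")), strict=False)
    return m.group("name"), net


def parse_shrew_include(line):
    """Return the network from a Shrew Soft profile 'policy-list-include' line."""
    m = _SHREW_INCL_RE.match(line.strip())
    if m is None:
        raise ValueError("not a Shrew policy-list-include line: %r" % line)
    return ipaddress.ip_network("%s/%s" % (m.group("ip"), m.group("mask")), strict=False)


def diagnose(dest, ssg_address_line, shrew_include_line, ssg_proxy_local_id=None):
    """Report whether traffic to `dest` is selected for the tunnel on each
    side, and (optionally) whether the SSG's local proxy ID equals the
    client's include entry, the match Kevin's reply describes."""
    dest_ip = ipaddress.ip_address(dest)
    name, ssg_net = parse_screenos_address(ssg_address_line)
    shrew_net = parse_shrew_include(shrew_include_line)
    report = {
        "ssg_entry": name,
        "ssg_network": str(ssg_net),
        "ssg_covers_dest": dest_ip in ssg_net,
        "shrew_include": str(shrew_net),
        "shrew_covers_dest": dest_ip in shrew_net,
        "problems": [],
    }
    if not report["ssg_covers_dest"]:
        report["problems"].append(
            "SSG address entry %r is %s, which does not contain %s; the tunnel "
            "policy will never match traffic to that host" % (name, ssg_net, dest_ip))
    if not report["shrew_covers_dest"]:
        report["problems"].append(
            "Shrew policy-list-include %s does not contain %s; the client routes "
            "that traffic outside the tunnel" % (shrew_net, dest_ip))
    if ssg_proxy_local_id is not None:
        proxy = ipaddress.ip_network(ssg_proxy_local_id, strict=False)
        report["ssg_proxy_local_id"] = str(proxy)
        report["proxy_id_matches"] = proxy == shrew_net
        if not report["proxy_id_matches"]:
            report["problems"].append(
                "SSG local proxy ID %s differs from the Shrew include %s; with "
                "Proxy-ID enabled the SSG logs 'No policy exists for the proxy ID'"
                % (proxy, shrew_net))
    return report


if __name__ == "__main__":
    result = diagnose(DESTINATION, SSG_ADDRESS_LINE, SHREW_INCLUDE_LINE, SSG_PROXY_LOCAL_ID)
    for key, value in result.items():
        print("%s: %s" % (key, value))
```

The script only compares address selectors; it does not touch Phase 1 or Phase 2 proposals, which the thread shows already negotiating. Pass it the corrected pair of lines (an address-book entry for the real trusted subnet and a matching include on the client) and `problems` comes back empty, which is the state to aim for before retrying the ping.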
