Hi Igor,

I don't think that Proxy-ID is needed for a dial-up policy-based VPN, so you can try simply unchecking/disabling the Proxy-ID setting in the configuration. The addresses in the policy definition will be used instead to define the Security Association (SA).

-----Original Message-----
From: Igor Manassypov <[email protected]>
Date: Wed, 27 Oct 2010 01:00:43
To: <[email protected]>
Subject: [vpn-help] shrew to juniper dialup, specific ip/service only

Hi,

I would appreciate some help with setting up the dial-up VPN with shrew to Juniper NetScreen. The vanilla example presented on the shrew support page works fine. However, if I attempt to narrow down the "dial-up vpn -> trust" policy to a specific list of IP addresses and only on specific ports, I start receiving "Rejected an IKE packet ... because the VPN does not have an application SA configured".

It appears to me that this is a Proxy-ID issue; however, I can't seem to figure out how to solve it. The trust-specific IP addresses included on the dial-up policy match those in the shrew 'policy' tab.

Your help is greatly appreciated.

Thank you,
Igor M., M.Eng, P.Eng
Network Architect
