Hi Kevin,

Thanks for your response. I did indeed notice this discrepancy in the help page, but I made sure to use my own "client.myvpn.com" in both Juniper firewall and client phase 1 settings. Same as well for the phase 2 settings, using "vpngw.myvpn.com", so I don't think that's the issue.
I've also checked the following - I can telnet to the public IP of the Juniper VPN on port 80, but I can't telnet to the public IP of the Juniper VPN on port 500. The firewall I sit behind definitely has port 500 open and I've disabled my Win7 firewall. Is there something I need to do on the Juniper to enable access on port 500? The Juniper is giving the "Phase 1 packet arrived from an unrecognized peer gateway." error, so I imagine the request is making it through, so port 500 probably isn't the issue... Really stumped on this one - can you see anything else in the help docs that might be off?

I noticed another discrepancy in the Phase 1 Security settings in the help page. It says in the instructions to use this:

Phase 1 Proposal
- pre-g2-3des-sha
- pre-g2-3des-md5
- pre-g2-aes128-sha
- pre-g2-aes128-md5

And yet the screenshot of the settings shows something different - it looks like it's using:

- pre-g2-3des-sha
- pre-g2-3des-md5
- pre-g2-aes128-sha
- pre-g2-aes128-sha

Could this be the issue? Which security settings should I be using? (help page is here: http://www.shrew.net/support/wiki/HowtoJuniperSsg )

Thanks in advance,
-Marcus

On Sun, Mar 27, 2011 at 2:17 PM, kevin vpn <[email protected]> wrote:
> On Sat, 26 Mar 2011 23:58:54 +1100
> Marcus Macro <[email protected]> wrote:
>
> > Hi ShrewSoft Team,
> >
> > I'm trying to get the ShrewSoft VPN client to work with my Juniper
> > SSG20 (Firmware v6.1), but am encountering errors when I try to
> > connect.
> >
> > I've exactly followed the directions here:
> > http://www.shrew.net/support/wiki/HowtoJuniperSsg
> >
> > When setting up the VPN client config, I used the example config file
> > and just tweaked the user/pass/presharedkey/ids/IP settings to match
> > my setup: http://www.shrew.net/static/howto/JuniperSsg/juniperssg.vpn
> >
> > But when trying to connect, the ShrewSoft VPN client says this:
> >
> > bringing up tunnel ...
> > negotiation timout occurred
> > tunnel disabled
> > detached from key daemon ...
> >
> > And the Juniper logs says this:
> > Rejected an IKE packet on ethernet0/0 from 99.99.99.99:500
> > to 88.88.88.88:500 with cookies 7393deb8306c7e69 and 0000000000000000
> > because an initial Phase 1 packet arrived from an unrecognized peer
> > gateway.
> >
>
> Hi Marcus,
>
> The Phase 1 settings on the SSG are set in the VPN -> AutoKey Advanced
> -> Gateway settings. It is those settings that have to match what
> Shrew is providing from its own Phase 1 configuration.
>
> I just noticed that Howto is not clear in this regard. In the Howto,
> you first create on the SSG a user called 'vpnclient_ph1id' and give it
> an IKE Identity = 'client.shrew.net'. Later, when configuring the
> Shrew client, the Howto says that the 'Local Identity' should be set to
> 'client.domain.com'. This is incorrect, IKE Identity = Local Identity,
> so both of them should be 'client.shrew.net' or both should be
> 'whatever.somedomain.com.'
>
> The same problem exists on the gateway side, 'Local ID' on the SSG must
> match 'Remote Identity' on the Shrew side (for example both should be
> 'vpngw.shrew.net').
>
> Obviously the pre-shared key must be the same on both ends too.
> _______________________________________________
> vpn-help mailing list
> [email protected]
> http://lists.shrew.net/mailman/listinfo/vpn-help
>
_______________________________________________
vpn-help mailing list
[email protected]
http://lists.shrew.net/mailman/listinfo/vpn-help
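The thread above comes down to two things that have to agree before the SSG will accept the first Phase 1 packet: the crossed identity pairs (the SSG user's IKE Identity equals the client's Local Identity, the SSG gateway's Local ID equals the client's Remote Identity, and the pre-shared key is shared), and at least one Phase 1 proposal in common. The following checker is an added example written for this page; it is not code from the thread or from the Shrew Soft project. It assumes the settings have already been read out of the SSG web UI and the client's configuration into plain dictionaries (the field names `user_ike_identity`, `local_id`, `local_identity`, `remote_identity`, `preshared_key` and `proposals` are the example's own), and it relies on the ScreenOS proposal naming convention, where `pre-g2-3des-sha` means pre-shared-key authentication, DH group 2, 3DES encryption and SHA-1 hashing. The sample values are constructed to mirror the Howto discrepancies Kevin and Marcus describe.

```python
import re

# ScreenOS Phase 1 proposal names follow <auth>-g<dhgroup>-<cipher>-<hash>.
PROPOSAL_RE = re.compile(
    r"^(pre|rsa|dsa)-g(\d+)-(des|3des|aes128|aes192|aes256)-(sha|md5)$"
)


def parse_proposal(name):
    """Split a ScreenOS proposal name such as 'pre-g2-3des-sha' into fields."""
    m = PROPOSAL_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised ScreenOS proposal name: {name!r}")
    auth, group, cipher, hash_ = m.groups()
    return {"auth": auth, "dh_group": int(group), "cipher": cipher, "hash": hash_}


def check_phase1(gateway, client):
    """Compare SSG gateway settings with Shrew client settings.

    Returns a list of mismatch descriptions; an empty list means the two
    sides agree on everything this check covers.  Field names are this
    example's own, not the names used by either product's config files.
    """
    problems = []

    # The identities are crossed: the IKE Identity of the SSG user must equal
    # the client's Local Identity, and the SSG gateway's Local ID must equal
    # the client's Remote Identity.
    if gateway["user_ike_identity"] != client["local_identity"]:
        problems.append(
            f"SSG user IKE Identity {gateway['user_ike_identity']!r} != "
            f"client Local Identity {client['local_identity']!r}"
        )
    if gateway["local_id"] != client["remote_identity"]:
        problems.append(
            f"SSG gateway Local ID {gateway['local_id']!r} != "
            f"client Remote Identity {client['remote_identity']!r}"
        )
    if gateway["preshared_key"] != client["preshared_key"]:
        problems.append("pre-shared key differs between the two sides")

    # Phase 1 can only complete if at least one proposal is offered by both.
    gateway_props = [parse_proposal(p) for p in gateway["proposals"]]
    if not any(p in client["proposals"] for p in gateway_props):
        problems.append("no Phase 1 proposal is offered by both sides")

    # A proposal listed twice is harmless for matching, but usually means the
    # entry that was meant to be there (here pre-g2-aes128-md5) is missing.
    seen, dups = set(), []
    for name in gateway["proposals"]:
        if name in seen and name not in dups:
            dups.append(name)
        seen.add(name)
    for name in dups:
        problems.append(f"proposal {name!r} is listed more than once on the gateway")

    return problems


# Constructed sample settings: the gateway side follows the Howto, while the
# client still carries the 'client.domain.com' identity the Howto text shows,
# and the gateway's proposal list repeats pre-g2-aes128-sha as in the screenshot.
GATEWAY = {
    "user_ike_identity": "client.shrew.net",
    "local_id": "vpngw.shrew.net",
    "preshared_key": "example-psk",
    "proposals": ["pre-g2-3des-sha", "pre-g2-3des-md5",
                  "pre-g2-aes128-sha", "pre-g2-aes128-sha"],
}
CLIENT = {
    "local_identity": "client.domain.com",
    "remote_identity": "vpngw.shrew.net",
    "preshared_key": "example-psk",
    "proposals": [{"auth": "pre", "dh_group": 2, "cipher": "aes128", "hash": "sha"}],
}

if __name__ == "__main__":
    for line in check_phase1(GATEWAY, CLIENT) or ["no mismatches found"]:
        print(line)
```

Run as-is it reports the Local Identity mismatch and the duplicated proposal; correcting the client's Local Identity to `client.shrew.net` and replacing the duplicate with `pre-g2-aes128-md5` makes the list empty. The identity comparison is the one to fix first, because the SSG rejects the initial packet before any proposal is even looked at, which is exactly the "unrecognized peer gateway" log line Marcus quotes.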
