On Mon, 28 Mar 2011 01:17:07 +1100 Marcus Robinson <[email protected]> wrote:
> Hi Kevin,
>
> Thanks for your response. I did indeed notice this discrepancy in the
> help page, but I made sure to use my own "client.myvpn.com" in both
> Juniper firewall and client phase 1 settings. Same as well for the
> phase 2 settings, using "vpngw.myvpn.com", so I don't think that's
> the issue.
>
> I've also checked the following - I can telnet to the public IP of the
> Juniper VPN on port 80, but I can't telnet to the public IP of the
> Juniper VPN on port 500. The firewall I sit behind definitely has
> port 500 open and I've disabled my Win7 firewall. Is there something
> I need to do on the Juniper to enable access on port 500? The Juniper
> is giving the "Phase 1 packet arrived from an unrecognized peer
> gateway.", so I imagine the request is making it through, so port
> 500 probably isn't the issue...
>
> Really stumped on this one - can you see anything else in the help
> docs that might be off?
>
> I noticed another discrepancy in the Phase 1 Security settings in the
> help page. It says in the instructions to use this:
>
> Phase 1 Proposal
>
> - pre-g2-3des-sha
> - pre-g2-3des-md5
> - pre-g2-aes128-sha
> - pre-g2-aes128-md5
>
> And yet the screenshot of the settings shows something different - it
> looks like it's using:
>
> - pre-g2-3des-sha
> - pre-g2-3des-md5
> - pre-g2-aes128-sha
> - pre-g2-aes128-sha
>
> Could this be the issue? Which security settings should I be using?
> (help page is here:
> http://www.shrew.net/support/wiki/HowtoJuniperSsg )

Hi Marcus,

The "unrecognized peer gateway" message tells us that the traffic is reaching the gateway on port 500, so that is not an issue. It also tells us that the problem is with the identification step. This needs to be corrected on the VPN -> AutoKey Advanced -> Gateway definition or on the Shrew Authentication tab.

(Just as an FYI, the screenshots in the Howto are for ScreenOS code 5.x I believe, since some of the Gateway options (like Local ID) have been moved to the Advanced options screen in ScreenOS 6.x.)

Based on what you've said, that you've double-checked the identity values, your problem could be one of the following:

1. You have Use As Seed selected. If so, unselect it.

2. Your Outgoing Interface is not set correctly. Typically it is set to an interface in the Untrust (or V1-Untrust) zone. The Outgoing Interface is the one facing the Shrew client traffic. If it is not correct, delete the Gateway definition (you'll need to delete the VPN definition first too) and create a new one, making sure that you set the Outgoing Interface correctly.

3. The pre-shared key does not match the Shrew config. I would suggest deliberately re-entering it on both just to be sure. For instance, type it into Notepad, then copy-and-paste from Notepad to be sure it is the same on both.

Regarding your question about the Phase 1 Proposal values, only one pair needs to match in order to establish a connection, and the Howto has three matching pairs, so that should not be your problem. Thank you for pointing it out however. Also, if you were getting to the negotiation stage, the error message on the gateway would be "negotiations have failed" rather than "unrecognized peer gateway."

_______________________________________________
vpn-help mailing list
[email protected]
http://lists.shrew.net/mailman/listinfo/vpn-help
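The following is an added example, not code from the Shrew Soft Howto, from Juniper, or from either poster. It models the two Phase 1 checks the reply distinguishes: the identity match that produces "unrecognized peer gateway" when it fails, and the proposal/pre-shared-key agreement that produces "negotiations have failed" when it fails. Proposal names follow the ScreenOS form quoted in the mail ("pre-g2-3des-sha" meaning pre-shared-key authentication, DH group 2, 3DES, SHA-1). The ID values, the proposal lists and the key are taken from or constructed around the mail; the exact conditions behind each ScreenOS message, and the exact-string comparison of IDs after trimming whitespace, are assumptions made for illustration.

```python
"""Model of the IKEv1 Phase 1 checks discussed in the thread.

Added example (not Shrew Soft, Juniper or the posters' code).  The
mapping from "which check fails first" to the two ScreenOS messages
named in the mail is an assumption for illustration.
"""

from dataclasses import dataclass

UNRECOGNIZED_PEER = "Phase 1 packet arrived from an unrecognized peer gateway"
NEGOTIATION_FAILED = "negotiations have failed"


@dataclass
class Peer:
    """One side of the tunnel: what it calls itself, whom it expects,
    its pre-shared key and the Phase 1 proposals it accepts, in
    preference order."""
    local_id: str
    remote_id: str
    preshared_key: str
    proposals: list


def parse_proposal(name):
    """Split a ScreenOS proposal name such as 'pre-g2-3des-sha' into
    (auth, dh_group, cipher, hash)."""
    parts = name.strip().lower().split("-")
    if len(parts) != 4:
        raise ValueError(f"not an <auth>-<group>-<cipher>-<hash> name: {name!r}")
    return tuple(parts)


def matching_proposals(gateway, client):
    """Proposals both sides accept, in the gateway's preference order.
    A repeated entry (like the aes128-sha listed twice in the Howto
    screenshot) counts once, so it neither adds nor removes a match."""
    client_set = {parse_proposal(p) for p in client.proposals}
    seen, matches = set(), []
    for name in gateway.proposals:
        p = parse_proposal(name)
        if p in client_set and p not in seen:
            seen.add(p)
            matches.append("-".join(p))
    return matches


def ids_match(gateway, client):
    """Each side's Local ID must be exactly what the other side has as
    its peer ID.  Surrounding whitespace (a typical copy-paste slip) is
    tolerated here; everything else must be identical (assumption)."""
    return (client.local_id.strip() == gateway.remote_id.strip()
            and client.remote_id.strip() == gateway.local_id.strip())


def diagnose(gateway, client):
    """Return the gateway-side message the configuration would log, or
    None if Phase 1 should complete.  Identity is checked first, as in
    the reply: a peer that cannot be identified never reaches proposal
    or key negotiation."""
    if not ids_match(gateway, client):
        return UNRECOGNIZED_PEER
    if not matching_proposals(gateway, client):
        return NEGOTIATION_FAILED
    if gateway.preshared_key != client.preshared_key:
        return NEGOTIATION_FAILED
    return None


# The two lists Marcus quoted from the Howto text and screenshot.
HOWTO_TEXT = ["pre-g2-3des-sha", "pre-g2-3des-md5",
              "pre-g2-aes128-sha", "pre-g2-aes128-md5"]
HOWTO_SCREENSHOT = ["pre-g2-3des-sha", "pre-g2-3des-md5",
                    "pre-g2-aes128-sha", "pre-g2-aes128-sha"]


def howto_example():
    """Gateway configured as in the screenshot, client as in the text,
    using the ID names from the mail and a constructed key."""
    gateway = Peer("vpngw.myvpn.com", "client.myvpn.com", "s3cret",
                   HOWTO_SCREENSHOT)
    client = Peer("client.myvpn.com", "vpngw.myvpn.com", "s3cret",
                  HOWTO_TEXT)
    return matching_proposals(gateway, client), diagnose(gateway, client)


if __name__ == "__main__":
    matches, outcome = howto_example()
    print("matching proposals:", matches)
    print("outcome:", outcome or "Phase 1 completes")
```

Running it shows the three matching pairs the reply refers to, and `diagnose` returning `None` for the Howto lists; changing a single character of either ID, or the key, flips the result to the corresponding message, which is the same triage the reply walks Marcus through.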
