Really appreciate your help Kevin. I'll check all the points you list below this evening and let you know how it goes.
On Mon, Mar 28, 2011 at 3:45 AM, kevin vpn <[email protected]> wrote:

> On Mon, 28 Mar 2011 01:17:07 +1100
> Marcus Robinson <[email protected]> wrote:
>
> > Hi Kevin,
> >
> > Thanks for your response. I did indeed notice this discrepancy in the
> > help page, but I made sure to use my own "client.myvpn.com" in both
> > Juniper firewall and client phase 1 settings. Same as well for the
> > phase 2 settings, using "vpngw.myvpn.com", so I don't think that's
> > the issue.
> >
> > I've also checked the following - I can telnet to the public IP of the
> > Juniper VPN on port 80, but I can't telnet to the public IP of the
> > Juniper VPN on port 500. The firewall I sit behind definitely has
> > port 500 open and I've disabled my Win7 firewall. Is there something
> > I need to do on the Juniper to enable access on port 500? The Juniper
> > is giving the "Phase 1 packet arrived from an unrecognized peer
> > gateway.", so I imagine the request is making it through, so port
> > 500 probably isn't the issue...
> >
> > Really stumped on this one - can you see anything else in the help
> > docs that might be off?
> >
> > I noticed another discrepancy in the Phase 1 Security settings in the
> > help page. It says in the instructions to use this:
> >
> > Phase 1 Proposal
> >
> > - pre-g2-3des-sha
> > - pre-g2-3des-md5
> > - pre-g2-aes128-sha
> > - pre-g2-aes128-md5
> >
> > And yet the screenshot of the settings shows something different - it
> > looks like it's using:
> >
> > - pre-g2-3des-sha
> > - pre-g2-3des-md5
> > - pre-g2-aes128-sha
> > - pre-g2-aes128-sha
> >
> > Could this be the issue? Which security settings should I be using?
> > (help page is here:
> > http://www.shrew.net/support/wiki/HowtoJuniperSsg )
>
> Hi Marcus,
>
> The "unrecognized peer gateway" message tells us that the traffic is
> reaching the gateway on port 500, so that is not an issue. It also
> tells us that the problem is with the identification step. This needs
> to be corrected on the VPN -> AutoKey Advanced -> Gateway definition or
> on the Shrew Authentication tab.
>
> (Just as an FYI, the screenshots in the Howto are for ScreenOS code 5.x
> I believe, since some of the Gateway options (like Local ID) have been
> moved to the Advanced options screen in ScreenOS 6.x.)
>
> Based on what you've said that you've double-checked the identity
> values, your problem could be one of the following:
>
> 1. You have Use As Seed selected. If so, unselect it.
>
> 2. Your Outgoing Interface is not set correctly. Typically it is set to
> an interface in the Untrust (or V1-Untrust) zone. The Outgoing
> Interface is the one facing the Shrew client traffic. If it is not
> correct, delete the Gateway definition (you'll need to delete the VPN
> definition first too) and create a new one, making sure that you set
> the Outgoing Interface correctly.
>
> 3. The pre-shared key does not match the Shrew config. I would suggest
> deliberately re-entering it on both just to be sure. For instance, type
> it into Notepad, then copy-and-paste from Notepad to be sure it is the
> same on both.
>
> Regarding your question about the Phase 1 Proposal values, only one
> pair needs to match in order to establish a connection, and the Howto
> has three matching pairs, so that should not be your problem. Thank
> you for pointing it out however. Also, if you were getting to the
> negotiation stage, the error message on the gateway would be
> "negotiations have failed" rather than "unrecognized peer gateway."
_______________________________________________ vpn-help mailing list [email protected] http://lists.shrew.net/mailman/listinfo/vpn-help
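The two-step logic Kevin describes (identification first, proposal negotiation second, with a different ScreenOS log message for each) as an added Python model; this is example code written for this page, not Shrew Soft or Juniper code. The gateway entry, IDs, key and "seed:" derivation are constructed stand-ins; the proposal names are the ones from the Howto and the screenshot.

```python
from dataclasses import dataclass


@dataclass
class Gateway:
    """One VPN -> AutoKey Advanced -> Gateway entry (constructed, hypothetical)."""
    name: str
    peer_id: tuple          # (id_type, value) expected from the Shrew client
    proposals: list         # ScreenOS Phase 1 proposal names, e.g. "pre-g2-3des-sha"
    psk: str
    use_as_seed: bool = False


def parse_proposal(name: str) -> tuple:
    """Split 'pre-g2-3des-sha' into (auth, dh_group, cipher, hash)."""
    auth, group, cipher, hash_alg = name.split("-")
    return auth, group, cipher, hash_alg


def matching_proposals(gateway_list, client_list):
    """Return the proposal pairs both sides share; one shared pair is enough."""
    return sorted({parse_proposal(p) for p in gateway_list}
                  & {parse_proposal(p) for p in client_list})


def phase1_outcome(gateways, client_id, client_psk, client_proposals):
    """Return the ScreenOS-style log text a Phase 1 attempt would produce.

    Step 1 is identification: the peer ID and pre-shared key must select a
    configured gateway (the thread lists a wrong ID, 'Use As Seed' and a
    mismatched key as causes); otherwise the log shows
    'Phase 1 packet arrived from an unrecognized peer gateway'.
    Step 2 is proposal negotiation, which is only reached after step 1 passes.
    """
    for gw in gateways:
        # Stand-in for the seed-derived key: with Use As Seed on, the key the
        # gateway actually uses is no longer the literal string that was typed.
        effective_psk = "seed:" + gw.psk if gw.use_as_seed else gw.psk
        if gw.peer_id == client_id and effective_psk == client_psk:
            break
    else:
        return "Phase 1 packet arrived from an unrecognized peer gateway."
    if not matching_proposals(gw.proposals, client_proposals):
        return "negotiations have failed"
    return "Phase 1 established via " + gw.name
```

Running the Howto list against the screenshot list shows the three shared pairs Kevin mentions, and only an ID, seed or key problem produces the "unrecognized peer gateway" text.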
