Hi Gerd,
I disagree with your statement because I think you're not making two key
differentiations that result in an unfair blanket judgment.
First, there was a post a while ago stating that there is a known
problem using XAUTH with Juniper SRX-based devices, because Juniper has
changed how their XAUTH implementation works between the older SSG
devices and their newer SRX devices.
On the other hand, the SSG devices seem to work very well with the Shrew
Soft VPN Client - there are lots of people successfully using SSGs and
Shrew on this list.
The second differentiation is relevant to the issue below, which is the
difference between using passwords vs certificates. Certificates are
hard; people struggle with them all the time in all kinds of
applications (try getting an embedded Java implementation to trust
self-signed certificates for instance) and signing chains are frequently
an issue. That people trying to use certificates are having problems is
not necessarily a problem with Shrew or Juniper - it could just be the
certificates themselves.
I am sure that there are people on this list who use certificates with
Juniper SSGs and Shrew who can help. We merely have to be patient in
the hope that one of them will help out.
On 04/22/2013 07:58 AM, Gerd Röthig wrote:
Hello all,
I have been reading this mailing list for some time now. Again and again, there are
problems with Shrew Soft VPN client and various Juniper equipment. It seems
that Shrew Soft VPN Client simply does not work with the Juniper devices.
Perhaps, this is by design (if Juniper offers their own client software).
Or, it is like many ultra-professional "Web Applications" which only work
with Internet Explorer. Although it seems like a suboptimal idea at first
glance, you should perhaps be thinking about using the Juniper certified
client software (if there is any) or reverting to Cisco Systems VPN client.
Kind regards,
Gerd
2013/4/22 eric xu <[email protected]>
Hi All,
While testing Client 2.17 on Ubuntu 12.04 LTS (following
Howto_Juniper_SSG_Using_Certs) with an SSG20, I came across the following problem:
13/04/22 15:34:16 -> : send NAT-T:IKE packet 192.168.1.108:4500 ->
120.72.49.xxx:4500 ( 2036 bytes )
13/04/22 15:34:16 ii : *unable to get local issuer certificate(20) at
depth:0*
13/04/22 15:34:16 ii : subject :/C=CN/ST=Beijing/L=Beijing/O= Ltd.
/O=Chenhongli Beijing Co./OU=IT/CN=0164022011000224/CN=rsa-key/CN=
vpn.chenhongli-bj.net/CN=Ms. Helen Wang
13/04/22 15:34:16 !! : unable to verify remote peer certificate
Since it is a self-signed certificate, per the howto I did place the ca.crt
into ~/.ike/certs, but I still have the above problem.
Any help will be appreciated.
_______________________________________________
vpn-help mailing list
[email protected]
https://lists.shrew.net/mailman/listinfo/vpn-help
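
Added example, not part of the original thread or of any Shrew Soft or Juniper documentation: the `unable to get local issuer certificate(20)` line in the log is OpenSSL verification error 20, reported when no trusted CA matches the issuer named in the peer certificate. The script below checks offline whether a given CA file is that issuer; `gateway.crt` is a hypothetical name for an exported gateway certificate, and the test PKI the script can build is constructed.

```sh
#!/bin/sh
# Added example (not from the thread): does CA file $1 anchor peer cert $2?
# Returns 0 if the peer chains to the CA, 1 if not, 2 on unreadable input.
check_issuer() {
    ca=$1; peer=$2
    # OpenSSL finds an issuer by name: the peer's issuer hash must equal the
    # CA's subject hash, otherwise verification stops with error 20.
    ca_hash=$(openssl x509 -in "$ca" -noout -subject_hash 2>/dev/null) || return 2
    peer_hash=$(openssl x509 -in "$peer" -noout -issuer_hash 2>/dev/null) || return 2
    if [ "$ca_hash" != "$peer_hash" ]; then
        echo "MISMATCH: $ca is not the issuer named in $peer"
        openssl x509 -in "$peer" -noout -issuer
        openssl x509 -in "$ca" -noout -subject
        return 1
    fi
    # Names match; now check the signature and validity dates too.
    if openssl verify -CAfile "$ca" "$peer" >/dev/null 2>&1; then
        echo "OK: $peer verifies against $ca"
    else
        echo "FAIL: issuer name matches but verification failed"
        return 1
    fi
}

# Constructed throw-away PKI in directory $1: two unrelated CAs (ca_a, ca_b)
# and a gateway certificate gw.crt signed by ca_a. All names are made up.
make_constructed_pki() {
    d=$1
    printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' \
        'x509_extensions=v3_ca' '[dn]' 'CN=unused' \
        '[v3_ca]' 'basicConstraints=critical,CA:TRUE' > "$d/min.cnf"
    for n in a b; do
        openssl req -x509 -config "$d/min.cnf" -newkey rsa:2048 -nodes \
            -subj "/CN=Constructed CA $n" -days 2 \
            -keyout "$d/ca_$n.key" -out "$d/ca_$n.crt" 2>/dev/null || return 1
    done
    openssl req -new -config "$d/min.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=gateway.example" \
        -keyout "$d/gw.key" -out "$d/gw.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/gw.csr" -CA "$d/ca_a.crt" -CAkey "$d/ca_a.key" \
        -CAcreateserial -days 2 -out "$d/gw.crt" 2>/dev/null
}

# With two arguments, check real files, e.g. ~/.ike/certs/ca.crt gateway.crt
if [ "$#" -eq 2 ]; then check_issuer "$1" "$2"; fi
```

A `MISMATCH` result means the file placed in the trust directory is not the CA that signed the gateway certificate, which is the condition error 20 reports.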