REMOVE ME

John Downs, IT Systems and Desktop Support Technician
TAPAD
60 Madison Avenue 3rd FL, New York, NY 10010
Office: 3478174458 | [email protected]
Tapad Named One of Forbes' Most Promising American Companies #12 - 2014
On May 8, 2014, at 12:03 PM, <[email protected]> <[email protected]> wrote:

> To be able to easily edit VPN info, I've created a "NULL VPN" gateway and IKE
> definition, and replace that in whatever depends on the object I want to
> change. It doesn't matter what data you use in those "pseudo" objects.
>
> Here you would have to set AutoKey IKE to use the "NULL VPN" gateway created
> that way, to enable you to recreate the Gateway entry with the correct interface,
> and then you just need to re-set that gateway in IKE. Otherwise you have to
> delete anything related, and start all over.
>
> -----Original Message-----
> From: Ralph Walker [mailto:[email protected]]
> Sent: Wednesday, May 07, 2014 5:46 PM
> To: Q
> Subject: Re: [vpn-help] "unrecognized peer gateway"
>
> Clemens,
>
> Thank you for your help. I am now researching how to remove everything
> so I can re-enter the parameters.
>
> Ralph
>
> On 05/04/2014 03:30 AM, [email protected] wrote:
>> Hi Ralph,
>>
>> You can only set the interface when creating the VPN gateway info, so you
>> will have to remove everything using that VPN gateway definition (VPN
>> policy, VPN "AutoKey IKE", VPN "AutoKey Advanced" » Gateway), and recreate.
>> In "AutoKey Advanced" » Gateway » Advanced you should see "Outgoing
>> Interface", and be able to select your Untrust IF.
>> At least that is where it is in ScreenOS 6.
>>
>> Regards,
>> Clemens Hoffmann
>>
>> -----Original Message-----
>> From: vpn-help [mailto:[email protected]] On Behalf Of
>> [email protected]
>> Sent: Friday, May 02, 2014 5:17 PM
>> To: [email protected]
>> Subject: [vpn-help] "unrecognized peer gateway"
>>
>> I also am a noob to VPN with an SSG5. I am getting the same issue as
>> described below and I am sure I probably have the Outgoing Interface set
>> to default. I cannot figure out where that setting is, as I do not see
>> anything labeled Outgoing Interface specifically.
>>
>> Can someone tell me where this setting may be?
>>
>> Thanks, Ralph
>>
>>
>> Brilliant, thanks Kevin, it's working now!
>>
>> You were right, it was the Outbound Interface - I hadn't properly set it to
>> be the public facing interface that Shrew connects to.
>>
>> The online Shrew instructions are brilliant, but this is an important point
>> that the instructions seem to skip altogether. For n00b sys admins like
>> myself, I didn't think to update the Outbound Interface, I just left it on
>> the default interface, which was incorrect. Probably most sys admins would
>> know to do this though...
>>
>> Thanks for your invaluable help, couldn't have done it without your patience
>> and great instructions!
>>
>>
>> On Mon, Mar 28, 2011 at 3:45 AM, kevin vpn <kvpn at live.com> wrote:
>>
>>> On Mon, 28 Mar 2011 01:17:07 +1100
>>> Marcus Robinson <marcus at marcusrobinson.info> wrote:
>>>
>>>> Hi Kevin,
>>>>
>>>> Thanks for your response. I did indeed notice this discrepancy in the
>>>> help page, but I made sure to use my own "client.myvpn.com" in both
>>>> Juniper firewall and client phase 1 settings. Same as well for the
>>>> phase 2 settings, using "vpngw.myvpn.com", so I don't think that's
>>>> the issue.
>>>>
>>>> I've also checked the following - I can telnet to the public IP of the
>>>> Juniper VPN on port 80, but I can't telnet to the public IP of the
>>>> Juniper VPN on port 500. The firewall I sit behind definitely has
>>>> port 500 open and I've disabled my Win7 firewall. Is there something
>>>> I need to do on the Juniper to enable access on port 500? The Juniper
>>>> is giving the "Phase 1 packet arrived from an unrecognized peer
>>>> gateway." message, so I imagine the request is making it through, so port
>>>> 500 probably isn't the issue...
>>>>
>>>> Really stumped on this one - can you see anything else in the help
>>>> docs that might be off?
>>>>
>>>> I noticed another discrepancy in the Phase 1 Security settings in the
>>>> help page. It says in the instructions to use this:
>>>>
>>>> Phase 1 Proposal
>>>>
>>>> - pre-g2-3des-sha
>>>> - pre-g2-3des-md5
>>>> - pre-g2-aes128-sha
>>>> - pre-g2-aes128-md5
>>>>
>>>> And yet the screenshot of the settings shows something different - it
>>>> looks like it's using:
>>>>
>>>> - pre-g2-3des-sha
>>>> - pre-g2-3des-md5
>>>> - pre-g2-aes128-sha
>>>> - pre-g2-aes128-sha
>>>>
>>>> Could this be the issue? Which security settings should I be using?
>>>> (help page is here:
>>>> http://www.shrew.net/support/wiki/HowtoJuniperSsg )
>>>>
>>> Hi Marcus,
>>>
>>> The "unrecognized peer gateway" message tells us that the traffic is
>>> reaching the gateway on port 500, so that is not an issue. It also
>>> tells us that the problem is with the identification step. This needs
>>> to be corrected on the VPN -> AutoKey Advanced -> Gateway definition or
>>> on the Shrew Authentication tab.
>>>
>>> (Just as an FYI, the screenshots in the Howto are for ScreenOS code 5.x
>>> I believe, since some of the Gateway options (like Local ID) have been
>>> moved to the Advanced options screen in ScreenOS 6.x.)
>>>
>>> Based on what you've said, that you've double-checked the identity
>>> values, your problem could be one of the following:
>>>
>>> 1. You have Use As Seed selected. If so, unselect it.
>>>
>>> 2. Your Outgoing Interface is not set correctly. Typically it is set to
>>> an interface in the Untrust (or V1-Untrust) zone. The Outgoing
>>> Interface is the one facing the Shrew client traffic. If it is not
>>> correct, delete the Gateway definition (you'll need to delete the VPN
>>> definition first too) and create a new one, making sure that you set
>>> the Outgoing Interface correctly.
>>>
>>> 3. The pre-shared key does not match the Shrew config. I would suggest
>>> deliberately re-entering it on both just to be sure. For instance, type
>>> it into Notepad, then copy-and-paste from Notepad to be sure it is the
>>> same on both.
>>>
>>> Regarding your question about the Phase 1 Proposal values, only one
>>> pair needs to match in order to establish a connection, and the Howto
>>> has three matching pairs, so that should not be your problem. Thank
>>> you for pointing it out however. Also, if you were getting to the
>>> negotiation stage, the error message on the gateway would be
>>> "negotiations have failed" rather than "unrecognized peer gateway."
_______________________________________________ vpn-help mailing list [email protected] https://lists.shrew.net/mailman/listinfo/vpn-help
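Kevin's answer makes two points that are easy to verify mechanically: a phase 1 negotiation needs only one proposal common to both sides, and the "unrecognized peer gateway" error is raised before proposal selection even happens. The script below is an added example, not code from the thread, from Shrew Soft or from Juniper. It parses ScreenOS-style predefined proposal names (assumed here to follow the pattern auth-DHgroup-cipher-hash, e.g. "pre-g2-aes128-sha" for pre-shared key, DH group 2, AES-128, SHA-1), computes the proposals shared by the two lists Marcus quoted from the Howto, and flags any that rely on algorithms a defender should not deploy today; the weak-algorithm table and the `MIN_DH_GROUP` threshold are this example's own judgement, not something the thread states.

```python
"""IKEv1 phase 1 proposal matching and hygiene check (added example).

Assumptions (not from the thread): proposal names are four dash-separated
tokens <auth>-g<dh_group>-<cipher>-<hash_alg>; the WEAK table and
MIN_DH_GROUP below are this example's own defensive policy.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Proposal:
    auth: str        # e.g. "pre" (pre-shared key) or "rsa"
    dh_group: int    # Diffie-Hellman group number
    cipher: str      # e.g. "3des", "aes128"
    hash_alg: str    # e.g. "sha", "md5"

    @property
    def name(self) -> str:
        return f"{self.auth}-g{self.dh_group}-{self.cipher}-{self.hash_alg}"


def parse_proposal(name: str) -> Proposal:
    """Split a ScreenOS-style proposal name into its four components."""
    parts = name.strip().lower().split("-")
    if len(parts) != 4:
        raise ValueError(f"unexpected proposal format: {name!r}")
    auth, group, cipher, hash_alg = parts
    if not (group.startswith("g") and group[1:].isdigit()):
        raise ValueError(f"unexpected DH group token in {name!r}")
    return Proposal(auth, int(group[1:]), cipher, hash_alg)


def matching_proposals(gateway: List[str], client: List[str]) -> List[str]:
    """Proposals present on both sides, in the gateway's preference order.

    Duplicates (such as the repeated pre-g2-aes128-sha in the Howto screenshot)
    are collapsed. Phase 1 can succeed as long as this list is non-empty.
    """
    client_set = {parse_proposal(p) for p in client}
    seen = set()
    common = []
    for raw in gateway:
        p = parse_proposal(raw)
        if p in client_set and p not in seen:
            seen.add(p)
            common.append(p.name)
    return common


# Defensive policy of this example: algorithms that should be retired.
WEAK: Dict[str, Dict[str, str]] = {
    "cipher": {"des": "single DES", "3des": "3DES (64-bit block cipher)"},
    "hash_alg": {"md5": "MD5"},
}
MIN_DH_GROUP = 14  # 2048-bit MODP; groups 1, 2 and 5 are too small


def weak_reasons(p: Proposal) -> List[str]:
    """Return the reasons a proposal is considered weak (empty if it is fine)."""
    reasons = []
    if p.cipher in WEAK["cipher"]:
        reasons.append(WEAK["cipher"][p.cipher])
    if p.hash_alg in WEAK["hash_alg"]:
        reasons.append(WEAK["hash_alg"][p.hash_alg])
    if p.dh_group < MIN_DH_GROUP:
        reasons.append(f"DH group {p.dh_group} below group {MIN_DH_GROUP}")
    return reasons


def review(gateway: List[str], client: List[str]) -> Tuple[List[str], Dict[str, List[str]]]:
    """Common proposals plus, for each of them, why it is weak (if it is)."""
    common = matching_proposals(gateway, client)
    findings = {n: weak_reasons(parse_proposal(n)) for n in common}
    return common, {n: r for n, r in findings.items() if r}


# Sample lists taken from the two versions Marcus quoted from the Howto.
HOWTO_TEXT = ["pre-g2-3des-sha", "pre-g2-3des-md5",
              "pre-g2-aes128-sha", "pre-g2-aes128-md5"]
HOWTO_SCREENSHOT = ["pre-g2-3des-sha", "pre-g2-3des-md5",
                    "pre-g2-aes128-sha", "pre-g2-aes128-sha"]

if __name__ == "__main__":
    common, weak = review(HOWTO_TEXT, HOWTO_SCREENSHOT)
    print("common proposals:", common)
    for name, reasons in weak.items():
        print(f"  {name}: " + "; ".join(reasons))
```

Run as-is it reports the three matching proposals Kevin counted, and flags every one of them, since all use DH group 2 and two of them use 3DES or MD5. The matching check only tells you whether a gateway would reach the proposal stage; as the thread notes, an "unrecognized peer gateway" log line means the peer failed identification earlier (peer ID, outgoing interface, or pre-shared key), so if that is the message you see, fixing proposals will not help.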
