Hoping you guys can help.
I have a Juniper SSG-140 firewall. I have about 2 dozen clients connecting using the NetScreen-Remote client version 10.7.7.
The remote gateway type for all is “Dialup user” using shared keys. Each user has their own policy.
I have a problem with 2 users who are dialling in from another company (through an unknown firewall). When there was one user there was no problem connecting. Now that a second user is at that site he cannot get a connection; he is getting the following error on his client:
7-25: 16:15:27.859 My Connections\Company - Initiating IKE Phase 1 (IP ADDR=220.127.116.11)
7-25: 16:15:28.078 My Connections\Company - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID 6x)
7-25: 16:15:43.343 My Connections\Company - message not received! Retransmitting!
7-25: 16:15:43.343 My Connections\Company - SENDING>>>> ISAKMP OAK AG (Retransmission)
7-25: 16:15:58.343 My Connections\Company - message not received! Retransmitting!
7-25: 16:15:58.343 My Connections\Company - SENDING>>>> ISAKMP OAK AG (Retransmission)
7-25: 16:16:13.343 My Connections\Company - message not received! Retransmitting!
7-25: 16:16:13.343 My Connections\Company - SENDING>>>> ISAKMP OAK AG (Retransmission)
7-25: 16:16:28.343 My Connections\Company - Exceeded 3 IKE SA negotiation attempts
Could it be that both clients are originating from the same IP (the company’s external IP address)? If so, how do I get around this problem?
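As an added example (not code from the thread or from Juniper), the following Python script parses NetScreen-Remote client log lines in the format quoted above and flags connections whose aggressive-mode Phase 1 proposal never got a reply before the retry limit, which is the symptom this post shows. The sample log, the gateway IP address and the RECEIVED<<< reply line are constructed for the example.

```python
import re

# Constructed sample in the NetScreen-Remote log format quoted above
# (the IP address and the RECEIVED<<< line are constructed, not from the thread).
SAMPLE_LOG = """\
7-25: 16:15:27.859 My Connections\\Company - Initiating IKE Phase 1 (IP ADDR=192.0.2.10)
7-25: 16:15:28.078 My Connections\\Company - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID 6x)
7-25: 16:15:43.343 My Connections\\Company - message not received! Retransmitting!
7-25: 16:15:43.343 My Connections\\Company - SENDING>>>> ISAKMP OAK AG (Retransmission)
7-25: 16:15:58.343 My Connections\\Company - message not received! Retransmitting!
7-25: 16:15:58.343 My Connections\\Company - SENDING>>>> ISAKMP OAK AG (Retransmission)
7-25: 16:16:13.343 My Connections\\Company - message not received! Retransmitting!
7-25: 16:16:13.343 My Connections\\Company - SENDING>>>> ISAKMP OAK AG (Retransmission)
7-25: 16:16:28.343 My Connections\\Company - Exceeded 3 IKE SA negotiation attempts
7-25: 16:20:01.000 My Connections\\Other - Initiating IKE Phase 1 (IP ADDR=192.0.2.10)
7-25: 16:20:01.200 My Connections\\Other - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID 6x)
7-25: 16:20:01.400 My Connections\\Other - RECEIVED<<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, NAT-D 2x)
"""

# "<month>-<day>: <time> <connection name> - <message>"
LINE_RE = re.compile(r"^\d+-\d+: \d\d:\d\d:\d\d\.\d+ (?P<conn>My Connections\\\S+) - (?P<msg>.*)$")


def diagnose(log_text):
    """Per connection: gateway IP, number of resent Phase 1 packets, outcome,
    and whether the gateway's reply carried NAT-D payloads (NAT-T in use)."""
    report = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not in the expected format
        conn, msg = m.group("conn"), m.group("msg")
        entry = report.setdefault(conn, {"gateway": None, "retransmits": 0,
                                         "outcome": "in progress", "nat_t": False})
        if msg.startswith("Initiating IKE Phase 1"):
            ip = re.search(r"IP ADDR=([\d.]+)", msg)
            entry["gateway"] = ip.group(1) if ip else None
        elif "(Retransmission)" in msg:
            entry["retransmits"] += 1  # aggressive-mode packet sent again
        elif msg.startswith("Exceeded"):
            entry["outcome"] = "phase1_timeout"  # gateway never answered
        elif msg.startswith("RECEIVED<<<") and "OAK AG" in msg:
            entry["outcome"] = "phase1_reply_received"
            entry["nat_t"] = "NAT-D" in msg
    return report


def phase1_timeouts(log_text):
    """Connections whose Phase 1 got no reply at all: the first thing to check
    when several clients share one public IP and NAT traversal is off."""
    return sorted(c for c, e in diagnose(log_text).items() if e["outcome"] == "phase1_timeout")
```

Run `diagnose(SAMPLE_LOG)` on a client's log to see, per connection, how many retransmissions happened and whether any reply (with or without NAT-D) ever came back from the gateway.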
Like most IPSec clients, you'll need to have the clients approach the termination point with a unique IP.
The reason is the source and destination port of UDP 500.
I've seen this in the past with Cisco clients also, where (on an NS firewall) a MIP was needed per user traversing the firewall using an IPSec client.
Hope this helps.
Hi CB, thanks for your prompt reply.
You will have to forgive my limited knowledge on firewalls and clients; I’m a jack of all trades, master of none!
Are you saying that it's not possible in any client configuration to have 2 clients coming from the same IP address?
Try to enable NAT-T in Phase 1. I had to do that with a Cisco 3000 and I'll assume this will work with Juniper. However, I'm like you, "jack of all trades, master of none", and I'm new to Juniper as well.
You have to enable NAT traversal on the SSG. Go to VPN -> Autokey Advanced -> Edit; there, check NAT traversal.
Thanks for that; it looks like enabling NAT in VPN > Autokey Advanced > Gateway > Edit did the trick.
I have a question for you: how are you defining a different policy for each user?