Screen OS

 View Only
last person joined: 6 months ago 

This is a legacy community with limited Juniper monitoring.
Expand all | Collapse all

Shrew not connecting to SSG 550m

  • 1.  Shrew not connecting to SSG 550m

    Posted 02-13-2013 13:59

    Hello,

    I am hoping someone can help me understand what I am doing wrong. I followed the following when setting up VPN access: http://kb.juniper.net/InfoCenter/index?page=content&id=KB14878

    and the following when setting up Shrew Soft VPN Access: http://kb.juniper.net/InfoCenter/index?page=content&id=KB22074

    But I keep getting the following messave when I try to connect.

    config loaded for site 'Work'
    configuring client settings ...
    attached to key daemon ...
    peer configured
    iskamp proposal configured
    esp proposal configured
    client configured
    local id configured
    pre-shared key configured
    bringing up tunnel ...
    negotiation timout occurred
    tunnel disabled
    detached from key daemon ...

     

    Firewall event log shows the following but it doesn't go any further.

     

    Date/Time 

    Level 

    Description

    2013-02-13 16:49:59

     information

    IKE 209.66.114.182 phase 1:The symmetric crypto key has been generated successfully.

    2013-02-13 16:49:59

     information

    IKE 209.66.114.182 Phase 1: Responder starts AGGRESSIVE mode negotiations.

     


    #vpn
    #SSG550
    #shrew
    #netscreen


  • 2.  RE: Shrew not connecting to SSG 550m

    Posted 02-14-2013 09:20

    Hi,

    You may have better luck following this steps instead if working with shrew soft client:

    http://www.shrew.net/support/Howto_Juniper_SSG

     

    Note: under "Gateway Configuration"  where it reads: "Number of Multiple logins with same ID" you change it to something else besides '1' (the default) otherwise you wont be able to have more than one user logged in at the time.. use the maximum your juniper unit allows.. (e.g. ssg5 is 25)...

     

     

     

     

     



  • 3.  RE: Shrew not connecting to SSG 550m

    Posted 02-14-2013 10:07

    I have tried the link provided by Shrew.  I was finally able to connect using the beta version 2.2.0-rc-2 of Shrew and get an IP (192.168.1.1) but I can't ping any of my internal PC or map a network drive.

     

    I used the connection from my phone to test since I am at work and able to connect.

    config loaded for site 'work'
    attached to key daemon ...
    peer configured
    iskamp proposal configured
    esp proposal configured
    client configured
    local id configured
    remote id configured
    pre-shared key configured
    bringing up tunnel ...
    network device configured
    tunnel enabled

    But when I try my home PC which has an IP of 192.168.1.3, I cannot connect and still get the same message as below

     

    config loaded for site 'work'
    attached to key daemon ...
    peer configured
    iskamp proposal configured
    esp proposal configured
    client configured
    local id configured
    remote id configured
    pre-shared key configured
    bringing up tunnel ...
    negotiation timout occurred
    tunnel disabled
    detached from key daemon

     

    I am using the same client and the same configuration.



  • 4.  RE: Shrew not connecting to SSG 550m

    Posted 02-14-2013 10:21
    Correction. I was able to connect from my home pc as well. Now I just need to figure out how I can map drives and be able to ping my internal network.

    Any and all help is greatly appreciated.


  • 5.  RE: Shrew not connecting to SSG 550m

    Posted 02-14-2013 10:53

    Try using a completelly different ip segment for the VPN pool not 192.168.1... (Users > IP Pools) use something like 10.10.1...... if you google this you will see it needs to be something diferent from your segment.. give it a try.. shrew docs does not mention it... I had the same problem until I used different segment.

     



  • 6.  RE: Shrew not connecting to SSG 550m

    Posted 02-14-2013 12:01

    I did that, but when I connecet using VPN, I am still getting the 192.168.IP.  I don't have option to remove the 192.168 IP pool.

     

    Name    Start IP                End IP                 In use           Configure

    IPPool 192.168.1.1        192.168.1.10          1                      - -
    Home 10.10.1.1              10.10.1.254            0             Edit      Remove

     

    There is nothing that I can find that is using the 192.168 IP, all connections have been disconnected.



  • 7.  RE: Shrew not connecting to SSG 550m

    Posted 02-14-2013 12:28

    Hi, I see on your post the "192.168.1" pool is "in use", it has 'one' lease... you need to disconnect (or reboot/restart your SSG) and dont connect via VPN to it, just  then the info "In use" will disappear and the option for "Remove" will re-apear (as you see it for the pool 10.10.1.1 you created) .. the lease has to be released first..

     

    or you can just wait, the lease will be released eventually (dont know how long though...), the fastes way to release it is just restart the SSG.

     

    Name    Start IP                End IP                 In use           Configure

    IPPool 192.168.1.1        192.168.1.10          1                  --



  • 8.  RE: Shrew not connecting to SSG 550m

    Posted 02-14-2013 13:03

    So here is the latest.  I am able to connect, but cannot ping any internal IPs or map any network drives.  I am getting the internal network's DNS.

     

    config loaded for site 'work'
    attached to key daemon ...
    peer configured
    iskamp proposal configured
    esp proposal configured
    client configured
    local id configured
    remote id configured
    pre-shared key configured
    bringing up tunnel ...
    network device configured
    tunnel enabled

     

     

    Ethernet adapter Local Area Connection* 12:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Shrew Soft Virtual Adapter
    Physical Address. . . . . . . . . : AA-AA-AA-AC-A4-00
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    Link-local IPv6 Address . . . . . : fe80::e556:c101:7c0f:4acf%40(Preferred)
    IPv4 Address. . . . . . . . . . . : 10.10.1.1(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.255.255
    Default Gateway . . . . . . . . . :
    DNS Servers . . . . . . . . . . . : 10.50.100.12
    4.2.2.2
    NetBIOS over Tcpip. . . . . . . . : Disabled



  • 9.  RE: Shrew not connecting to SSG 550m

    Posted 02-14-2013 13:19
      |   view attached

    At his point you should be able to ping the SSG once the vpn is connected correct?

     

    Question on how you setup is... do you have a route to the internet from your SSG? something like eg.

    (here eth0/2 is the Untrust port, 192.168.1.1 is the gateway router (not the SSG):

     

    set route 0.0.0.0/0 interface ethernet0/2 gateway 192.168.1.1

     

    Is your SSG directly connected to the internet or you have a firewall router in between?

     

    is this SSG at home or at your work place? if its at home and trying to connect form work, and your company has (or may have) the IPSec ports needed are blocked.. a lot of companies have it this way for security reason, if this is the case you wont be able to connect from work this way unless you admin lets you and open the ports needed....

     

    Attached is my working SSG5 config and Shrew client config, maybe you can tell by looking at both what is missing..

     

    Are using Untrust- to-trust or just Trust-ti-Trust ?

     

    Attachment(s)



  • 10.  RE: Shrew not connecting to SSG 550m

    Posted 02-14-2013 13:48

    I am not able to ping from home to work, what is what I need to do. I do have a route to the internet as shown in the attached firewll config and the attached shrew config.  I was not able to see much difference between the your files and mines.  Perhaps I am missing something and you can guide me to the correct resolution.

     

    I am assuming that I am not able to ping anyting internally because I am not getting a gateway?  This is what I get when I do an ipconfig for the shrew adapter.

     

    Ethernet adapter Local Area Connection* 12:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Shrew Soft Virtual Adapter
    Physical Address. . . . . . . . . : AA-AA-AA-AC-A4-00
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    Link-local IPv6 Address . . . . . : fe80::e556:c101:7c0f:4acf%40(Preferred)
    IPv4 Address. . . . . . . . . . . : 10.10.1.1(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.255.255
    Default Gateway . . . . . . . . . :
    DNS Servers . . . . . . . . . . . : 10.50.100.12
    4.2.2.2
    NetBIOS over Tcpip. . . . . . . . : Disabled

     

    Appreciate the assistance.

    Attachment(s)

    txt
    ssg-550.txt   8 KB 1 version
    txt
    shrew.txt   1 KB 1 version


  • 11.  RE: Shrew not connecting to SSG 550m
    Best Answer

    Posted 02-14-2013 18:37

    HI, its time for bed 🙂

     

    I will look at the files tomorrow.. but..

    No showing a gateway under shrew client is normal so that is ok.

     

    The problem I think is that when you connect the VPN, it does not know how to come back to the client once connected, it can be a policy or route problem..

    One thing I can see is the order of the policies could be wrong, I believe the VPN Dialup supposed to be on top (use GUI to move them if needed).. on a command line connected to your Juniper, run the following and if there is a problem you can correct it, order of policies are important.. give it a quick test using the following as example:

     

    e.g.  (I run these in my ssg5 and see the responses I get):

     

    ssg5-serial-> exec policy verify global
    No firewall rules found
    ssg5-serial-> exec policy verify from trust
    Rulebase verified successfully
    ssg5-serial-> exec policy verify from untrust
    Rulebase verified successfully
    ssg5-serial-> exec policy verify from untrust to trust
    Rulebase verified successfully
    ssg5-serial-> exec policy verify from trust to untrust
    Rulebase verified successfully

     

    Once you change the policy order if you needed it, log off you pc before trying to connect again....

     

    Hopefully someone else with a lot more experience jumps in too.. you are almost there, just a simple thing is missing...



  • 12.  RE: Shrew not connecting to SSG 550m

    Posted 02-19-2013 08:08

    Before Changes were made.


    Firewall-2-> exec policy verify global
    No firewall rules found
    Firewall-2-> exec policy verify from trust
    Rulebase verified successfully
    Firewall-2-> exec policy verify from untrust
    Rule 4 is shadowed by rule 2
    Rulebase verification done: shadowed rules were found
    Firewall-2-> exec policy verify from untrust to trust
    Rule 4 is shadowed by rule 2
    Rulebase verification done: shadowed rules were found
    Firewall-2-> exec policy verify from trust to untrust
    Rulebase verified successfully
    Firewall-2->


    After Policy changes

    Firewall-2-> exec policy verify global
    No firewall rules found
    Firewall-2-> exec policy verify from trust
    Rulebase verified successfully
    Firewall-2-> exec policy verify g
    No firewall rules found
    Firewall-2-> exec policy verify from untrust
    Rulebase verified successfully
    Firewall-2-> exec policy verify from untrust to trust
    Rulebase verified successfully
    Firewall-2-> exec policy verify from trust to untrust
    Rulebase verified successfully
    Firewall-2->

     

    I also had to make some Phase 2 changes in the Shrew Client

    Phase 2: 

    Transform Algorith: Auto

    HMAC Algorithm: Auto

    PFS Exchange: Disabled

    Compress Algorithm: Disabled

    Key Life time limit: 3600

     

    I am now able to ping and map network drives......WOOOO   HOOOO

     

    Thanks for all your help. I will post my Shrew settings so others can benefit as well.

     

    One question, Can I have users logon using their AD credentials or do I need to create a VPN acct for all the users under Objects, local users?



  • 13.  RE: Shrew not connecting to SSG 550m

    Posted 02-22-2013 13:33

    I was able to setup the VPN access.  Now what I woudl like to do is be able to use AD for all users who connect using VPN.  At the moment only the users with an account on the firewall can connect and map shares.  I don't want to create accounts for all the users, i would like use AD authentication.

     

    I did setup NSP on windows 2008 and a Radius server on the firewall, but I am not able to connect using any AD credentials.

     

    AN IDEAS....