Hello, I am hoping someone can help me understand what I am doing wrong. I followed the following when setting up VPN access: http://kb.juniper.net/InfoCenter/index?page=content&id=KB14878 and the following when setting up Shrew Soft VPN access: http://kb.juniper.net/InfoCenter/index?page=content&id=KB22074
But I keep getting the following message when I try to connect.

config loaded for site 'Work'
configuring client settings ...
attached to key daemon ...
peer configured
iskamp proposal configured
esp proposal configured
client configured
local id configured
pre-shared key configured
bringing up tunnel ...
negotiation timout occurred
tunnel disabled
detached from key daemon ...

Firewall event log shows the following, but it doesn't go any further.

IKE 188.8.131.52 phase 1: The symmetric crypto key has been generated successfully.
IKE 184.108.40.206 Phase 1: Responder starts AGGRESSIVE mode negotiations.
You may have better luck following these steps instead if working with the Shrew Soft client:
Note: under "Gateway Configuration", where it reads "Number of Multiple logins with same ID", change it to something other than '1' (the default), otherwise you won't be able to have more than one user logged in at a time. Use the maximum your Juniper unit allows (e.g. SSG5 is 25).
I have tried the link provided by Shrew. I was finally able to connect using the beta version 2.2.0-rc-2 of Shrew and get an IP (192.168.1.1), but I can't ping any of my internal PCs or map a network drive.
I used the connection from my phone to test, since I am at work and able to connect.

config loaded for site 'work'
attached to key daemon ...
peer configured
iskamp proposal configured
esp proposal configured
client configured
local id configured
remote id configured
pre-shared key configured
bringing up tunnel ...
network device configured
tunnel enabled

But when I try my home PC, which has an IP of 192.168.1.3, I cannot connect and still get the same message as below:

config loaded for site 'work'
attached to key daemon ...
peer configured
iskamp proposal configured
esp proposal configured
client configured
local id configured
remote id configured
pre-shared key configured
bringing up tunnel ...
negotiation timout occurred
tunnel disabled
detached from key daemon

I am using the same client and the same configuration.
Try using a completely different IP segment for the VPN pool, not 192.168.1... (Users > IP Pools). Use something like 10.10.1... If you google this you will see it needs to be something different from your segment. Give it a try; the Shrew docs do not mention it. I had the same problem until I used a different segment.
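The point of the advice above is that the dial-up pool must not overlap the client's own LAN (nor the network behind the firewall), otherwise the client ends up with two routes for the same addresses and traffic never enters the tunnel. The following is an added example, not code from the thread or from Juniper or Shrew Soft, that checks a start/end pool range against a list of LAN segments using Python's standard `ipaddress` module. The sample values are constructed from the thread: the home LAN 192.168.1.0/24, the original 192.168.1.1-192.168.1.10 pool, and the suggested 10.10.1.x pool; the work LAN 10.50.100.0/24 is an assumption inferred from the DNS server address posted later.

```python
import ipaddress

# Constructed sample segments (labelled assumptions, see lead-in).
HOME_LAN = "192.168.1.0/24"      # the client's own LAN in the thread
WORK_LAN = "10.50.100.0/24"      # assumed: network behind the SSG


def pool_networks(start, end):
    """Express a start/end IP pool as the minimal list of CIDR networks.

    ScreenOS pools are entered as a range; expressing the range as networks
    lets us use network-level overlap tests.
    """
    s = ipaddress.ip_address(start)
    e = ipaddress.ip_address(end)
    if e < s:
        raise ValueError("pool end %s is lower than pool start %s" % (end, start))
    return list(ipaddress.summarize_address_range(s, e))


def pool_conflicts(start, end, lans):
    """Return the LAN segments (as given) that overlap the pool range.

    An empty list means the pool is safe to use with those segments.
    """
    nets = pool_networks(start, end)
    conflicts = []
    for lan in lans:
        lan_net = ipaddress.ip_network(lan, strict=False)
        if any(n.overlaps(lan_net) for n in nets):
            conflicts.append(lan)
    return conflicts


if __name__ == "__main__":
    for start, end in (("192.168.1.1", "192.168.1.10"), ("10.10.1.1", "10.10.1.254")):
        bad = pool_conflicts(start, end, [HOME_LAN, WORK_LAN])
        status = "overlaps " + ", ".join(bad) if bad else "OK"
        print("pool %s-%s: %s" % (start, end, status))
```

Run it before creating the pool under Users > IP Pools; any pool that reports an overlap with the segment the client is sitting on will reproduce the "connected but cannot ping" symptom described in this thread.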
I did that, but when I connect using VPN, I am still getting the 192.168 IP. I don't have the option to remove the 192.168 IP pool.

Name     Start IP      End IP         In use   Configure
IPPool   192.168.1.1   192.168.1.10   1        - -
Home     10.10.1.1     10.10.1.254    0        Edit Remove

There is nothing that I can find that is using the 192.168 IP; all connections have been disconnected.
Hi, I see in your post that the "192.168.1" pool is "in use", it has 'one' lease. You need to disconnect (or reboot/restart your SSG) and not connect via VPN to it; only then will the "In use" info disappear and the "Remove" option reappear (as you see it for the 10.10.1.1 pool you created). The lease has to be released first.
Or you can just wait, the lease will be released eventually (don't know how long though...). The fastest way to release it is just to restart the SSG.

IPPool   192.168.1.1   192.168.1.10   1   --
So here is the latest. I am able to connect, but cannot ping any internal IPs or map any network drives. I am getting the internal network's DNS.
Ethernet adapter Local Area Connection* 12:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Shrew Soft Virtual Adapter
   Physical Address. . . . . . . . . : AA-AA-AA-AC-A4-00
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::e556:c101:7c0f:4acf%40(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.10.1.1(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 10.50.100.12
                                       220.127.116.11
   NetBIOS over Tcpip. . . . . . . . : Disabled
At this point you should be able to ping the SSG once the VPN is connected, correct?
Question on how your setup is... do you have a route to the internet from your SSG? Something like, e.g.
(here eth0/2 is the Untrust port, 192.168.1.1 is the gateway router (not the SSG)):
set route 0.0.0.0/0 interface ethernet0/2 gateway 192.168.1.1
Is your SSG directly connected to the internet, or do you have a firewall router in between?
Is this SSG at home or at your work place? If it's at home and you are trying to connect from work, your company has (or may have) the IPSec ports needed blocked. A lot of companies have it this way for security reasons; if this is the case you won't be able to connect from work this way unless your admin lets you and opens the ports needed....
Attached is my working SSG5 config and Shrew client config; maybe you can tell by looking at both what is missing..
Are you using Untrust-to-Trust or just Trust-to-Trust?
I am not able to ping from home to work, which is what I need to do. I do have a route to the internet, as shown in the attached firewall config and the attached Shrew config. I was not able to see much difference between your files and mine. Perhaps I am missing something and you can guide me to the correct resolution.
I am assuming that I am not able to ping anything internally because I am not getting a gateway? This is what I get when I do an ipconfig for the Shrew adapter.
Appreciate the assistance.
Hi, it's time for bed 🙂
I will look at the files tomorrow.. but..
Not showing a gateway under the Shrew client is normal, so that is OK.
The problem, I think, is that when you connect the VPN, it does not know how to come back to the client once connected; it can be a policy or route problem..
One thing I can see is the order of the policies could be wrong. I believe the VPN dial-up policy is supposed to be on top (use the GUI to move them if needed). On a command line connected to your Juniper, run the following, and if there is a problem you can correct it; the order of policies is important. Give it a quick test using the following as an example:
e.g. (I run these in my SSG5 and see the responses I get):

ssg5-serial-> exec policy verify global
No firewall rules found
ssg5-serial-> exec policy verify from trust
Rulebase verified successfully
ssg5-serial-> exec policy verify from untrust
Rulebase verified successfully
ssg5-serial-> exec policy verify from untrust to trust
Rulebase verified successfully
ssg5-serial-> exec policy verify from trust to untrust
Rulebase verified successfully

Once you change the policy order, if you needed to, log off your PC before trying to connect again....
Hopefully someone else with a lot more experience jumps in too.. you are almost there, just a simple thing is missing...
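A shadowed rule is one that can never match because an earlier, broader rule in the same zone pair catches its traffic first, which is exactly how a dial-up VPN policy placed below a general rule stops working. When you have many zone pairs to check, reading the `exec policy verify` output by eye gets tedious. The following is an added example, not code from the thread or from Juniper, that parses a saved CLI transcript of those commands and reports which verify runs found shadowed rules and which rule hides which. The transcript below is constructed in the format ScreenOS prints ("Rule N is shadowed by rule M", "Rulebase verified successfully"); the prompt name and rule numbers are sample values.

```python
import re

# Constructed sample transcript in the ScreenOS output format (not real output
# from the poster's firewall).
SAMPLE_TRANSCRIPT = """\
Firewall-2-> exec policy verify global
No firewall rules found
Firewall-2-> exec policy verify from trust
Rulebase verified successfully
Firewall-2-> exec policy verify from untrust
Rule 4 is shadowed by rule 2
Rulebase verification done: shadowed rules were found
Firewall-2-> exec policy verify from untrust to trust
Rule 4 is shadowed by rule 2
Rulebase verification done: shadowed rules were found
Firewall-2-> exec policy verify from trust to untrust
Rulebase verified successfully
Firewall-2->
"""

# A prompt line: "<hostname>-> exec policy verify <scope>", scope may be empty.
PROMPT_RE = re.compile(r"^\S+-> exec policy verify(?P<scope>.*)$")
# A finding line printed under that prompt.
SHADOW_RE = re.compile(r"^Rule (?P<hidden>\d+) is shadowed by rule (?P<by>\d+)$")


def parse_policy_verify(transcript):
    """Map each verify scope to a list of (hidden_rule, shadowing_rule) pairs.

    Scopes appear in the order they were run; a scope with an empty list
    verified cleanly. Lines before the first prompt are ignored.
    """
    results = {}
    scope = None
    for raw in transcript.splitlines():
        line = raw.strip()
        m = PROMPT_RE.match(line)
        if m:
            scope = m.group("scope").strip() or "global"
            results.setdefault(scope, [])
            continue
        m = SHADOW_RE.match(line)
        if m and scope is not None:
            results[scope].append((int(m.group("hidden")), int(m.group("by"))))
    return results


def shadowed_scopes(transcript):
    """Return the scopes whose rulebase has at least one shadowed rule."""
    return [scope for scope, hits in parse_policy_verify(transcript).items() if hits]


if __name__ == "__main__":
    for scope, hits in parse_policy_verify(SAMPLE_TRANSCRIPT).items():
        if hits:
            detail = ", ".join("rule %d hidden by rule %d" % h for h in hits)
            print("%-24s PROBLEM: %s" % (scope, detail))
        else:
            print("%-24s ok" % scope)
```

Paste the output of your own verify commands into a file and feed it to `parse_policy_verify`; any scope listed by `shadowed_scopes` is a zone pair where the policy order needs to change, and the rule number reported as hidden is the one to move above the rule that shadows it.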
Before changes were made:

Firewall-2-> exec policy verify global
No firewall rules found
Firewall-2-> exec policy verify from trust
Rulebase verified successfully
Firewall-2-> exec policy verify from untrust
Rule 4 is shadowed by rule 2
Rulebase verification done: shadowed rules were found
Firewall-2-> exec policy verify from untrust to trust
Rule 4 is shadowed by rule 2
Rulebase verification done: shadowed rules were found
Firewall-2-> exec policy verify from trust to untrust
Rulebase verified successfully
Firewall-2->

After policy changes:

Firewall-2-> exec policy verify global
No firewall rules found
Firewall-2-> exec policy verify from trust
Rulebase verified successfully
Firewall-2-> exec policy verify g
No firewall rules found
Firewall-2-> exec policy verify from untrust
Rulebase verified successfully
Firewall-2-> exec policy verify from untrust to trust
Rulebase verified successfully
Firewall-2-> exec policy verify from trust to untrust
Rulebase verified successfully
Firewall-2->
I also had to make some Phase 2 changes in the Shrew client:
Transform Algorithm: Auto
HMAC Algorithm: Auto
PFS Exchange: Disabled
Compress Algorithm: Disabled
Key Life Time limit: 3600
I am now able to ping and map network drives......WOOOO HOOOO
Thanks for all your help. I will post my Shrew settings so others can benefit as well.
One question: can I have users log on using their AD credentials, or do I need to create a VPN account for all the users under Objects > Local Users?
I was able to set up the VPN access. Now what I would like to do is be able to use AD for all users who connect using VPN. At the moment only the users with an account on the firewall can connect and map shares. I don't want to create accounts for all the users; I would like to use AD authentication.
I did set up NSP on Windows 2008 and a RADIUS server on the firewall, but I am not able to connect using any AD credentials.