Question

Juniper VPN remote Users

Asked by: cyexx

I am trying to set up remote VPN users on a Juniper SSG-140 unit. I have NetScreen-Remote. I have followed the standard setup for a remote user and I cannot establish a connection with either NetScreen-Remote or the Windows VPN client. I am trying to make this as easy to use for the remote people as possible.

The remote connections are to be set up so that they can connect to the network at the main office where this unit is running and communicate with the equipment on-site. I would also like to be able to route back the other way, as I have to tunnel back from the office to manage the remote computers from the main office once they are tunneled in.

unset key protection enable
set clock timezone 0
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set alg appleichat enable
unset alg appleichat re-assembly enable
set alg sctp enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "admin"
set admin port 8080
set admin http redirect
set admin auth web timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst 
set zone "Untrust" block 
unset zone "Untrust" tcp-rst 
set zone "MGT" block 
unset zone "V1-Trust" tcp-rst 
unset zone "V1-Untrust" tcp-rst 
set zone "DMZ" tcp-rst 
unset zone "V1-DMZ" tcp-rst 
unset zone "VLAN" tcp-rst 
set zone "Untrust" screen icmp-flood
set zone "Untrust" screen udp-flood
set zone "Untrust" screen port-scan
set zone "Untrust" screen ip-sweep
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ip-spoofing
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "Untrust" screen syn-frag
set zone "Untrust" screen tcp-no-flag
set zone "Untrust" screen unknown-protocol
set zone "Untrust" screen ip-bad-option
set zone "Untrust" screen ip-record-route
set zone "Untrust" screen ip-timestamp-opt
set zone "Untrust" screen ip-security-opt
set zone "Untrust" screen ip-loose-src-route
set zone "Untrust" screen ip-strict-src-route
set zone "Untrust" screen ip-stream-opt
set zone "Untrust" screen icmp-fragment
set zone "Untrust" screen icmp-large
set zone "Untrust" screen syn-fin
set zone "Untrust" screen fin-no-ack
set zone "Untrust" screen limit-session source-ip-based
set zone "Untrust" screen syn-ack-ack-proxy
set zone "Untrust" screen block-frag
set zone "Untrust" screen limit-session destination-ip-based
set zone "Untrust" screen icmp-id
set zone "Untrust" screen tcp-sweep
set zone "Untrust" screen udp-sweep
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Trust"
set interface "ethernet0/1" zone "Null"
set interface "ethernet0/2" zone "Untrust"
set interface "tunnel.1" zone "Trust"
set interface ethernet0/0 ip 10.10.1.1/24
set interface ethernet0/0 nat
unset interface vlan1 ip
set interface ethernet0/2 ip ***.***.***.118/26
set interface ethernet0/2 route
set interface tunnel.1 ip unnumbered interface ethernet0/0
set interface ethernet0/2 gateway ***.***.***.65
set interface tunnel.1 mtu 1460
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/0 ip manageable
unset interface ethernet0/2 ip manageable
unset interface ethernet0/0 manage web
set interface ethernet0/0 manage mtrace
set interface ethernet0/2 manage ping
set interface vlan1 manage mtrace
set interface ethernet0/2 vip interface-ip 80 "HTTP" 10.10.1.14
set interface ethernet0/2 vip interface-ip 443 "HTTPS" 10.10.1.14
set interface ethernet0/2 vip ***.***.***.119 80 "HTTP" 10.10.1.9
set interface ethernet0/2 vip ***.***.***.119 + 443 "HTTPS" 10.10.1.9
unset flow no-tcp-seq-check
set flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set hostname FW2
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set dns host dns1 208.67.222.222 src-interface ethernet0/2
set dns host dns2 208.67.220.220 src-interface ethernet0/2
set dns host dns3 0.0.0.0
set address "Trust" "10.10.1.14/32" 10.10.1.14 255.255.255.255
set address "Trust" "***.***.***.118/32" ***.***.***.118 255.255.255.255
set crypto-policy
exit
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set url protocol websense
exit
set policy id 12 from "Untrust" to "Trust"  "Any" "VIP(ethernet0/2)" "HTTPS" permit log count 
set policy id 12
exit
set policy id 11 from "Untrust" to "Trust"  "Any" "VIP(ethernet0/2)" "HTTP" permit log count 
set policy id 11
exit
set policy id 10 from "Untrust" to "Trust"  "Any" "VIP(***.***.***.119)" "HTTPS" permit log count 
set policy id 10
exit
set policy id 9 from "Untrust" to "Trust"  "Any" "VIP(***.***.***.119)" "HTTP" permit log count 
set policy id 9
exit
set policy id 2 from "Trust" to "Untrust"  "Any" "Any" "ANY" nat src permit log count 
set policy id 2
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set ssh enable
set scp enable
set config lock timeout 5
unset license-key auto-update
set telnet client enable
set ssl port 4433
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit

                                  


Asked On: 2009-08-14 at 21:53:48 (ID 24654824)
Tags: Juniper, vpn, remote
Topics: Virtual Private Networking (VPN), Enterprise Firewalls, Network Routers
Participating Experts: 3
Points: 500
Comments: 40


Answers

 

by: PriceD, posted on 2009-08-14 at 21:57:20 (ID: 25104259)

Are you using a shared key, or what type of authentication are you using?

 

by: PriceD, posted on 2009-08-14 at 21:59:24 (ID: 25104260)

This is one area many people forget, if they set up a shared key as part of the authentication process. The shared key on the client is found by clicking on "My Identity" and then clicking on the pre-shared key.

 

by: cyexx, posted on 2009-08-14 at 22:05:16 (ID: 25104265)

I am willing to go with any setup on the unit; I am more of a Check Point and Cisco person.

All users are going to be separate entities; no one is going to have the same password. This way it is easy to rotate passwords and also to terminate contractors.

 

by: PriceD, posted on 2009-08-14 at 22:10:17 (ID: 25104271)

So at this time the VPN is not working at all?

 

by: PriceD, posted on 2009-08-14 at 22:15:27 (ID: 25104275)

So this is what your user's screen looks like?

 

by: cyexx, posted on 2009-08-14 at 22:25:32 (ID: 25104291)

I have attached my user name screen.

 

by: cyexx, posted on 2009-08-14 at 22:26:16 (ID: 25104292)

Unit Info - Version: 6.2.0r3.0 (Firewall+VPN)

 

by: PriceD, posted on 2009-08-14 at 22:33:00 (ID: 25104302)

Do you have a maintenance/support contract with Juniper?

 

by: cyexx, posted on 2009-08-14 at 22:34:50 (ID: 25104305)

Yes, I just got the new OS build from Juniper the other day, since the unit was running the old v5 when it came out of the box.

 

by: PriceD, posted on 2009-08-14 at 22:50:48 (ID: 25104316)

With that said, the best option for you is to contact their support and ask them to set you up with a VPN connection using a pre-shared key with XAuth authentication. The reason you can't connect is that the pre-shared keys do not match.

 

by: cyexx, posted on 2009-08-14 at 23:06:53 (ID: 25104337)

I would rather you helped me at this point, if you can, since I will not be able to get support until Monday and I would like to work on this project and get it into testing this weekend.

 

by: cyexx, posted on 2009-08-14 at 23:18:48 (ID: 25104355)

I was able to get the user screen to look the same as yours; I did not have something checked.

 

by: marmata75, posted on 2009-08-15 at 01:34:28 (ID: 25104575)

I think this KB is very well written:

http://kb.juniper.net/KB4772

It will allow you to do exactly what you want to do: multiple users with different XAuth passwords and the same IKE ID, to ease the administration burden. This way you can give all of your users the same NetScreen-Remote config and just hand each of them a different username and password! I use this extensively without any problem!

Cheers,
]\/[arco

 

by: deimark, posted on 2009-08-15 at 05:53:52 (ID: 25105229)

Also have a look at this, bud:

http://kb.juniper.net/KB8535

I am also from a Check Point background, and I found the ScreenOS implementation a little different, but it still works really well with just pre-shared keys.

I see there have been a few comments here and a few suggestions; can you tell me what you have done to date and what exactly is not working now?

Remember there are also logs on the NS Remote client that may also assist here.

 

by: PriceD, posted on 2009-08-15 at 08:26:45 (ID: 25105745)

I may be able to help you shortly... just to let you know that Juniper is open 24x7 and they are open right now. Either way.

On the router, do you have a gateway set with a "Peer type" of Dialup? Go to VPNs, Gateway and check in there.

 

by: cyexx, posted on 2009-08-15 at 13:30:02 (ID: 25106801)

I am going over the KB, but it applies to the general pages for build 4.0, and 6.0 has many of the sub-options not even on the same pages and has to be built differently. I would call up Juniper, but the person at my company who has the password information, since he set up the account, is out of the office.

 

by: deimark, posted on 2009-08-15 at 13:33:58 (ID: 25106814)

You should be able to call them up with the serial number, bud. The number is on their site.

HTH

 

by: PriceD, posted on 2009-08-15 at 13:44:46 (ID: 25106852)

To set up the VPN client you need admin access to the router.

 

by: cyexx, posted on 2009-08-15 at 13:48:09 (ID: 25106864)

I have pieced together what I can from the knowledge base to work within the settings of the version 6 setup.

I have attached the config and log from the unit. I am unable to start a connection to even traverse into the unit.

unset key protection enable
set clock timezone -5
set clock dst recurring start-weekday 2 0 3 02:00 end-weekday 1 0 11 02:00
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set alg appleichat enable
unset alg appleichat re-assembly enable
set alg sctp enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "admin"
set admin port 8080
set admin http redirect
set admin auth web timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst 
set zone "Untrust" block 
unset zone "Untrust" tcp-rst 
set zone "MGT" block 
unset zone "V1-Trust" tcp-rst 
unset zone "V1-Untrust" tcp-rst 
set zone "DMZ" tcp-rst 
unset zone "V1-DMZ" tcp-rst 
unset zone "VLAN" tcp-rst 
set zone "Untrust" screen icmp-flood
set zone "Untrust" screen udp-flood
set zone "Untrust" screen port-scan
set zone "Untrust" screen ip-sweep
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ip-spoofing
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "Untrust" screen syn-frag
set zone "Untrust" screen tcp-no-flag
set zone "Untrust" screen unknown-protocol
set zone "Untrust" screen ip-bad-option
set zone "Untrust" screen ip-record-route
set zone "Untrust" screen ip-timestamp-opt
set zone "Untrust" screen ip-security-opt
set zone "Untrust" screen ip-loose-src-route
set zone "Untrust" screen ip-strict-src-route
set zone "Untrust" screen ip-stream-opt
set zone "Untrust" screen icmp-fragment
set zone "Untrust" screen icmp-large
set zone "Untrust" screen syn-fin
set zone "Untrust" screen fin-no-ack
set zone "Untrust" screen limit-session source-ip-based
set zone "Untrust" screen syn-ack-ack-proxy
set zone "Untrust" screen block-frag
set zone "Untrust" screen limit-session destination-ip-based
set zone "Untrust" screen icmp-id
set zone "Untrust" screen tcp-sweep
set zone "Untrust" screen udp-sweep
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Trust"
set interface "ethernet0/1" zone "Null"
set interface "ethernet0/2" zone "Untrust"
set interface "tunnel.1" zone "Trust"
set interface ethernet0/0 ip 10.10.1.1/24
set interface ethernet0/0 nat
unset interface vlan1 ip
set interface ethernet0/2 ip ***.***.***.118/26
set interface ethernet0/2 route
set interface tunnel.1 ip unnumbered interface ethernet0/0
set interface ethernet0/2 gateway ***.***.***.65
set interface tunnel.1 mtu 1460
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/0 ip manageable
unset interface ethernet0/2 ip manageable
unset interface ethernet0/0 manage web
set interface ethernet0/0 manage mtrace
set interface ethernet0/2 manage ping
set interface vlan1 manage mtrace
set interface ethernet0/2 vip interface-ip 80 "HTTP" 10.10.1.14
set interface ethernet0/2 vip interface-ip 443 "HTTPS" 10.10.1.14
set interface ethernet0/2 vip ***.***.***.119 80 "HTTP" 10.10.1.9
set interface ethernet0/2 vip ***.***.***.119 + 443 "HTTPS" 10.10.1.9
unset flow no-tcp-seq-check
set flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set hostname FW2
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set dns host dns1 208.67.222.222 src-interface ethernet0/2
set dns host dns2 208.67.220.220 src-interface ethernet0/2
set dns host dns3 0.0.0.0
set address "Trust" "10.10.1.1/24" 10.10.1.1 255.255.255.0
set address "Trust" "10.10.1.14/32" 10.10.1.14 255.255.255.255
set address "Trust" "***.***.***.118/32" ***.***.***.118 255.255.255.255
set ippool "Remote_Users" 192.168.253.1 192.168.253.100
set user "Jonathan" uid 2
set user "Jonathan" type xauth
set user "Jonathan" password "**********************************************"
unset user "Jonathan" type auth
set user "Jonathan" "enable"
set user "Remote_staff" uid 1
set user "Remote_staff" ike-id u-fqdn "staff@domain.com" share-limit 250
set user "Remote_staff" type ike
set user "Remote_staff" "enable"
set user "Terry" uid 3
set user "Terry" type xauth
set user "Terry" password "*****************************"
unset user "Terry" type auth
set user "Terry" "enable"
set user-group "Staff_Group" id 1
set user-group "Staff_Group" user "Remote_staff"
set crypto-policy
exit
set ike gateway "Staff" dialup "Staff_Group" Aggr outgoing-interface "ethernet0/2" preshare "9uhR6u00NzSSZeszQfC3suVFIanjaQXYslJ9oUWKRhNj1k39ErEJ2f8=" sec-level standard
set ike gateway "Staff" nat-traversal udp-checksum
set ike gateway "Staff" nat-traversal keepalive-frequency 5
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set xauth default ippool "Remote_Users"
set xauth default dns1 10.10.1.11
set xauth default dns2 208.67.222.222
set xauth default wins1 10.10.1.11
set vpn "Staff_net" gateway "Staff" no-replay tunnel idletime 0 proposal "nopfs-esp-des-md5" 
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set url protocol websense
exit
set policy id 12 from "Untrust" to "Trust"  "Any" "VIP(ethernet0/2)" "HTTPS" permit log count 
set policy id 12
exit
set policy id 11 from "Untrust" to "Trust"  "Any" "VIP(ethernet0/2)" "HTTP" permit log count 
set policy id 11
exit
set policy id 10 from "Untrust" to "Trust"  "Any" "VIP(***.***.***.119)" "HTTPS" permit log count 
set policy id 10
exit
set policy id 9 from "Untrust" to "Trust"  "Any" "VIP(***.***.***.119)" "HTTP" permit log count 
set policy id 9
exit
set policy id 2 from "Trust" to "Untrust"  "Any" "Any" "ANY" nat src permit log count 
set policy id 2
exit
set policy id 13 from "Untrust" to "Trust"  "Dial-Up VPN" "10.10.1.1/24" "ANY" tunnel vpn "Staff_net" id 0x1 log count 
set policy id 13
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set ssh enable
set scp enable
set config lock timeout 5
unset license-key auto-update
set telnet client enable
set ssl port 4433
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
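A cross-reference check over the dial-up VPN objects in the config above, added here as an illustration; it is not code from this thread, from KB4772, or from Juniper. It follows the design marmata75 describes (one IKE user whose group IKE ID is shared by every client, with individual XAuth users behind it) and walks policy to vpn to gateway to dial-up group to IKE user, reporting every broken link and the IKE identity a client must present to each gateway. The sample config is a constructed subset of the posted one with the pre-shared key and passwords replaced by placeholders. One check relies on an assumption not visible in the posted config: that XAuth is enabled per IKE gateway with `set ike gateway <gw> xauth ...` (syntax from memory of the ScreenOS CLI reference; verify it against KB4772 on the running firmware), which is why `CORRECTED_CONFIG` adds one such line.

```python
import re
from collections import defaultdict

# Constructed sample: the dial-up VPN lines from the config posted in this thread,
# with the pre-shared key and user passwords replaced by placeholders.
POSTED_CONFIG = """\
set address "Trust" "10.10.1.1/24" 10.10.1.1 255.255.255.0
set ippool "Remote_Users" 192.168.253.1 192.168.253.100
set user "Jonathan" uid 2
set user "Jonathan" type xauth
set user "Jonathan" password "REDACTED"
set user "Remote_staff" uid 1
set user "Remote_staff" ike-id u-fqdn "staff@domain.com" share-limit 250
set user "Remote_staff" type ike
set user "Terry" uid 3
set user "Terry" type xauth
set user-group "Staff_Group" id 1
set user-group "Staff_Group" user "Remote_staff"
set ike gateway "Staff" dialup "Staff_Group" Aggr outgoing-interface "ethernet0/2" preshare "REDACTED" sec-level standard
set xauth default ippool "Remote_Users"
set vpn "Staff_net" gateway "Staff" no-replay tunnel idletime 0 proposal "nopfs-esp-des-md5"
set policy id 13 from "Untrust" to "Trust"  "Dial-Up VPN" "10.10.1.1/24" "ANY" tunnel vpn "Staff_net" id 0x1 log count
"""
# ASSUMPTION (ScreenOS CLI syntax from memory; verify against KB4772 on the running
# firmware): XAuth is switched on per IKE gateway with "set ike gateway <gw> xauth ...".
CORRECTED_CONFIG = POSTED_CONFIG + 'set ike gateway "Staff" xauth server "Local"\n'

Q = r'"([^"]+)"'  # a double-quoted ScreenOS object name


def parse_config(text: str) -> dict:
    """Pull the objects a dial-up VPN chains together out of 'get config' output."""
    cfg = {"users": defaultdict(dict), "groups": defaultdict(list), "gateways": defaultdict(dict),
           "vpns": {}, "policies": [], "ippools": set(), "xauth_pool": None}
    handlers = [
        (rf"^set user {Q} type (\S+)",        lambda u, t: cfg["users"][u].update(type=t)),
        (rf"^set user {Q} ike-id (\S+) {Q}",  lambda u, k, i: cfg["users"][u].update(ike_id=(k, i))),
        (rf"^set user-group {Q} user {Q}",    lambda g, u: cfg["groups"][g].append(u)),
        (rf"^set ike gateway {Q} dialup {Q}", lambda g, d: cfg["gateways"][g].update(dialup=d)),
        (rf"^set ike gateway {Q} xauth\b",    lambda g: cfg["gateways"][g].update(xauth=True)),
        (rf"^set vpn {Q} gateway {Q}",        lambda v, g: cfg["vpns"].update({v: g})),
        (rf"^set policy id (\d+) from {Q} to {Q}\s+{Q} {Q} {Q} tunnel vpn {Q}",
                                              lambda i, *rest: cfg["policies"].append((i, rest[-1]))),
        (rf"^set ippool {Q}",                 lambda p: cfg["ippools"].add(p)),
        (rf"^set xauth default ippool {Q}",   lambda p: cfg.update(xauth_pool=p)),
    ]
    for line in text.splitlines():
        for pattern, handle in handlers:
            m = re.match(pattern, line.strip())
            if m:
                handle(*m.groups())
    return cfg


def check_dialup_vpn(text: str) -> dict:
    """Walk policy -> vpn -> gateway -> dial-up group -> IKE user, report every broken
    link, and list the IKE identity a client must present to each dial-up gateway."""
    cfg = parse_config(text)
    problems, identities = [], []
    xauth_users = sorted(u for u, a in cfg["users"].items() if a.get("type") == "xauth")
    for gw, attrs in cfg["gateways"].items():
        grp = attrs.get("dialup")
        if grp is None:
            continue  # site-to-site gateway, out of scope here
        members = cfg["groups"].get(grp, [grp])  # dialup may name a group or a single user
        ids = [(gw, *cfg["users"][u]["ike_id"]) for u in members
               if cfg["users"][u].get("type") == "ike" and "ike_id" in cfg["users"][u]]
        if not ids:
            problems.append(f'gateway "{gw}": dialup "{grp}" holds no IKE user with an ike-id, '
                            'so no client identity can ever match it')
        identities += ids
        if xauth_users and not attrs.get("xauth"):
            problems.append(f'gateway "{gw}": XAuth users {", ".join(xauth_users)} exist but the '
                            'gateway has no "xauth" clause, so they are never consulted')
        if gw not in cfg["vpns"].values():
            problems.append(f'gateway "{gw}": no "set vpn ... gateway" references it')
    for vpn, gw in cfg["vpns"].items():
        if gw not in cfg["gateways"]:
            problems.append(f'vpn "{vpn}": gateway "{gw}" is not defined')
        if all(p_vpn != vpn for _, p_vpn in cfg["policies"]):
            problems.append(f'vpn "{vpn}": no tunnel policy references it')
    for pid, p_vpn in cfg["policies"]:
        if p_vpn not in cfg["vpns"]:
            problems.append(f'policy {pid}: vpn "{p_vpn}" is not defined')
    if cfg["xauth_pool"] and cfg["xauth_pool"] not in cfg["ippools"]:
        problems.append(f'xauth default ippool "{cfg["xauth_pool"]}" is not defined')
    return {"client_identity": identities, "problems": problems}


if __name__ == "__main__":
    for label, cfg_text in (("posted", POSTED_CONFIG), ("corrected", CORRECTED_CONFIG)):
        print(label, check_dialup_vpn(cfg_text))
```

Run against the posted config it reports one finding (the gateway carries no XAuth binding, so the per-user passwords are never checked) and tells you the identity every client has to send, `u-fqdn staff@domain.com`, which is the value marmata75 asks to double-check later in the thread. Feed it `get config` output from the box rather than a hand-typed excerpt; the regexes only recognise the object types listed in `handlers`.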
                                              

 

by: cyexx, posted on 2009-08-15 at 14:28:38 (ID: 25106978)

I have full admin access to the router; for some reason Juniper has not linked my email address to the support contract, and the person who can authorize it is unavailable until Monday. Yay for me.

I have pulled the logs from the Juniper, and it looks like the request is hitting the unit and just not passing auth through Phase 1:

Rejected an IKE packet on ethernet0/2 from 24.***.***.153:500 to 209.***.***.118:500 with cookies 0f22cbc98b76eeb7 and 0000000000000000 because an initial Phase 1 packet arrived from an unrecognized peer gateway.

 

by: marmata75, posted on 2009-08-15 at 14:29:13 (ID: 25106980)

OK, so it looks like your NetScreen-Remote does not get any response to the attempts it makes to set up the VPN. It can be because of two things:

- The configurations of NetScreen-Remote and the Juniper firewall do not match. In that case you'd see a corresponding log in the firewall: run 'get event' in the CLI, or just browse the event log in the web interface, and you should see messages telling you why the tunnel cannot be established.

- The packets sent by NetScreen-Remote are not even arriving at the firewall. That could be because of a firewall at the NetScreen-Remote location, a router not passing IPsec traffic (can happen on some residential broadband connections), or a router blocking the traffic at the firewall location.

Let's see which of the two options you are in now so we can help further!

Cheers,
]\/[arco

 

by: deimark, posted on 2009-08-15 at 14:32:09 (ID: 25106991)

Rejected an IKE packet on ethernet0/2 from 24.***.***.153:500 to 209.***.***.118:500 with cookies 0f22cbc98b76eeb7 and 0000000000000000 because an initial Phase 1 packet arrived from an unrecognized peer gateway.

This means that the firewall got a Phase 1 packet from an unknown source.

Double-check the settings on both the NSR and the firewall.

Basically, there is something different. Either the user settings are wrong on the NS Remote, or the settings on the firewall are wrong.

For VPN-specific info, run "get event type 536".
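A small triage script for that `get event type 536` output, added here as an illustration; it is not code from any post in this thread and not a Juniper tool. It assumes the wrapped layout the device prints (the PuTTY capture further down the thread shows it: a dated header line, then continuation lines indented 39 spaces) and the reason text quoted above. The sample log is constructed from the timestamps and cookies posted in this thread, with the addresses masked exactly as on the page, and the "hints" are only the thread's own advice keyed by reason string. What the raw listing does not make obvious, and the summary does, is that eight rejections are two connection attempts: the initiator cookie stays the same while the client retransmits an unanswered Phase 1 packet, and changes when it starts over.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

ENTRY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<module>\S+)\s+(?P<level>\S+)\s+"
    r"(?P<type>\d{5}) (?P<text>.*)$"
)
# Octets are often masked with '*' in logs people share, so accept digits or stars.
IP = r"[\d*]{1,3}(?:\.[\d*]{1,3}){3}"
REJECT_RE = re.compile(
    rf"Rejected an IKE packet on (?P<ifname>\S+) from (?P<src>{IP}):(?P<sport>\d+) "
    rf"to (?P<dst>{IP}):(?P<dport>\d+) with cookies (?P<icookie>[0-9a-f]{{16}}) "
    rf"and (?P<rcookie>[0-9a-f]{{16}}) because (?P<reason>.+?)\.?$"
)


@dataclass
class Event:
    ts: str
    module: str
    level: str
    type: str
    text: str


def parse_events(raw: str) -> list[Event]:
    """'get event' wraps long descriptions onto indented continuation lines;
    glue them back so each Event carries its whole message."""
    events: list[Event] = []
    for line in raw.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            events.append(Event(m["ts"], m["module"], m["level"], m["type"], m["text"].strip()))
        elif events and line[:1].isspace() and line.strip():
            events[-1].text += " " + line.strip()
    return events


def ike_rejections(events: list[Event]) -> list[dict]:
    """Structured view of the type-00536 (IKE reject) events only."""
    out = []
    for ev in events:
        m = REJECT_RE.match(ev.text) if ev.type == "00536" else None
        if m:
            d = m.groupdict()
            out.append({"ts": ev.ts, "ifname": d["ifname"], "peer": f'{d["src"]}:{d["sport"]}',
                        "local": f'{d["dst"]}:{d["dport"]}', "icookie": d["icookie"],
                        "reason": d["reason"]})
    return out


# Hints are the diagnoses offered in this thread for each reason string, nothing more.
HINTS = {
    "an initial Phase 1 packet arrived from an unrecognized peer gateway":
        "the peer reached the firewall but no IKE gateway claimed it: compare the client's "
        "IKE identity with the dial-up user's ike-id, the pre-shared key, and the Phase 1 "
        "mode and proposal on both ends",
}


def triage(raw: str) -> dict:
    """Per peer: distinct initiator cookies are separate connection attempts; a
    repeating cookie is the client retransmitting one attempt that got no answer."""
    per_peer = defaultdict(lambda: defaultdict(int))
    reasons = defaultdict(set)
    for r in ike_rejections(parse_events(raw)):
        per_peer[r["peer"]][r["icookie"]] += 1
        reasons[r["peer"]].add(r["reason"])
    return {
        peer: {"attempts": len(cookies),
               "retransmits": sum(cookies.values()) - len(cookies),
               "reasons": sorted(reasons[peer]),
               "hints": [HINTS.get(x, "no hint on record") for x in sorted(reasons[peer])]}
        for peer, cookies in per_peer.items()
    }


def _record(ts: str, icookie: str) -> str:
    # Constructed sample record, wrapped the way the PuTTY capture in this thread shows it.
    pad = " " * 39
    return (f"{ts} system info  00536 Rejected an IKE packet on ethernet0/2\n"
            f"{pad}from 24.***.***.153:500 to\n"
            f"{pad}209.***.***.118:500 with cookies\n"
            f"{pad}{icookie} and 0000000000000000\n"
            f"{pad}because an initial Phase 1 packet\n"
            f"{pad}arrived from an unrecognized peer\n"
            f"{pad}gateway.\n")


SAMPLE_EVENT_LOG = "Date       Time     Module Level  Type Description\n" + "".join(
    _record(ts, ck) for ts, ck in [
        ("2009-08-15 16:43:11", "0f22cbc98b76eeb7"), ("2009-08-15 16:42:56", "0f22cbc98b76eeb7"),
        ("2009-08-15 16:42:41", "0f22cbc98b76eeb7"), ("2009-08-15 16:42:26", "0f22cbc98b76eeb7"),
        ("2009-08-15 16:40:48", "9f5cda49b9b1c59c"), ("2009-08-15 16:40:33", "9f5cda49b9b1c59c"),
        ("2009-08-15 16:40:17", "9f5cda49b9b1c59c"), ("2009-08-15 16:40:02", "9f5cda49b9b1c59c"),
    ])

if __name__ == "__main__":
    print(triage(SAMPLE_EVENT_LOG))
```

Paste the CLI output straight in (header line included); anything that is not a type-00536 record is parsed but ignored, so the same function works on an unfiltered `get event` dump.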

 

by: marmata75, posted on 2009-08-15 at 14:43:03 (ID: 25107012)

Oh sorry, I wrote the message while you were posting the firewall log. Well, usually a Phase 1 error like this happens when the pre-shared keys do not match, or when you don't have the same set of Phase 1 encryption options. You've specified no perfect forward secrecy, ESP, DES, MD5 on your Juniper; make sure you've done the same on your NetScreen-Remote (and double-check the pre-shared key, AND the identity, which should be staff@domain.com).

Cheers,
]\/[arco

 

by: cyexx, posted on 2009-08-15 at 14:43:33 (ID: 25107013)

Dump from PuTTY is attached.

login as: admin
admin@10.10.1.1's password:
Remote Management Console
FW2-> get event type 536
Date       Time     Module Level  Type Description
2009-08-15 16:43:11 system info  00536 Rejected an IKE packet on ethernet0/2
                                       from 24.***.***.153:500 to
                                       209.***.***.118:500 with cookies
                                       0f22cbc98b76eeb7 and 0000000000000000
                                       because an initial Phase 1 packet
                                       arrived from an unrecognized peer
                                       gateway.
2009-08-15 16:42:56 system info  00536 Rejected an IKE packet on ethernet0/2
                                       from 24.***.***.153:500 to
                                       209.***.***.118:500 with cookies
                                       0f22cbc98b76eeb7 and 0000000000000000
                                       because an initial Phase 1 packet
                                       arrived from an unrecognized peer
                                       gateway.
2009-08-15 16:42:41 system info  00536 Rejected an IKE packet on ethernet0/2
                                       from 24.***.***.153:500 to
                                       209.***.***.118:500 with cookies
                                       0f22cbc98b76eeb7 and 0000000000000000
                                       because an initial Phase 1 packet
                                       arrived from an unrecognized peer
                                       gateway.
2009-08-15 16:42:26 system info  00536 Rejected an IKE packet on ethernet0/2
                                       from 24.***.***.153:500 to
                                       209.***.***.118:500 with cookies
                                       0f22cbc98b76eeb7 and 0000000000000000
                                       because an initial Phase 1 packet
                                       arrived from an unrecognized peer
                                       gateway.
2009-08-15 16:40:48 system info  00536 Rejected an IKE packet on ethernet0/2
                                       from 24.***.***.153:500 to
                                       209.***.***.118:500 with cookies
                                       9f5cda49b9b1c59c and 0000000000000000
                                       because an initial Phase 1 packet
                                       arrived from an unrecognized peer
                                       gateway.
2009-08-15 16:40:33 system info  00536 Rejected an IKE packet on ethernet0/2
                                       from 24.***.***.153:500 to
                                       209.***.***.118:500 with cookies
                                       9f5cda49b9b1c59c and 0000000000000000
                                       because an initial Phase 1 packet
                                       arrived from an unrecognized peer
                                       gateway.
2009-08-15 16:40:17 system info  00536 Rejected an IKE packet on ethernet0/2
                                       from 24.***.***.153:500 to
                                       209.***.***.118:500 with cookies
                                       9f5cda49b9b1c59c and 0000000000000000
                                       because an initial Phase 1 packet
                                       arrived from an unrecognized peer
                                       gateway.
2009-08-15 16:40:02 system info  00536 Rejected an IKE packet on ethernet0/2
                                       from 24.***.***.153:500 to
                                       209.***.***.118:500 with cookies
                                       9f5cda49b9b1c59c and 0000000000000000
                                       because an initial Phase 1 packet
                                       arrived from an unrecognized peer
                                       gateway.
Total entries matched = 8
FW2->

                                              
1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:
14:
15:
16:
17:
18:
19:
20:
21:
22:
23:
24:
25:
26:
27:
28:
29:
30:
31:
32:
33:
34:
35:
36:
37:
38:
39:
40:
41:
42:
43:
44:
45:
46:
47:
48:
49:
50:
51:
52:
53:
54:
55:
56:
57:
58:
59:
60:
61:
62:
63:

Select allOpen in new window

 

by: cyexx, posted on 2009-08-15 at 14:51:59, ID: 25107038

I turned off the forward security and add-on options, since I prefer getting the base VPN working before adding security options to it. I have copied and pasted in the auth key and email address.

I have just put the auth key and domain back in again and there is still no change in the connection.

 

by: deimark, posted on 2009-08-15 at 14:53:28, ID: 25107044

Yup, agree with marmata75.

The firewall is getting the request from the user with NS remote and is rejecting it.

There are mismatched settings for phase 1 or the user himself (including shared secrets etc).

As it says it's an unrecognised peer, the firewall is saying it does not "know" of the user.
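As an added example (not from the thread), a small Python triage script that parses ScreenOS event 536 entries in the layout of the dump above and groups them by source address and IKE initiator cookie: the same cookie repeating with an all-zero responder cookie is one client retransmitting a Phase 1 proposal the gateway never answered, which is exactly what a proposal or peer-ID mismatch looks like from the firewall side. The sample entries, the `_entry` helper and the 198.51.100.x / 203.0.113.x addresses are constructed; the cookie values are the ones from the dump.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the layout of ScreenOS "get event type 536" output:
# one timestamped line followed by indented continuation lines.
def _entry(ts, icookie):  # hypothetical helper; addresses are documentation-range placeholders
    return (f"{ts} system info  00536 Rejected an IKE packet on ethernet0/2\n"
            "                                       from 198.51.100.153:500 to\n"
            "                                       203.0.113.118:500 with cookies\n"
            f"                                       {icookie} and 0000000000000000\n"
            "                                       because an initial Phase 1 packet\n"
            "                                       arrived from an unrecognized peer\n"
            "                                       gateway.\n")

SAMPLE = "".join(_entry(ts, c) for ts, c in [
    ("2009-08-15 16:43:11", "0f22cbc98b76eeb7"), ("2009-08-15 16:42:56", "0f22cbc98b76eeb7"),
    ("2009-08-15 16:42:41", "0f22cbc98b76eeb7"), ("2009-08-15 16:40:48", "9f5cda49b9b1c59c")])

HEADER = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ \S+\s+(\d{5}) (.*)$")
DETAIL = re.compile(r"from ([\d.]+):\d+ to [\d.]+:\d+ with cookies "
                    r"([0-9a-f]{16}) and ([0-9a-f]{16}) because (.*?)\.?$")

def parse_events(text):
    # Re-join wrapped entries, then extract source, IKE cookies and reject reason.
    records = []
    for line in text.splitlines():
        if HEADER.match(line):
            records.append(line.rstrip())
        elif records and line.startswith(" "):
            records[-1] += " " + line.strip()
    events = []
    for rec in records:
        head = HEADER.match(rec)
        detail = DETAIL.search(head.group(3))
        if head.group(2) == "00536" and detail:
            src, icookie, rcookie, reason = detail.groups()
            events.append({"ts": datetime.strptime(head.group(1), "%Y-%m-%d %H:%M:%S"),
                           "src": src, "icookie": icookie, "rcookie": rcookie, "reason": reason})
    return events

def summarize(events):
    # Same (src, initiator cookie) repeating with a zero responder cookie = unanswered retransmits.
    groups = defaultdict(list)
    for e in events:
        groups[(e["src"], e["icookie"])].append(e)
    return {key: {"count": len(evs),
                  "span_s": int((max(e["ts"] for e in evs) - min(e["ts"] for e in evs)).total_seconds()),
                  "unanswered": all(e["rcookie"] == "0" * 16 for e in evs),
                  "reason": evs[0]["reason"]} for key, evs in groups.items()}
```

Feeding the real `get event type 536` output to `parse_events` gives one group per retrying client; a group whose count keeps growing while the user reports "no prompt" is a Phase 1 mismatch to fix on the gateway or client, not an auth failure.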

 

by: cyexx, posted on 2009-08-15 at 14:57:44, ID: 25107060

I never get the option to put in the username/password to auth with, since it's dropping on the attempt.

 

by: deimark, posted on 2009-08-15 at 14:59:34, ID: 25107064

NS Remote doesn't need it; the username, pass and shared secret etc. are all entered into the client BEFORE you connect.

Once it's all configured, all you need to do is select "connect to....".

It's because the client does not have the same settings as the firewall.

 

by: cyexx, posted on 2009-08-15 at 15:11:43, ID: 25107100

I don't have the option for user/pass. I have attached a screenshot of the remote software.

 

by: deimark, posted on 2009-08-15 at 15:14:55, ID: 25107107

In the top right window, have you added the pre-shared key at the button top right?

 

by: deimark, posted on 2009-08-15 at 15:15:08, ID: 25107110

and the username is the email address

 

by: cyexx, posted on 2009-08-15 at 15:20:17, ID: 25107130

I have added the pre-shared key in that window before.

I have tried my user name and stadd@domain.com for the email address field.

I was following this KB - http://kb.juniper.net/KB4772

Still nothing connecting

 

by: marmata75, posted on 2009-08-15 at 15:21:32, ID: 25107132

In the "My Identity" screen, click on the pre-shared key and double check it's the same as the one you entered on the firewall. The identity (the email address) looks fine!
Then it looks like your phase 1 in NS Remote does not match the one on your firewall. In NS Remote you're using 3DES and SHA-1, while on the firewall you're using DES and MD5. So in "Authentication (Phase 1) -> Proposal 1" change Triple DES to DES, and SHA-1 to MD5.
This way you should be able to get to the XAuth prompt and successfully access the VPN!

Cheers,
]\/[arco

 

by: deimark, posted on 2009-08-15 at 15:22:54, ID: 25107136

Forget XAuth for now bud, let's just get you connected.

I would test this myself as I have an SSG set up with remote users, but as I run Vista 64, there isn't a VPN client built that will work on 64-bit OSes.

I will see if I can fire up a VM to do this.

 

by: deimark, posted on 2009-08-15 at 15:24:10, ID: 25107141

Go back to basics

Do the deed at http://kb.juniper.net/KB4769

Once we have this working and made sure that the basics are there, we can then go on to XAuth.

 

by: cyexx, posted on 2009-08-15 at 16:01:17, ID: 25107227

I have tried changing the remote auth to DES and MD5, no change.

I have followed the KB from deimark and am still unable to connect.

I have phase 1 as pre-shared with DES / MD5 / DH Group 1.
I have phase 2 as DES / SHA-1 / tunnel.

These are the settings on both sides.

Connection still dropped.

 

by: marmata75, posted on 2009-08-16 at 01:08:40, ID: 25108180

Cyexx, are the error messages on both the Juniper and the NetScreen Remote the same as before? In that case could you repost the firewall config and the NS Remote config? There's surely something that does not match!

Cheers,
]\/[arco

 

by: cyexx, posted on 2009-08-16 at 09:02:55, ID: 25109357

I finally got a ticket open with Juniper and finally took care of the issue. The issue was that the XAuth and IKE config setup had changed from what the KB had in it to what the tech was able to assist with.

Also found out that the security profile for the remote PC kept rotating the phase 1 and phase 2 ciphers on saves.

Also an issue with the policy: it was not routing once the tunnel was built and would drop the tunnel.

 

by: deimark, posted on 2009-08-16 at 09:05:02, ID: 25109363

Glad to hear it's resolved bud. :D

 

by: cyexx, posted on 2009-08-16 at 09:05:50, ID: 31616069

Thank you everyone for the help. Issue was closed with your help.
