10/15/2009 at 01:37PM PDT, ID: 24816349

Shrew for Vista 64 and Juniper NetScreen SSG5 IPSec configuration help

Asked by andysussman44 in Virtual Private Networking (VPN), Windows 64-bit, Networking Hardware Firewalls

Tags: juniper, netscreen, shrew

Hi,
We have a Juniper SSG5, version 6.0.0r4.0. We have an existing VPN that we use successfully with the NetScreen Remote 9.04 client. We now have an employee with Vista Home Premium 64 at home and are looking into the Shrew VPN client to support 64-bit clients. I have set up a policy on her system using Shrew and it seems to be successfully negotiating Phase 1, but I am having trouble getting Phase 2 to connect successfully (I think) with the SSG5.

I am getting this logged on the SSG5 when I try to connect from the Shrew client on her machine.

IKE xx.xx.33.215: Received initial contact notification and removed Phase 1 SAs.
IKE xx.xx.33.215: Received initial contact notification and removed Phase 2 SAs.
IKE xx.xx.33.215: Received a notification message for DOI 1 24578 INITIAL-CONTACT.
IKE xx.xx.33.215: Phase 1: Completed Aggressive mode negotiations with a 28800-second lifetime.
IKE xx.xx.33.215: Phase 1: Completed for user TEST.
IKE xx.xx.33.215: Phase 1: IKE responder has detected NAT in front of the remote device.
IKE xx.xx.33.215: Phase 1: IKE responder has detected NAT in front of the local device.
IKE xx.xx.33.215: Phase 1: Responder starts AGGRESSIVE mode negotiations

My configuration on the SSG5 is as follows (just the VPN parts):
set user "test" uid 1
set user "test" ike-id u-fqdn "test.mydomain.com" share-limit 1
set user "test" type  ike
set user "test" "enable"
set user-group "VPN Users" id 1
set user-group "VPN Users" user "test"
set ike gateway "My VPN Gateway" dialup "VPN Users" Aggr outgoing-interface "ethernet0/0" preshare "DELTETED" proposal "pre-g2-3des-md5"
set ike gateway "MY VPN Gateway" cert peer-ca-hash DELTETED
unset ike gateway "MY VPN Gateway" nat-traversal udp-checksum
set ike gateway "MY VPN Gateway" nat-traversal keepalive-frequency 5
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vpn "MY VPN" gateway "MY VPN Gateway" no-replay tunnel idletime 0 proposal "g2-esp-des-md5"
set vpn "My  VPN" bind zone Untrust-Tun
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set url protocol websense
exit
set policy id 3 name "vpn" from "Untrust" to "Trust"  "Dial-Up VPN" "10.0.0.0/255.255.255.0" "ANY" tunnel vpn "My  VPN" id 2 log
set policy id 3
set log session-init
exit
set ssh version v2
set config lock timeout 5

My Shrew configuration is:

n:version:2
n:network-ike-port:500
n:network-mtu-size:1380
n:client-addr-auto:1
n:network-natt-port:4500
n:network-natt-rate:15
n:network-frag-size:540
n:network-dpd-enable:1
n:client-banner-enable:0
n:network-notify-enable:1
n:client-wins-used:1
n:client-wins-auto:1
n:client-dns-used:1
n:client-dns-auto:1
n:client-splitdns-used:1
n:client-splitdns-auto:1
n:phase1-dhgroup:2
n:phase1-life-secs:86400
n:phase1-life-kbytes:0
n:vendor-chkpt-enable:0
n:phase2-life-secs:3600
n:phase2-life-kbytes:0
n:policy-nailed:0
n:policy-list-auto:0
s:network-host:xxx.xxx.xxx.xxx
s:client-auto-mode:push
s:client-iface:virtual
s:network-natt-mode:enable
s:network-frag-mode:enable
s:auth-method:mutual-psk
s:ident-client-type:fqdn
s:ident-server-type:address
s:ident-client-data:test.mydomain.com
s:ident-server-data:xxx.xx.xxx.xxx
b:auth-mutual-psk: I Deleted it
s:phase1-exchange:aggressive
s:phase1-cipher:3des
s:phase1-hash:md5
s:phase2-transform:esp-des
s:phase2-hmac:md5
s:ipcomp-transform:disabled
n:phase2-pfsgroup:2
s:policy-list-include:10.0.0.0 / 255.255.255.0

Can anyone help me with correctly setting up the Shrew client without having to change my existing NetScreen configuration and policies (if possible)? If not, then I can update all the users as well.

Thanks!
Andy
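As an added example for this thread (not part of the original post, and not Shrew Soft or Juniper code): a small Python script that parses the two configurations quoted above, the Shrew profile's `type:key:value` lines and the ScreenOS `set user` / `set ike gateway` / `set vpn` / `set policy` lines, and reports every place where the client and gateway disagree on identity, exchange mode, Phase 1 proposal, Phase 2 proposal or protected network. It assumes that ScreenOS predefined proposal names follow the `<auth>-g<dh>-<cipher>-<hash>` and `<pfs>-<proto>-<cipher>-<hash>` patterns, that Shrew spells the user-FQDN identity type `ufqdn`, stores AES key lengths under `phase1-cipher-keylen` / `phase2-keylen` and stores PFS-off as a non-positive `phase2-pfsgroup`; none of those keys appear in the post, so they are labelled as assumptions in the code. The embedded sample input is copied from the post.

```python
"""Cross-check a Shrew Soft .vpn profile against ScreenOS IKE gateway / VPN lines.
Example written for this thread; it is not Shrew Soft or Juniper code."""
import re

# Constructed input: the identity, Phase 1, Phase 2 and policy lines quoted in the post.
SHREW_PROFILE = """\
n:phase1-dhgroup:2
n:phase2-pfsgroup:2
s:auth-method:mutual-psk
s:ident-client-type:fqdn
s:ident-client-data:test.mydomain.com
s:phase1-exchange:aggressive
s:phase1-cipher:3des
s:phase1-hash:md5
s:phase2-transform:esp-des
s:phase2-hmac:md5
s:policy-list-include:10.0.0.0 / 255.255.255.0
"""
SCREENOS_CONFIG = """\
set user "test" ike-id u-fqdn "test.mydomain.com" share-limit 1
set ike gateway "My VPN Gateway" dialup "VPN Users" Aggr outgoing-interface "ethernet0/0" preshare "DELTETED" proposal "pre-g2-3des-md5"
set vpn "MY VPN" gateway "MY VPN Gateway" no-replay tunnel idletime 0 proposal "g2-esp-des-md5"
set policy id 3 name "vpn" from "Untrust" to "Trust" "Dial-Up VPN" "10.0.0.0/255.255.255.0" "ANY" tunnel vpn "My VPN" id 2 log
"""

# ScreenOS predefined proposal names: <auth>-g<dh>-<cipher>-<hash> (Phase 1) and
# <pfs>-<proto>-<cipher>-<hash> (Phase 2). User-defined proposals may carry any name,
# so a name that does not parse is reported rather than guessed at.
P1_RE = re.compile(r"^(pre|rsa|dsa)-g(\d+)-(des|3des|aes128|aes192|aes256)-(md5|sha)$")
P2_RE = re.compile(r"^(nopfs|g\d+)-(esp|ah)-(des|3des|aes128|aes192|aes256|null)-(md5|sha|null)$")
HASH = {"md5": "md5", "sha": "sha1", "null": "null"}  # ScreenOS "sha" is SHA-1; Shrew writes "sha1"
AUTH = {"pre": "mutual-psk", "rsa": "mutual-rsa", "dsa": "mutual-dsa"}
IDTYPE = {"u-fqdn": "ufqdn", "ip": "address", "asn1-dn": "asn1dn"}  # ScreenOS -> Shrew spelling (assumed)
LEGACY = {"des", "md5", "g1", "g2"}  # 56-bit DES, MD5 HMAC, 768/1024-bit DH: legacy-only today


def parse_shrew(text):
    """Shrew profile lines are <type>:<key>:<value>; n = number, s = string, b = binary."""
    prof = {}
    for line in text.splitlines():
        if line.count(":") < 2:
            continue
        typ, key, val = line.split(":", 2)
        prof[key] = int(val) if typ == "n" else val.strip()
    return prof


def parse_screenos(text):
    cfg = {}
    for line in text.splitlines():
        if m := re.search(r'set user "[^"]+" ike-id (\S+) "([^"]+)"', line):
            cfg["id_type"], cfg["id_data"] = m.group(1), m.group(2)
        if m := re.search(r'set ike gateway .* proposal "([^"]+)"', line):
            cfg["p1"], cfg["aggr"] = m.group(1), " Aggr " in line
        if m := re.search(r'set vpn .* proposal "([^"]+)"', line):
            cfg["p2"] = m.group(1)
        if m := re.search(r'"Dial-Up VPN" "([^"]+)"', line):
            cfg["net"] = m.group(1).replace(" ", "")
    return cfg


def split_cipher(name):
    """'aes128' -> ('aes', 128); 'des' -> ('des', None), mirroring Shrew's cipher + keylen split."""
    m = re.match(r"^(aes)(\d+)$", name)
    return (m.group(1), int(m.group(2))) if m else (name, None)


def check(shrew_text=SHREW_PROFILE, screenos_text=SCREENOS_CONFIG):
    s, g = parse_shrew(shrew_text), parse_screenos(screenos_text)
    mismatches, warnings = [], []

    def note(what, client, gateway):
        if client != gateway:
            mismatches.append(f"{what}: client={client} gateway={gateway}")

    note("ike-id type", s.get("ident-client-type"), IDTYPE.get(g.get("id_type"), g.get("id_type")))
    note("ike-id data", s.get("ident-client-data"), g.get("id_data"))
    note("exchange", s.get("phase1-exchange"), "aggressive" if g.get("aggr") else "main")
    if m := P1_RE.match(g.get("p1", "")):
        auth, dh, cipher, h = m.groups()
        note("phase1 auth", s.get("auth-method"), AUTH[auth])
        note("phase1 dh group", s.get("phase1-dhgroup"), int(dh))
        # Assumption: Shrew keeps the AES key length under phase1-cipher-keylen (absent for DES/3DES).
        note("phase1 cipher", (s.get("phase1-cipher"), s.get("phase1-cipher-keylen")), split_cipher(cipher))
        note("phase1 hash", s.get("phase1-hash"), HASH[h])
    else:
        mismatches.append(f"phase1 proposal {g.get('p1')!r} is not a predefined name; compare it by hand")
    if m := P2_RE.match(g.get("p2", "")):
        pfs, proto, cipher, h = m.groups()
        client_pfs = s.get("phase2-pfsgroup", 0)  # assumption: PFS off is stored as a non-positive group
        note("phase2 pfs", f"g{client_pfs}" if client_pfs > 0 else "nopfs", pfs)
        c, klen = split_cipher(cipher)
        note("phase2 transform", (s.get("phase2-transform"), s.get("phase2-keylen")), (f"{proto}-{c}", klen))
        note("phase2 hmac", s.get("phase2-hmac"), HASH[h])
    else:
        mismatches.append(f"phase2 proposal {g.get('p2')!r} is not a predefined name; compare it by hand")
    note("protected network", s.get("policy-list-include", "").replace(" ", ""), g.get("net"))

    if g.get("aggr") and str(s.get("auth-method", "")).startswith("mutual-psk"):
        warnings.append("aggressive mode with a pre-shared key: the responder's HASH_R is sent in the clear, "
                        "so a captured exchange supports offline dictionary attacks on the PSK")
    legacy = sorted(LEGACY & (set(g.get("p1", "").split("-")) | set(g.get("p2", "").split("-"))))
    return {"mismatches": mismatches, "warnings": warnings, "legacy_algorithms": legacy}


if __name__ == "__main__":
    for key, value in check().items():
        print(key, value)
```

Run on the post's own configuration, the script finds the Phase 1 and Phase 2 proposals, PFS group and protected network in agreement, and reports a single difference: the gateway defines the user with an `ike-id u-fqdn` (ID_USER_FQDN) while the client sends `ident-client-type:fqdn` (ID_FQDN). The SSG5 log above shows Phase 1 completing for user TEST, so the gateway evidently accepted it; the check is still worth keeping because an ID-type mismatch is the first thing to rule out when a dial-up user fails to match. It also lists `des`, `g2` and `md5` as legacy algorithms both sides agree on, and warns that aggressive mode with a pre-shared key exposes the responder's hash to offline PSK guessing by anyone who captures the exchange; both are reasons to move the shared proposals to 3DES/AES with SHA and a larger DH group once the 64-bit client is working.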
10/18/09 09:15 AM, ID: 25600320

About this solution

Solution Provided By: Qlemo
Participating Experts: 1
Solution Grade: A