SSG5 VPN not working with Verizon Wireless

Hi, the VPN (via netscreen remote) from my laptop using my home cable internet connection works great. However, when I try to connect using my Verizon Wireless broadband connection it does not work. I have tried enabling Nat traversal, turning off zone alarm, trying each virtual adapter setting, etc. I do not have any compression software installed (e.g. Venturi)

Netscreen remote Log is below:
7-01: 18:38:16.734 My Connections\1 - Initiating IKE Phase 1 (IP ADDR=XX.XXX.252.194)
 7-01: 18:38:16.968 My Connections\1 - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID 6x)
 7-01: 18:38:32.546 My Connections\1 - message not received! Retransmitting!
 7-01: 18:38:32.546 My Connections\1 - SENDING>>>> ISAKMP OAK AG (Retransmission)
 7-01: 18:38:47.593 My Connections\1 - message not received! Retransmitting!
 7-01: 18:38:47.593 My Connections\1 - SENDING>>>> ISAKMP OAK AG (Retransmission)
 7-01: 18:39:02.593 My Connections\1 - message not received! Retransmitting!
 7-01: 18:39:02.593 My Connections\1 - SENDING>>>> ISAKMP OAK AG (Retransmission)
 7-01: 18:39:17.687 My Connections\1 - Exceeded 3 IKE SA negotiation attempts
JohnBusiness Consultant (Owner)Commented:
What happens if you restart the laptop and use only the Verizon wireless connection? I ask this because sometimes the Netscreen Remote services need to be restarted between different connection types. I don't know why, but I know it gave me some relief.

I am using the SafeNet product for Vista 64-bit now, and don't use the Netscreen Remote product any longer.

It is also possible that Netscreen Remote is not compatible with Verizon Wireless. That I do not know  .... Thinkpads_User
wn411Author Commented:
Yes, I am only using the Verizon Connection. The computer is off before connection. I have also selected the WAN connection that Verizon is using.
It might also be that verizon are just blocking the IPSec connection.

Some wireless providers only allow http and https, similar to hotspot.

See if you can tunnel through https with the nsremote (off the top of my head I can't recall if you can)

wn411Author Commented:
From other articles I read IPSEC should be OK. I don't see the option to tunnel over SSL.
IPSec is normally fine, however, as I said, some providers of wireless stuff, like hotspots etc, do limit the protocols that can traverse their networks.

All we can see in the logs is that nsremote keeps trying to send the phase 1 1st packet and gets no response.  Which can indicate that either the firewall is dropping the packet (which will be seen in the firewall logs) or the provider is not allowing the traffic through.

I would double check with verizon first, to make sure that they allow ipsec across the wireless connection
JohnBusiness Consultant (Owner)Commented:
As I more or less indicated in my earlier post, there is just no guarantee that Juniper Netscreen will work through any given router, any given modem, or any given ISP. While I have had good success with Netscreen over a 5 year period, I have had glitches as well, and as the log above showed, the Netscreen software didn't even get to first base which is further evidence of incompatibility. ... Thinkpads_User
AFAIK, the NSRemote product is a rebranded safenet one, so not sure what you're getting at here bud.

Juniper is only 1 of many that provide the remote access solutions to connect to firewall/routers etc.  They are all pretty much the same as long as they follow the standards for the protocol to be used, which in this case is ipsec.

As we know that NSremote works on other networks, it's reasonable to assume the differentiating factor of this one is that it's a verizon provided wireless.

It may be a red herring but I have been burned by several wireless providers NOT allowing the transit of IPSec packets in their network, they only allow http and https.  To get around this, I have had to set the VPN client to use SSL (in the past it's been Check Point's secure client, which works fine) so I do know what I am talking about.

I still stand by my post above, before we go trying to troubleshoot the juniper side, a quick call to verizon support to see if they allow ipsec packets through their network would be my first obvious and most sensible port of call.

And yes I do know that there are better utilities out there to act as VPN clients, but sadly, as the SSG boxes do not offer SSL VPN functionality, all of them will hit the same problem if verizon is blocking ipsec.
wn411Author Commented:
deimark, I was talking about other articles saying IPSEC was OK with Verizon. But, I will call them as well and get back to all :)
wn411Author Commented:
I found this in the Verizon site. I am going to call them to confirm.

Will Mobile Broadband and NationalAccess work with IP Sec and existing VPN Solutions?
Yes, your VPN product should treat the NationalAccess and Mobile Broadband data networks exactly as it treats the Internet; however, we recommend testing your specific VPN over the NationalAccess and Mobile Broadband networks before you deploy the service. Verizon Wireless' national data sales team, in conjunction with system engineers and data solutions managers, work with customers and VPN providers to enable secure, wireless access to their VPN over the NationalAccess and Mobile Broadband networks. Your Verizon Wireless sales representative can provide additional information on VPN access over the Verizon Wireless networks. Verizon Wireless Data Sales Engineers are also available to meet with your corporate IT group to answer any questions and ensure a smooth implementation.
Kewl bud.

As I said, it might not be the case however, its where I would check 1st before investigating the nsremote stuff.

Also, might be worth looking into an alternative to nsremote, in case it's that causing the issues, and it's shrew.  Personally, I have never used it, but others on EE seem to rate it quite highly.
If shrew doesn't work, then it may be something in between interfering with the ipsec packets.
wn411Author Commented:
Thanks, I called them and they confirmed IPSEC is fine. I am going to try the shrew software now :)
wn411Author Commented:
Also, it was mentioned that perhaps my Blackberry device used for tethering to the laptop was blocking it. I checked the firewall on the blackberry and it was off.
wn411Author Commented:
OK I fixed it!!! I tried the Shrew software. But that did not work. I had to then uninstall that and reboot because it broke the Netscreen Remote client software.

Here is what I had to do.

1) Connect to the Verizon Cellular Broadband connection as you would normally do.
2) Start > Control Panel > Network Connections
3) You will see National Access-Broadband Access under the Dial-Up Category.
4) Right click that connection. Choose Properties.
5) Click the advanced tab. Check "Allow other network users to connect through this computer's Internet connection."
6) Choose Local Area Connection.
7) Click OK.

Start the VPN connection normally :)

I first tried to bridge the connections. But that option was not possible. So, I tried this and it worked!
Although the VPN software allowed me to choose the dial-up connection, I guess it was still trying to connect via the LAN connection.

I will leave this open for a day for any other comments.
Hmm, never seen that one before bud, but it must be that the nsremote did bind to the lan and not the other interface.

btw, I have never seen many VPN clients that play well together, all of them want to control the interfaces as they bind their own virtual adaptors to the physical one.

wn411Author Commented:
OK, I have even better info based on hours of troubleshooting this.

1) If I connect to the VPN via my normal LAN internet connection over cable modem broadband, the VPN connects.
2) I disconnect from the LAN cable modem connection.
3) I start the Verizon connection via tethered Blackberry.
4) I do NOT share the Internet connection as mentioned above. The VPN connects!

Then I rebooted the PC, tried to connect to the VPN over the Verizon connection and it fails.
I noticed the following:
Netscreen Remote installs a shortcut in the Startup folder. So, the program starts upon boot and gives you an icon in the systray (clock). As an experiment, I killed all the Netscreen related .exe files in task manager. Those files can be found in C:\Program Files\Juniper\NetScreen-Remote as a reference.

I then started the Verizon connection, THEN the Netscreen software Safecfg.exe, then restarted the following services: SafeNet IKE Service, SafeNet Monitor Service.

I then successfully connect to the VPN!

I think what is happening is that since the Netscreen software is starting first, it does not see the available Verizon Connection because it does not exist. So you have to start the Verizon Connection, then you will see a listing in your Control Panel > Network Connections titled Verizon. At that point you fire up the Netscreen Remote software. It then sees that as an available connection.

My next attempt is to remove the shortcut in the start menu startup folder and set the two services above to Manual. I am hoping that will prevent me from having to kill all the startup process and services each time.
wn411Author Commented:
Just did the above and it worked. So, the final solution is:

1) Remove SafeCfg.exe from the Startup folder in the Start Menu
2) Set SafeNetIKE and SafeNet Monitor Service to Manual Start

To connect:

1) Start the Verizon connection normally
2) Run SafeCfg.exe
3) Start SafeNetIKE and SafeNet Monitor
4) Start VPN
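
The start order from the post above, scripted as an added example that is not part of the original thread: it refuses to launch the client until the dial-up link is up, so the IKE service starts after the interface exists. Assumptions: PowerShell is available and run elevated, the service display names are exactly as written in the thread, and the dial-up entry name is the one shown in Network Connections (adjust both to match your system).

```powershell
# Added example, not from the original thread. Run from an elevated prompt.
param(
    # Dial-up entry name as listed in Network Connections (assumed; adjust).
    [string]$ConnectionName = 'National Access-Broadband Access',
    # Install directory quoted in the thread.
    [string]$ClientDir = 'C:\Program Files\Juniper\NetScreen-Remote'
)
$ErrorActionPreference = 'Stop'

# Display names as written in the thread; confirm them with Get-Service.
$services = 'SafeNet IKE Service', 'SafeNet Monitor Service'

# One-time setup: stop the services from starting at boot, before the
# Verizon connection exists. The SafeCfg.exe shortcut in the Startup
# folder still has to be removed by hand.
foreach ($name in $services) {
    Get-Service -DisplayName $name | Set-Service -StartupType Manual
}

# rasdial with no arguments lists the currently connected dial-up entries.
$connected = & rasdial.exe | Select-String -SimpleMatch $ConnectionName
if (-not $connected) {
    throw "Dial-up entry '$ConnectionName' is not connected. Start it first."
}

# Stop any instance that started earlier and may be bound to the LAN adapter.
foreach ($name in $services) {
    Get-Service -DisplayName $name | Stop-Service -Force
}

# Same order as the post: client first, then the two services.
Start-Process -FilePath (Join-Path $ClientDir 'SafeCfg.exe')
foreach ($name in $services) {
    Get-Service -DisplayName $name | Start-Service
}

# Show the resulting state; the VPN connection is then started as usual.
Get-Service -DisplayName $services | Format-Table DisplayName, Status
```
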

Nice find bud and well investigated.

Thanks for letting us know.