How do I configure SSG5 & NetScreen-Remote for remote VPN access

Dear sir,

I followed the instructions from the standard Juniper doc to set up NetScreen-Remote VPN (policy based).
It fails to connect from home.

The following is the log I collected from the NetScreen-Remote client.
Experts, I am a beginner with the SSG5 firewall; please kindly help me troubleshoot this case.

 4-17: 18:31:08.078 NetScreen-Remote Version 10.8.1 (Build 10).
 4-17: 18:31:13.093 Interface added: 10.0.0.102/255.255.255.0 on LAN "VMware Accelerated AMD PCNet Adapter".
 4-17: 18:31:13.093 Clearing arp for adapter 2
 4-17: 18:31:13.562 Filter table loaded (2 entries).
 4-17: 18:31:13.562 This is a GA version of NetScreen-Remote.
 4-17: 18:32:11.042
 4-17: 18:32:11.042 My Connections\OneOasis - Initiating IKE Phase 1 (IP ADDR=202.177.73.210)
 4-17: 18:32:11.308 My Connections\OneOasis - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID 6x)
 4-17: 18:32:11.386 My Connections\OneOasis - RECEIVED<<< ISAKMP OAK AG (SA, VID 3x, KE, NON, ID, HASH, VID, NAT-D 2x)
 4-17: 18:32:11.386 My Connections\OneOasis - Peer supports Dead Peer Detection Version 1.0
 4-17: 18:32:11.386 My Connections\OneOasis - Dead Peer Detection enabled
 4-17: 18:32:11.386 My Connections\OneOasis - Peer is NAT-T draft-02 capable
 4-17: 18:32:11.386 My Connections\OneOasis - Dead Peer Detection enabled
 4-17: 18:32:11.386 My Connections\OneOasis - NAT is detected for Client
 4-17: 18:32:11.386 My Connections\OneOasis - Floating to IKE non-500 port
 4-17: 18:32:11.573 My Connections\OneOasis - SENDING>>>> ISAKMP OAK AG *(HASH, NAT-D 2x, NOTIFY:STATUS_REPLAY_STATUS, NOTIFY:STATUS_INITIAL_CONTACT)
 4-17: 18:32:11.573 My Connections\OneOasis - Established IKE SA
 4-17: 18:32:11.573 My Connections\OneOasis -   MY COOKIE 1a 59 12 3 75 fc bf b3
 4-17: 18:32:11.573 My Connections\OneOasis -   HIS COOKIE 2d fb 6e 6 1c 67 c7 65
 4-17: 18:32:11.823 My Connections\OneOasis - Initiating IKE Phase 2 with Client IDs (message id: 58242332)
 4-17: 18:32:11.823 My Connections\OneOasis -   Initiator = IP ADDR=10.0.0.102, prot = 0 port = 0
 4-17: 18:32:11.823 My Connections\OneOasis -   Responder = IP SUBNET/MASK=10.10.189.0/255.255.255.0, prot = 0 port = 0
 4-17: 18:32:11.823 My Connections\OneOasis - SENDING>>>> ISAKMP OAK QM *(HASH, SA, NON, KE, ID 2x)
 4-17: 18:32:11.855 My Connections\OneOasis - RECEIVED<<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN)
 4-17: 18:32:11.855 My Connections\OneOasis - Discarding IPSec SA negotiation
 4-17: 18:32:11.870 My Connections\OneOasis - Discarding IKE SA negotiation
 4-17: 18:32:11.870 My Connections\OneOasis - Deleting IKE SA (IP ADDR=202.175.76.219)
 4-17: 18:32:11.870 My Connections\OneOasis -   MY COOKIE 1a 59 12 3 75 fc bf b3
 4-17: 18:32:11.870 My Connections\OneOasis -   HIS COOKIE 2d fb 6e 6 1c 67 c7 65
 4-17: 18:32:11.870 My Connections\OneOasis - SENDING>>>> ISAKMP OAK INFO *(HASH, DEL)


 
Gordon Tin, IT Manager Asked:

arnold Commented:
You have a policy mismatch.

Are you using the web based policy creation or are you using the CLI?

The error is: NO_PROPOSAL_CHOSEN
Start from configuring the policy on the SSG5.
Then configure the policy in reverse on the Client to match.
Server:
Remote LAN: client side
Preshared key:
Key length: 768, 1024, etc.
Policy type: 3des-md5, etc.
Tunnel

Client side:
Remote LAN: server side
Policy: 3des-md5
Key length: 768, 1024, etc.

Check Juniper's site for sample remote policy configurations.
0
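Added example (not part of the original thread and not Juniper tooling): a small Python parser for the NetScreen-Remote client log format quoted in the question. It reports, per connection, whether Phase 1 completed, in which phase the gateway returned an error notify, and which Phase 2 client IDs the client proposed, so they can be compared with the policy on the SSG5. The sample log is constructed (connection name and peer address are placeholders), and the function and field names are assumptions of this example.

```python
import re

# Constructed sample in the NetScreen-Remote log format quoted in the question
# (peer address is a documentation range, connection name is made up).
SAMPLE_LOG = r"""
 4-17: 18:32:11.042 My Connections\Example - Initiating IKE Phase 1 (IP ADDR=192.0.2.10)
 4-17: 18:32:11.386 My Connections\Example - RECEIVED<<< ISAKMP OAK AG (SA, VID 3x, KE, NON, ID, HASH, VID, NAT-D 2x)
 4-17: 18:32:11.573 My Connections\Example - SENDING>>>> ISAKMP OAK AG *(HASH, NAT-D 2x, NOTIFY:STATUS_INITIAL_CONTACT)
 4-17: 18:32:11.573 My Connections\Example - Established IKE SA
 4-17: 18:32:11.823 My Connections\Example - Initiating IKE Phase 2 with Client IDs (message id: 58242332)
 4-17: 18:32:11.823 My Connections\Example -   Initiator = IP ADDR=10.0.0.102, prot = 0 port = 0
 4-17: 18:32:11.823 My Connections\Example -   Responder = IP SUBNET/MASK=10.10.189.0/255.255.255.0, prot = 0 port = 0
 4-17: 18:32:11.855 My Connections\Example - RECEIVED<<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN)
 4-17: 18:32:11.855 My Connections\Example - Discarding IPSec SA negotiation
"""

# "<month-day>: <time> <connection name> - <message>"
LINE = re.compile(r"^\s*\d+-\d+: [\d:.]+ (?P<conn>.+?) - \s*(?P<msg>.*)$")

def diagnose(log_text):
    """Return, per connection name, the IKE phase in which the peer sent an error notify."""
    results = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # banner lines and empty timestamps carry no connection name
        st = results.setdefault(m["conn"], {"phase": 0, "phase1_established": False,
                                            "failed_phase": None, "notify": None, "proxy_ids": {}})
        msg = m["msg"]
        if msg.startswith("Initiating IKE Phase "):
            st["phase"] = int(msg[len("Initiating IKE Phase ")])
        elif msg == "Established IKE SA":
            st["phase1_established"] = True
        elif msg.startswith(("Initiator = ", "Responder = ")):
            role, _, ident = msg.partition(" = ")
            st["proxy_ids"][role] = ident.split(",")[0]  # Phase 2 client ID the client proposed
        elif msg.startswith("RECEIVED<<<"):
            # STATUS_* notifies are informational; any other notify is an error from the peer.
            for n in re.findall(r"NOTIFY:(\w+)", msg):
                if not n.startswith("STATUS_") and st["failed_phase"] is None:
                    st["failed_phase"], st["notify"] = st["phase"], n
    return results

if __name__ == "__main__":
    for conn, st in diagnose(SAMPLE_LOG).items():
        print(conn, st)
```

For a log like the one in the question, the result shows Phase 1 established and NO_PROPOSAL_CHOSEN received in Phase 2, so the settings to compare are the client's Phase 2 proposal and client IDs against the SSG5 policy.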

Gordon Tin, IT Manager, Author Commented:
Good Answer
0