How do I configure SSG5 & NetScreen-Remote for remote VPN access

Dear Sir,

I followed the instructions from the standard Juniper doc to set up a NetScreen-Remote VPN (policy based).
It fails to connect from home.

The following is the log I collected from the NetScreen-Remote client.
Experts, I am a beginner with the SSG5 firewall; please kindly help me troubleshoot this case.

 4-17: 18:31:08.078 NetScreen-Remote Version 10.8.1 (Build 10).
 4-17: 18:31:13.093 Interface added: 10.0.0.102/255.255.255.0 on LAN "VMware Accelerated AMD PCNet Adapter".
 4-17: 18:31:13.093 Clearing arp for adapter 2
 4-17: 18:31:13.562 Filter table loaded (2 entries).
 4-17: 18:31:13.562 This is a GA version of NetScreen-Remote.
 4-17: 18:32:11.042
 4-17: 18:32:11.042 My Connections\OneOasis - Initiating IKE Phase 1 (IP ADDR=202.177.73.210)
 4-17: 18:32:11.308 My Connections\OneOasis - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID 6x)
 4-17: 18:32:11.386 My Connections\OneOasis - RECEIVED<<< ISAKMP OAK AG (SA, VID 3x, KE, NON, ID, HASH, VID, NAT-D 2x)
 4-17: 18:32:11.386 My Connections\OneOasis - Peer supports Dead Peer Detection Version 1.0
 4-17: 18:32:11.386 My Connections\OneOasis - Dead Peer Detection enabled
 4-17: 18:32:11.386 My Connections\OneOasis - Peer is NAT-T draft-02 capable
 4-17: 18:32:11.386 My Connections\OneOasis - Dead Peer Detection enabled
 4-17: 18:32:11.386 My Connections\OneOasis - NAT is detected for Client
 4-17: 18:32:11.386 My Connections\OneOasis - Floating to IKE non-500 port
 4-17: 18:32:11.573 My Connections\OneOasis - SENDING>>>> ISAKMP OAK AG *(HASH, NAT-D 2x, NOTIFY:STATUS_REPLAY_STATUS, NOTIFY:STATUS_INITIAL_CONTACT)
 4-17: 18:32:11.573 My Connections\OneOasis - Established IKE SA
 4-17: 18:32:11.573 My Connections\OneOasis -   MY COOKIE 1a 59 12 3 75 fc bf b3
 4-17: 18:32:11.573 My Connections\OneOasis -   HIS COOKIE 2d fb 6e 6 1c 67 c7 65
 4-17: 18:32:11.823 My Connections\OneOasis - Initiating IKE Phase 2 with Client IDs (message id: 58242332)
 4-17: 18:32:11.823 My Connections\OneOasis -   Initiator = IP ADDR=10.0.0.102, prot = 0 port = 0
 4-17: 18:32:11.823 My Connections\OneOasis -   Responder = IP SUBNET/MASK=10.10.189.0/255.255.255.0, prot = 0 port = 0
 4-17: 18:32:11.823 My Connections\OneOasis - SENDING>>>> ISAKMP OAK QM *(HASH, SA, NON, KE, ID 2x)
 4-17: 18:32:11.855 My Connections\OneOasis - RECEIVED<<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN)
 4-17: 18:32:11.855 My Connections\OneOasis - Discarding IPSec SA negotiation
 4-17: 18:32:11.870 My Connections\OneOasis - Discarding IKE SA negotiation
 4-17: 18:32:11.870 My Connections\OneOasis - Deleting IKE SA (IP ADDR=202.175.76.219)
 4-17: 18:32:11.870 My Connections\OneOasis -   MY COOKIE 1a 59 12 3 75 fc bf b3
 4-17: 18:32:11.870 My Connections\OneOasis -   HIS COOKIE 2d fb 6e 6 1c 67 c7 65
 4-17: 18:32:11.870 My Connections\OneOasis - SENDING>>>> ISAKMP OAK INFO *(HASH, DEL)


 
Gordon Tin (IT Manager) Asked:
 
arnold Commented:
You have a policy mismatch.

Are you using the web based policy creation or are you using the CLI?

The error is: NO_PROPOSAL_CHOSEN
Start from configuring the policy on the SSG5.
Then configure the policy in reverse on the Client to match.
Server:
Remote LAN: Client Side
Preshared key:
Key length: 768, 1024, etc.
Policy type: 3des-md5, etc.
Tunnel

Client Side:
Remote LAN: Server Side
Policy: 3des-md5
Key length: 768, 1024, etc.

Check Juniper's site for sample remote policy configurations.
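As an added example (not part of the original thread and not Juniper tooling): a small Python parser for the NetScreen-Remote log format shown in the question, which reports the IKE phase that was being negotiated when the peer returned an error notify. The function name `diagnose` and the result keys are assumptions made for this example.

```python
import re

# Lines copied from the NetScreen-Remote log in the question (subset).
SAMPLE_LOG = r"""
 4-17: 18:32:11.042 My Connections\OneOasis - Initiating IKE Phase 1 (IP ADDR=202.177.73.210)
 4-17: 18:32:11.573 My Connections\OneOasis - Established IKE SA
 4-17: 18:32:11.823 My Connections\OneOasis - Initiating IKE Phase 2 with Client IDs (message id: 58242332)
 4-17: 18:32:11.823 My Connections\OneOasis -   Initiator = IP ADDR=10.0.0.102, prot = 0 port = 0
 4-17: 18:32:11.823 My Connections\OneOasis -   Responder = IP SUBNET/MASK=10.10.189.0/255.255.255.0, prot = 0 port = 0
 4-17: 18:32:11.855 My Connections\OneOasis - RECEIVED<<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN)
"""

# Log line layout: "<date>: <time> <connection name> - <message>"
LINE = re.compile(r"^\s*\d+-\d+:\s+[\d:.]+\s+.+? - (?P<msg>.*)$")
# Error notifies received from the peer; STATUS_* notifies are informational.
NOTIFY = re.compile(r"RECEIVED<<<.*NOTIFY:(?!STATUS_)(\w+)")


def diagnose(log_text):
    """Report which IKE phase was being negotiated when the peer sent an error."""
    result = {"phase1_established": False, "failed_phase": None, "notify": None,
              "initiator_id": None, "responder_id": None}
    phase = None
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # blank lines and timestamp-only lines
        msg = m.group("msg").strip()
        err = NOTIFY.search(msg)
        if msg.startswith("Initiating IKE Phase 1"):
            phase = 1
        elif msg == "Established IKE SA":
            result["phase1_established"] = True
        elif msg.startswith("Initiating IKE Phase 2"):
            phase = 2
        elif msg.startswith(("Initiator =", "Responder =")):
            # Client IDs the client proposed for Phase 2
            role, ident = msg.split("=", 1)
            result[role.strip().lower() + "_id"] = ident.split(",")[0].strip()
        elif err and result["notify"] is None:
            result["failed_phase"], result["notify"] = phase, err.group(1)
    return result


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

On the log from the question this reports that the IKE SA was established and that NO_PROPOSAL_CHOSEN arrived during Phase 2, together with the client IDs the client proposed.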
 
Gordon Tin (IT Manager), Author, Commented:
Good Answer
Question has a verified solution.