Juniper ssg 20 dial-in VPN

I have a Juniper SSG 20, firmware 6.0. I have followed the steps on the Juniper website. However, any client I use (Windows, NCP Secure Client, etc.) couldn't connect. The error is always the same and it says "VPN gateway not responding". Can someone help me?

Note: I am not a pro about this. So I am using WEB UI.

Thanks
aozdamar Asked:
Qlemo "Batchelor", Developer and EE Topic Advisor Commented:
Windows is not using IPSec, it's PPTP or L2TP/IPSec. The former is not available with Juniper, the latter needs a different setup than a "normal" IPSec.

The error message you get from each client you use cannot be the same. They are usually all giving different error messages.

You need to provide further details, logs and so on, else we cannot help. Which setup are you using on the SSG for the dial-in VPN (which manual)?

Using the WebUI is ok, you can set up almost anything with that. But for retrieving diagnostic info, you will need to establish a telnet or serial connection to the SSG.

Are you trying to connect from your office (internal) or from another location? Do you use static public IP or dynamic DNS to connect to the gateway?
0
aozdamar Author Commented:
I am trying to connect from my home to the office. I can't set up Netscreen Remote client on Windows 7. So I found a client named NCP Secure Entry Client. My IP address at home is static, but I would like to be able to connect to the VPN from anywhere. Actually, I have solved a few things so far. My problem is at the phase 2 authentication. The error says
IKE 217.131.x.y Phase 2: No policy exists for the proxy ID received: local ID (0.0.0.0/0.0.0.0, 0, 0) remote ID (10.100.10.1/255.255.255.255, 0, 0).
and
Rejected an IKE packet on ethernet0/1 from 217.131.x.y:4500 to 88.248.x.y:4500 with cookies a27a27a865e5eb8e and bc0e70f6e29df42a because The VPN does not have an application SA configured.

10.100.10.0 is the IP pool I defined under Objects->IP Pools in the WebUI.
I have two policy settings.
Untrust->Trust
(Policy ID 73) Source: Dial-Up VPN Destination:10.100.10.0/24 Service:ANY Action :tunnel
Trust->Untrust
(Policy ID 74) Source:10.100.10.0/24 Destination:Dial-Up VPN Service:ANY Action :tunnel

The local ip subnet at the office is 192.168.1.0/24.
On the Monitor Status screen I see something like this :
vpn2010ike 0000000c 73/74 0.0.0.0 AutoIKE Inactive Inactive

Hope this information helps...
0
Qlemo "Batchelor", Developer and EE Topic Advisor Commented:
Sorry, should have asked more carefully ;-)

> Do you use static public IP or dynamic DNS to connect to the gateway?
That was asking about the SSG side, not home. The home side does not matter, it is always dynamic or at least unspecified with the typical dial-in VPN.

But never mind, the messages above show that the proxy ID is the issue. I assume you did not define a specific proxy ID in your Phase 2 VPN config. That will use the policy settings (source and target networks) then, which are "Dial-Up VPN" and 10.100.10.0/24.

There are several mistakes there.
You need to set your policy Untrust -> Trust to Source: Dial-Up VPN, Destination: 192.168.1.0/24. You do not need the Trust -> Untrust policy, as long as you do not want to use connections from the LAN into your dialed-in VPN clients - very unlikely. But it doesn't hurt to leave it defined.

Next, we need to define the correct proxy ID. We could do that on both sides, but I suppose it is much easier done on the SSG.
In WebUI, go into AutoKey IKE, Edit of your policy, Advanced. Tick Proxy-ID, and enter 0.0.0.0/0 and 10.100.10.0/24, service Any. That should be all.

BTW, you can also try the free ShrewSoft VPN client (www.shrew.net). Configuration tutorials are available on the Wiki of that site.
0
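An added triage helper, not from this thread or from Juniper, that parses ScreenOS event-log lines of the three kinds quoted above (proxy-ID mismatch, missing application SA, rejected Phase 2 proposal) and maps each to the check suggested in this thread. The sample lines are constructed, with the public addresses replaced by documentation ranges.

```python
import re
from collections import namedtuple

# Constructed sample lines modelled on the ScreenOS event-log messages quoted in this
# thread; the public addresses are replaced with RFC 5737 documentation ranges.
SAMPLE_LOG = """\
IKE 192.0.2.10 Phase 2: No policy exists for the proxy ID received: local ID (0.0.0.0/0.0.0.0, 0, 0) remote ID (10.100.10.1/255.255.255.255, 0, 0).
Rejected an IKE packet on ethernet0/1 from 192.0.2.10:4500 to 198.51.100.5:4500 with cookies a27a27a865e5eb8e and bc0e70f6e29df42a because The VPN does not have an application SA configured.
Rejected an IKE packet on ethernet0/1 from 192.0.2.10:4500 to 198.51.100.5:4500 with cookies a52a3d1569c125bf and 2313316ab93a51a2 because There were no acceptable Phase 2 proposals..
"""

PROXY_RE = re.compile(
    r"IKE (?P<peer>\S+) Phase 2: No policy exists for the proxy ID received: "
    r"local ID \((?P<lid>[\d.]+/[\d.]+), \d+, \d+\) remote ID \((?P<rid>[\d.]+/[\d.]+), \d+, \d+\)")
REJECT_RE = re.compile(
    r"Rejected an IKE packet on (?P<iface>\S+) from (?P<src>[\d.]+):\d+ to (?P<dst>[\d.]+):\d+ "
    r"with cookies (?P<ic>[0-9a-f]+) and (?P<rc>[0-9a-f]+) because (?P<reason>.+?)\.*$")

# Substring of the reject reason -> (category, what to check), following the thread's diagnosis.
REASONS = {
    "does not have an application SA": ("no_application_sa",
        "no IPsec SA exists yet; usually a consequence of the proxy-ID/policy mismatch logged before it"),
    "no acceptable Phase 2 proposals": ("phase2_proposal_mismatch",
        "P2 proposal (ESP cipher, hash, PFS group) differs between client and SSG; align one side"),
}

IkeEvent = namedtuple("IkeEvent", "category peer detail advice")

def parse_line(line: str):
    """Classify one ScreenOS event-log line; returns None for lines that are not IKE events."""
    m = PROXY_RE.search(line)
    if m:
        return IkeEvent("proxy_id_mismatch", m["peer"], f"local {m['lid']} remote {m['rid']}",
                        "no tunnel policy matches these selectors: set an explicit Proxy-ID on the "
                        "AutoKey IKE VPN (dial-up remote ID is 255.255.255.255/32) or fix the policy")
    m = REJECT_RE.search(line)
    if m:
        for needle, (category, advice) in REASONS.items():
            if needle in m["reason"]:
                return IkeEvent(category, m["src"], f"{m['iface']} cookies {m['ic']}/{m['rc']}", advice)
        return IkeEvent("ike_rejected_other", m["src"], m["reason"], "read the reason text")
    return None

def triage(log_text: str) -> list:
    """Return the IKE events found in the log, in log order, skipping unrelated lines."""
    return [ev for ev in map(parse_line, log_text.splitlines()) if ev is not None]

if __name__ == "__main__":
    for ev in triage(SAMPLE_LOG):
        print(f"{ev.category:24} peer={ev.peer:12} {ev.detail}\n    -> {ev.advice}")
```

Feed it the event log pulled over telnet or the serial console, as Qlemo suggests; the first proxy_id_mismatch entry for a peer is the one to act on, since the application-SA message follows from it.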
aozdamar Author Commented:
I am a little new to this stuff..:)

"In WebUI, go into AutoKey IKE, Edit of your policy, Advanced. Tick Proxy-ID, and enter 0.0.0.0/0 and 10.100.10.0/24, service Any. That should be all."

When I do this, it tells me
"Proxy ID for dial up VPN must have remote ID set to 255.255.255.255/32"
What does it mean ?
Note I deleted the policy from trust->untrust...
Best regards,

0
Qlemo "Batchelor", Developer and EE Topic Advisor Commented:
255.255.255.255/32 is the special notation for a Dial-Up VPN client (unknown address, since this is not a valid notation). Try to enter that, and see if the proxy ID is exchanged appropriately.
0
aozdamar Author Commented:
Ok. Now I have Proxy ID:
LocalIP/Netmask 0.0.0.0/0
Remote IP/Netmask 255.255.255.255/0
Service:Any

The event log error turned to be :
Rejected an IKE packet on ethernet0/1 from 217.131.x.y:4500 to 88.248.x.y:4500 with cookies a52a3d1569c125bf and 2313316ab93a51a2 because There were no acceptable Phase 2 proposals..

I don't want to publish the IP addresses on this site, so I put x.y instead...
0
aozdamar Author Commented:
I have a connection thanks. Never mind the last error. I changed the proposal and now connected....

However, I can't ping any devices on the network other than the internal side of the Juniper... Any ideas?
0
Qlemo "Batchelor", Developer and EE Topic Advisor Commented:
Thanks, Modalot, I was just about to request that ...
 
 
aozdamar,
Check in NCP (or in cmd.exe by issuing a route print 192.168.1.*) that you have received or manually set up the route to your office LAN. If this is not the case, set it up in NCP (but don't ask me how - don't know), or create a persistent route with
route add -p 192.168.1.0 mask 255.255.255.0 10.100.10.1

If the route is ok, and you still do not get into contact with your LAN, the first step is to enable logging on the VPN policy, best on session start. You can do that with the WebUI in your corresponding policy.
After that, try a ping or something, and then look into the policy list - a green grid should appear, which tells you that there are logging entries for that policy. Click on the grid to see the logged data. If you see your attempts, you can be certain that the traffic is passed and delivered.

If your SSG is the default gateway for your LAN, you should be able to access the LAN.
 
0