aozdamar asked:
Juniper ssg 20 dial-in VPN

I have a Juniper SSG 20 with firmware 6.0. I have followed the steps on the Juniper website. However, any client I use (Windows, NCP Secure Client, etc.) couldn't connect. The error is always the same: "VPN gateway not responding". Can someone help me?

Note: I am not a pro at this, so I am using the WebUI.

Thanks
Qlemo:

Windows is not using IPSec, it's PPTP or L2TP/IPSec. The former is not available with Juniper, the latter needs a different setup than a "normal" IPSec.

The error message you get from each client you use cannot be the same. They are usually all giving different error messages.

You need to provide further details, logs and so on, else we cannot help. Which setup are you using on the SSG for the dial-in VPN (which manual)?

Using the WebUI is ok, you can set up almost anything with that. But for retrieving diagnostic info, you will need to establish a telnet or serial connection to the SSG.

Are you trying to connect from your office (internal) or from another location? Do you use static public IP or dynamic DNS to connect to the gateway?
aozdamar (asker):
I am trying to connect from my home to the office. I can't set up the NetScreen-Remote client on Windows 7, so I found a client named NCP Secure Entry Client. My IP address at home is static, but I would like to be able to connect to the VPN from anywhere. Actually, I have solved a few things so far. My problem is at the Phase 2 authentication. The error says:
IKE 217.131.x.y Phase 2: No policy exists for the proxy ID received: local ID (0.0.0.0/0.0.0.0, 0, 0) remote ID (10.100.10.1/255.255.255.255, 0, 0).
and
Rejected an IKE packet on ethernet0/1 from 217.131.x.y:4500 to 88.248.x.y:4500 with cookies a27a27a865e5eb8e and bc0e70f6e29df42a because The VPN does not have an application SA configured.

10.100.10.0 is the IP pool I defined under Objects -> IP Pools in the WebUI.
I have two policy settings:
Untrust -> Trust
(Policy ID 73) Source: Dial-Up VPN, Destination: 10.100.10.0/24, Service: ANY, Action: tunnel
Trust -> Untrust
(Policy ID 74) Source: 10.100.10.0/24, Destination: Dial-Up VPN, Service: ANY, Action: tunnel

The local ip subnet at the office is 192.168.1.0/24.
On the Monitor Status screen I see something like this:
vpn2010ike 0000000c 73/74 0.0.0.0 AutoIKE Inactive Inactive

Hope this information helps...

Qlemo:
Sorry, should have asked more carefully ;-)

> Do you use static public IP or dynamic DNS to connect to the gateway?
That was asking about the SSG side, not home. The home side does not matter, it is always dynamic or at least unspecified with the typical dial-in VPN.

But never mind, the messages above show that the proxy ID is the issue. I assume you did not define a specific proxy ID in your Phase 2 VPN config. That will use the policy settings (source and target networks) then, which are "Dial-Up VPN" and 10.100.10.0/24.

There are several mistakes there.
You need to set your policy Untrust -> Trust to Source: Dial-Up VPN, Destination: 192.168.1.0/24. You do not need the Trust -> Untrust policy, as long as you do not want to use connections from the LAN into your dialed-in VPN clients - very unlikely. But it doesn't hurt to leave it defined.

Next, we need to define the correct proxy ID. We could do that on both sides, but I suppose it is much easier done on the SSG.
In WebUI, go into AutoKey IKE, Edit of your policy, Advanced. Tick Proxy-ID, and enter 0.0.0.0/0 and 10.100.10.0/24, service Any. That should be all.

BTW, you can also try the free ShrewSoft VPN client (www.shrew.net). Configuration tutorials are available on the Wiki of that site.
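To make the proxy-ID rule above concrete, here is an added example (not code from this thread, from Juniper, or from either poster) that parses SSG event-log lines like the ones quoted earlier and checks whether a configured proxy ID would accept the one received from the dial-up client. The log lines are constructed from the messages quoted in the thread, and the matching rule (exact match, with 255.255.255.255/32 standing for any single dial-up host) is an assumption modelled on the explanation above.

```python
import ipaddress
import re

# Constructed sample lines modelled on the SSG event-log messages quoted in this thread
SAMPLE_LOG = """\
IKE 217.131.x.y Phase 2: No policy exists for the proxy ID received: local ID (0.0.0.0/0.0.0.0, 0, 0) remote ID (10.100.10.1/255.255.255.255, 0, 0).
Rejected an IKE packet on ethernet0/1 from 217.131.x.y:4500 to 88.248.x.y:4500 with cookies a52a3d1569c125bf and 2313316ab93a51a2 because There were no acceptable Phase 2 proposals..
"""

PROXY_RE = re.compile(r"proxy ID received: local ID \(([\d./]+), \d+, \d+\) remote ID \(([\d./]+), \d+, \d+\)")
REJECT_RE = re.compile(r"Rejected an IKE packet .* because (.+)$")
# ScreenOS notation for "any single dial-up host" on the remote side of a proxy ID (assumed)
DIALUP_WILDCARD = ipaddress.ip_network("255.255.255.255/32")


def parse_event(line):
    """Classify one event-log line. The log writes the received proxy ID from the
    SSG's point of view: local = office side, remote = the dial-up client."""
    m = PROXY_RE.search(line)
    if m:
        return "proxy_id_mismatch", {"local": m.group(1), "remote": m.group(2)}
    m = REJECT_RE.search(line)
    if m:
        return "ike_rejected", {"reason": m.group(1).rstrip(".")}
    return "other", {}


def proxy_id_accepts(cfg_local, cfg_remote, rcv_local, rcv_remote):
    """Exact-match check with one exception: a configured remote of 255.255.255.255/32
    accepts any /32 host, which is what a client offers once it holds a pool address."""
    cfg_l, cfg_r = ipaddress.ip_network(cfg_local), ipaddress.ip_network(cfg_remote)
    rcv_l, rcv_r = ipaddress.ip_network(rcv_local), ipaddress.ip_network(rcv_remote)
    if cfg_l != rcv_l:
        return False
    if cfg_r == DIALUP_WILDCARD:
        return rcv_r.prefixlen == 32
    return cfg_r == rcv_r


def diagnose(log_text, cfg_local, cfg_remote):
    """Return one finding per Phase 2 failure, judged against the SSG's configured proxy ID."""
    findings = []
    for line in log_text.splitlines():
        kind, info = parse_event(line)
        if kind == "proxy_id_mismatch":
            verdict = "accepted" if proxy_id_accepts(
                cfg_local, cfg_remote, info["local"], info["remote"]) else "MISMATCH"
            findings.append("proxy ID %s by %s <-> %s: received %s <-> %s"
                            % (verdict, cfg_local, cfg_remote, info["local"], info["remote"]))
        elif kind == "ike_rejected":
            findings.append("IKE rejected: " + info["reason"])
    return findings
```

Running `diagnose(SAMPLE_LOG, "10.100.10.0/24", "255.255.255.255/32")` reports the mismatch produced by the original policy, while `diagnose(SAMPLE_LOG, "0.0.0.0/0", "255.255.255.255/32")` shows the explicit proxy ID recommended above accepting the client's ID; the remaining "no acceptable Phase 2 proposals" finding is a proposal (not proxy-ID) problem.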
aozdamar:
I am a little new to this stuff.. :)

"In WebUI, go into AutoKey IKE, Edit of your policy, Advanced. Tick Proxy-ID, and enter 0.0.0.0/0 and 10.100.10.0/24, service Any. That should be all."

When I do this, it tells me:
"Proxy ID for dial up VPN must have remote ID set to 255.255.255.255/32"
What does it mean?
Note: I deleted the Trust -> Untrust policy...
Best regards,

Qlemo:
255.255.255.255/32 is the special notation for a Dial-Up VPN client (unknown address, since this is not a valid notation). Try to enter that, and see if the proxy ID is exchanged appropriately.

aozdamar:
Ok. Now I have the Proxy ID:
LocalIP/Netmask 0.0.0.0/0
Remote IP/Netmask 255.255.255.255/0
Service:Any

The event log error turned out to be:
Rejected an IKE packet on ethernet0/1 from 217.131.x.y:4500 to 88.248.x.y:4500 with cookies a52a3d1569c125bf and 2313316ab93a51a2 because There were no acceptable Phase 2 proposals..

I don't want to publish the IP addresses on this site, so I put xxx...

aozdamar:
I have a connection, thanks. Never mind the last error. I changed the proposal and now I am connected....

However, I can't ping any devices on the network other than the internal side of the Juniper... Any ideas?
ASKER CERTIFIED SOLUTION
Qlemo