Solved

Juniper SSG5  Shrew 2.1.6 Windows 7 64 bit and Verizon or ATT cellular wireless cards

Posted on 2010-09-03
Last Modified: 2012-05-10
Hi,
I have several setups with the Juniper SSG5 with 6.1 to 6.3 ScreenOS on them. Clients with Windows XP / Windows Vista 32 / Windows 7 32 and 64 running the Shrew VPN client 2.1.5 and 2.1.6 (testing 2.1.6). It works very well except that I am having problems with some of the latest systems that are running Windows 7 64 bit. These clients can connect to the SSG5 no problem with their wired Ethernet card, standard wireless Ethernet card, USB wireless card etc. What I can't get to work is a Verizon cellular wireless or ATT cellular wireless card. These same cards with the same policy will work on a Windows 7 32 system, so it does not seem to be the carrier. The Shrew client looks like it connects successfully and says the tunnel is up, but I can't get any traffic through, and if you look in the log on the Juniper I am getting
Rejected an IKE packet on ethernet0/0 from 166.217.xx.xx:4500 to 207.180.xx.xx:4500 with cookies c6b7e7xx6a410xxx and 4b4b36xx693dxxx because There were no acceptable Phase 2 proposals..
Anybody else run into this?

Question by:andysussman44
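
A way to triage the ScreenOS rejection message quoted in the question, as an added example that is not part of the original post: it parses lines in that format and groups them by peer, IKE phase and whether UDP 4500 (NAT traversal) is in use. The sample lines, addresses and cookies are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Pattern modelled on the rejection message quoted in the question.
# [\w.]+ also accepts masked addresses such as 166.217.xx.xx.
REJECT_RE = re.compile(
    r"Rejected an IKE packet on (?P<iface>\S+) "
    r"from (?P<src>[\w.]+):(?P<sport>\d+) "
    r"to (?P<dst>[\w.]+):(?P<dport>\d+) "
    r"with cookies (?P<icookie>\w+) and (?P<rcookie>\w+) "
    r"because (?P<reason>.+?)\.*$"
)
NAT_T_PORT = 4500  # UDP 4500: IKE/ESP encapsulated for NAT traversal

# Constructed sample input (documentation addresses, made-up cookies).
SAMPLE_LOG = """\
Rejected an IKE packet on ethernet0/0 from 192.0.2.10:4500 to 203.0.113.1:4500 with cookies aaaa111122223333 and bbbb444455556666 because There were no acceptable Phase 2 proposals..
Rejected an IKE packet on ethernet0/0 from 192.0.2.10:4500 to 203.0.113.1:4500 with cookies cccc111122223333 and dddd444455556666 because There were no acceptable Phase 2 proposals..
Rejected an IKE packet on ethernet0/0 from 198.51.100.7:500 to 203.0.113.1:500 with cookies eeee111122223333 and ffff444455556666 because There were no acceptable Phase 2 proposals..
unrelated line (constructed) that the parser must ignore
"""

def parse_rejections(text):
    """Return one dict per IKE rejection line found in text."""
    events = []
    for line in text.splitlines():
        m = REJECT_RE.search(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
        # Either side on 4500 means the peers negotiated NAT traversal.
        ev["nat_t"] = NAT_T_PORT in (ev["sport"], ev["dport"])
        # A Phase 2 reason means the IKE SA came up but the IPsec SA
        # proposal (protocol, cipher, hash, PFS group) was not accepted.
        phase = re.search(r"Phase (\d)", ev["reason"])
        ev["phase"] = int(phase.group(1)) if phase else None
        events.append(ev)
    return events

def summarize(events):
    """Count rejections per (source address, IKE phase, NAT-T in use)."""
    return Counter((e["src"], e["phase"], e["nat_t"]) for e in events)

if __name__ == "__main__":
    for (src, phase, nat_t), n in summarize(parse_rejections(SAMPLE_LOG)).most_common():
        print(f"{src}: {n} rejection(s), phase {phase}, NAT-T={nat_t}")
```

A peer that shows Phase 2 rejections only when it arrives on port 4500 narrows the comparison to the Phase 2 proposals offered over that path.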
13 Comments
 
LVL 4

Expert Comment

by:Allvirtual
ID: 33600357
Don't use Shrew. Use the officially supported client from NCP: http://www.ncp-e.com. It works.
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 33602823
Bad advice to buy a software you can get for free. The Juniper Edition is at $100, the (non-proprietary) Entry Level few Dollars more.

I have heard of similar issues regarding ATT WLAN from other users of Shrew. I would try the current dev release 2.1.7-beta-1, which has some stability issues resolved. If that does not help, use the trace tool on Shrew to get some details about what is exchanged (or debug on SSG).
0
 
LVL 4

Expert Comment

by:Allvirtual
ID: 33604126
It comes with many interesting features plus a much more professional design. As a highly paid consultant I am looking for professional design, look&feel. Plus the good old-fashioned customer service they offer is alone worth the price. I even argue it's cheap. One of my customers once called them and they spent an hour on the phone configuring his gateway, which was not even Client related! And he had not even purchased the license yet; he was still evaluating. They don't ask for your Serial Number or give you headaches or red tape like other companies. You can't even talk to the janitor in most places without a paid support contract, and when you finally talk to someone they either have no clue what they are talking about or they are some "gurus" in India or somewhere else in Asia that either don't understand you or you don't understand them. With NCP you talk to an educated, intelligent engineer, and many of their folks, as it appears, speak several languages fluently. Plus they know their stuff. Also I had at least 2-3 customers that somewhat get aggressive when I talk about Shrew - tried it and ain't worth it is what they would tell me. Crashes, blue screens, trashed operating systems, you name it. Well, you get what you pay for is all I say. There must be a reason why thousands of people pay the price for this software. And also my time is valuable. So I guess you are either unemployed or charge cheap rates so you can tinker all day. My customers don't have time for this nonsense. I charge $300+ per hour so if I pick up the phone to call NCP they resolve my issues typically within minutes. Just that alone pays for itself. Following Qlemo's logic you should not buy Windows because it costs money. Just run Linux and be happy. Right 8)
So before you listen to those nerds here on the board think twice and act once. Cheers.
0
 

Author Comment

by:andysussman44
ID: 33619186
Allvirtual,
I will look into the client you recommended, but if it is $100 a user then that is going to be an issue as I would have to buy at least 30 clients at this point.
Qlemo, I am trying the 2.1.7 client today; I'll post my results later.
Thanks for the help!
Andy
0
 
LVL 4

Expert Comment

by:Allvirtual
ID: 33619281
The client pricing from what I understand is an individual license. You should get substantial discount when you purchase several licenses.
Also it seems to me you want to look at the Enterprise client which is a managed product. This client will pay for itself over time just by being able to manage and control your VPN environment. I'd give them (NCP) a call. The phone number should be on the web site. Talk to them and see what they say. They are nice people to deal with.
0
 

Author Comment

by:andysussman44
ID: 33649354
The one I was testing on had to go away this week, so I hope to have it next week
Thanks!
0
LVL 1

Accepted Solution

by:
woodall01 earned 500 total points
ID: 33828314
FYI, Shrew does work, at least with Sprint. The key is the link below; you need to make sure you choose all of the policies. In fact it connects quicker than the NCP client and it's a whole lot cheaper. It took me all of about an hour and a half to figure out.  http://www.shrew.net/support/wiki/HowtoJuniperSsg  If you need an example of my config let me know and I will paste it.

BTW to "AllVirtual", a good engineer will figure out the hard stuff, that's how you learn. Also, if I was going to connect more than 25 people then using NCP, I would opt for an SA700 or just set up an IPSEC VPN using Windows 7 and SSL.
0
 

Author Comment

by:andysussman44
ID: 33842451
Woodall01,
Did you set it up on a Windows 7 64 bit machine?  That's where I run into issues with both AT&T & Verizon 3G wireless cards.  I have several machines that will connect no problem with Shrew through a wired or wireless network card, but will not connect through the 3G card.  Take the 3G card, put it into an XP machine or Windows 7 32 bit, and there is no issue.
 
0
 
LVL 1

Expert Comment

by:woodall01
ID: 33849187
I am running x64 with a wireless hotspot. I will get one of my employees' cards and try it in the next day or two and let you know. It might be a timing thing; Shrew is a little fast on the whole auth thing.
0
 

Author Comment

by:andysussman44
ID: 33961429
Woodall01
Did you ever try it with the ATT or Verizon card?  I am thinking I am just going to have to wait or find another solution with this configuration, which is a bummer.

Thanks!
Andy
0
 
LVL 1

Expert Comment

by:woodall01
ID: 33961718
It works with my Sprint Card.  It's slow but it works.  
0
 
LVL 4

Expert Comment

by:Allvirtual
ID: 33961790
woodall01 argued: "BTW to "AllVirtual", a good engineer will figure out the hard stuff, that's how you learn. Also, if I was going to connect more than 25 people then using NCP, I would opt for an SA700 or just set up an IPSEC VPN using Windows 7 and SSL."

1. Not everyone is an engineer.
2. Smart designed software must not be hard, but I understand that engineers would like it that way because they need to validate all the time and effort they put in their education.
3. SSL VPN is much less performant - as an engineer you should know that, but then again most "engineers" have no cloud. Seems you drank the SSL Kool-Aid as well, like everyone else. Cheers.
0
