Solved

sbs 2011 VPN through a Juniper SSG5 firewall

Posted on 2013-10-22
1,184 Views
Last Modified: 2013-11-22
Hi
I'm looking to set up the SBS 2011 VPN through our SSG5 firewall. The SBS side of the VPN is set up fine and I can connect to it from within our network without issue.

But when I try connecting via the web I receive the following message within the firewall logs.

An initial packet arrived from an unrecognized peer gateway

Rejected an IKE packet on ethernet0/0 from 217.42.xxx.xx:500 to xxx.xxx.xxx.xxx:500 with cookies 16169818c721f6ae and 0000000000000000 because an initial Phase 1 packet arrived from an unrecognized peer gateway.

I've set up port forwarding within the firewall to the SBS server and that appears to be correct. I've searched for this issue but can't find any solutions as to what I am missing or what else I need to do.

Please can you help me fill in the missing steps.

Thanks
Question by:swwells
8 Comments
 
LVL 95

Expert Comment

by:John Hurst
ID: 39591502
You need to set up the SSG5 to accept a VPN client incoming.

You need IKE (IPsec) setup, Phase 1 settings, Phase 2 settings, Pre-shared key, and policies for the incoming clients. There is a lot of detail to this and the above is just a top level summary.

Then for the client, you need a VPN application. I use NCP Secure Entry as I consider it to be best of breed.

You need to set up the IP address of the VPN box, Phase 1 and Phase 2 settings to match the above, Pre-Shared key, and settings for NAT Traversal and split tunnels.

There are a couple of dozen settings all told. Any one setting incorrect can cause the tunnel to fail.

So I really suggest you get some consulting help to set it up.

... Thinkpads_User
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 39591574
It seems like you have your VPN terminating at the SSG instead of passing through to the SBS server sitting behind it. Is this your intention?
 

Author Comment

by:swwells
ID: 39591605
Hi

No my intention was to pass the traffic through the firewall directly to the SBS server
 
LVL 95

Expert Comment

by:John Hurst
ID: 39591622
You need to set up the SSG5 for pass through.  Right now the message you have says it is expecting to be the terminating point.

You need a policy in the SSG5 that goes around the IPsec VPN. If you are not going to use IPsec, then you don't really need an SSG5 for this.

... Thinkpads_User
 

Author Comment

by:swwells
ID: 39591632
Thanks for the advice Thinkpads_User.

Sorry could you provide me with step instruction of how to do this, as my knowledge in this area is limited.

Thanks
 
LVL 95

Assisted Solution

by:John Hurst
John Hurst earned 250 total points
ID: 39591673
I use a consultant to set these up.

There is a basic policy with a destination of VIP(untrust) that skirts around the IPsec setup. You need to establish the ports and services you will use on the Server.

So you need someone to help you set this up.

... Thinkpads_User
 
LVL 18

Accepted Solution

by:
Sanga Collins earned 250 total points
ID: 39591831
If you have only one public IP address, it really gets interesting since the Juniper shares that IP with whatever devices you are mapping using a VIP. Here are the basic steps to follow:

From CLI:
set vip multi-port
save
reset

Next, define a custom service for PPTP and apply this service in the VIP.
From the CLI:
set service CustomPPTP group "other" 47 src 2048-2048 dst 2048-2048
set service CustomPPTP + tcp src 0-65535 dst 1723-1723
set interface ethernet0/0 vip 2048 CustomPPTP 10.1.1.10

Create an incoming policy with destination address as the VIP using the custom service object.
From the CLI:
set policy from untrust to trust "any" "VIP::1" "CustomPPTP" permit
save

SBS server in this example is 10.1.1.10. Note for M$ Windows the custom PPTP service must contain both TCP port 1723 and IP protocol 47 with port 2048.
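As an added check (my own example, not part of this thread or of any Juniper tooling): a small Python linter that reads ScreenOS "set" lines like the ones in the answer above and reports whether all the pieces the answer lists are present (multi-port VIP enabled, a service carrying both TCP/1723 and IP protocol 47, that service bound to a VIP, and an untrust-to-trust permit policy to the VIP). The sample configurations are constructed, and the regexes assume the exact command forms shown in this answer.

```python
import re

# Constructed samples (not taken from the asker's device): the accepted answer's
# ScreenOS lines, and a variant that lacks the GRE (IP protocol 47) entry.
COMPLETE_CFG = """\
set vip multi-port
set service CustomPPTP group "other" 47 src 2048-2048 dst 2048-2048
set service CustomPPTP + tcp src 0-65535 dst 1723-1723
set interface ethernet0/0 vip 2048 CustomPPTP 10.1.1.10
set policy from untrust to trust "any" "VIP::1" "CustomPPTP" permit
"""
TCP_ONLY_CFG = COMPLETE_CFG.replace('set service CustomPPTP group "other" 47 src 2048-2048 dst 2048-2048\n', "")

SERVICE_RE = re.compile(r'^set service (?P<name>\S+) (?:\+ )?(?:(?P<l4>tcp|udp)|group "other" '
                        r'(?P<ipproto>\d+)) src \d+-\d+ dst (?P<d1>\d+)-(?P<d2>\d+)$')
VIP_RE = re.compile(r'^set interface \S+ vip \d+ (?P<service>\S+) [\d.]+$')
POLICY_RE = re.compile(r'^set policy from untrust to trust "[^"]*" "(?P<dst>[^"]*)" "(?P<service>[^"]*)" permit$')

def check_pptp_passthrough(cfg: str) -> list[str]:
    """Return findings for the four pieces the answer requires; [] means all present."""
    services: dict[str, dict[str, bool]] = {}   # name -> {"gre": ..., "tcp1723": ...}
    vip_services, policy_services, multi_port = set(), set(), False
    for line in cfg.splitlines():
        line = line.strip()
        if line == "set vip multi-port":
            multi_port = True
        elif m := SERVICE_RE.match(line):
            svc = services.setdefault(m["name"], {"gre": False, "tcp1723": False})
            svc["gre"] |= m["ipproto"] == "47"          # GRE carries the tunnelled PPP frames
            svc["tcp1723"] |= m["l4"] == "tcp" and int(m["d1"]) <= 1723 <= int(m["d2"])  # PPTP control
        elif m := VIP_RE.match(line):
            vip_services.add(m["service"])
        elif (m := POLICY_RE.match(line)) and m["dst"].startswith("VIP"):
            policy_services.add(m["service"])
    findings = []
    if not multi_port:
        findings.append("missing 'set vip multi-port' (needed before a multi-port VIP)")
    pptp = [n for n, s in services.items() if s["gre"] and s["tcp1723"]]
    if not pptp:
        findings.append("no service object carries both TCP/1723 and IP protocol 47 (GRE)")
    for name in pptp:
        if name not in vip_services:
            findings.append(f"service {name} is not bound to a VIP on any interface")
        if name not in policy_services:
            findings.append(f"no untrust->trust permit policy to a VIP uses service {name}")
    return findings

if __name__ == "__main__":
    for label, cfg in (("complete", COMPLETE_CFG), ("tcp-only", TCP_ONLY_CFG)):
        print(label, check_pptp_passthrough(cfg) or "OK")
```

Paste the output of "get config" into the checker; a configuration that passes TCP/1723 but not protocol 47 will still let the PPTP control channel connect while the tunnel itself never comes up.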
 

Author Closing Comment

by:swwells
ID: 39668590
Thanks for your help and advice. I tried multiple options mentioned, but to no avail, so it looks like the consultant route is the way to go.
Thanks
rob