swwells

SBS 2011 VPN through a Juniper SSG5 firewall

Hi
I'm looking to set up the SBS 2011 VPN through our SSG5 firewall. The SBS side of the VPN is set up fine and I can connect to it from within our network without issue.

But when I try connecting via the web I receive the following message within the firewall logs.

An initial packet arrived from an unrecognized peer gateway

Rejected an IKE packet on ethernet0/0 from 217.42.xxx.xx:500 to xxx.xxx.xxx.xxx:500 with cookies 16169818c721f6ae and 0000000000000000 because an initial Phase 1 packet arrived from an unrecognized peer gateway.

I've set up port forwarding within the firewall to the SBS server and that appears to be correct. I've searched for this issue but can't find any solutions as to what I am missing or what else I need to do.

Please can you help me fill in the missing steps.

Thanks
John

You need to set up the SSG5 to accept a VPN client incoming.

You need IKE (IPsec) setup, Phase 1 settings, Phase 2 settings, Pre-shared key, and policies for the incoming clients. There is a lot of detail to this and the above is just a top level summary.

Then for the client, you need a VPN application. I use NCP Secure Entry as I consider it to be best of breed.

You need to set up the IP address of the VPN box, Phase 1 and Phase 2 settings to match the above, Pre-Shared key, and settings for NAT Traversal and split tunnels.

There are a couple of dozen settings all told. Any one setting incorrect can cause the tunnel to fail.

So I really suggest you get some consulting help to set it up.

... Thinkpads_User
Sanga Collins

It seems like you have your VPN terminating at the SSG instead of passing through to the SBS server sitting behind it. Is this your intention?
swwells

ASKER

Hi

No, my intention was to pass the traffic through the firewall directly to the SBS server.

John

You need to set up the SSG5 for pass through. Right now the message you have says it is expecting to be the terminating point.

You need a policy in the SSG5 that goes around the IPsec VPN. If you are not going to use IPsec, then you don't really need an SSG5 for this.

... Thinkpads_User
swwells

ASKER

Thanks for the advice Thinkpads_User.

Sorry, could you provide me with step instructions on how to do this, as my knowledge in this area is limited.

Thanks
swwells

ASKER

Thanks for your help and advice. I tried multiple options mentioned, but to no avail, so it looks like the consultant route is the way to go.
Thanks
rob