User not able to VPN into Juniper SSG5-Serial router

All the users that we set up for VPN are able to connect, except for 1.

When I look at the logs on the router, it shows:
Rejected an IKE packet on ethernet0/0 from External IP to Local IP with cookies 9a9a57aa8e846074 and 0000000000000000 because an initial Phase 1 packet arrived from an unrecognized peer gateway.

I researched and could not find a direct answer.
BBrayton Asked:
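The rejection message quoted in the question has a fixed shape, and an all-zero second cookie means the gateway dropped the client's very first Phase 1 packet. The following Python is an added example, not code from the thread or from Juniper: it parses such lines and groups them by source address. The `address:port` form, the helper names and the sample addresses are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Shape of the message quoted in the question; ":port" is optional (assumption).
IKE_REJECT = re.compile(
    r"Rejected an IKE packet on (?P<iface>\S+) "
    r"from (?P<src>[\d.]+)(?::(?P<sport>\d+))? "
    r"to (?P<dst>[\d.]+)(?::(?P<dport>\d+))? "
    r"with cookies (?P<icookie>[0-9a-f]{16}) and (?P<rcookie>[0-9a-f]{16}) "
    r"because (?P<reason>.+?)\.?$"
)

def parse_reject(line):
    """Return the fields of one rejection line, or None if it does not match."""
    m = IKE_REJECT.search(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    # An all-zero responder cookie means this was the initiator's first
    # Phase 1 message: the gateway dropped it before answering at all.
    rec["initial"] = rec["rcookie"] == "0" * 16
    return rec

def summarize(lines):
    """Group rejections by source address for troubleshooting."""
    peers = defaultdict(lambda: {"packets": 0, "cookies": set(), "reasons": set()})
    for rec in filter(None, map(parse_reject, lines)):
        peer = peers[rec["src"]]
        peer["packets"] += 1
        peer["cookies"].add(rec["icookie"])  # same cookie again = retransmit
        peer["reasons"].add(rec["reason"])
        peer["initial_only"] = peer.get("initial_only", True) and rec["initial"]
    return {src: {**p, "attempts": len(p["cookies"])} for src, p in peers.items()}

# Constructed sample: RFC 5737 documentation addresses, not values from the thread.
MSG = ("Rejected an IKE packet on ethernet0/0 from {}:500 to 203.0.113.1:500 "
       "with cookies {} and 0000000000000000 because an initial Phase 1 packet "
       "arrived from an unrecognized peer gateway.")
SAMPLE_LOG = [
    MSG.format("198.51.100.23", "9a9a57aa8e846074"),
    MSG.format("198.51.100.23", "9a9a57aa8e846074"),  # retransmission
    MSG.format("198.51.100.23", "1f2e3d4c5b6a7988"),  # new attempt
    MSG.format("192.0.2.77", "0123456789abcdef"),
    "system: unrelated event line (constructed)",
]

if __name__ == "__main__":
    for src, info in summarize(SAMPLE_LOG).items():
        print(src, info["packets"], info["attempts"], info["initial_only"])
```

A source whose rejections are all first-packet drops never reached proposal or key checks, so the mismatch is in how the gateway identifies that peer rather than in the user's credentials.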

BBrayton (Author) Commented:
I was able to get a Windows XP PC to connect with the same user.
This user VPNs from home; Win 7 won't work but XP will.
0
John, Business Consultant (Owner), Commented:
The log error says you are not getting to first base.

For the SSG5 (we have some) is this IPsec?

Assuming so, check your policies about users and make sure the policy for the user allows the other computer. There may be a restriction there.

Juniper SSG5 IPsec works fine with Windows 7 and above.
0
Qlemo, Batchelor, Developer and EE Topic Advisor, Commented:
Are you certain the VPN connection info is exactly the same for your test case with XP? Does it connect from outside your firewall? Which VPN client are you using?
0

BBrayton (Author) Commented:
Using the VPN built into Windows.
And yes, we are using L2TP/IPsec.
The credentials are exactly the same with the XP and Windows 7.
0
BBrayton (Author) Commented:
The user is connecting from home, so it is outside the firewall.
0
John, Business Consultant (Owner), Commented:
Windows VPN is PPTP. Are you trying to mate PPTP with an IPsec policy? You should be using a proper Client Application. Juniper has one sourced from NCP. I use the NCP Secure Entry client myself. XP had a Netscreen client that was very good but stopped with XP.
0
BBrayton (Author) Commented:
I'm going to try that client and let you know if it works.
0
Qlemo, Batchelor, Developer and EE Topic Advisor, Commented:
John,
Windows supports both PPTP and L2TP/IPsec, so "Windows VPN is PPTP" is wrong.

BBrayton,
The IPsec config is different from L2TP/IPsec; you can't exchange them by using e.g. NCP.
0
John, Business Consultant (Owner), Commented:
Thanks. I have never seen IPsec in Windows but I also never found any value in Windows VPN so I always use a bomb proof VPN client.
0
BBrayton (Author) Commented:
Tried to use the client you sent me, but I don't think I'm setting it up the right way.

I'm new with the Juniper router also.
Maybe I'm not setting up the user on the router correctly.

Do you have steps on how to set it up on the router and client?
0
John, Business Consultant (Owner), Commented:
You need the following settings assuming the Juniper has the correct policies for a VPN connection. The settings are just an example - you need to adapt them to you. Look at the line by line XP configuration that works.

Basic Settings:
Profile Name - (for your setup)
Connection Type - VPN Connection
Comm. Medium - Automatic Media detection
Default profile after reboot - No
Windows Dial-up Network - Never

Line Management:
Connection Mode - Manual
Inactivity timeout - 6000 seconds
Prioritize VOIP - No
ISDN - No
Pre-Authentication - No

IPsec General Settings:
Tunnel Endpoint - IP address other end
IKE Policy - PSK-DES-SHA-DH2
IPsec Policy - ESP-DES-SHA
Exchange Mode - Aggressive Mode (for client to site setups)
PFS Group - None

Advanced IPsec Options:
Advanced IPsec options - Standard IPsec
All others default

Identities:
Local Identity - Fully qualified username
Pre-shared Key
Extended Authorization

IPsec Address Assignment:
Assignment of Private IP - Local IP Address (0.0.0.0)
DNS /WINS - No (0.0.0.0)

Split Tunneling: Remote Subnet 255.255.255.0
Certificate Check: None
Link Firewall: Off
0
BBrayton (Author) Commented:
When I hit connect on the NCP client, it gives me "VPN Gateway not responding Waiting for MSG 2".

OK, that client setup did not work.
We inherited this Juniper router from the IT company.

Where would I go on the router to set the policy?
0
John, Business Consultant (Owner), Commented:
You need to check the Juniper policies (which is picky and technical). Can you see if the IT company can support the policies for a short while to get you going?
0
BBrayton (Author) Commented:
I must say Juniper routers are not my friend right now.
I'm more used to the Cisco RV042G routers.
0
John, Business Consultant (Owner), Commented:
I used a Cisco RV042G router in my home office and now have a Cisco RV325 router. Yes, they are simpler to set up (a whole lot simpler).

The Juniper Netscreen routers require specific training and expertise to set up. If you have never seen one before, it is most unlikely you could set it up.  Once set up, however, they are excellent and stable boxes. I have several clients with Juniper routers.

So you need to get consulting assistance to set it up, or replace it with a box you like.
0

Qlemo, Batchelor, Developer and EE Topic Advisor, Commented:
Agree on the above. The Juniper has to stand against real Ciscos and the like, and that is a different market sector than the consumer devices RV*. If your requirements are simple, use a simple VPN device ;-). DrayTek or Cisco RV* and the like are suited better for that purpose.
If the scenario is much more complex, like having to support different VPN gateways, creating detailed firewall rules with address translations  and so on, more complex devices like the SSGs come into play.
0
John, Business Consultant (Owner), Commented:
Thanks and good luck with whatever you choose.
0