Matthew Grooms | 6 Oct 00:55 2010

Re: Shrew soft VPN client configuration for juniper SSG

On 10/4/2010 8:13 AM, Zigmunds Vītiņš wrote:
> Hello,
>
> I have changed PFS option to group 5, but still without any success.
> I tried to disable DPD on ShrewSoft vpn client, but nothing changed.
>
> This is the output log for the trace utility:
>

The client gets an Xauth result before it receives an IP address from 
the gateway address pool. Are your netscreen clients configured to get 
an address from an address pool?

-Matthew
_______________________________________________
vpn-help mailing list
vpn-help <at> lists.shrew.net
http://lists.shrew.net/mailman/listinfo/vpn-help
Zigmunds Vītiņš | 8 Oct 15:46 2010

Re: Shrew soft VPN client configuration for juniper SSG

Hello,

I don't have an address pool for this vpn.

Thanks.
Zigmunds

On 10/6/2010 1:55 AM, Matthew Grooms wrote:
> On 10/4/2010 8:13 AM, Zigmunds Vītiņš wrote:
>> Hello,
>>
>> I have changed PFS option to group 5, but still without any success.
>> I tried to disable DPD on ShrewSoft vpn client, but nothing changed.
>>
>> This is the output log for the trace utility:
>>
>
> The client gets an Xauth result before it receives an IP address from 
> the gateway address pool. Are your netscreen clients configured to get 
> an address from an address pool?
>
> -Matthew
Matthew Grooms | 10 Oct 23:55 2010

Re: Shrew soft VPN client configuration for juniper SSG

On 10/8/2010 8:46 AM, Zigmunds Vītiņš wrote:
> Hello,
>
> I don't have an address pool for this vpn.
>

Hi Zigmunds,

If you don't supply an address pool for the connection, the site config 
needs to be modified. In the general properties page, there is an option 
for selecting the Auto Configuration type. Setting it to 'ike config 
push' means that the client will expect to be sent configuration options 
such as virtual IP address/netmask ( when virtual adapter mode is used ) 
and other settings such as DNS server, WINS server settings. From your 
log output, your gateway appears to be sending an Xauth result without 
sending any configuration information. This is confusing the client 
because it's configured to receive a configuration push request.

So, I would try the following ...

1) If the client is set to use "virtual adapter and assigned address", 
you need to change it to "existing adapter and current address". This 
should hopefully match the mode in which your Netscreen remote clients 
operate ( not getting a virtual IP so there is no virtual adapter ). For 
more information on this topic, please see ...

http://www.shrew.net/static/help-2.1.x/files/ClientManagement.html

2) If the client is set to use "ike config push" as described in our 
Juniper SSG howto, you need to set this to "disabled" instead. Your 

Zigmunds Vītiņš | 13 Oct 13:43 2010

Re: Shrew soft VPN client configuration for juniper SSG

Hi Matthew,

Thanks a lot.
Now I can successfully establish the tunnel.
But I still have one problem - I cannot access any server behind the ssg.
In the policy log on the ssg I cannot see any attempt - what else should I change?
Now my config is:

n:version:2
n:network-ike-port:500
n:network-mtu-size:1380
n:client-addr-auto:1
n:network-natt-port:4500
n:network-natt-rate:15
n:network-frag-size:540
n:network-dpd-enable:1
n:client-banner-enable:0
n:network-notify-enable:1
n:client-wins-used:0
n:client-wins-auto:0
n:client-dns-used:1
n:client-dns-auto:0
n:client-splitdns-used:0
n:client-splitdns-auto:0
n:phase1-dhgroup:5
n:phase1-keylen:256
n:phase1-life-secs:28800
n:phase1-life-kbytes:0
n:vendor-chkpt-enable:0
n:phase2-keylen:256