Screen OS

  • 1.  2 Dial up clients originating from 1 ip address

    Posted 07-28-2008 02:17

    Hi All,

    Hoping you guys can help.

    I have a Juniper SSG-140 firewall. I have about 2 dozen clients connecting using the NetScreen-Remote client version 10.7.7.

    The remote gateway type for all is “Dialup user” using shared keys. Each user has their own policy.

    I have a problem with 2 users who are dialling in from another company (through an unknown firewall). When there was one user there was no problem connecting. Now that a second user is at that site he cannot get a connection; he is getting the following error on his client:

    7-25: 16:15:27.859 My Connections\Company - Initiating IKE Phase 1 (IP ADDR=80.169.139.110)
    7-25: 16:15:28.078 My Connections\Company - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID 6x)
    7-25: 16:15:43.343 My Connections\Company - message not received! Retransmitting!
    7-25: 16:15:43.343 My Connections\Company - SENDING>>>> ISAKMP OAK AG (Retransmission)
    7-25: 16:15:58.343 My Connections\Company - message not received! Retransmitting!
    7-25: 16:15:58.343 My Connections\Company - SENDING>>>> ISAKMP OAK AG (Retransmission)
    7-25: 16:16:13.343 My Connections\Company - message not received! Retransmitting!
    7-25: 16:16:13.343 My Connections\Company - SENDING>>>> ISAKMP OAK AG (Retransmission)
    7-25: 16:16:28.343 My Connections\Company - Exceeded 3 IKE SA negotiation attempts

    Could it be that both clients are originating from the same IP (the company’s external IP address)? If so, how do I get around this problem?

    Cheers,

    Stephen

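    The client log Stephen pasted has a recognisable shape: one aggressive-mode IKE Phase 1 message goes out, nothing ever comes back, the client retransmits three times and gives up. The script below is an added example for this thread (it is not part of the original posts and not a Juniper or NetScreen-Remote tool); it parses lines in that log format and classifies the negotiation so the "no reply at all" case can be told apart from a negotiation that was answered and then failed. The year used to build timestamps is an assumed constant (the client log carries only month and day), and the `RECEIVED<<<` marker for inbound messages is assumed from the same log format, since the thread's excerpt contains only `SENDING>>>>` lines.

```python
"""Classify a NetScreen-Remote IKE Phase 1 negotiation log excerpt.

Added example for this thread; not part of the original posts and not
a Juniper tool. The sample log is the excerpt Stephen posted.
"""
import re
from datetime import datetime

ASSUMED_YEAR = 2008  # assumption: the client log has no year field

# Constructed from the log lines quoted in the thread (raw string keeps the
# backslash in "My Connections\Company" intact).
SAMPLE_LOG = r"""
7-25: 16:15:27.859 My Connections\Company - Initiating IKE Phase 1 (IP ADDR=80.169.139.110)
7-25: 16:15:28.078 My Connections\Company - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID 6x)
7-25: 16:15:43.343 My Connections\Company - message not received! Retransmitting!
7-25: 16:15:43.343 My Connections\Company - SENDING>>>> ISAKMP OAK AG (Retransmission)
7-25: 16:15:58.343 My Connections\Company - message not received! Retransmitting!
7-25: 16:15:58.343 My Connections\Company - SENDING>>>> ISAKMP OAK AG (Retransmission)
7-25: 16:16:13.343 My Connections\Company - message not received! Retransmitting!
7-25: 16:16:13.343 My Connections\Company - SENDING>>>> ISAKMP OAK AG (Retransmission)
7-25: 16:16:28.343 My Connections\Company - Exceeded 3 IKE SA negotiation attempts
"""

# "M-D: HH:MM:SS.mmm <connection name> - <message>"
LINE_RE = re.compile(
    r"^(?P<mon>\d{1,2})-(?P<day>\d{1,2}): "
    r"(?P<hh>\d{2}):(?P<mm>\d{2}):(?P<ss>\d{2})\.(?P<ms>\d{3}) "
    r"(?P<conn>.+?) - (?P<msg>.+)$"
)


def parse_line(line):
    """Return {ts, conn, msg} for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime(ASSUMED_YEAR, int(m["mon"]), int(m["day"]),
                  int(m["hh"]), int(m["mm"]), int(m["ss"]), int(m["ms"]) * 1000)
    return {"ts": ts, "conn": m["conn"], "msg": m["msg"]}


def classify(log_text):
    """Summarise one Phase 1 attempt: peer, exchange mode, retransmits, outcome."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    result = {"peer": None, "mode": None, "retransmissions": 0,
              "received_any": False, "outcome": "unknown", "duration_s": None}
    first_send = None
    for e in events:
        msg = e["msg"]
        if msg.startswith("Initiating IKE Phase 1"):
            ip = re.search(r"IP ADDR=([\d.]+)", msg)
            result["peer"] = ip.group(1) if ip else None
        elif msg.startswith("SENDING>>>>"):
            if first_send is None:
                first_send = e["ts"]
            # OAK AG = Oakley aggressive mode, OAK MM = main mode
            if "OAK AG" in msg:
                result["mode"] = "aggressive"
            elif "OAK MM" in msg:
                result["mode"] = "main"
            if "(Retransmission)" in msg:
                result["retransmissions"] += 1
        elif msg.startswith("RECEIVED<<<"):  # assumed inbound marker
            result["received_any"] = True
        elif msg.startswith("Exceeded"):
            result["outcome"] = "failed"
            if first_send is not None:
                result["duration_s"] = round((e["ts"] - first_send).total_seconds(), 3)
    return result


def diagnose(result):
    """Map the summary to a short cause code a helpdesk can act on."""
    if result["outcome"] != "failed":
        return "not_failed"
    if not result["received_any"]:
        # The gateway's reply never reached the client: the path back through
        # whatever sits in front of the client is the first thing to check
        # (in this thread, enabling NAT-T on the gateway resolved it).
        return "no_reply_from_gateway"
    return "failed_after_reply"


if __name__ == "__main__":
    summary = classify(SAMPLE_LOG)
    print(summary)
    print("diagnosis:", diagnose(summary))
```

    Run against the thread's excerpt, `classify` reports an aggressive-mode attempt towards 80.169.139.110 with three retransmissions, no inbound message and a failure about 60 seconds after the first send, and `diagnose` labels it `no_reply_from_gateway`, which matches the later replies' explanation that the second client's traffic was not making it back through the shared address until NAT-T was enabled.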


  • 2.  RE: 2 Dial up clients originating from 1 ip address

    Posted 07-28-2008 02:41

    Hi Stephen,

    Like most IPSec clients, you'll need to have the clients approach the termination point with a unique IP.

    Reason is source and destination port of UDP 500.

    I've seen this in the past with Cisco clients also, where (on a NS firewall) a MIP was needed per user traversing the firewall using an IPSec client.

    Hope this helps

    Kind regards

    Colin



  • 3.  RE: 2 Dial up clients originating from 1 ip address

    Posted 07-28-2008 03:22

    Hi CB, thanks for your prompt reply.

    You will have to forgive my limited knowledge on firewalls and clients; I’m a jack of all trades, master of none!

    Are you saying that it’s not possible in any client configuration to have 2 clients coming from the same IP address?

    Cheers,

    Stephen



  • 4.  RE: 2 Dial up clients originating from 1 ip address
    Best Answer

    Posted 07-28-2008 04:53

    Try to enable NAT-T in Phase 1. I had to do that with a Cisco 3000 and I'll assume this will work with Juniper. However, I'm like you, "jack of all trades, master of none", and I'm new to Juniper as well.

    Rick



  • 5.  RE: 2 Dial up clients originating from 1 ip address

    Posted 07-28-2008 04:57

    Hi,

    You have to enable NAT traversal on the SSG. Go to VPN -> Autokey Advanced -> Edit and check NAT traversal there.

    Hope this helps



  • 6.  RE: 2 Dial up clients originating from 1 ip address

    Posted 07-28-2008 09:51

    Hi Guys,

    Thanks for that. It looks like enabling NAT in VPN > Autokey Advanced > Gateway > Edit did the trick.

    Cheers

    Stephen



  • 7.  RE: 2 Dial up clients originating from 1 ip address

    Posted 07-28-2008 06:34

    I believe you should create a VPN tunnel between the two networks and apply a policy that allows only those two users access to the tunnel, and your network resources.


  • 8.  RE: 2 Dial up clients originating from 1 ip address

    Posted 09-01-2011 03:06

    I have a question for you: how are you defining a different policy for each user?