11-11-2011 02:25 AM
So far i've configure dial up vpn without any problem..
However. we would like to make it further to other networks using linksys vpn routers.
Anyone can provide some ideas ?
11-11-2011 03:47 AM
To connect a Linksys remote site you will use a site to site vpn tunnel and not the dial up vpn.
If the linksys site has a dynamic ip address you can sign p for DynDNS.com and use this service to create a DNS entry you can use for the tunnel gateway. This will be also configured on the Linksys side to keep the entry up to day.
For the Juniper side of the tunnel use these instructions. You will need to find the similar document for the Linksys model.
11-11-2011 08:40 AM
the connect function well with same linksys brand products..
however , cant make it work when connection with ssg5
settings in wrvs4400n are all ready. also tried similar kb as yours.. but no good.
11-11-2011 09:43 AM
You will need to get some log information to see why the tunnel does not come up. Walk through the steps in kb9221 and see which settings will need to be adjusted for this connection.
11-11-2011 07:19 PM - edited 11-11-2011 07:44 PM
Tried many things and make the tunnel active & up on both sides. However, still unable to ping across the tunnel
Routing in SSG and Policy already define properly. the difficult part now is the WRVS4400N
-> get sa
total configured sa: 2
HEX ID Gateway Port Algorithm SPI Life:sec kb Sta PID vsys
00000001< 0.0.0.0 500 esp:3des/sha1 00000000 expir unlim I/I 45 0
00000001> 0.0.0.0 500 esp:3des/sha1 00000000 expir unlim I/I -1 0
00000003< 18.104.22.168 4500 esp:3des/sha1 663c8358 3558 unlim A/U -1 0
00000003> 22.214.171.124 4500 esp:3des/sha1 16360607 3558 unlim A/U -1 0
and below events find.. please advise
VPN 'VPN for ROL801 Home' from 126.96.36.199 is up.
Rejected an IKE packet on ethernet0/0 from 188.8.131.52:500 to 10.254.254.5:500 with cookies f0b62040080c8952 and 0000000000000000 because an initial Phase 1 packet arrived from an unrecognized peer gateway.
11-12-2011 04:29 AM
Phase 1 packet arrived from an unrecognized peer gateway.
This message usually means that the gateway address configured in the gateway object of the VPN does not match the remote gateway.
But I also notice that you have a private address as one of the two partners. Is there another nat device between the SSG and the Linksys? This will normally not work as the gateway connections cannot be on a nat address.
11-12-2011 09:07 AM - edited 11-12-2011 09:15 AM
you can find a private ip address because it's static mapped from a router infront of it. entire public ip address are route to SSG5 untrust interface for NAT or MIP. This makes me more easier to managment entire network.
Finally fix all connection issues after hours of trying and testing. things are working now.
sometimes below event appear.. but vpn connection remain active.
"Rejected an IKE packet on ethernet0/0 from 184.108.40.206:500 to 10.254.254.5:500 with cookies e126643785f3608f and 0000000000000000 because an initial Phase 1 packet arrived from an unrecognized peer gateway."
basically, all things are correct regarding to previous setup. such as Routing, Policy...
3 key points are critial to the entire setup
1. in Auto IKE, Advance . VPN monitor , Optimized and Rekey must ticked. otherwise connection will fail
2. in AutoKey Advance, Gateway, Advance, require to put to internet ip address to local ID
3. even dynamic ip using in WRVS4400N, with dyndns configure. in SSG5 gateway setting still require to use "Static IP Address"
above 3 things must follow , otherwise connection will drop immediately
and after this.. a new question to ask.. i can see alerts appear in regular bascis..
i'm require to configure more , or block these ip as well ?
"Port scan! From 220.127.116.11:19000 to 18.104.22.168:9722, proto TCP (zone Untrust, int ethernet0/0). Occurred 1 times."