06-05-2008 05:21 PM
I am trying to configure the SSG 550 to accept a VPN connection from a Cisco VPN client using a dynamic IP address. I have tried several different configurations on the SSG, but keep getting the error unknown peer from the SSG. It appears that the SSG is showing the peer based on the source IP. Has anyone managed to get the Cisco VPN client to work with the SSG? Please let me know.
06-06-2008 03:49 PM
I am one of those weirdos that wants to know why the Cisco VPN client won't work with the Netscreen. I think standards are very important in the industry, and IPsec should be a standard. Do you happen to know why the Cisco VPN client is not supported by the SSG550? What part of the IPsec protocol does Cisco/Juniper not adhere to or support? I have done sniffer traces from my Cisco VPN client and see where the group name is being passed to the Juniper from the Cisco client; however, the Juniper seems to be insistent on using the source IP for identification. I keep getting the error in the Juniper logs of unknown VPN client <IP Address>. Any ideas?
06-08-2008 10:56 AM
The Netscreen client is very standards-aware: I mean you can specify any parameter of the IPsec protocol (encryption level/algorithm, PSK, proxy ID ...). I don't think it's the same with the Cisco one (correct me if I'm wrong): you only specify login and password and then the client gets all the other parameters from the gateway. That's why I think it does not work.
So Cisco and Juniper IPsec negotiation are a bit different (in a client-to-site scenario) even if they use the same protocol: IPsec.
06-09-2008 07:01 AM
I know that the Netscreen client and the Cisco Client don't play well together on the same computer, so I can understand this issue. I do need to configure the SSG to support VPNs from dynamic IP addresses (most connections will be coming from cable/DSL users). Do you have any information on how to configure the SSG for VPNs from dynamic IP addresses?
06-09-2008 09:45 AM
Here is an example with a site-to-site connection:
In a client-to-site case, you must use the "Dialup VPN" object "255.255.255.255/32" as your source. Here is an example:
03-07-2012 11:55 AM
The thread is really old, but I believe it might be possible.
But you have to use certificates to get this done.
I believe junos/netscreen sends IP as groupname?
Using certs lets you complete phase1 without that mismatch.
I haven't gotten this working, but I want to try this out myself. Will post back if I have success.
(BTW, this is why the Shrew Soft client works with Cisco or Juniper: it's flexible in what negotiation you send to the server.)
03-20-2012 11:32 AM
If there's an option in the Cisco client to send an FQDN or U-FQDN (User fully-qualified domain name; same format as an email address) as the local IKE ID, then you should be able to connect without a certificate. I've used this method to connect using Shrew and IPSecuritas clients.
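As an added illustration (not posted by anyone in this thread, and not Juniper's own documentation), here is a ScreenOS CLI configuration that combines the two suggestions above: the "Dial-Up VPN" address object as the policy source, and a U-FQDN IKE ID so the SSG identifies the remote user by that ID rather than by its dynamic source address (ScreenOS matches dial-up IKE users on IP, FQDN, U-FQDN or ASN.1-DN identities). The user name, the U-FQDN, the interface ethernet0/0, the pre-shared key placeholder and the proposal names are assumptions; lines beginning with "#" are commentary, not ScreenOS syntax, and the exact keywords should be checked against the ScreenOS release on the box.

```text
# Added example, not from the thread. Assumed values: ethernet0/0 as the
# Untrust interface, user "remote-alice", U-FQDN "alice@vpn.example.com",
# the pre-shared key placeholder and the proposal names.

# 1. An IKE user identified by U-FQDN. The client must send exactly this
#    string as its local IKE ID; share-limit 1 allows one tunnel per user.
set user "remote-alice" ike-id u-fqdn "alice@vpn.example.com" share-limit 1
set user "remote-alice" type ike
set user "remote-alice" "enable"
set user-group "dialup-users" user "remote-alice"

# 2. Phase 1: a dial-up gateway bound to the user group. Aggressive mode is
#    needed because the peer address is unknown. Caveat: in aggressive mode
#    the PSK-derived hash crosses the wire before encryption starts, so use a
#    long random key (or the certificate approach mentioned earlier).
set ike gateway "dialup-gw" dialup "dialup-users" Aggr outgoing-interface "ethernet0/0" preshare "<long-random-psk>" proposal "pre-g2-aes128-sha"
set ike gateway "dialup-gw" nat-traversal

# 3. Phase 2 VPN object referencing the gateway.
set vpn "dialup-vpn" gateway "dialup-gw" no-replay tunnel idletime 0 proposal "g2-esp-aes128-sha"

# 4. Policy: "Dial-Up VPN" is the built-in 255.255.255.255/32 address object
#    that matches any dial-up peer, so no fixed source address is required.
set policy from "Untrust" to "Trust" "Dial-Up VPN" "Any" "ANY" tunnel vpn "dialup-vpn" log

# 5. Checks while a client connects: confirm the gateway, watch which
#    Phase 1 ID the peer actually sends, and see whether an SA is built.
get ike gateway "dialup-gw"
debug ike detail
get dbuf stream
get sa
get event
```

If `debug ike detail` shows the peer presenting an ID type other than the U-FQDN configured above, the "unknown peer" error reported in the first post is expected: the gateway has no user whose ID matches what the client sent.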
03-26-2012 01:34 AM
Cisco VPN client will not work with the SSG. After the certificate authentication has completed, the client sends a vendor-specific parameter and drops the IKE negotiation because the remote GW is not a Cisco one...
03-26-2012 05:39 AM
Use the NCP Client. It is the best in the industry and it works - fast and reliable.
There are two IPsec clients. The Universal Client which will work against any IPsec VPN gateway and the Juniper Edition client which is cheaper but only will work against Juniper gateways.
The Configuration Guides provide details on how to configure it all: