Screen OS

  • 1.  Shrew VPN Client / SSG VPN Issue

    Posted 12-27-2009 08:59

    I have followed this tutorial to a T.

    http://www.shrew.net/support/wiki/HowtoJuniperSsg

     

    I am able to connect using XAUTH to the VPN. I am only able to communicate to my SSG via the local IP 10.1.1.1.

     

    I can ping the router and telnet in; however, I am not able to talk to the machines behind my SSG from a remote location using the Shrew client.

     

    My Policy Log:

    2009-12-27 11:12:30 10.1.1.10:65112 10.1.1.5:53 10.1.1.10:65112 10.1.1.5:53 DNS 60 sec. 97 0 Close - AGE OUT
    2009-12-27 11:12:30 10.1.1.10:65466 10.1.1.5:53 10.1.1.10:65466 10.1.1.5:53 DNS 60 sec. 90 0 Close - AGE OUT
    2009-12-27 11:12:30 10.1.1.10:58084 10.1.1.5:53 10.1.1.10:58084 10.1.1.5:53 DNS 60 sec. 94 0 Close - AGE OUT
    2009-12-27 11:12:00 10.1.1.10:55996 10.1.1.3:2492 10.1.1.10:55996 10.1.1.3:2492 TCP PORT 2492 22 sec. 70 0 Close - AGE OUT
    2009-12-27 11:11:38 10.1.1.10:55996 10.1.1.3:2492 10.1.1.10:55996 10.1.1.3:2492 TCP PORT 2492 0 sec. 0 0 Creation
    2009-12-27 11:11:34 10.1.1.10:56181 10.1.1.5:53 10.1.1.10:56181 10.1.1.5:53 DNS 0 sec. 0 0 Creation
    2009-12-27 11:11:34 10.1.1.10:315 10.1.1.7:1 10.1.1.10:315 10.1.1.7:1 ICMP 0 sec. 0 0 Creation
    2009-12-27 11:11:33 10.1.1.10:54185 10.1.1.5:53 10.1.1.10:54185 10.1.1.5:53 DNS 0 sec. 0 0 Creation
    2009-12-27 11:11:31 10.1.1.10:63074 10.1.1.5:53 10.1.1.10:63074 10.1.1.5:53 DNS 0 sec. 0 0 Creation
    2009-12-27 11:11:30 10.1.1.10:58084 10.1.1.5:53 10.1.1.10:58084 10.1.1.5:53 DNS 0 sec. 0 0 Creation

     

    10.1.1.10 is my virtual IP, which I successfully get from the IP pool I created within the SSG.

    10.1.1.5 is my DNS server.

    I am able to ping SSG via 10.1.1.1

    I have added a VPN policy from trust to untrust, which made the policy bidirectional (which I do not think I need); it did not make a difference. I never needed that before; however, I saw that someone said to do that in this forum.

    I am not sure what to do next. Thanks

     

    UPDATE:

    I have been using an IP pool from the same IP range as my internal subnet (behind my firewall). I have read that you should use a unique IP pool. I have since changed it and will test this tomorrow when I am off my network.

     

    If I am wrong please let me know.



  • 2.  RE: Shrew VPN Client / SSG VPN Issue
    Best Answer

    Posted 12-28-2009 04:50

    I have fixed the issue.

     

    The issue was in fact the IP pool not being unique from my internal LAN. I had a hunch and was right. The tutorial I linked above is a very good one, and the Shrew client is great!

     

    Regards,

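The fix above comes down to one rule: the dial-up IP pool must not overlap any subnet behind the firewall. When it does, the SSG itself still answers (hence the working ping and telnet to 10.1.1.1), but LAN hosts treat the client's virtual IP as a local neighbour and never route replies back through the firewall and the tunnel, which is consistent with the policy log showing sessions created and then closed with AGE OUT. The following script is an added example, not code from the thread or from Juniper: an offline pre-check you can run against a planned pool and your protected subnets before committing it. The addresses in it are constructed to mirror the poster's 10.1.1.0/24 LAN; the 10.250.0.0 pool is an arbitrary stand-in for "a range nobody else uses".

```python
import ipaddress

# Constructed sample data, not from the original post: a trust-side LAN like the
# poster's 10.1.1.0/24, a pool drawn from inside it (the broken setup) and a
# pool from a separate, unused range (the fix).
TRUST_SUBNETS = ["10.1.1.0/24"]
OVERLAPPING_POOL = ("10.1.1.10", "10.1.1.20")
UNIQUE_POOL = ("10.250.0.1", "10.250.0.50")


def pool_networks(pool_start, pool_end):
    """Express a first..last address pool as the minimal list of CIDR blocks."""
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    if end < start:
        raise ValueError("pool end %s is below pool start %s" % (end, start))
    return list(ipaddress.summarize_address_range(start, end))


def pool_overlaps(pool_start, pool_end, protected_subnets):
    """Return the protected subnets (as strings) that the pool collides with.

    A dial-up client whose virtual IP falls inside a LAN subnet is reachable
    from the firewall, but LAN hosts treat the address as local and ARP for it
    instead of routing replies back through the firewall and the tunnel, so
    sessions are created but never see a reply.
    """
    nets = pool_networks(pool_start, pool_end)
    hits = []
    for subnet in protected_subnets:
        net = ipaddress.ip_network(subnet, strict=False)
        if any(n.overlaps(net) for n in nets):
            hits.append(str(net))
    return hits


def check_pool(pool_start, pool_end, protected_subnets):
    """Human-readable verdict for one pool against the protected subnets."""
    hits = pool_overlaps(pool_start, pool_end, protected_subnets)
    if hits:
        return "BAD: pool %s-%s overlaps %s" % (pool_start, pool_end, ", ".join(hits))
    return "OK: pool %s-%s is outside all protected subnets" % (pool_start, pool_end)


if __name__ == "__main__":
    print(check_pool(*OVERLAPPING_POOL, TRUST_SUBNETS))
    print(check_pool(*UNIQUE_POOL, TRUST_SUBNETS))
```

Feed `protected_subnets` every subnet the remote users must reach, not only the one the SSG sits on; it is also worth adding the common home-router ranges (192.168.0.0/24, 192.168.1.0/24) to the list, since a pool that collides with the client's own LAN breaks the same way from the other end.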


  • 3.  RE: Shrew VPN Client / SSG VPN Issue

    Posted 01-13-2010 19:33

    Hi,

    I have configured Juniper for dial-up VPN and I can successfully access it via NetScreen Remote, but NSR is not compatible with Windows 7, so I am testing with Shrew.

    Can you please advise on what I should select at Server CA in Authentication?

    Or, if you have any docs on how to configure the Shrew VPN client, please share them with me.

     

    Thanks in Advance

     

    Sona



  • 4.  RE: Shrew VPN Client / SSG VPN Issue

    Posted 01-14-2010 14:47

    I provided the tutorial above. In the Authentication tab you would choose RSA + XAUTH from the drop-down. If you are not using XAUTH then just Mutual RSA. I am not sure about your setup, so, as we all do, try it and see where it leads you. Good luck!



  • 5.  RE: Shrew VPN Client / SSG VPN Issue

    Posted 01-21-2010 10:52

    I have also followed the Shrew tutorial and can successfully connect using the Shrew VPN client to a NetScreen device. However, I would also like to still use NetScreen Remote on machines that already have it installed and working, and just send out an updated policy to the remote users, instead of switching everyone over to Shrew. However, I can't seem to configure NetScreen Remote with the same parameters as with the Shrew setup. The first stumbling block is that the Shrew setup has you put vpngw.domain.com in the local ID of the vpnclient_gateway on the NetScreen, but I don't see a way to enter this into NetScreen Remote. Any help with this would be greatly appreciated.



  • 6.  RE: Shrew VPN Client / SSG VPN Issue

    Posted 01-22-2010 15:40

    Sorry, I cannot help much with the NetScreen Remote setup as I never used that client. I can tell you that I have used the Shrew client for both of my Juniper devices:

     

    My VPN site using Shrew PSK and XAUTH:

    Local identity = client.mydomain.local, which is the FQDN string I placed in Shrew, and also put in the User Object (vpnclient_group) IKE Identity. I am assuming that NetScreen would have to permit you to create a group to use XAUTH?

     

    Different VPN site just using Shrew PSK:

    In that same Local Identity tab (Shrew) I have chosen Identification Type: IP Address and checked "Use a discovered local host address" (same for Remote Identity). On the Credentials tab I used the PSK.



  • 7.  RE: Shrew VPN Client / SSG VPN Issue

    Posted 03-03-2013 12:07

    I too have followed the Shrew wiki article and achieved a working dial-in connection. However, the connection gets the first IP address in the SSG5 IP pool, with a /32 netmask. I need a /16 netmask to access other subnet resources, and preferably to log in with a static IP address (not from the IP pool). As an SSG5 noob, does anyone have CLI-specific info or a reference on how to go about this?

    Unfortunately the more I read the ref materials, the more overwhelming it appears...

    Thanks