Screen OS

Hello,

I am hoping someone can help me understand what I am doing wrong. I followed the following when setting up VPN access: http://kb.juniper.net/InfoCenter/index?page=content&id=KB14878

and the following when setting up Shrew Soft VPN Access: http://kb.juniper.net/InfoCenter/index?page=content&id=KB22074

But I keep getting the following messave when I try to connect.

config loaded for site 'Work'
configuring client settings ...
attached to key daemon ...
peer configured
iskamp proposal configured
esp proposal configured
client configured
local id configured
pre-shared key configured
bringing up tunnel ...
negotiation timout occurred
tunnel disabled
detached from key daemon ...

 

Firewall event log shows the following but it doesn't go any further.

 

Date/Time	Level	Description
2013-02-13 16:49:59	information	IKE 209.66.114.182 phase 1:The symmetric crypto key has been generated successfully.
2013-02-13 16:49:59	information	IKE 209.66.114.182 Phase 1: Responder starts AGGRESSIVE mode negotiations.

 

#vpn
#SSG550
#shrew
#netscreen

Hi,

You may have better luck following this steps instead if working with shrew soft client:

http://www.shrew.net/support/Howto_Juniper_SSG

 

Note: under "Gateway Configuration"  where it reads: "Number of Multiple logins with same ID" you change it to something else besides '1' (the default) otherwise you wont be able to have more than one user logged in at the time.. use the maximum your juniper unit allows.. (e.g. ssg5 is 25)...

 

 

 

 

 

I have tried the link provided by Shrew.  I was finally able to connect using the beta version 2.2.0-rc-2 of Shrew and get an IP (192.168.1.1) but I can't ping any of my internal PC or map a network drive.

 

I used the connection from my phone to test since I am at work and able to connect.

config loaded for site 'work'
attached to key daemon ...
peer configured
iskamp proposal configured
esp proposal configured
client configured
local id configured
remote id configured
pre-shared key configured
bringing up tunnel ...
network device configured
tunnel enabled

But when I try my home PC which has an IP of 192.168.1.3, I cannot connect and still get the same message as below

 

config loaded for site 'work'
attached to key daemon ...
peer configured
iskamp proposal configured
esp proposal configured
client configured
local id configured
remote id configured
pre-shared key configured
bringing up tunnel ...
negotiation timout occurred
tunnel disabled
detached from key daemon

 

I am using the same client and the same configuration.

Correction. I was able to connect from my home pc as well. Now I just need to figure out how I can map drives and be able to ping my internal network.

Any and all help is greatly appreciated.

Try using a completelly different ip segment for the VPN pool not 192.168.1... (Users > IP Pools) use something like 10.10.1...... if you google this you will see it needs to be something diferent from your segment.. give it a try.. shrew docs does not mention it... I had the same problem until I used different segment.

 

I did that, but when I connecet using VPN, I am still getting the 192.168.IP.  I don't have option to remove the 192.168 IP pool.

 

Name    Start IP                End IP                 In use           Configure

IPPool 192.168.1.1        192.168.1.10          1                      - -
Home 10.10.1.1              10.10.1.254            0             Edit      Remove

 

There is nothing that I can find that is using the 192.168 IP, all connections have been disconnected.

Hi, I see on your post the "192.168.1" pool is "in use", it has 'one' lease... you need to disconnect (or reboot/restart your SSG) and dont connect via VPN to it, just  then the info "In use" will disappear and the option for "Remove" will re-apear (as you see it for the pool 10.10.1.1 you created) .. the lease has to be released first..

 

or you can just wait, the lease will be released eventually (dont know how long though...), the fastes way to release it is just restart the SSG.

 

Name    Start IP                End IP                 In use           Configure

IPPool 192.168.1.1        192.168.1.10          1                  --

So here is the latest.  I am able to connect, but cannot ping any internal IPs or map any network drives.  I am getting the internal network's DNS.

 

config loaded for site 'work'
attached to key daemon ...
peer configured
iskamp proposal configured
esp proposal configured
client configured
local id configured
remote id configured
pre-shared key configured
bringing up tunnel ...
network device configured
tunnel enabled

 

 

Ethernet adapter Local Area Connection* 12:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Shrew Soft Virtual Adapter
Physical Address. . . . . . . . . : AA-AA-AA-AC-A4-00
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::e556:c101:7c0f:4acf%40(Preferred)
IPv4 Address. . . . . . . . . . . : 10.10.1.1(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 10.50.100.12
4.2.2.2
NetBIOS over Tcpip. . . . . . . . : Disabled

At his point you should be able to ping the SSG once the vpn is connected correct?

 

Question on how you setup is... do you have a route to the internet from your SSG? something like eg.

(here eth0/2 is the Untrust port, 192.168.1.1 is the gateway router (not the SSG):

 

set route 0.0.0.0/0 interface ethernet0/2 gateway 192.168.1.1

 

Is your SSG directly connected to the internet or you have a firewall router in between?

 

is this SSG at home or at your work place? if its at home and trying to connect form work, and your company has (or may have) the IPSec ports needed are blocked.. a lot of companies have it this way for security reason, if this is the case you wont be able to connect from work this way unless you admin lets you and open the ports needed....

 

Attached is my working SSG5 config and Shrew client config, maybe you can tell by looking at both what is missing..

 

Are using Untrust- to-trust or just Trust-ti-Trust ?

 

I am not able to ping from home to work, what is what I need to do. I do have a route to the internet as shown in the attached firewll config and the attached shrew config.  I was not able to see much difference between the your files and mines.  Perhaps I am missing something and you can guide me to the correct resolution.

 

I am assuming that I am not able to ping anyting internally because I am not getting a gateway?  This is what I get when I do an ipconfig for the shrew adapter.

 

Ethernet adapter Local Area Connection* 12:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Shrew Soft Virtual Adapter
Physical Address. . . . . . . . . : AA-AA-AA-AC-A4-00
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::e556:c101:7c0f:4acf%40(Preferred)
IPv4 Address. . . . . . . . . . . : 10.10.1.1(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 10.50.100.12
4.2.2.2
NetBIOS over Tcpip. . . . . . . . : Disabled

 

Appreciate the assistance.

HI, its time for bed 🙂

 

I will look at the files tomorrow.. but..

No showing a gateway under shrew client is normal so that is ok.

 

The problem I think is that when you connect the VPN, it does not know how to come back to the client once connected, it can be a policy or route problem..

One thing I can see is the order of the policies could be wrong, I believe the VPN Dialup supposed to be on top (use GUI to move them if needed).. on a command line connected to your Juniper, run the following and if there is a problem you can correct it, order of policies are important.. give it a quick test using the following as example:

 

e.g.  (I run these in my ssg5 and see the responses I get):

 

ssg5-serial-> exec policy verify global
No firewall rules found
ssg5-serial-> exec policy verify from trust
Rulebase verified successfully
ssg5-serial-> exec policy verify from untrust
Rulebase verified successfully
ssg5-serial-> exec policy verify from untrust to trust
Rulebase verified successfully
ssg5-serial-> exec policy verify from trust to untrust
Rulebase verified successfully

 

Once you change the policy order if you needed it, log off you pc before trying to connect again....

 

Hopefully someone else with a lot more experience jumps in too.. you are almost there, just a simple thing is missing...

Before Changes were made.

Firewall-2-> exec policy verify global
No firewall rules found
Firewall-2-> exec policy verify from trust
Rulebase verified successfully
Firewall-2-> exec policy verify from untrust
Rule 4 is shadowed by rule 2
Rulebase verification done: shadowed rules were found
Firewall-2-> exec policy verify from untrust to trust
Rule 4 is shadowed by rule 2
Rulebase verification done: shadowed rules were found
Firewall-2-> exec policy verify from trust to untrust
Rulebase verified successfully
Firewall-2->

After Policy changes

Firewall-2-> exec policy verify global
No firewall rules found
Firewall-2-> exec policy verify from trust
Rulebase verified successfully
Firewall-2-> exec policy verify g
No firewall rules found
Firewall-2-> exec policy verify from untrust
Rulebase verified successfully
Firewall-2-> exec policy verify from untrust to trust
Rulebase verified successfully
Firewall-2-> exec policy verify from trust to untrust
Rulebase verified successfully
Firewall-2->

 

I also had to make some Phase 2 changes in the Shrew Client

Phase 2: 

Transform Algorith: Auto

HMAC Algorithm: Auto

PFS Exchange: Disabled

Compress Algorithm: Disabled

Key Life time limit: 3600

 

I am now able to ping and map network drives......WOOOO   HOOOO

 

Thanks for all your help. I will post my Shrew settings so others can benefit as well.

 

One question, Can I have users logon using their AD credentials or do I need to create a VPN acct for all the users under Objects, local users?

I was able to setup the VPN access.  Now what I woudl like to do is be able to use AD for all users who connect using VPN.  At the moment only the users with an account on the firewall can connect and map shares.  I don't want to create accounts for all the users, i would like use AD authentication.

 

I did setup NSP on windows 2008 and a Radius server on the firewall, but I am not able to connect using any AD credentials.

 

AN IDEAS....