ScreenOS Firewalls (NOT SRX)
JS

Unable to change user setting

Hi

I have created a dial-up VPN policy on an SSG-5 using the wizard.

I have used a single user profile for ID and now I want to allow multiple use of this user ID.

But I get errors when I try to change it:

First I get: user ike id check failed

Then I get: You can only change the user status, IKE options and/or password for the current user.

Is there a workaround for that?

Stac Polaidh

Re: Unable to change user setting

Hi,

You need to remove the user from the active VPN that they are currently tied to before you can make the change.

Regards

Pier
Network and telephony support engineer
JNCIA-FWV, CCNP Voice, CCNA
JS

Re: Unable to change user setting

Thanks. That worked.

Isn't it possible to use the same user on multiple connections? If I try to use a user with "Number of Multiple Logins with Same ID" larger than 1, I'm told that I have to use a group. If I put this user in a group, I'm told that I have to enable XAuth.

JS

Re: Unable to change user setting

If I try to set the VPN to Dynamic with a remote ID provided, I get:

VPN "VPN for Any" which use this IKE gateway have manually configured proxy ID

fail set non-dial-up gateway

Error in set ike gateway.


Stac Polaidh

Re: Unable to change user setting

Yes, you need to use IKE and XAuth. Please see:

http://kb.juniper.net/InfoCenter/index?page=content&id=KB15272

Pier
Network and telephony support engineer
JNCIA-FWV, CCNP Voice, CCNA
Spud

Re: Unable to change user setting

You don't actually have to use XAuth (you can use a shared IKE user in a group with additional IKE users containing similar IKE IDs) but it's recommended for additional security.

You can't edit a user that's currently in use by a VPN gateway, so the easiest way (other than deleting the VPN definition and starting from scratch) is to create a temporary dummy IKE user, then modify the VPN gateway to use this user. You should now be able to edit the original user (bumping up the Multiple Logins number), add it to a new group, modify the VPN gateway again to use the new group containing the original IKE user, and delete the dummy user.

You now have a choice between adding additional IKE users, or additional XAuth users.

JS

Re: Unable to change user setting

Thanks for your answers. I'm setting up XAuth now :-)
