Screen OS

This is a legacy community with limited Juniper monitoring.
  • 1.  VPN IPSec problems, port 500?

    Posted 10-28-2010 14:14

    Setting up my first Juniper device. I am working on VPN connections, and telnet port 500 fails; 80 works. Where do I set policy/other if needed? I am open to suggestions for VPN solutions. TIA!

     

    JS



  • 2.  RE: VPN IPSec problems, port 500?

    Posted 10-28-2010 15:03

    More info if needed. I am using Shrew Soft VPN. IKE service shows resending phase1 packet(s) timeout.



  • 3.  RE: VPN IPSec problems, port 500?

    Posted 10-28-2010 16:43

    Most of the time I've found that phase 1 timeout errors have the gateway address misconfigured on one side or the other.

     

    Here is the landing page for troubleshooting VPN connection problems kb9221.

     

    The phase 1 timeout issues are detailed here in kb9349



  • 4.  RE: VPN IPSec problems, port 500?

    Posted 10-28-2010 17:47

    Thanks for the reply. I have found my first error: initial Phase 1 packet arrived from an unrecognized peer gateway.

     

    -JS



  • 5.  RE: VPN IPSec problems, port 500?
    Best Answer

    Posted 10-29-2010 03:49

    Did you get the gateway address fixed then?

     

    Or do you need this from kb9238

     

    • Message: IKE <ip_addr> Phase 1: Rejected an initial Phase 1 packet from an unrecognized peer gateway.
      Meaning: The responder did not recognize the incoming request as originating from a valid gateway peer.
      Action: On the responder, confirm the following IKE gateway configuration settings are correct:
      • The Static IP Address specified for the Remote Gateway is correct.
      • The Peer ID specified for the Remote Gateway is correct.
      • The outgoing interface is correct.  (Unfortunately, you cannot change the IKE Gateway's outgoing interface.  Create a new IKE Gateway that points to the correct outgoing interface and then change the AutoKey IKE so that it matches the new gateway.)

    The entire dialup VPN troubleshooting process is in kb9224 once you get past this issue.
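
Added example, not part of the thread or of Juniper's KB: a small Python triage that pulls the kb9238 rejection message quoted above out of an event log, counts it per peer address, and compares each peer with the responder's IKE gateway addresses to pick which of the three listed settings to check first. The log prefix, the addresses and the `CONFIGURED_GATEWAYS` table are constructed assumptions.

```python
import re
from collections import Counter

# Message text as quoted from kb9238 in the post above; <ip_addr> is the peer.
REJECT_RE = re.compile(
    r"IKE (\d{1,3}(?:\.\d{1,3}){3}) Phase 1: Rejected an initial Phase 1 packet "
    r"from an unrecognized peer gateway"
)

# Constructed sample: the timestamp prefix is an assumption, and the addresses
# are documentation ranges.
SAMPLE_LOG = """\
2010-10-28 17:40:02 IKE 203.0.113.25 Phase 1: Rejected an initial Phase 1 packet from an unrecognized peer gateway.
2010-10-28 17:40:07 IKE 203.0.113.25 Phase 1: Rejected an initial Phase 1 packet from an unrecognized peer gateway.
2010-10-28 17:41:15 IKE 198.51.100.7 Phase 1: Rejected an initial Phase 1 packet from an unrecognized peer gateway.
2010-10-28 17:42:00 system: admin logged in via web
"""

# Hypothetical view of the responder's IKE gateways: name -> Static IP Address.
CONFIGURED_GATEWAYS = {"branch-gw": "198.51.100.7", "hq-gw": "192.0.2.10"}


def rejected_peers(log_text):
    """Count Phase 1 rejections per peer address."""
    return Counter(m.group(1) for m in REJECT_RE.finditer(log_text))


def triage(log_text, gateways):
    """Map each rejected peer to the kb9238 settings worth checking first."""
    by_addr = {addr: name for name, addr in gateways.items()}
    report = {}
    for peer, count in rejected_peers(log_text).items():
        if peer in by_addr:
            # Address matches a gateway, so the remaining two checks apply.
            checks = ["Peer ID", "outgoing interface"]
        else:
            # No gateway lists this address (wrong address, or a dialup peer).
            checks = ["Static IP Address", "Peer ID"]
        report[peer] = {"count": count, "gateway": by_addr.get(peer), "check": checks}
    return report


if __name__ == "__main__":
    for peer, info in triage(SAMPLE_LOG, CONFIGURED_GATEWAYS).items():
        print(peer, info)
```

A peer that matches no configured address, as a roaming client normally will, leaves the Peer ID as the setting the responder has to match on.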



  • 6.  RE: VPN IPSec problems, port 500?

    Posted 10-29-2010 05:37

    I got the client to connect. Your link was not a direct answer, but helped to troubleshoot.

     

    Event activity for telnet and http on the SSG5, but no vpn client event activity.

    By mistake I tried to connect a Win 7 L2TP client, and event activity appeared.

    I switched from wireless to NIC, and now I have vpn client event activity.

    Error: initial Phase 1 packet arrived from an unrecognized peer gateway.

    Unchecking "Replay Protection" in Autokey IKE advanced got the client to connect,

    Pool IP assigned, no network access, but much closer.

     

    So after hours of trying to get port 500 to work, turns out it was the wireless adapter and Shrew Soft VPN. Dunno what's next.

    I am very disappointed there is no Juniper VPN support for mobile and remote users. I cannot go back to the table and say we need to spend another $1000 for NCP VPN client software. I will rant in another thread. Thanks for the replies.

     

    -JS