ScreenOS Firewalls (NOT SRX)
Visitor
boricua
Posts: 9
Registered: 07-28-2008

Windows 2003 RRAS connect to SSG 5 issue (Newbie)

Hello,

I followed this How-To article:

http://kb.juniper.net/kb/documents/public/VPN/ScreenOS_Windows_L2TP_IPSec.pdf

Even though the screenshots are a little different, I believe I did this right.

Here is a brief description of the network:

The CA server is behind the firewall. (Don't know if it needs to be exposed to the internet?)

The Windows 2003 machine is on a dynamic network behind a NAT.

I think that is all that is needed. If you need more info on the network, let me know.

I did a debug ike detail. This is the failure part of the debug output:

## 2008-08-26 01:09:42 : IKE<0.0.0.0        >   ct:CN=peterVPN
## 2008-08-26 01:09:42 : IKE<0.0.0.0        >   ct:OU=Dev
## 2008-08-26 01:09:42 : IKE<0.0.0.0        >   ct:O=Nextricity
## 2008-08-26 01:09:42 : IKE<0.0.0.0        >   ct:L=Thousand Oaks
## 2008-08-26 01:09:42 : IKE<0.0.0.0        >   ct:ST=CA
## 2008-08-26 01:09:42 : IKE<0.0.0.0        >   ct:C=US
## 2008-08-26 01:09:42 : IKE<0.0.0.0        >   ct:Email=peter@quahog.lcl
## 2008-08-26 01:09:42 : IKE<0.0.0.0        >   count_num_required_elems: ret num elem<7>.
## 2008-08-26 01:09:42 : IKE<0.0.0.0        >   Failed to find user of dynamic peer.
## 2008-08-26 01:09:42 : IKE<75.82.231.166> Packet has arrived with ID type ASN1_DN, but no user configuration was found for that ID.
## 2008-08-26 01:09:42 : IKE<75.82.231.166> ID processed. return 1. sa->p1_state = 2.
## 2008-08-26 01:09:42 : IKE<75.82.231.166> Error processing ID
## 2008-08-26 01:09:42 : IKE<75.82.231.166> Phase 1: Main mode negotiations have failed.

Does it seem my server can't find the correct cert to send the Juniper? How does it know which cert to send the Juniper?

Thank you very much,

Rick

Distinguished Expert
rkim
Posts: 755
Registered: 11-06-2007

Re: Windows 2003 RRAS connect to SSG 5 issue (Newbie)

First of all, the certificate needs to be installed on the SSG. The SSG does not need to talk to the CA server after the cert is installed, except perhaps for CRL checking. The CA cert and the loaded CRL should be adequate to validate the cert identity, so long as the CA cert is from the same server as the one that generated the cert for the Windows XP client.

But I suspect that your issue is elsewhere. I suspect that your IKE/L2TP user may not be configured correctly with the correct DN information. Make sure that you specify wildcard and that all fields which are configured match the corresponding DN which was sent by the Windows XP client. Either that, or your IKE configuration is specifying the wrong IKE user. Perhaps you can post your IKE and user configs.

-Richard
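Added example (not from this thread and not Juniper code): a small Python model of the check rkim describes, i.e. pairing the DN that the dynamic peer presents (the "ct:" lines in the debug output) with the asn1-dn IKE ID configured on a user, so you can see why "Failed to find user of dynamic peer" appears when one configured field does not match. The debug lines are constructed to look like the ones posted above, the user names and configured DNs are assumptions, and the ScreenOS command in the comment is shown from memory; the container-type rule is simplified here to an ordered-subsequence check, so rely on the ScreenOS documentation for the exact semantics.

```python
import re

# Constructed sample: 'ct:' lines of a ScreenOS 'debug ike detail' trace, modelled on the
# output posted in this thread. Values are illustrative, not captured from a real device.
DEBUG_LINES = """\
## 2008-08-26 01:09:42 : IKE<0.0.0.0        >   ct:CN=peterVPN
## 2008-08-26 01:09:42 : IKE<0.0.0.0        >   ct:OU=Dev
## 2008-08-26 01:09:42 : IKE<0.0.0.0        >   ct:O=Nextricity
## 2008-08-26 01:09:42 : IKE<0.0.0.0        >   ct:L=Thousand Oaks
## 2008-08-26 01:09:42 : IKE<0.0.0.0        >   ct:ST=CA
## 2008-08-26 01:09:42 : IKE<0.0.0.0        >   ct:C=US
## 2008-08-26 01:09:42 : IKE<0.0.0.0        >   ct:Email=peter@quahog.lcl
## 2008-08-26 01:09:42 : IKE<0.0.0.0        >   count_num_required_elems: ret num elem<7>.
""".splitlines()

# Hypothetical IKE users (assumed for this example, not the poster's real config), in the
# shape ScreenOS creates with:
#   set user <name> ike-id asn1-dn {wildcard|container} "<dn>" share-limit <n>
# name -> (id type, configured DN). 'peter_old' has a stale OU and will not match.
USERS = {
    "peter_old": ("wildcard", "CN=peterVPN, OU=Development, O=Nextricity"),
    "peter":     ("wildcard", "CN=peterVPN, OU=Dev, O=Nextricity"),
}

CT_RE = re.compile(r"\bct:([A-Za-z]+)=(.*)$")


def peer_dn_from_debug(lines):
    """Rebuild the peer's certificate subject as ordered (attr, value) pairs from 'ct:' lines."""
    rdns = []
    for line in lines:
        m = CT_RE.search(line)
        if m:
            rdns.append((m.group(1).upper(), m.group(2).strip()))
    return rdns


def parse_dn(dn):
    """Parse 'CN=x, OU=y' into ordered (attr, value) pairs. Escaped commas are not handled."""
    pairs = []
    for part in dn.split(","):
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {part!r}")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def wildcard_match(configured, peer):
    """Wildcard type: every configured attribute must appear in the peer DN with the same
    value; order and extra peer attributes are ignored."""
    seen = {}
    for attr, value in peer:
        seen.setdefault(attr, set()).add(value)
    return all(value in seen.get(attr, ()) for attr, value in configured)


def container_match(configured, peer):
    """Container type, simplified here: configured attributes must appear in the peer DN
    in the same relative order (an assumption; check the ScreenOS docs for the exact rule)."""
    pos = 0
    for want in configured:
        while pos < len(peer) and peer[pos] != want:
            pos += 1
        if pos == len(peer):
            return False
        pos += 1
    return True


def find_user(users, peer):
    """Return the first user whose configured IKE ID matches the peer DN, or None
    (the None case is what the firewall reports as 'Failed to find user of dynamic peer')."""
    for name, (id_type, dn) in users.items():
        matcher = wildcard_match if id_type == "wildcard" else container_match
        if matcher(parse_dn(dn), peer):
            return name
    return None


def explain_mismatch(configured, peer):
    """Configured attributes absent from the peer DN: the first thing to compare when
    the trace shows the peer's DN but no user is found."""
    return [pair for pair in configured if pair not in peer]


if __name__ == "__main__":
    peer = peer_dn_from_debug(DEBUG_LINES)
    print("peer DN:", ", ".join(f"{a}={v}" for a, v in peer))
    for name, (id_type, dn) in USERS.items():
        missing = explain_mismatch(parse_dn(dn), peer)
        print(f"{name} ({id_type}): {'match' if not missing else 'missing ' + str(missing)}")
    print("selected user:", find_user(USERS, peer))
```

Running it prints the seven-attribute DN recovered from the trace, shows that peter_old fails on OU=Development, and selects peter. Swap in the DN actually shown by "debug ike detail" and the DNs from "get user" on the SSG to see which configured field is the one that does not line up.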

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.