ScreenOS Firewalls (NOT SRX)

Unable to change user setting

05-11-2012 07:20 AM

Hi

I have created a dial-up VPN policy on an SSG-5 using the wizard.

I have used a single user profile for ID and now I want to allow multiple use of this user ID.

But I get errors when I try to change it:

First I get: user ike id check failed

Then I get: You can only change the user status, IKE options and/or password for the current user.

Is there a workaround for that?

6 REPLIES

Re: Unable to change user setting

05-11-2012 08:46 AM

Hi,

You need to remove the user from the active VPN that they are currently tied to before you can make the change.

Regards

Pier
Network and telephony support engineer
JNCIA-FWV, CCNP Voice, CCNA

Re: Unable to change user setting

05-13-2012 12:00 PM

Thanks. That worked.

Isn't it possible to use the same user on multiple connections? If I try to use a user with "Number of Multiple Logins with Same ID" larger than 1, I'm told that I have to use a group. If I put this user in a group, I'm told that I have to enable xauth.


Re: Unable to change user setting

05-13-2012 12:13 PM

If I try to set the vpn to Dynamic with a remote id provided I get:

VPN "VPN for Any" which use this IKE gateway have manually configured proxy ID

fail set non-dial-up gateway

Error in set ike gateway.



Re: Unable to change user setting

05-15-2012 12:25 AM

Yes, you need to use IKE and Xauth. Please see

http://kb.juniper.net/InfoCenter/index?page=content&id=KB15272

Pier
Network and telephony support engineer
JNCIA-FWV, CCNP Voice, CCNA

Re: Unable to change user setting

[ Edited ]
05-15-2012 04:27 AM

You don't actually have to use XAuth (you can use a shared IKE user in a group with additional IKE users containing similar IKE IDs) but it's recommended for additional security.

You can't edit a user that's currently in use by a VPN gateway, so the easiest way (other than deleting the VPN definition and starting from scratch) is to create a temporary dummy IKE user, then modify the VPN gateway to use this user. You should now be able to edit the original user (bumping up the Multiple Logins number), add it to a new group, modify the VPN gateway again to use the new group containing the original IKE user, and delete the dummy user.

You now have a choice between adding additional IKE users, or additional XAuth users.


Re: Unable to change user setting

05-15-2012 05:25 AM

Thanks for your answers. I'm setting up Xauth now :-)