ScreenOS Firewalls (NOT SRX)
ScreenOS Firewalls (NOT SRX)

Windows 2003 RRAS connect to SSG 5 issue (Newbie)

08.26.08   |  
‎08-26-2008 12:27 AM



I followed this How-To article:


Even though the screen shots are alittle different I believe I did this right.


Here is a brief description of network:


The CA server is behind the firewall.(Don't know if it needs to be exposed to the internet?)

The windows 2003 machine is on a dynamic network behind a NAT.


Think that is all that is needed.  If you need more info on network let me know.


I did a debug ike detail.  This is the failure part of the debug output:


## 2008-08-26 01:09:42 : IKE<        >   ct:CN=peterVPN
## 2008-08-26 01:09:42 : IKE<        >   ctSmiley SurprisedU=Dev
## 2008-08-26 01:09:42 : IKE<        >   ctSmiley Surprised=Nextricity
## 2008-08-26 01:09:42 : IKE<        >   ct:L=Thousand Oaks
## 2008-08-26 01:09:42 : IKE<        >   ctSmiley FrustratedT=CA
## 2008-08-26 01:09:42 : IKE<        >   ct:C=US
## 2008-08-26 01:09:42 : IKE<        >   ct:Email=peter@quahog.lcl
## 2008-08-26 01:09:42 : IKE<        >   count_num_required_elems: ret num elem<7>.
## 2008-08-26 01:09:42 : IKE<        >   Failed to find user of dynamic peer.
## 2008-08-26 01:09:42 : IKE<> Packet has arrived with ID type ASN1
_DN, but no user configuration was found for that ID.
## 2008-08-26 01:09:42 : IKE<> ID processed. return 1. sa->p1_state
 = 2.
## 2008-08-26 01:09:42 : IKE<> Error processing ID
## 2008-08-26 01:09:42 : IKE<> Phase 1: Main mode negotiations have


Does it seem my server can't find the correct Cert to send the Juniper?  How does it know which cert to send the juniper?


Thank you very much,



ScreenOS Firewalls (NOT SRX)

Re: Windows 2003 RRAS connect to SSG 5 issue (Newbie)

09.03.08   |  
‎09-03-2008 10:32 PM

First of all the Certificate needs to be installed on the SSG. The SSG does not need to talk the CA server after cert is installed except for perhaps CRL checking. The CA cert and loaded CRL list should be adequate to validate the cert identity so long as the CA cert is from the same server as the one which was generated for the Windows XP client.


But I suspect that your issue is elsewhere. I suspect that your IKE/L2TP user may not be configured correctly with correct DN information. Make sure that you specify wildcard and that all fields which are configured match the corresponding DN which was sent by the Windows XP client. Either that or your IKE configuration is specifying the wrong IKE user.  Perhaps you can post your IKE and user configs.