[vpn-help] Juniper SSG5 VPN connect Issue
Luke LeBoeuf
2010-03-10 23:29:49 UTC
All,
I have a Juniper SSG5 firewall that I am trying to set up to work with
the release Shrew client (v2.1.5). I am using the SSG5 firmware version
6.1.0r2.0. I have set up the gateway side and the client side to the letter
of the Shrew documentation, but I keep failing to initiate the tunnel and I
am not sure why. Below is the reject event that I get from the gateway. Does
anyone have any ideas? The Shrew client trace tool simply says 'resend limit
exceeded for phase1 exchange' and it kills the attempts. Any help would be
greatly appreciated as we are trying to get this off the ground. In the
example below I was using an AT&T 3G card, but it also happened from a
desktop using Cox ISP.

Rejected an IKE packet on ethernet0/0 from 166.204.222.138:500 to
xx.xx.xx.xx:500 with cookies 5dba7aba5e660ebc and 0000000000000000 because
an initial Phase 1 packet arrived from an unrecognized peer gateway.

Thanks,
Luke
Matthew Grooms
2010-03-15 01:50:46 UTC
Post by Luke LeBoeuf
All,
I have a Juniper SSG5 firewall that I am trying to set up to work
with the release Shrew client (v2.1.5). I am using the SSG5 firmware
version 6.1.0r2.0. I have set up the gateway side and the client side to
the letter of the Shrew documentation, but I keep failing to initiate
the tunnel and I am not sure why. Below is the reject event that I get
from the gateway. Does anyone have any ideas? The Shrew client trace
tool simply says 'resend limit exceeded for phase1 exchange' and it
kills the attempts. Any help would be greatly appreciated as we are
trying to get this off the ground. In the example below I was using an
AT&T 3G card, but it also happened from a desktop using Cox ISP.
Rejected an IKE packet on ethernet0/0 from 166.204.222.138:500 to
xx.xx.xx.xx:500 with cookies 5dba7aba5e660ebc and 0000000000000000 because
an initial Phase 1 packet arrived from an unrecognized peer gateway.
The Mode under Define Advanced Parameters of the Autokey Advanced
Gateway definition needs to be set to Aggressive on some gateways. It
says (Initiator), which I take to mean when the gateway is acting as
the initiator, but a few people have reported this as a problem with
certain firmware versions. I'll update the document.

Hope this helps,

-Matthew
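The event Luke quoted is worth being able to read mechanically, because the same text shows up whether one client is misconfigured or many unknown peers are knocking on UDP/500. The script below is an added example, not code from the thread, from Shrew Soft or from Juniper: it parses ScreenOS "Rejected an IKE packet" lines into fields, treats an all-zero responder cookie as the marker of a fresh Phase 1 attempt, and summarises rejects per source address. The `IkeReject`, `classify` and `summarise` names and the `threshold` default are my own choices; the first sample line is the one from the post, the rest are constructed. The background fact the comments rely on: with pre-shared keys, an IKEv1 responder cannot choose the right key for a dynamic-address peer in Main mode, because the peer's identity only arrives encrypted in the fifth message, which is why dial-up gateways are commonly set to Aggressive mode, as Matthew describes.

```python
"""Parse ScreenOS 'Rejected an IKE packet' events and summarise them per peer."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Pattern for the event text quoted in the thread. Group names are my own
# choice; the wording is what the SSG5 logged in the original post.
IKE_REJECT_RE = re.compile(
    r"Rejected an IKE packet on (?P<iface>\S+) "
    r"from (?P<src>[\w.]+):(?P<sport>\d+) to (?P<dst>[\w.]+):(?P<dport>\d+) "
    r"with cookies (?P<icookie>[0-9a-fA-F]{16}) and (?P<rcookie>[0-9a-fA-F]{16}) "
    r"because (?P<reason>.+?)\.?\s*$"
)

ZERO_COOKIE = "0" * 16


@dataclass(frozen=True)
class IkeReject:
    iface: str
    src: str
    dst: str
    initiator_cookie: str
    responder_cookie: str
    reason: str

    @property
    def is_initial_phase1(self) -> bool:
        """An all-zero responder cookie means the peer is opening a new Phase 1."""
        return self.responder_cookie == ZERO_COOKIE


def parse_ike_reject(line: str) -> Optional[IkeReject]:
    """Return the parsed event, or None if the line is not an IKE reject event."""
    m = IKE_REJECT_RE.search(line)
    if not m:
        return None
    return IkeReject(m["iface"], m["src"], m["dst"],
                     m["icookie"].lower(), m["rcookie"].lower(), m["reason"])


def classify(ev: IkeReject) -> str:
    """Map the gateway's reason text to a short label for counting."""
    if "unrecognized peer gateway" in ev.reason:
        # No configured Autokey gateway matched this peer. A dial-up client has
        # no fixed address to match on, so a Phase 1 mode mismatch (Main mode
        # on one side, Aggressive on the other) lands here as well.
        return "unknown-peer"
    return "other"


def summarise(lines: List[str], threshold: int = 3) -> Dict[str, dict]:
    """Count rejects per source and flag sources at or over threshold.

    One misconfigured client retrying, as in the thread, shows up as a few
    events from one address that all carry the same initiator cookie. Many
    distinct cookies from many addresses is a different pattern worth a
    separate look. The threshold default is an assumption, not a ScreenOS value.
    """
    per_src: Dict[str, dict] = defaultdict(
        lambda: {"count": 0, "cookies": set(), "labels": Counter(), "initial": 0}
    )
    for line in lines:
        ev = parse_ike_reject(line)
        if ev is None:
            continue
        entry = per_src[ev.src]
        entry["count"] += 1
        entry["cookies"].add(ev.initiator_cookie)
        entry["labels"][classify(ev)] += 1
        entry["initial"] += int(ev.is_initial_phase1)
    for entry in per_src.values():
        entry["flagged"] = entry["count"] >= threshold
    return dict(per_src)


# The event quoted in the thread (the poster masked the gateway address).
_THREAD_EVENT = (
    "Rejected an IKE packet on ethernet0/0 from 166.204.222.138:500 to "
    "xx.xx.xx.xx:500 with cookies 5dba7aba5e660ebc and 0000000000000000 because "
    "an initial Phase 1 packet arrived from an unrecognized peer gateway."
)
# Constructed sample log: the same client retrying three times with the same
# initiator cookie, one event from a documentation-range address, and one
# unrelated line the parser must ignore.
SAMPLE_LOG = [_THREAD_EVENT] * 3 + [
    "Rejected an IKE packet on ethernet0/0 from 203.0.113.7:500 to "
    "xx.xx.xx.xx:500 with cookies 0123456789abcdef and 0000000000000000 because "
    "an initial Phase 1 packet arrived from an unrecognized peer gateway.",
    "constructed non-IKE line: interface ethernet0/0 link up",
]

if __name__ == "__main__":
    for src, entry in summarise(SAMPLE_LOG).items():
        print(src, entry["count"], sorted(entry["cookies"]), dict(entry["labels"]),
              "FLAGGED" if entry["flagged"] else "")
```

Run as-is it prints one summary row per source; to use it on a real box, feed it the syslog lines the SSG exports (the regex uses `search`, so a timestamp prefix is fine) and look at whether the flagged sources share one initiator cookie, which points at a client retrying against a gateway that does not recognise it, or many, which does not.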
Luke LeBoeuf
2010-03-15 17:22:17 UTC
Matt,
Thanks again. That worked! The tunnel is now established, but now I
cannot seem to get to any device on the VPN network. The tunnel shows
up, the firewall logs show a good connection, but I cannot navigate to
any devices on the gateway side (i.e. RDP, NetBIOS, SSH, etc.). Any
ideas? Do I need to add additional policies that allow all traffic to
certain devices? I thought the VPN policy would have taken care of that
(Source = DialupVPN to Internal-net (192.168.1.0/24), any service, none
(all) application, action=tunnel, tunnel=vpnclient_tunnel). The VPN rule
is at the top of the list for the inbound (untrust to trust) rules; is
that acceptable?

Thanks,
Luke
Post by Matthew Grooms
Post by Luke LeBoeuf
All,
I have a Juniper SSG5 firewall that I am trying to set up to work
with the release Shrew client (v2.1.5). I am using the SSG5 firmware
version 6.1.0r2.0. I have set up the gateway side and the client side to
the letter of the Shrew documentation, but I keep failing to initiate
the tunnel and I am not sure why. Below is the reject event that I get
from the gateway. Does anyone have any ideas? The Shrew client trace
tool simply says 'resend limit exceeded for phase1 exchange' and it
kills the attempts. Any help would be greatly appreciated as we are
trying to get this off the ground. In the example below I was using an
AT&T 3G card, but it also happened from a desktop using Cox ISP.
Rejected an IKE packet on ethernet0/0 from 166.204.222.138:500 to
xx.xx.xx.xx:500 with cookies 5dba7aba5e660ebc and 0000000000000000 because
an initial Phase 1 packet arrived from an unrecognized peer gateway.
The Mode under Define Advanced Parameters of the Autokey Advanced
Gateway definition needs to be set to Aggressive on some gateways. It
says (Initiator), which I take to mean when the gateway is acting as
the initiator, but a few people have reported this as a problem with
certain firmware versions. I'll update the document.
Hope this helps,
-Matthew
_______________________________________________
vpn-help mailing list
vpn-help at lists.shrew.net
http://lists.shrew.net/mailman/listinfo/vpn-help
Stian Jordet
2010-03-24 10:10:52 UTC
Post by Luke LeBoeuf
Matt,
Thanks again. That worked! The tunnel is now established, but now I
cannot seem to get to any device on the VPN network. The tunnel shows
up, the firewall logs show a good connection, but I cannot navigate to
any devices on the gateway side (i.e. RDP, NetBIOS, SSH, etc.). Any
ideas? Do I need to add additional policies that allow all traffic to
certain devices? I thought the VPN policy would have taken care of that
(Source = DialupVPN to Internal-net (192.168.1.0/24), any service, none
(all) application, action=tunnel, tunnel=vpnclient_tunnel). The VPN rule
is at the top of the list for the inbound (untrust to trust) rules; is
that acceptable?
If your vpn-tunnel is coming in on an interface on your Untrust virtual
router, you need to either enable "Auto Export Route to Untrust-VR" on
your Trust-VR, or manually set up destination routing in your Untrust-VR.

If your tunnel is coming in on the same virtual router as the network
you are trying to reach, I don't know what's wrong, but you can debug it
with debug flow basic.

-Stian