Log In

Come Join Us!

Are you a
Computer / IT professional?
Join Tek-Tips Forums!
  • Talk With Other Members
  • Be Notified Of Responses
    To Your Posts
  • Keyword Search
  • One-Click Access To Your
    Favorite Forums
  • Automated Signatures
    On Your Posts
  • Best Of All, It's Free!

*Tek-Tips's functionality depends on members receiving e-mail. By joining you are opting in to receive e-mail.

Posting Guidelines

Promoting, selling, recruiting, coursework and thesis posting is forbidden.


Problems with VPNC client and SSG-20 (NS-OS 6.1)

Problems with VPNC client and SSG-20 (NS-OS 6.1)

I am running vpnc as an ipsec xauth client against a remote Juniper SSG20 running screenOS 6.1.x

I appear to be establishing my Ph1 and Ph2 portions successfully, but subsequently cannot get anywhere beyond the SSG20 with my client. I can ping the IP pool host he has been assigned (natch) and can ping the trusted side of the Juniper, but I cannot ping the inside default GW address, or anything else.

Here is an anonymized session from the SSG20's perspective:

2010-10-15 12:59:16    crit    VPN 'RAS-VPN-P2' XAuth from is down.
2010-10-15 12:57:26    crit    VPN 'RAS-VPN-P2' XAuth from is up.
2010-10-15 12:55:56    crit    VPN 'RAS-VPN-P2' XAuth from is down.
2010-10-15 12:49:49    info    IKE x.x.x.x Phase 2 msg ID fc8676d1: Completed negotiations with SPI 48c5c684, tunnel ID 32769, and lifetime 3600 seconds/0 KB.
2010-10-15 12:49:49    info    IKE x.x.x.x Phase 2 msg-id fc8676d1: Completed for user
2010-10-15 12:49:48    info    IKE x.x.x.x Phase 2 msg ID fc8676d1: Responded to the peer's first message from user
2010-10-15 12:49:47    info    IKE x.x.x.x : XAuth login was passed for gateway RAS-VPN-P1GW, username xauthuser, retry: 0, Client IP Addr, IPPool name: vpnpool, Session-Timeout: 0s, Idle-Timeout: 0s.
2010-10-15 12:49:47    info    IKE x.x.x.x : Received initial contact notification and removed Phase 1 SAs.
2010-10-15 12:49:47    info    IKE x.x.x.x Phase 1: Completed Aggressive mode negotiations with a 28800-second lifetime.
2010-10-15 12:49:47    info    IKE x.x.x.x Phase 1: Completed for user
2010-10-15 12:49:47    info    IKE x.x.x.x: Received initial contact notification and removed Phase 2 SAs.
2010-10-15 12:49:47    info    IKE x.x.x.x: Received a notification message for DOI 1 24578 INITIAL-CONTACT.
2010-10-15 12:49:46    info    IKE x.x.x.x Phase 1: Responder starts AGGRESSIVE mode negotiations.

My DG is defined on the untrust-vr.
The IP Pool route is associated with tunnel.1 interface
The route to my internal nets is associated with bgroup0, which is in the trust zone.
tunnel.1 is unnumbered, is in the trust zone and is associated with bgroup0.

This is a route based VPN with 2 simple "any-any" policies (trust-untrust / untrust-trust).

I suppose that the link up/ link down are symptoms of what's going on.

At this point I assume that it Layer3 related, but I can't figure it out and I have played a lot with the routes.



RE: Problems with VPNC client and SSG-20 (NS-OS 6.1)

Do you have the log option enabled on the 2 VPN Policies? Does it show any activity?
Does each internal net have Policies defined for the VPN, and are all the IP addresses shown in the Policy Elements Address List?


RE: Problems with VPNC client and SSG-20 (NS-OS 6.1)

Ok, here's what was going on and why I could bring up Phase 1 and 2 but not be able to get anywhere.

Static ARP entries in our core switches.

For some reason we needed to create ARP entries in our Cisco switches that matched up an IP address from the IP Pool (assigned by the SSG) to the bgroup0 MAC address.

I'm not sure why I had to do this. It isn't an issue with our ASA5505 or old Cisco VPNC3005. Just ScreenOS units.

Red Flag This Post

Please let us know here why this post is inappropriate. Reasons such as off-topic, duplicates, flames, illegal, vulgar, or students posting their homework.

Red Flag Submitted

Thank you for helping keep Tek-Tips Forums free from inappropriate posts.
The Tek-Tips staff will check this out and take appropriate action.

Reply To This Thread

Posting in the Tek-Tips forums is a member-only feature.

Click Here to join Tek-Tips and talk with other members!


Close Box

Join Tek-Tips® Today!

Join your peers on the Internet's largest technical computer professional community.
It's easy to join and it's free.

Here's Why Members Love Tek-Tips Forums:

Register now while it's still free!

Already a member? Close this window and log in.

Join Us             Close