On 07/27/2011 05:54 AM, Christian Brandes wrote:
> Hi Chris,
>
> Rejected an IKE packet on ethernet0/2 from 86.189.19.236:57958 to
> XXX.XXX.XXX.XXXX:500 with cookies 202fae23c1e61f6b and 0000000000000000 because
> an initial Phase 1 packet arrived from an unrecognized peer gateway.
>
> This means, your Juniper appliance does not recognize the calling peer.
> It could be an issue with IKE Identity / IKE ID Type. Both must match at both
> ends (Juniper and VPN client).
> If you set IKE ID Type to "Auto" on the Juniper it changes to FQDN, IPADDR or
> U-FQDN on its own, depending on the IKE Identity inserted.
> If this does not solve your problem, please use "Shrew Soft VPN Trace" to
> gather more meaningful information.
> Possibly you have to run it with administrator permissions to be able to see
> log entries.
I think that's the right advice, especially since the SSG Howto has an
error when it comes to the identities.
In the Howto, it says to first create on the SSG a user called
'vpnclient_ph1id' and give it an IKE Identity = 'client.shrew.net'.
Later, when configuring the Shrew client, the Howto says that the 'Local
Identity' should be set to 'client.domain.com'.
This is incorrect, because, as you point out, IKE Identity = Local
Identity, so both of them should be 'client.shrew.net' or both should be
'whatever.somedomain.com'.
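The identity check discussed in this thread, as an added example that is not part of the original messages or of the Howto: it compares the IKE ID configured for a user on the SSG with the Local Identity in a Shrew site file. The `set user ... ike-id` line syntax, the `ident-client-type` / `ident-client-data` keys and the type mapping are assumptions about the two configuration formats, and the sample text is constructed to reproduce the Howto's mismatch.

```python
import re

# Assumed mapping from ScreenOS ike-id keywords to Shrew ident-client-type values.
SSG_TO_SHREW_TYPE = {"fqdn": "fqdn", "u-fqdn": "ufqdn", "ip": "address", "asn1-dn": "asn1dn"}

# Constructed samples: the Howto's values for the SSG user and the Shrew client.
SSG_CONFIG = 'set user "vpnclient_ph1id" ike-id fqdn "client.shrew.net" share-limit 1\n'
SHREW_SITE = "s:ident-client-type:fqdn\ns:ident-client-data:client.domain.com\n"

def ssg_ike_ids(config):
    """Return {user: (shrew_type, value)} for every 'set user ... ike-id' line."""
    pat = re.compile(r'^set user "([^"]+)" ike-id (\S+) "([^"]*)"', re.M)
    return {u: (SSG_TO_SHREW_TYPE.get(t, t), v) for u, t, v in pat.findall(config)}

def shrew_local_id(site):
    """Return (type, value) of the client's Local Identity from a site file."""
    fields = {}
    for line in site.splitlines():
        parts = line.strip().split(":", 2)  # <kind>:<key>:<value>
        if len(parts) == 3 and parts[1].startswith("ident-client-"):
            fields[parts[1]] = parts[2]
    return fields.get("ident-client-type"), fields.get("ident-client-data")

def check_identity(config, site, user):
    """List reasons the gateway would not recognise the client; empty means match."""
    ids = ssg_ike_ids(config)
    if user not in ids:
        return [f"no ike-id configured for user {user!r}"]
    (g_type, g_val), (c_type, c_val) = ids[user], shrew_local_id(site)
    problems = []
    if g_type != c_type:
        problems.append(f"ID type differs: gateway {g_type!r}, client {c_type!r}")
    if g_val != c_val:
        problems.append(f"ID value differs: gateway {g_val!r}, client {c_val!r}")
    return problems

if __name__ == "__main__":
    result = check_identity(SSG_CONFIG, SHREW_SITE, "vpnclient_ph1id")
    for line in result or ["identities match"]:
        print(line)
```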