Connecting to multiple subnets with Shrew Soft VPN and Juniper SSG 5

This issue may well affect other firewall models, but I’ve only been playing with the SSG 5.

I want to
Be able to reach 10.9.x.x and 10.10.x.x using my VPN connection (it’s set up like this, by the way)

The problem
– With one VPN connection, two policies on the Juniper and in Shrew Soft; for some reason the wrong policy is often used and my packets get dropped because there is no policy to allow them
– With one VPN connection, one policy on the Juniper and in Shrew (a CIDR covering both subnets); also not working, the policy isn’t matching at all, weirdly
– With one VPN connection, two policies in Shrew and one policy using an IP address group on the Juniper; policy not matching again…
– With two VPN connections, two policies in Shrew and on the Juniper; still not working! Policies don’t match if both VPNs are active, as the Juniper seems to disregard which VPN the packet came from
– With one VPN connection, two policies in Shrew and one ANY policy on the Juniper; also not working… it seems the Juniper just doesn’t like this policy

The solution
Take the last setup above: one VPN connection, whatever policies you need in Shrew Soft and one ANY policy on the Juniper. Then log onto your SSG and run the following command:
unset ike policy-checking
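
To see why that command is what makes the ANY policy work, here is a small model (added here, not the author’s or Juniper’s code, and a simplification of ScreenOS behaviour) of the two separate checks the SSG applies: the IKE Phase 2 proxy-ID check, which with policy checking enabled demands an exact match against a policy and which `unset ike policy-checking` switches off, and the per-packet firewall policy lookup, which only needs the destination to fall inside the policy’s address object. The Shrew policy entries and the sample host addresses are constructed; the two-policy selection problem the author hit is not modelled.

```python
from ipaddress import ip_address, ip_network

# Constructed sample: the two Shrew Soft policy entries from the post. Shrew
# negotiates one Phase 2 SA per entry, proposing that subnet as the proxy ID.
SHREW_POLICIES = ["10.9.0.0/16", "10.10.0.0/16"]


def phase2_accepted(proxy_id, ssg_policies, policy_checking=True):
    """IKE-level check on the client's proposed proxy ID (simplified model).

    With policy checking on, ScreenOS only accepts a proxy ID that exactly
    matches a policy's destination address; 'unset ike policy-checking'
    removes the comparison entirely, so any proxy ID is accepted."""
    if not policy_checking:
        return True
    proposed = ip_network(proxy_id)
    return any(ip_network(p) == proposed for p in ssg_policies)


def firewall_permits(dst_ip, ssg_policies):
    """Per-packet policy lookup: containment, not exact match."""
    dst = ip_address(dst_ip)
    return any(dst in ip_network(p) for p in ssg_policies)


def scenario(ssg_policies, policy_checking):
    """For each Shrew entry: does the SA come up AND does a packet to a host
    in that subnet then pass the SSG policy?  Returns {entry: reachable}."""
    reachable = {}
    for entry in SHREW_POLICIES:
        sa_up = phase2_accepted(entry, ssg_policies, policy_checking)
        sample_host = str(ip_network(entry)[1])   # e.g. 10.9.0.1
        reachable[entry] = sa_up and firewall_permits(sample_host, ssg_policies)
    return reachable


if __name__ == "__main__":
    # One covering CIDR: firewall lookup would pass, but the proxy IDs
    # 10.9.0.0/16 and 10.10.0.0/16 never equal 10.8.0.0/14, so the SAs fail.
    print("covering CIDR, checking on :", scenario(["10.8.0.0/14"], True))
    # ANY policy with checking on: 0.0.0.0/0 is not an exact match either.
    print("ANY policy,    checking on :", scenario(["0.0.0.0/0"], True))
    # ANY policy with 'unset ike policy-checking': both subnets reachable.
    print("ANY policy,    checking off:", scenario(["0.0.0.0/0"], False))
```

Once policy checking is off, the SSG no longer validates the subnets the client proposes, so the firewall policy (here the ANY rule) is the only thing deciding what tunnel traffic is permitted.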

That was much more difficult than it should have been…

