I used this guide to set up the VPN between my Juniper SSG5 and Shrew Soft client; however, it has a disadvantage: the VPN can only be tunnelled into one zone. To fix this, you can change the VPN from policy-based to route-based.
- Back up your config…
- Delete the VPN policies
- Create a new zone for your VPN – I called mine “VPN”
- Create a new tunnel interface in the new zone; make it unnumbered and set its interface to whatever interface the incoming VPN will be coming through (probably WAN)
- Go into VPNs > AutoKey IKE > edit > advanced, and bind the VPN to your tunnel interface
- Network > Routing > Destination, create a new route from the IP pool to the tunnel interface
- Create policies allowing communication between your VPN zone and whatever zones it should communicate with
- Test! (No changes needed on Shrew Soft)
I did read a forum post about adding multiple policies, but my SSG5 gave errors that the IKE was already part of another policy when I tried to set up the additional policies. This method seems to work though.
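The same steps expressed as ScreenOS CLI commands, as an added example that is not part of the original post or of any Juniper documentation. The zone name "VPN" and a tunnel interface come from the steps above; the rest are assumptions: ethernet0/0 as the WAN (Untrust) interface, "shrew-vpn" as the name of the existing AutoKey IKE VPN, 10.10.10.0/24 as the Shrew Soft IP pool, and Trust as the internal zone to reach. Lines beginning with # are annotations for the reader, not commands the SSG accepts.

```screenos
# Added example: convert a dial-up (Shrew Soft) VPN on an SSG5 from
# policy-based to route-based. All names and addresses below are assumed
# values; replace them with the ones from your own configuration.

# Step 1/2: back up first (e.g. save the running config from the WebUI),
# then remove the old policy-based tunnel policies. Find their IDs with
# "get policy" and unset each one, for example:
#   unset policy id <POLICY-ID>

# Step 3: a dedicated security zone for VPN clients
set zone name "VPN"

# Step 4: an unnumbered tunnel interface in that zone, borrowing the
# address of the WAN interface the IKE traffic arrives on (assumed ethernet0/0)
set interface tunnel.1 zone "VPN"
set interface tunnel.1 ip unnumbered interface ethernet0/0

# Step 5: bind the existing AutoKey IKE VPN (assumed name) to the tunnel interface
set vpn "shrew-vpn" bind interface tunnel.1

# Step 6: route the client IP pool (assumed 10.10.10.0/24) out the tunnel interface
set route 10.10.10.0/24 interface tunnel.1

# Step 7: address object for the pool and ordinary (non-tunnel) policies
# between the VPN zone and the zone(s) it should reach. Scope the source
# to the pool rather than "Any" so only addresses from the tunnel match,
# and log so the traffic shows up in the policy logs while testing.
set address "VPN" "shrew-pool" 10.10.10.0 255.255.255.0
set policy from "VPN" to "Trust" "shrew-pool" "Any" "ANY" permit log
set policy from "Trust" to "VPN" "Any" "shrew-pool" "ANY" permit log

# Persist the running configuration
save
```

Repeat the two policy lines for each additional zone the clients should reach (DMZ, a second LAN zone, and so on); because the VPN is now bound to tunnel.1 rather than to a policy, no further changes are needed on the Shrew Soft side.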