Tag Archives: juniper

Juniper SSG5 trouble switching the zone on an interface

I’m sure this will apply to other models as well. Trying to make configuration changes to the interface gives an error similar to: “cannot edit interface, interface currently in use”. Sadly, simply unplugging the interface is not the solution. In my case, I had to remove the interface (or rather, an address that routes through that interface) as a DNS Proxy before it became editable. Other things I also tried that may or may not be required:
– deleting all policies associated with the zone the interface is in (I’ve tested this and it looks like it’s not required);
– deleting policy elements -> addresses for that interface;
– deleting an address using the interface from DNS -> Host.

I basically went through my config file looking for anything referencing the zone the interface was in, the interface itself, or IP addresses that route through that interface. Unfortunately it’s quite irritating.

Switching from policy-based to route-based VPN with Juniper SSG5 and Shrew Soft

I used this guide to set up the VPN between my Juniper SSG5 and Shrew Soft client; however, it has a disadvantage: the VPN can only be tunnelled into one zone. To fix this, you can change the VPN from policy-based to route-based.

  1. Back up your config…
  2. Delete the VPN policies
  3. Create a new zone for your VPN – I called mine “VPN”
  4. Create a new tunnel interface in the new zone, make it unnumbered, and set the interface to whatever interface the incoming VPN will be going through (probably WAN)
  5. Go into VPNs > AutoKey IKE > edit > advanced, and select to bind to your tunnel interface
  6. Network > Routing > Destination, create a new route from the IP pool to the tunnel interface
  7. Create policies allowing communication between your VPN zone and whatever zones it should communicate with
  8. Test! (No changes needed on Shrew Soft)
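The same change expressed as ScreenOS CLI commands, added here as an illustration and not taken from the guide or from the original post. The names are assumptions: ethernet0/0 as the WAN (Untrust) interface, tunnel.1 as the new tunnel interface, “VPN” as the new zone, “shrew-vpn” as the existing AutoKey IKE VPN, 10.10.10.0/24 as the IKE IP pool, Trust as the internal zone, and policy ids 10 and 11 as the old policy-based VPN policies; the lines starting with `#` are annotations, not CLI input.

```screenos
# Added example, not from the original post: route-based VPN on a ScreenOS SSG5.
# Assumed names: ethernet0/0 = WAN interface, tunnel.1 = new tunnel interface,
# VPN = new zone, shrew-vpn = existing AutoKey IKE VPN, 10.10.10.0/24 = IKE IP pool,
# Trust = internal zone, policy ids 10/11 = old policy-based VPN policies.

# 1. Print the running config so it can be saved off-box before changing anything
get config

# 2. Delete the old policy-based VPN policies (look the ids up with "get policy")
unset policy id 10
unset policy id 11

# 3. Create the zone the tunnel will terminate in
set zone name VPN

# 4. Tunnel interface in the new zone, unnumbered, borrowing the WAN interface address
set interface tunnel.1 zone VPN
set interface tunnel.1 ip unnumbered interface ethernet0/0

# 5. Bind the existing AutoKey IKE VPN to the tunnel interface (VPNs > AutoKey IKE > Advanced)
set vpn shrew-vpn bind interface tunnel.1

# 6. Route the client IP pool into the tunnel
set route 10.10.10.0/24 interface tunnel.1

# 7. Policies between the VPN zone and each zone it should talk to (tighten as needed)
set policy from VPN to Trust any any any permit
set policy from Trust to VPN any any any permit

# 8. Persist the config and verify before testing from the Shrew Soft client
save
get interface tunnel.1
get route
get vpn
```

Use `get policy` first to find the real ids of the old VPN policies, and replace the `any any any` policies with the specific addresses and services you actually need once the tunnel is confirmed working.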

I did read a forum post about adding multiple policies, but my SSG5 gave errors that the IKE was already part of another policy when I tried to set up the additional policies. This method seems to work though.

Connecting to multiple subnets with Shrew Soft VPN and Juniper SSG 5

This issue may well affect other firewall models, but I’ve just been playing with the SSG 5.

I want to be able to reach 10.9.x.x and 10.10.x.x using my VPN connection (it’s set up like this, by the way).

The problem
– With one VPN connection and two policies on the Juniper and in Shrew Soft: for some reason, the wrong policy is often used and my packet gets dropped because there is no policy to allow it
– With one VPN connection and one policy on the Juniper and in Shrew (a CIDR covering both ranges): also not working; weirdly, the policy isn’t matching at all
– With one VPN connection, two policies in Shrew and one policy using an IP address group on the Juniper: policy not matching again…
– With two VPN connections and two policies in Shrew and on the Juniper: still not working! The policies don’t match if both VPNs are active, as the Juniper seems to disregard which VPN the packet has come from
– With one VPN connection, two policies in Shrew and one ANY policy on the Juniper: also not working… I think the Juniper just doesn’t like this policy

The solution
Take the last setup above: one VPN connection, whatever policies you need in Shrew, and one ANY policy on the Juniper. Then log onto your SSG and run the following command:
unset ike policy-checking

That was much more difficult than it should have been…