I’m sure this will apply to other models as well. Trying to make configuration changes to the interface gives an error similar to: “cannot edit interface, interface currently in use”. Sadly, simply unplugging the interface is not the solution. In my case, I had to remove the interface (or rather, an address that routes through that interface) as a DNS Proxy before the interface became editable. Other things I also tried that may or may not be required: deleting all policies associated with the zone the interface is in (I’ve tested this and it looks like it’s not required); deleting Policy Elements -> Addresses for that interface; and deleting an address using the interface from DNS -> Host.
I basically went through my config file looking for anything referencing the zone the interface was in, the interface itself, or IP addresses that route through that interface. Unfortunately it’s quite irritating.
I used this guide to set up the VPN between my Juniper SSG5 and the Shrew Soft client; however, it has a disadvantage: the VPN can only be tunnelled into one zone. To fix this, you can change the VPN from policy-based to route-based.
- Backup your config…
- Delete the VPN policies
- Create a new zone for your VPN – I called mine “VPN”
- Create a new tunnel interface in the new zone, make it unnumbered, and set its source interface to whatever interface the incoming VPN will arrive on (probably WAN)
- Go into VPNs > AutoKey IKE > edit > advanced, and select to bind to your tunnel interface
- Under Network > Routing > Destination, create a new route from the IP pool to the tunnel interface
- Create policies allowing communication between your VPN zone and whatever zones it should communicate with
- Test! (No changes needed on Shrew Soft)
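The same change expressed as ScreenOS CLI commands, added here as an illustration rather than taken from the guide above; the interface, zone, VPN object and client pool names are assumed placeholders, and the exact syntax should be checked against the CLI reference for your ScreenOS release:

```screenos
# Added example: route-based dial-up VPN on an SSG5 via the ScreenOS CLI.
# Assumed names: tunnel interface tunnel.1, zone "VPN", existing AutoKey IKE
# VPN object "shrew-vpn", WAN interface ethernet0/0, client IP pool 10.20.20.0/24.
# The old VPN policies must already be deleted, or the bind step is refused.

# 1. New zone to hold the tunnel interface
set zone name "VPN"

# 2. Tunnel interface in that zone, unnumbered, borrowing the WAN interface address
set interface tunnel.1 zone "VPN"
set interface tunnel.1 ip unnumbered interface ethernet0/0

# 3. Bind the existing AutoKey IKE VPN to the tunnel interface (VPNs > AutoKey IKE > Advanced)
set vpn "shrew-vpn" bind interface tunnel.1

# 4. Route the client IP pool into the tunnel so return traffic knows where to go
set route 10.20.20.0/24 interface tunnel.1

# 5. Policies between the VPN zone and the internal zones it needs to reach.
#    "Any"/"ANY" is the broadest possible rule; narrow the addresses and services
#    to what the clients actually need once the tunnel is confirmed working.
set policy id 100 from "VPN" to "Trust" "Any" "Any" "ANY" permit
set policy id 101 from "Trust" to "VPN" "Any" "Any" "ANY" permit

save
```

Lines beginning with # are annotations for the reader, not commands to paste into the SSG.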
I did read a forum post about adding multiple policies, but my SSG5 gave errors saying the IKE was already part of another policy when I tried to set up the additional policies. This method seems to work, though.
This issue may well affect other firewall models, but I’ve just been playing with the SSG 5.
I want to be able to reach 10.9.x.x and 10.10.x.x using my VPN connection (it’s set up like this, by the way).
- With one VPN connection, two policies on the Juniper and in Shrew Soft: for some reason the wrong policy is often used and my packet gets dropped because no policy allows it
- With one VPN connection, one policy on the Juniper and in Shrew (a CIDR covering both address ranges): also not working; weirdly, the policy isn’t matching at all
- With one VPN connection, two policies in Shrew and one policy using an IP address group on the Juniper: policy not matching again…
- With two VPN connections, two policies in Shrew and on the Juniper: still not working!! Policies don’t match if both VPNs are active, as the Juniper seems to disregard which VPN the packet has come from
- With one VPN connection, two policies in Shrew and one ANY policy on the Juniper: also not working… I think the Juniper just doesn’t like this policy
Pick the last attempt above: use one VPN connection, whatever policies you need in Shrew, and one ANY policy on the Juniper. Then log onto your SSG and use the following command:
unset ike policy-checking
That was much more difficult than it should have been…