
Juniper Networks - How to configure Shrew Soft VPN client to work with ScreenOS firewalls - Knowledge Base


[KB22074]


SUMMARY:
This article provides information on how to configure the Shrew Soft VPN client to work with ScreenOS firewalls.

For VPN setup on the firewall, refer to KB14878 - Configure ScreenOS Firewall for use with a VPN Client using Pre-shared Keys (ScreenOS 6.0 and later) (ScreenOS 6.x) or KB6233 - Configure NetScreen-Remote VPN Client with Pre-shared Keys (ScreenOS 5.x).

For policy based VPN setup using a single IKE ID with XAuth, refer to KB14883 - How To: Create Multiple Dial Up VPN using same IKE ID (ScreenOS 6.0 and later) (ScreenOS 6.x) or KB6623 - How To: Create Multiple Dial Up VPN using same IKE ID (ScreenOS 5.x).

For route based VPN setup using a single IKE ID with XAuth, refer to KB15272 - How To: Create Route based Dial Up VPN using same IKE ID (ScreenOS 6.0 and later) (ScreenOS 6.x).

SYMPTOMS:
Configure the Shrew Soft VPN client to work with ScreenOS firewalls.

CAUSE:

SOLUTION:
1. Open the Shrew Soft VPN Access Manager.

2. Click Add to add a new VPN.

3. General tab:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB22074&actp=search[2/13/2017 3:40:51 PM]



a. Hostname or IP: 1.1.1.1.

b. Auto Configuration - Disabled (or ike config push if using IP Pool).

c. Address Method - Use an existing adapter and current address (or 'Use a virtual adapter and assigned
address' if using IP Pools; also select the 'Obtain Automatically' option).

4. Client tab:

a. NAT Traversal - enable.

b. NAT Traversal Port - 4500.

c. Keep-alive packet rate - 15 seconds.

d. IKE Fragmentation - enable.

e. Maximum packet size - 540 bytes.

f. Enable Dead Peer Detection - uncheck.

g. Enable ISAKMP Failure Notifications - uncheck.

h. Enable Client Login Banner - uncheck.

5. Name Resolution tab:


a. Enable WINS - uncheck (unless you are using XAuth with IP Pools and WINS).

b. Enable DNS - uncheck (unless you are using XAuth with IP Pools and DNS).

6. Authentication tab:

a. Authentication Method - Mutual PSK (or "Mutual PSK + XAuth" if using XAuth).

b. Local Identity tab:

i. Identification Type - User Fully Qualified Domain Name.

ii. UFQDN String - user1@screenos.com.

c. Credentials tab:


i. Pre Shared Key - screenos.

7. Phase 1 tab:

a. Exchange Type - Aggressive.

b. DH Exchange - group 2.

c. Cipher Algorithm - 3des.

d. Hash Algorithm - sha1.

e. Key Life Time limit - 28800 Secs.

f. Key Life Data limit - 0 Kbytes.

g. Enable Check Point Compatible Vendor ID - uncheck.

8. Phase 2 tab:


a. Transform Algorithm - esp-3des.

b. HMAC Algorithm - sha1.

c. PFS Exchange - group 2.

d. Compress Algorithm - disabled.

e. Key Life Time limit - 3600 seconds.

f. Key Life Data limit - 0 Kbytes.

9. Policy tab:

a. Policy Generation Level - auto.

b. Maintain Persistent Security Associations - uncheck.

c. Obtain Topology Automatically or Tunnel All - uncheck.

d. Click Add:


i. Type - Include.

ii. Address - 172.16.10.0.

iii. Netmask - 255.255.255.0.

iv. Click OK.

10. Click Save.

11. Provide a name for the connection.

12. Click Connect.

13. When the next dialog box is displayed, click Connect (or enter your XAuth username\password if using XAuth):

If the client connects successfully, the Connect button changes to Disconnect and the window displays "tunnel enabled".

If you have followed the above procedure and now require help in troubleshooting, refer to the VPN Configuration and
Troubleshooting Guide.
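
The profile produced by steps 3 to 8, checked in code. This is an added example, not part of the Juniper article or of Shrew Soft's tooling: it parses a saved client profile, lists the settings that are weak by current standards, and reports drift from the article's values. The "type:key:value" line format and the key names are assumptions about the client's saved profile, and the sample profile is constructed from the values above.

```python
# Added example, not Juniper's or Shrew Soft's code. Assumption: the profile is
# text with one "type:key:value" entry per line (n = number, s = string); the
# key names are assumed, so check them against a profile saved by your client.
ARTICLE_PROFILE = """\
s:network-host:1.1.1.1
s:auth-method:mutual-psk
s:phase1-exchange:aggressive
n:phase1-dhgroup:2
s:phase1-cipher:3des
s:phase1-hash:sha1
n:phase1-life-secs:28800
s:phase2-transform:esp-3des
s:phase2-hmac:sha1
n:phase2-pfsgroup:2
n:phase2-life-secs:3600
"""  # constructed from the values in steps 3 to 8

# Values the article uses for interoperability that are weak by current standards.
WEAK = {
    ("phase1-exchange", "aggressive"): "ID sent in clear; PSK-derived hash returned before the client is authenticated",
    ("phase1-dhgroup", 2): "1024-bit MODP group",
    ("phase2-pfsgroup", 2): "1024-bit MODP group",
    ("phase1-cipher", "3des"): "legacy 64-bit block cipher",
    ("phase2-transform", "esp-3des"): "legacy 64-bit block cipher",
    ("phase1-hash", "sha1"): "SHA-1 is being phased out",
    ("phase2-hmac", "sha1"): "SHA-1 is being phased out",
}

def parse_profile(text):
    """Return {key: value}; 'n' entries become int, lines not shaped type:key:value are skipped."""
    settings = {}
    for line in text.splitlines():
        kind, _, rest = line.strip().partition(":")
        key, sep, value = rest.partition(":")
        if kind in ("n", "s") and sep:
            settings[key] = int(value) if kind == "n" else value
    return settings

def audit(settings):
    """List the weak settings present in a parsed profile."""
    return [f"{k}={v}: {why}" for (k, v), why in WEAK.items() if settings.get(k) == v]

def drift(settings, baseline):
    """Keys whose value differs from the baseline; proposals must match the firewall."""
    return sorted(k for k in baseline if settings.get(k) != baseline[k])

if __name__ == "__main__":
    for finding in audit(parse_profile(ARTICLE_PROFILE)):
        print(finding)
```

Any value changed on the client to clear a finding must also be changed in the matching Phase 1 and Phase 2 proposals on the firewall, or the tunnel will not negotiate.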

PURPOSE:
Configuration
Interoperability

RELATED LINKS:

Copyright 1999-2012 Juniper Networks, Inc. All rights reserved.