Hi, I have a VPN between an SSG5 and a Shrew Soft VPN Client. The VPN comes up correctly and I can ping the trust interface, but I can't ping the server. Maybe a routing problem? Note that I have a VLAN in the Video (5) zone and I can ping 10.70.7.218 (the SSG5 interface in Video (5)). The policy log shows these sessions (each closes with AGE OUT and 0 bytes received): 2010-02-23 09:55:38 172.16.0.1:57726 10.70.7.150:53 172.16.0.1:57726 10.70.7.150:53 DNS 63 sec. 158 0 Close - AGE OUT 2010-02-23 09:54:05 172.16.0.1:63141 10.70.7.150:53 172.16.0.1:63141 10.70.7.150:53 DNS 62 sec. 328 0 Close - AGE OUT 2010-02-23 09:54:03 172.16.0.1:63182 10.70.7.150:53 172.16.0.1:63182 10.70.7.150:53 DNS 60 sec. 150 0 Close - AGE OUT This is my config file: set clock timezone 0 set vrouter trust-vr sharable set vrouter "untrust-vr" exit set vrouter "trust-vr" unset auto-route-export exit set alg appleichat enable unset alg appleichat re-assembly enable set alg sctp enable set auth-server "Local" id 0 set auth-server "Local" server-name "Local" set auth default auth server "Local" set auth radius accounting port 1646 set admin name "admin" set admin password "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" set admin auth web timeout 10 set admin auth dial-in timeout 3 set admin auth server "Local" set admin format dos set zone "Trust" vrouter "trust-vr" set zone "Untrust" vrouter "trust-vr" set zone "DMZ" vrouter "trust-vr" set zone "VLAN" vrouter "trust-vr" set zone id 100 "Video (5)" set zone "Untrust-Tun" vrouter "trust-vr" set zone id 101 "vpn_client" tunnel Video (5) set zone "vpn_client" vrouter "untrust-vr" set zone "Trust" tcp-rst set zone "Untrust" block unset zone "Untrust" tcp-rst set zone "MGT" block set zone "DMZ" tcp-rst set zone "VLAN" block unset zone "VLAN" tcp-rst unset zone "Video (5)" tcp-rst set zone "Untrust" screen tear-drop set zone "Untrust" screen syn-flood set zone "Untrust" screen ping-death set zone "Untrust" screen ip-filter-src set zone "Untrust" screen land set zone "V1-Untrust" screen tear-drop set zone "V1-Untrust" screen 
syn-flood set zone "V1-Untrust" screen ping-death set zone "V1-Untrust" screen ip-filter-src set zone "V1-Untrust" screen land set interface "ethernet0/0" zone "Untrust" set interface "ethernet0/1" zone "DMZ" set interface "bgroup0" zone "Trust" set interface "bgroup1" zone "Video (5)" set interface bgroup0 port ethernet0/2 set interface bgroup1 port ethernet0/5 unset interface vlan1 ip set interface ethernet0/0 ip 83.0.0..180/24 set interface ethernet0/0 route set interface bgroup0 ip 192.168.10.218/24 set interface bgroup0 nat set interface bgroup1 ip 10.70.7.218/24 set interface bgroup1 route set interface ethernet0/0 gateway 83.0.0..177 unset interface vlan1 bypass-others-ipsec unset interface vlan1 bypass-non-ip set interface ethernet0/0 ip manageable set interface bgroup0 ip manageable set interface bgroup1 ip manageable set interface ethernet0/0 manage ping set interface ethernet0/0 manage web set interface bgroup0 manage mtrace set interface bgroup1 manage ping set interface bgroup1 manage web set interface "serial0/0" modem settings "USR" init "AT&F" set interface "serial0/0" modem settings "USR" active set interface "serial0/0" modem speed 115200 set interface "serial0/0" modem retry 3 set interface "serial0/0" modem interval 10 set interface "serial0/0" modem idle-time 10 set flow tcp-mss unset flow tcp-syn-check unset flow tcp-syn-bit-check set flow reverse-route clear-text prefer set flow reverse-route tunnel always set pki authority default scep mode "auto" set pki x509 default cert-path partial set address "Trust" "10.70.0.0/255.255.0.0" 10.70.0.0 255.255.0.0 set address "Trust" "10.70.7.0/24" 10.70.7.0 255.255.255.0 set address "Trust" "Video rete" 10.70.7.0 255.255.255.0 set address "Trust" "Video server" 10.70.7.150 255.255.255.255 set address "Video (5)" "10.70.7.0/24" 10.70.7.0 255.255.255.0 set address "Video (5)" "10.70.7.150/32" 10.70.7.150 255.255.255.255 set ippool "vpn_ippool" 10.0.0.1 10.0.0.10 set ippool "ippool_vpn" 172.16.0.1 
172.16.0.20 set user "leo" uid 10 set user "leo" type xauth set user "leo" remote ippool "ippool_vpn" set user "leo" remote dns1 "10.70.7.150" set user "leo" password "yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy" unset user "leo" type auth set user "leo" "enable" set user "vpnclient_phase1_id" uid 9 set user "vpnclient_phase1_id" ike-id fqdn "client.gigli" share-limit 1 set user "vpnclient_phase1_id" type ike set user "vpnclient_phase1_id" "enable" set user-group "vpnclient_group" id 4 set user-group "vpnclient_group" user "leo" set user-group "vpnclient_group" user "vpnclient_phase1_id" set ike gateway "vpnclient_gateway" dialup "vpnclient_group" Aggr local-id "vpngw.gigli" outgoing-interface "ethernet0/0" preshare "zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz" proposal "pre-g2-3des-sha" "pre-g2-3des-md5" "pre-g2-aes128-sha" "pre-g2-aes128-md5" set ike gateway "vpnclient_gateway" dpd-liveness interval 30 unset ike gateway "vpnclient_gateway" nat-traversal udp-checksum set ike gateway "vpnclient_gateway" nat-traversal keepalive-frequency 5 set ike gateway "vpnclient_gateway" xauth server "Local" unset ike gateway "vpnclient_gateway" xauth do-edipi-auth set ike respond-bad-spi 1 set ike ikev2 ike-sa-soft-lifetime 60 unset ike ikeid-enumeration unset ike dos-protection unset ipsec access-session enable set ipsec access-session maximum 5000 set ipsec access-session upper-threshold 0 set ipsec access-session lower-threshold 0 set ipsec access-session dead-p2-sa-timeout 0 unset ipsec access-session log-error unset ipsec access-session info-exch-connected unset ipsec access-session use-error-log set xauth default ippool "ippool_vpn" set xauth default dns1 10.70.7.150 set vpn "vpnclient_tunnel" gateway "vpnclient_gateway" replay tunnel idletime 0 proposal "nopfs-esp-3des-sha" "nopfs-esp-3des-md5" "nopfs-esp-aes128-sha" "nopfs-esp-aes128-md5" set vrouter "untrust-vr" exit set vrouter "trust-vr" exit set url protocol websense exit set policy id 2 from "Untrust" to "Video (5)" 
"Dial-Up VPN" "10.70.7.0/24" "ANY" tunnel vpn "vpnclient_tunnel" id 0x9 pair-policy 5 log set policy id 2 exit set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit log set policy id 1 exit set policy id 5 from "Video (5)" to "Untrust" "10.70.7.0/24" "Dial-Up VPN" "ANY" tunnel vpn "vpnclient_tunnel" id 0x9 pair-policy 2 log set policy id 5 exit set nsmgmt bulkcli reboot-timeout 60 set ssh version v2 set config lock timeout 5 unset license-key auto-update set snmp port listen 161 set snmp port trap 162 set vrouter "untrust-vr" exit set vrouter "trust-vr" unset add-default-route exit set vrouter "untrust-vr" exit set vrouter "trust-vr" exit This is the report: 2010-02-23 10:01:18 info IKE 82.0.0.149 Phase 2 msg ID 9c8df9fe: Completed negotiations with SPI b32b6823, tunnel ID 32775, and lifetime 3600 seconds/0 KB. 2010-02-23 10:01:18 info IKE 82.0.0.149 Phase 2 msg ID 9c8df9fe: Responded to the peer's first message. 2010-02-23 10:01:05 info IKE 82.0.0.149: XAuth login was passed for gateway vpnclient_gateway, username leo, retry: 0, Client IP Addr 172.16.0.1, IPPool name: ippool_vpn, Session-Timeout: 0s, Idle-Timeout: 0s. 2010-02-23 10:01:05 info IKE 82.0.0.149: XAuth login was refreshed for username leo at 172.16.0.1/255.255.255.255. 2010-02-23 10:01:05 info Rejected an IKE packet on ethernet0/0 from 82.0.0.149:5916 to 83.0.0.180:4500 with cookies b055e36ced0c7ad5 and 0f3abbb6fc5fdbbc because A Phase 2 packet arrived while XAuth was still pending. 2010-02-23 10:01:05 info IKE 82.0.0.149 Phase 1: Completed Aggressive mode negotiations with a 28800-second lifetime. 2010-02-23 10:01:05 info IKE 82.0.0.149 Phase 1: Completed for user vpnclient_phase1_id. 2010-02-23 10:01:05 info IKE<82.0.0.149> Phase 1: IKE responder has detected NAT in front of the remote device. 2010-02-23 10:01:05 info IKE<82.0.0.149> Phase 1: IKE responder has detected NAT in front of the local device. 
2010-02-23 10:01:05 info IKE 82.0.0.149 Phase 1: Responder starts AGGRESSIVE mode negotiations. 2010-02-23 10:01:02 notif All logged events or alarms were cleared by admin admin Routing table: trust-vr IP/Netmask Gateway Interface Protocol Preference Metric Vsys Configure * 83.0.0.0/24 ethernet0/0 C Root - * 83.0.0.180/32 ethernet0/0 H Root - 192.168.10.0/24 bgroup0 C Root - 192.168.10.218/32 bgroup0 H Root - * 10.70.7.0/24 bgroup1 C Root - * 10.70.7.218/32 bgroup1 H Root - * 0.0.0.0/0 83.0.0.177 ethernet0/0 C 1 Root -