Support Support Downloads Knowledge Base Juniper Support Portal Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[ScreenOS] How to configure Shrew Soft VPN client to work with Netscreen firewalls



Article ID: KB22074 KB Last Updated: 21 Mar 2020Version: 4.0

This article provides information on how to configure the Shrew Soft VPN client to work with ScreenOS firewalls.


Configure the Shrew Soft VPN client to work with ScreenOS firewalls.

Note: Shrew Soft VPN client is a product of and supported by Shrew Soft (

  1. Open the Shrew Soft VPN Access Manager.

  2. Click Add to add a new VPN.

  3. General tab:

    1. Hostname or IP:
    2. Auto Configuration - Disabled (or ike config push if using IP Pool).
    3. Address Method - Use an existing adapter and current address (or 'Use a virtual adapter and assigned address' if using IP Pools; also select the 'Obtain Automatically' option).
  4. Client tab:

    1. NAT Traversal - enable.
    2. NAT Traversal Port - 4500.
    3. Keep-alive packet rate - 15 seconds.
    4. IKE Fragmentation - enable.
    5. Maximum packet size - 540 bytes.
    6. Enable Dead Peer Detection - uncheck.
    7. Enable ISAKMP Failure Notifications - uncheck.
    8. Enable Client Login Banner - uncheck.
  5. Name Resolution tab:

    1. Enable WINS - uncheck (unless you are using XAuth with IP Pools and WINS).
    2. Enable DNS - uncheck (unless you are using XAuth with IP Pools and DNS).
  6. Authentication tab:

    1. Authentication Method - Mutual PSK (or "Mutual PSK + XAuth" if using XAuth).
    2. Local Identity tab:
      1. Identification Type - User Fully Qualified Domain Name.
      2. UFQDN String -
    3. Credentials tab:

      Pre Shared Key - screenos.
  7. Phase 1 tab:

    1. Exchange Type - Aggressive.
    2. DH Exchange - group 2.
    3. Cipher Algorithm - 3des.
    4. Hash Algorithm - sha1.
    5. Key Life Time limit - 28800 Secs.
    6. Key Life Data limit - 0 Kbytes.
    7. Enable Check Point Compatible Vendor ID - uncheck.
  8. Phase 2 tab:

    1. Transform Algorithm - esp-3des. 
    2. HMAC Algorithm - sha1. 
    3. PFS Exchange - group 2. 
    4. Compress Algorithm - disabled 
    5. Key Life Time limit - 3600 seconds. 
    6. Key Life Data limit - 0 Kbytes.
  9. Policy tab:

    1. Policy Generation Level - auto.
    2. Maintain Persistent Security Associations - uncheck.
    3. Obtain Topology Automatically or Tunnel All - uncheck.
    4. Click Add:

      1. Type - Include.
      2. Address -
      3. Netmask -
      4. Click OK.

  10. Click Save.

  11. Provide a name for the connection.

  12. Click Connect.

  13. When the next dialog box is displayed, click Connect (or enter your XAuth username\password if using XAuth):

    If the client connects successfully, the connect button will change to disconnect and the windows will display tunnel enabled:

If you have followed the above procedure and now require help in troubleshooting, refer to KB9221 - How to Troubleshoot a Firewall VPN Issue

Modification History:
2020-03-21: Removed references to NS Remote.
Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search