SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  [SOLVED] Juniper SRX 100 multiple ipsec vpn tunnels

    Posted 04-14-2014 02:32

    Hi! I am trying to add one more IPsec tunnel and I can't figure out why the Juniper doesn't initiate the SA.

    How it is configured and working now:

    linux_box 192.168.70.0/24 ---- L_IP ------------------- Juniper-1 IP ----- 192.168.10.0/24

    linux_box 192.168.70.0/24 ---- L_IP ------------------- Juniper-2 IP ----- 192.168.11.0/24

    I want to add one more tunnel to Juniper-1 and connect it to Juniper-2:

    linux_box 192.168.70.0/24 ---- L_IP ------------------- Juniper-1 IP ----- 192.168.10.0/24
                                                                |
                                                                |
    linux_box 192.168.70.0/24 ---- L_IP ------------------- Juniper-2 IP ----- 192.168.11.0/24

    But there is no IKE SA at all:

    show security ike security-associations
        Index State Initiator cookie Responder cookie Mode Remote Address
        7890123 UP 00c9d224cf899b9c 76d39d264b3585dc Main Linux_box

    show security ike security-associations inactive
        Total inactive ike SAs: 0


    Juniper-1 conf is: http://pastebin.com/G7sCF9m2

    Juniper-2 conf is: http://pastebin.com/JGhrSRbX


  • 2.  RE: [SOLVED] Juniper SRX 100 multiple ipsec vpn tunnels
    Best Answer

    Posted 04-14-2014 05:08

    I think you would need to add "ike" as an allowed system-service under your host-inbound-traffic policy on your external interface in your external security zone.  Also, we generally either have the st interface in a different zone than "trust", or create some NAT exclusions so that your trust->untrust NAT statement does not cover your VPN traffic.


    Ron
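The two fixes in the answer above, written out as a Junos set-style configuration for Juniper-1. This is an added example, not the poster's pastebin config or anything from the thread: the interface names (fe-0/0/0.0 as the external interface, st0.0 for the existing tunnel, st0.1 for the new one), the gateway/policy/proposal names, the peer address 203.0.113.2 and the algorithm choices are all assumptions; the zone names trust and untrust and the LAN subnets come from the posts. Section 1 is the part that makes the IKE SA appear at all; sections 4 and 5 are the two alternatives for keeping the trust->untrust source NAT off the VPN traffic.

```junos
## Added example, not the original poster's configuration. Interface names,
## object names, the peer address and the algorithms are assumptions.

## 1. Allow inbound IKE on the external interface in the untrust zone.
##    Without "ike" here the SRX drops the peer's UDP/500 and UDP/4500
##    packets and "show security ike security-associations" stays empty.
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ping

## 2. Second route-based tunnel, Juniper-1 -> Juniper-2, on its own st0 unit.
##    Juniper-2 needs the mirror image of this with its own addresses.
set interfaces st0 unit 1 family inet
set security ike proposal ike-prop-j2 authentication-method pre-shared-keys
set security ike proposal ike-prop-j2 dh-group group14
set security ike proposal ike-prop-j2 authentication-algorithm sha-256
set security ike proposal ike-prop-j2 encryption-algorithm aes-256-cbc
set security ike policy ike-pol-j2 mode main
set security ike policy ike-pol-j2 proposals ike-prop-j2
set security ike policy ike-pol-j2 pre-shared-key ascii-text "<shared-secret>"
set security ike gateway gw-juniper2 ike-policy ike-pol-j2
set security ike gateway gw-juniper2 address 203.0.113.2
set security ike gateway gw-juniper2 external-interface fe-0/0/0.0
set security ipsec proposal ipsec-prop-j2 protocol esp
set security ipsec proposal ipsec-prop-j2 authentication-algorithm hmac-sha-256-128
set security ipsec proposal ipsec-prop-j2 encryption-algorithm aes-256-cbc
set security ipsec policy ipsec-pol-j2 perfect-forward-secrecy keys group14
set security ipsec policy ipsec-pol-j2 proposals ipsec-prop-j2
set security ipsec vpn vpn-juniper2 bind-interface st0.1
set security ipsec vpn vpn-juniper2 ike gateway gw-juniper2
set security ipsec vpn vpn-juniper2 ike ipsec-policy ipsec-pol-j2
set security ipsec vpn vpn-juniper2 establish-tunnels immediately

## 3. Send Juniper-2's LAN into the new tunnel.
set routing-options static route 192.168.11.0/24 next-hop st0.1

## 4. Option A: keep the tunnel interfaces in their own zone, so traffic from
##    trust to the far LANs is trust->vpn and the trust->untrust NAT rule-set
##    never matches it. Permit both directions explicitly.
set security zones security-zone vpn interfaces st0.0
set security zones security-zone vpn interfaces st0.1
set security policies from-zone trust to-zone vpn policy trust-to-vpn match source-address any
set security policies from-zone trust to-zone vpn policy trust-to-vpn match destination-address any
set security policies from-zone trust to-zone vpn policy trust-to-vpn match application any
set security policies from-zone trust to-zone vpn policy trust-to-vpn then permit
set security policies from-zone vpn to-zone trust policy vpn-to-trust match source-address any
set security policies from-zone vpn to-zone trust policy vpn-to-trust match destination-address any
set security policies from-zone vpn to-zone trust policy vpn-to-trust match application any
set security policies from-zone vpn to-zone trust policy vpn-to-trust then permit

## 5. Option B: if the st0 units must stay in a zone the trust->untrust
##    rule-set covers, exempt the VPN destinations from source NAT and make
##    sure the exemption is evaluated before the catch-all rule.
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule no-nat-vpn match destination-address 192.168.11.0/24
set security nat source rule-set trust-to-untrust rule no-nat-vpn match destination-address 192.168.70.0/24
set security nat source rule-set trust-to-untrust rule no-nat-vpn then source-nat off
set security nat source rule-set trust-to-untrust rule nat-all match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule nat-all then source-nat interface
insert security nat source rule-set trust-to-untrust rule no-nat-vpn before rule nat-all
```

After `commit`, `show security zones` should list `ike` under the untrust interface's host-inbound-traffic, `show security ike security-associations` should show a second entry with Juniper-2's address in state UP, and `show security ipsec security-associations` should show the pair of Phase 2 SAs for st0.1. If the IKE SA still does not come up, `show security ike security-associations inactive` and the IKE traceoptions are the next things to check, and the proposals on both ends must match exactly.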



  • 3.  RE: [SOLVED] Juniper SRX 100 multiple ipsec vpn tunnels

    Posted 04-14-2014 05:16

    Aww, thank you! 



  • 4.  RE: [SOLVED] Juniper SRX 100 multiple ipsec vpn tunnels

    Posted 04-14-2014 05:35

    Not a problem at all...  I cannot tell you how many times a missed host-inbound-traffic issue has caused me to spend an inordinate amount of time troubleshooting BGP, OSPF, IKE, etc.


    Ron