
  • 1.  [SOLVED] Juniper SRX 100 multiple ipsec vpn tunnels

    Posted 04-14-2014 02:32

    Hi! I am trying to add one more ipsec tunnel and I can't manage to figure out why Juniper didn't initiate an SA.

     

    How it is configured and working now:

    linux_box 192.168.70.0/24 ---- L_IP ------------------- Juniper-1 IP ----- 192.168.10.0/24

    linux_box 192.168.70.0/24 ---- L_IP ------------------- Juniper-2 IP ----- 192.168.11.0/24

    I want to add 1 more tunnel to Juniper-1 and connect it to Juniper-2:

    linux_box 192.168.70.0/24 ---- L_IP ------------------- Juniper-1 IP ----- 192.168.10.0/24
                                                                |
                                                                |
    linux_box 192.168.70.0/24 ---- L_IP ------------------- Juniper-2 IP ----- 192.168.11.0/24


    But there is no ike SA at all:

    show security ike security-associations
        Index State Initiator cookie Responder cookie Mode Remote Address
        7890123 UP 00c9d224cf899b9c 76d39d264b3585dc Main Linux_box

    show security ike security-associations inactive
        Total inactive ike SAs: 0

     

    Juniper-1 conf is: http://pastebin.com/G7sCF9m2

    Juniper-2 conf is: http://pastebin.com/JGhrSRbX


    #ipsecsrx100


  • 2.  RE: [SOLVED] Juniper SRX 100 multiple ipsec vpn tunnels
    Best Answer

    Posted 04-14-2014 05:08

    I think you would need to add "ike" as an allowed system-service under your host-inbound-traffic policy on your external interface in your external security zone.  Also, we generally either have the st interface in a different zone than "trust", or create some NAT exclusions so that your trust->untrust NAT statement does not cover your VPN traffic.

     

    Ron
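    An added illustration of both of Ron's suggestions in Junos set syntax; this is not configuration from the thread or the linked pastebins. It assumes the external interface is ge-0/0/0.0 in zone untrust, the tunnel interface is st0.0, the existing source NAT rule-set is named trust-to-untrust with an interface NAT rule named internet-out, and the zone/policy names vpn and to-juniper2 are made up for the example.

```junos
## Added example, not the poster's config. Assumed names: ge-0/0/0.0 in zone untrust,
## tunnel interface st0.0, source NAT rule-set trust-to-untrust, rule internet-out.

## 1. The symptom (no IKE SA for the new peer, 0 inactive SAs) matches IKE being
##    dropped at the zone before the gateway ever sees it. Allow IKE as a
##    host-inbound system-service on the zone that holds the external interface.
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services ike

## 2a. Option 1: put st0.0 in its own zone so the trust->untrust source NAT
##     rule-set never matches traffic leaving through the tunnel. Traffic then
##     needs trust<->vpn policies instead of trust->untrust ones.
set security zones security-zone vpn interfaces st0.0
set security policies from-zone trust to-zone vpn policy to-juniper2 match source-address any
set security policies from-zone trust to-zone vpn policy to-juniper2 match destination-address any
set security policies from-zone trust to-zone vpn policy to-juniper2 match application any
set security policies from-zone trust to-zone vpn policy to-juniper2 then permit
set security policies from-zone vpn to-zone trust policy from-juniper2 match source-address any
set security policies from-zone vpn to-zone trust policy from-juniper2 match destination-address any
set security policies from-zone vpn to-zone trust policy from-juniper2 match application any
set security policies from-zone vpn to-zone trust policy from-juniper2 then permit

## 2b. Option 2: if st0.0 stays in untrust, exempt the VPN subnets from source NAT.
##     The source-nat off rule must be ordered before the interface NAT rule,
##     otherwise 192.168.10.0/24 is still translated and never matches the proxy-ID.
set security nat source rule-set trust-to-untrust rule no-nat-to-juniper2 match source-address 192.168.10.0/24
set security nat source rule-set trust-to-untrust rule no-nat-to-juniper2 match destination-address 192.168.11.0/24
set security nat source rule-set trust-to-untrust rule no-nat-to-juniper2 then source-nat off
insert security nat source rule-set trust-to-untrust rule no-nat-to-juniper2 before rule internet-out

## 3. Commit and check: the new peer should now show State UP in the IKE table
##    and an installed tunnel in the IPsec table.
commit
run show security ike security-associations
run show security ipsec security-associations
```

    Use either 2a or 2b, not both; 2a is the cleaner of the two because it keeps the NAT rule-set and the VPN policy decoupled.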



  • 3.  RE: [SOLVED] Juniper SRX 100 multiple ipsec vpn tunnels

    Posted 04-14-2014 05:16

    Aww, thank you! 



  • 4.  RE: [SOLVED] Juniper SRX 100 multiple ipsec vpn tunnels

    Posted 04-14-2014 05:35

    Not a problem at all...  I cannot tell you how many times a missed host-inbound-traffic issue has caused me to spend an inordinate amount of time troubleshooting BGP, OSPF, IKE, etc.

     

    Ron