Hi Sam!!
I could give you a big hug right now!
Setting the host-inbound-traffic system-services ike on the interface did the trick!
VPN tunnel's up BUT no traffic is coming through...
I double-checked the config on both sides and was also going through this KB:
http://kb.juniper.net/InfoCenter/index?page=content&id=KB9276
This described exactly what I tested anyway.
Since I know my SSG (ScreenOS) very well, I will post the SRX side:
IKE:
root@metze> show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
7910063 UP 986abde0dca36582 d818606d4904bb6b Aggressive 86.103.130.68
IPSec:
root@metze> show security ipsec security-associations
Total active tunnels: 1
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<131073 ESP:aes-256/sha1 9544ecfe 1350/ unlim - root 4500 86.103.130.68
>131073 ESP:aes-256/sha1 3d15cd47 1350/ unlim - root 4500 86.103.130.68
NAT:
root@metze> show security nat source rule all
Total rules: 2
Total referenced IPv4/IPv6 ip-prefixes: 4/0
source NAT rule: no_nat Rule-set: nsw_srcnat
Rule-Id : 1
Rule position : 1
From zone : trust
To zone : Internet
Match
Source addresses : 192.168.179.0 - 192.168.179.255
Destination addresses : 192.168.8.0 - 192.168.8.255
Destination port : 0 - 0
Action : off
Persistent NAT type : N/A
Persistent NAT mapping type : address-port-mapping
Inactivity timeout : 0
Max session number : 0
Translation hits : 4868
source NAT rule: nsw-src-interface Rule-set: nsw_srcnat
Rule-Id : 2
Rule position : 2
From zone : trust
To zone : Internet
Match
Source addresses : 192.168.179.0 - 192.168.179.255
Destination addresses : 0.0.0.0 - 255.255.255.255
Destination port : 0 - 0
Action : interface
Persistent NAT type : N/A
Persistent NAT mapping type : address-port-mapping
Inactivity timeout : 0
Max session number : 0
Translation hits : 1241
Policies:
root@metze> show security policies from-zone Internet to-zone trust
From zone: Internet, To zone: trust
Policy: from_transfair, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 1
Source addresses: netz_transfair
Destination addresses: netz_metze
Applications: any
Action: permit, log
root@metze> show security policies from-zone trust to-zone Internet
From zone: trust, To zone: Internet
Policy: to_transfair, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
Source addresses: netz_metze
Destination addresses: netz_transfair
Applications: any
Action: permit, log
Policy: All_trust_Internet, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 2
Source addresses: any
Destination addresses: any
Applications: any
Action: permit
Route:
root@metze> show route 192.168.8.1
inet.0: 6 destinations, 7 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
192.168.8.0/24 *[Static/5] 03:46:46
> via st0.0
Security flow:
root@metze> ...prefix 192.168.179.0/24 destination-prefix 192.168.8.0/24
Session ID: 23416, Policy name: to_transfair/4, Timeout: 2, Valid
In: 192.168.179.99/13128 --> 192.168.8.14/12868;icmp, If: fe-0/0/1.0, Pkts: 1, Bytes: 84
Out: 192.168.8.14/12868 --> 192.168.179.99/13128;icmp, If: st0.0, Pkts: 0, Bytes: 0
So, the correct policy (4) and correct tunnel interface (st0.0).
Logging on my SSG520:
cluster:tfkiel_kiwi_fw_2(M)-> get log traffic src-ip 192.168.179.99
No entry matched.
I want to go from 192.168.179.0/24 (home) to 192.168.8.0/24 (remote) and vice versa.
Everything looks fine to me...
Thank you so much for your help so far!!
Cheers
Andy
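The flow session above is the most telling piece of the post: the In wing on fe-0/0/1.0 has counted a packet, the Out wing on st0.0 has counted none, so traffic is entering the tunnel but nothing is returning. The following is an added example, not part of Andy's post or any Juniper tool, that parses `show security flow session` output in exactly the layout shown above and lists sessions whose return wing sits on a tunnel interface (assumed prefix `st0`) with zero packets. The sample output is constructed: it reuses the session from the post and adds two made-up sessions (a healthy tunnel session and a one-way Internet session that should not be flagged).

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Header and wing line formats as printed by SRX "show security flow session".
SESSION_RE = re.compile(
    r"Session ID: (?P<sid>\d+), Policy name: (?P<policy>[^,]+), "
    r"Timeout: (?P<timeout>\d+), (?P<state>\w+)"
)
WING_RE = re.compile(
    r"(?P<direction>In|Out): (?P<src>[\d.]+)/(?P<sport>\d+) --> "
    r"(?P<dst>[\d.]+)/(?P<dport>\d+);(?P<proto>\w+), If: (?P<ifname>[^,]+), "
    r"Pkts: (?P<pkts>\d+), Bytes: (?P<nbytes>\d+)"
)


@dataclass
class Wing:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    ifname: str
    pkts: int
    nbytes: int


@dataclass
class Session:
    session_id: int
    policy: str
    timeout: int
    state: str
    wings: Dict[str, Wing] = field(default_factory=dict)  # keyed "In" / "Out"


def parse_sessions(text: str) -> List[Session]:
    """Turn the CLI dump into Session objects; unrelated lines are ignored."""
    sessions: List[Session] = []
    current: Optional[Session] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SESSION_RE.match(line)
        if m:
            current = Session(int(m["sid"]), m["policy"], int(m["timeout"]), m["state"])
            sessions.append(current)
            continue
        m = WING_RE.match(line)
        if m and current is not None:
            current.wings[m["direction"]] = Wing(
                m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["proto"],
                m["ifname"], int(m["pkts"]), int(m["nbytes"]),
            )
    return sessions


def one_way_tunnel_sessions(sessions: List[Session], tunnel_prefix: str = "st0") -> List[Session]:
    """Sessions whose In wing carried packets but whose Out wing, on a tunnel
    interface, never saw a reply: the signature of a route-based VPN that is
    up but not passing traffic in at least one direction."""
    flagged = []
    for s in sessions:
        inw, outw = s.wings.get("In"), s.wings.get("Out")
        if inw is None or outw is None:
            continue  # incomplete dump, nothing to conclude
        if outw.ifname.startswith(tunnel_prefix) and inw.pkts > 0 and outw.pkts == 0:
            flagged.append(s)
    return flagged


# Constructed sample: session 23416 is copied from the post, the other two are made up.
SAMPLE_OUTPUT = """\
Session ID: 23416, Policy name: to_transfair/4, Timeout: 2, Valid
  In: 192.168.179.99/13128 --> 192.168.8.14/12868;icmp, If: fe-0/0/1.0, Pkts: 1, Bytes: 84
  Out: 192.168.8.14/12868 --> 192.168.179.99/13128;icmp, If: st0.0, Pkts: 0, Bytes: 0
Session ID: 23417, Policy name: to_transfair/4, Timeout: 1800, Valid
  In: 192.168.179.50/51234 --> 192.168.8.10/22;tcp, If: fe-0/0/1.0, Pkts: 42, Bytes: 5120
  Out: 192.168.8.10/22 --> 192.168.179.50/51234;tcp, If: st0.0, Pkts: 38, Bytes: 6400
Session ID: 23418, Policy name: All_trust_Internet/5, Timeout: 2, Valid
  In: 192.168.179.99/40000 --> 203.0.113.9/443;tcp, If: fe-0/0/1.0, Pkts: 1, Bytes: 60
  Out: 203.0.113.9/443 --> 192.168.179.99/40000;tcp, If: fe-0/0/0.0, Pkts: 0, Bytes: 0
Total sessions: 3
"""

if __name__ == "__main__":
    for s in one_way_tunnel_sessions(parse_sessions(SAMPLE_OUTPUT)):
        out = s.wings["Out"]
        print(f"session {s.session_id} ({s.policy}): {s.wings['In'].pkts} pkt(s) in, "
              f"0 back via {out.ifname}, timeout {s.timeout}s")
```

Run against a pasted dump, the check narrows a "tunnel up, no traffic" case to the sessions that actually went into the tunnel and died there, which is the set to compare against the peer's traffic log (the SSG `get log traffic` query in the post returning nothing for the same source is the other half of that comparison).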