SRX


Tunnel between SRX's not passing traffic

  • 1.  Tunnel between SRX's not passing traffic

    Posted 10-20-2019 13:49

    Hello everyone!! 


    I have an SRX210 here in my office, and I just set up a cluster of SRX340s at a client network.  I set up a tunnel between them, using a working config example, and the IKE and IPsec security associations come 'UP' and show good, but no traffic will go across the tunnel.  I cannot ping either side from either side.  I have the host-inbound with ping and traceroute, but still nothing (and no routing across it).  I can look at the st0 interfaces and see that (during ping operations) the outbound packet count is going up, but on my 210 at MY end, no session builds, and no traffic passes.  I have been poring over the config all day, and am tired of looking at it.  It should just work.  Any ideas? help?  whatever you can see?  


    Here is the config of both sides (in set statements):

    My SRX 210:
    set interfaces st0 unit 102 description "Tunnel to Client Network"
    set security ike policy ike-pol-Client-Network mode main
    set security ike policy ike-pol-Client-Network proposal-set standard
    set security ike policy ike-pol-Client-Network pre-shared-key ascii-text secret
    set security ike gateway ike-gate-Client-Network ike-policy ike-pol-Client-Network
    set security ike gateway ike-gate-Client-Network address 2.2.2.2
    set security ike gateway ike-gate-Client-Network external-interface lo0
    set security ipsec policy ipsec-pol-Client-Network proposal-set standard
    set security ipsec vpn ipsec-vpn-Client-Network bind-interface st0.102
    set security ipsec vpn ipsec-vpn-Client-Network ike gateway ike-gate-Client-Network
    set security ipsec vpn ipsec-vpn-Client-Network ike ipsec-policy ipsec-pol-Client-Network
    set security ipsec vpn ipsec-vpn-Client-Network establish-tunnels immediately
    set security policies from-zone Trust to-zone Client-Network policy Trust-Client-Network match source-address My-LAN
    set security policies from-zone Trust to-zone Client-Network policy Trust-Client-Network match destination-address any
    set security policies from-zone Trust to-zone Client-Network policy Trust-Client-Network match application any
    set security policies from-zone Trust to-zone Client-Network policy Trust-Client-Network then permit
    set security policies from-zone Client-Network to-zone Trust policy Client-Network-Trust match source-address any
    set security policies from-zone Client-Network to-zone Trust policy Client-Network-Trust match destination-address My-LAN
    set security policies from-zone Client-Network to-zone Trust policy Client-Network-Trust match application any
    set security policies from-zone Client-Network to-zone Trust policy Client-Network-Trust then permit
    set security zones security-zone Client-Network host-inbound-traffic system-services ping
    set security zones security-zone Client-Network host-inbound-traffic system-services traceroute
    set security zones security-zone Client-Network interfaces st0.102

    set interfaces st0 unit 102 description "Tunnel to Client"
    set interfaces st0 unit 102 family inet address 10.1.1.6/30


    Remote SRX340 Cluster:
    set security ike policy ike-pol-My-Network mode main
    set security ike policy ike-pol-My-Network proposal-set standard
    set security ike policy ike-pol-My-Network pre-shared-key ascii-text secret
    set security ike gateway ike-gate-My-Network ike-policy ike-pol-My-Network
    set security ike gateway ike-gate-My-Network address 1.1.1.1
    set security ike gateway ike-gate-My-Network external-interface reth0
    set security ipsec policy ipsec-pol-My-Network proposal-set standard
    set security ipsec vpn ipsec-vpn-My-Network bind-interface st0.10
    set security ipsec vpn ipsec-vpn-My-Network ike gateway ike-gate-My-Network
    set security ipsec vpn ipsec-vpn-My-Network ike ipsec-policy ipsec-pol-My-Network
    set security ipsec vpn ipsec-vpn-My-Network establish-tunnels immediately
    set security policies from-zone Trust to-zone My-Network policy Trust-My-Network match source-address any
    set security policies from-zone Trust to-zone My-Network policy Trust-My-Network match destination-address My-LAN
    set security policies from-zone Trust to-zone My-Network policy Trust-My-Network match application any
    set security policies from-zone Trust to-zone My-Network policy Trust-My-Network then permit
    set security policies from-zone My-Network to-zone Trust policy My-Network-Trust match source-address My-LAN
    set security policies from-zone My-Network to-zone Trust policy My-Network-Trust match destination-address any
    set security policies from-zone My-Network to-zone Trust policy My-Network-Trust match application any
    set security policies from-zone My-Network to-zone Trust policy My-Network-Trust then permit
    set security zones security-zone My-Network host-inbound-traffic system-services ping
    set security zones security-zone My-Network host-inbound-traffic system-services traceroute
    set security zones security-zone My-Network interfaces st0.10
    set interfaces st0 unit 10 description "Tunnel to My Network"

    set interfaces st0 unit 10 family inet address 10.1.1.5/30


    The 210 is:

    Model: srx210he2
    JUNOS Software Release [12.1X46-D40.2]


    The 340 cluster:

    node0:
    --------------------------------------------------------------------------
    Hostname: MDF-SRX340-0
    Model: srx340
    Junos: 15.1X49-D70.3
    JUNOS Software Release [15.1X49-D70.3]

    node1:
    --------------------------------------------------------------------------
    Hostname: MDF-SRX340-1
    Model: srx340
    Junos: 15.1X49-D70.3
    JUNOS Software Release [15.1X49-D70.3]


    Any help would be greatly appreciated!

    Thank you!

    Sean Garland

    Garland Tech, Inc.



  • 2.  RE: Tunnel between SRX's not passing traffic
    Best Answer

    Posted 10-20-2019 16:12

    Well, it's fixed.  Added one line to the config, which may or may not have done anything.  Added the following to the IKE gateway information, which wasn't necessary on any other connection:

    set security ike gateway ike-gate-Client-Network local-address 1.1.1.1 (the actual address of MY side)


    Not sure if that was the case because I'm using a loopback-routed interface with a different actual directly connected subnet, or what.  But it's up now.  


    Very strange issue that would be interesting to recreate in the lab to check on.

    Thanks!
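As an added example (not from the thread or from Juniper), a small Python lint over Junos set-style config that flags the conditions this thread turns on: an IKE gateway sourced from lo0 with no `local-address` (the one line the accepted answer added), an st0 unit with no inet address, and a bind-interface not placed in a zone that allows host-inbound ping. The embedded sample and the 1.1.1.1 address mirror the poster's own placeholders; the st0/zone checks are standard route-based VPN prerequisites, not something the thread itself verified.

```python
# Constructed sample: the questioner's SRX210 side, trimmed to the lines the checks read.
SRX210_BEFORE = """\
set interfaces st0 unit 102 family inet address 10.1.1.6/30
set security ike gateway ike-gate-Client-Network address 2.2.2.2
set security ike gateway ike-gate-Client-Network external-interface lo0
set security ipsec vpn ipsec-vpn-Client-Network bind-interface st0.102
set security ipsec vpn ipsec-vpn-Client-Network ike gateway ike-gate-Client-Network
set security zones security-zone Client-Network host-inbound-traffic system-services ping
set security zones security-zone Client-Network interfaces st0.102
"""
# The single line the accepted answer added (1.1.1.1 is the thread's placeholder).
LOCAL_ADDRESS_FIX = "set security ike gateway ike-gate-Client-Network local-address 1.1.1.1\n"

def lint_vpn_config(set_config):
    """Return findings, one string each, for every route-based IPsec VPN in a Junos set-style config."""
    gw_ext, gw_local, vpn_bind, vpn_gw = {}, set(), {}, {}   # ike/ipsec objects
    st0_with_addr, iface_zone, zone_ping = set(), {}, set()  # st0 units, zones
    for line in set_config.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "set":
            continue
        if t[1:4] == ["security", "ike", "gateway"]:
            if t[5] == "external-interface":
                gw_ext[t[4]] = t[6]
            elif t[5] == "local-address":
                gw_local.add(t[4])
        elif t[1:4] == ["security", "ipsec", "vpn"]:
            if t[5] == "bind-interface":
                vpn_bind[t[4]] = t[6]
            elif t[5:7] == ["ike", "gateway"]:
                vpn_gw[t[4]] = t[7]
        elif t[1:4] == ["interfaces", "st0", "unit"] and "address" in t:
            st0_with_addr.add("st0." + t[4])
        elif t[1:4] == ["security", "zones", "security-zone"]:
            if t[5] == "interfaces":
                iface_zone[t[6]] = t[4]
            elif t[5:8] == ["host-inbound-traffic", "system-services", "ping"]:
                zone_ping.add(t[4])
    findings = []
    for vpn, bind in vpn_bind.items():
        gw = vpn_gw.get(vpn, "")
        # IKE sourced from a loopback: the answer's fix was pinning local-address explicitly.
        if gw_ext.get(gw, "").startswith("lo") and gw not in gw_local:
            findings.append(f"{vpn}: gateway {gw} uses {gw_ext[gw]} but sets no local-address")
        if bind not in st0_with_addr:
            findings.append(f"{vpn}: {bind} has no family inet address")
        if iface_zone.get(bind) not in zone_ping:
            findings.append(f"{vpn}: {bind} is not in a security zone that allows host-inbound ping")
    return findings
```

Run `lint_vpn_config(SRX210_BEFORE)` to see the single local-address finding, and `lint_vpn_config(SRX210_BEFORE + LOCAL_ADDRESS_FIX)` to confirm it clears.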