Security


Ask questions and share experiences with Juniper Connected Security. Discuss Advanced Threat Protection, SecIntel, Secure Analytics, Secure Connect, Security Director, and all things related to Juniper security technologies.
  • 1.  ipsec tunnel static route not being added to the routing table

    Posted 07-30-2021 08:44

    Running an IPsec tunnel between an SRX340 and a FortiGate 600E. Both Phase 1 and Phase 2 are showing up, as I have successful IKE cookies and SAs for the tunnel. I bound st0.28 to the VPN and it shows up. I have configured a static route to use st0.28 as the next-hop, but this route does NOT appear in the routing table when I issue a show route command. It is also not in the forwarding-table. I'm completely stumped and have worked on this for hours. Any assistance would be GREATLY appreciated. Here is the config:

    set security ike proposal RB-FDON-IKE-PROPOSAL authentication-method pre-shared-keys
    set security ike proposal RB-FDON-IKE-PROPOSAL dh-group group20
    set security ike proposal RB-FDON-IKE-PROPOSAL authentication-algorithm sha-256
    set security ike proposal RB-FDON-IKE-PROPOSAL encryption-algorithm aes-256-cbc
    set security ike proposal RB-FDON-IKE-PROPOSAL lifetime-seconds 28800
    set security ike policy RB-FDON-IKE-POLICY mode main
    set security ike policy RB-FDON-IKE-POLICY proposals RB-FDON-IKE-PROPOSAL
    set security ike policy RB-FDON-IKE-POLICY pre-shared-key ascii-text *******
    set security ike gateway RB-FDON-VPN-GW ike-policy RB-FDON-IKE-POLICY
    set security ike gateway RB-FDON-VPN-GW address 81.x.x.x
    set security ike gateway RB-FDON-VPN-GW dead-peer-detection interval 10
    set security ike gateway RB-FDON-VPN-GW dead-peer-detection threshold 1
    set security ike gateway RB-FDON-VPN-GW nat-keepalive 10
    set security ike gateway RB-FDON-VPN-GW external-interface reth0.0
    set security ike gateway RB-FDON-VPN-GW version v2-only
    set security ipsec proposal RB-FDON-IPSEC-PROPOSAL protocol esp
    set security ipsec proposal RB-FDON-IPSEC-PROPOSAL authentication-algorithm hmac-sha-256-128
    set security ipsec proposal RB-FDON-IPSEC-PROPOSAL encryption-algorithm aes-256-cbc
    set security ipsec proposal RB-FDON-IPSEC-PROPOSAL lifetime-seconds 86400
    set security ipsec policy RB-FDON-IPSEC-POLICY perfect-forward-secrecy keys group20
    set security ipsec policy RB-FDON-IPSEC-POLICY proposals RB-FDON-IPSEC-PROPOSAL
    set security ipsec vpn RB-FDON-IPSEC-VPN bind-interface st0.28
    set security ipsec vpn RB-FDON-IPSEC-VPN ike gateway RB-FDON-VPN-GW
    set security ipsec vpn RB-FDON-IPSEC-VPN ike ipsec-policy RB-FDON-IPSEC-POLICY
    set security ipsec vpn RB-FDON-IPSEC-VPN ike proxy-identity local 10.3.0.0/16
    set security ipsec vpn RB-FDON-IPSEC-VPN ike proxy-identity remote 10.9.0.0/16
    set security ipsec vpn RB-FDON-IPSEC-VPN ike proxy-identity service any
    set security ipsec vpn RB-FDON-IPSEC-VPN establish-tunnels immediately

    set security zones security-zone untrust interfaces st0.28

    set routing-options static route 10.9.0.0/16 next-hop st0.28

    ------------------------------
    INFRASTRUCTURE DEPARTMENT
    ------------------------------
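The prerequisites for a route-based VPN on SRX are easy to check mechanically: the st0 unit a VPN binds to must exist as a logical interface with `family inet`, must belong to a security zone, and a static route that names it as next-hop only installs once that interface is up. The following linter is an added example (editor's code, not from the poster or from Juniper); it walks a `set`-format snippet and reports which of those prerequisites are missing. `SAMPLE_CONFIG` is a constructed excerpt of the posted config; note that the post shows no `interfaces st0 unit 28` stanza at all, so the linter flags it. Whether that stanza was merely left out of the paste or is genuinely absent from the box is an assumption the reader must confirm on the device (`show configuration interfaces st0`).

```python
"""Lint a Junos set-format snippet for route-based IPsec prerequisites.

Added example, not the poster's code. It checks the conditions that keep a
static route with an st0 next-hop out of inet.0: the st0 unit must carry
'family inet', must be the bind-interface of a VPN, and must sit in a
security zone. SAMPLE_CONFIG is a constructed excerpt of the posted config;
the 'interfaces st0 unit 28' stanza does not appear in the post.
"""

SAMPLE_CONFIG = """
set security ipsec vpn RB-FDON-IPSEC-VPN bind-interface st0.28
set security ipsec vpn RB-FDON-IPSEC-VPN ike gateway RB-FDON-VPN-GW
set security ipsec vpn RB-FDON-IPSEC-VPN ike proxy-identity local 10.3.0.0/16
set security ipsec vpn RB-FDON-IPSEC-VPN ike proxy-identity remote 10.9.0.0/16
set security ipsec vpn RB-FDON-IPSEC-VPN establish-tunnels immediately
set security zones security-zone untrust interfaces st0.28
set routing-options static route 10.9.0.0/16 next-hop st0.28
"""

# Hypothetical fix: the interface stanza the posted snippet does not show.
ST0_FAMILY_INET = "set interfaces st0 unit 28 family inet"


def parse_set_lines(text):
    """Split 'set ...' lines into token lists, dropping the leading 'set'."""
    return [ln.split()[1:] for ln in text.splitlines()
            if ln.strip().startswith("set ")]


def lint_st0(config_text):
    """Return a list of findings; an empty list means the st0 prerequisites are met."""
    bound = {}            # st0 unit -> VPN name that binds it
    route_nh = {}         # prefix -> st0 unit used as next-hop
    family_inet = set()   # st0 units configured with 'family inet'
    zone_of = {}          # interface -> security zone
    for t in parse_set_lines(config_text):
        if t[:3] == ["security", "ipsec", "vpn"] and "bind-interface" in t:
            bound[t[t.index("bind-interface") + 1]] = t[3]
        elif t[:3] == ["routing-options", "static", "route"] and "next-hop" in t:
            nh = t[t.index("next-hop") + 1]
            if nh.startswith("st0."):
                route_nh[t[3]] = nh
        elif (len(t) >= 6 and t[0] == "interfaces" and t[1] == "st0"
              and t[2] == "unit" and t[4:6] == ["family", "inet"]):
            family_inet.add("st0." + t[3])
        elif t[:3] == ["security", "zones", "security-zone"] and "interfaces" in t:
            zone_of[t[t.index("interfaces") + 1]] = t[3]

    findings = []
    for unit, vpn in bound.items():
        if unit not in family_inet:
            findings.append(f"{unit}: bound by VPN {vpn} but has no 'family inet'; "
                            "a route via it cannot be resolved until the unit is configured")
        if unit not in zone_of:
            findings.append(f"{unit}: not assigned to any security zone; "
                            "tunnel traffic would be dropped by the flow engine")
    for prefix, nh in route_nh.items():
        if nh not in bound:
            findings.append(f"route {prefix}: next-hop {nh} is not the bind-interface of any VPN")
        if nh not in family_inet:
            findings.append(f"route {prefix}: next-hop {nh} lacks 'family inet', "
                            "so the route stays out of inet.0")
    return findings


if __name__ == "__main__":
    for f in lint_st0(SAMPLE_CONFIG):
        print("FAIL:", f)
    # Re-run with the hypothetical interface stanza appended.
    print("after fix:", lint_st0(SAMPLE_CONFIG + "\n" + ST0_FAMILY_INET) or "clean")
```

Run against the excerpt as posted, the linter reports two findings, both pointing at the missing `family inet` on st0.28; appending the `set interfaces st0 unit 28 family inet` line clears them. The zone check passes because the post does place st0.28 in `untrust`.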


  • 2.  RE: ipsec tunnel static route not being added to the routing table

    Posted 08-04-2021 05:27
    Can you share the output from

    show route 10.9.0.0/16

    show interface st0.28


    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------