Can you share the output from
show route 10.9.0.0/16
show interface st0.28
------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
------------------------------
Original Message:
Sent: 07-30-2021 05:54
From: INFRASTRUCTURE DEPARTMENT
Subject: ipsec tunnel static route not being added to the routing table
Running an ipsec tunnel between an SRX340 and a Fortigate 600E. Both Phase 1 and Phase 2 are showing up as I have successful IKE cookies and SAs for the tunnel. I bound st0.28 to the vpn and it shows up. I have configured a static route to use st0.28 as the next-hop but this route does NOT appear in the routing table when I issue a show route command. It is also not in the forwarding-table. I'm completely stumped and have worked on this for hours. Any assistance would be GREATLY appreciated. Here is the config:
set security ike proposal RB-FDON-IKE-PROPOSAL authentication-method pre-shared-keys
set security ike proposal RB-FDON-IKE-PROPOSAL dh-group group20
set security ike proposal RB-FDON-IKE-PROPOSAL authentication-algorithm sha-256
set security ike proposal RB-FDON-IKE-PROPOSAL encryption-algorithm aes-256-cbc
set security ike proposal RB-FDON-IKE-PROPOSAL lifetime-seconds 28800
set security ike policy RB-FDON-IKE-POLICY mode main
set security ike policy RB-FDON-IKE-POLICY proposals RB-FDON-IKE-PROPOSAL
set security ike policy RB-FDON-IKE-POLICY pre-shared-key ascii-text *******
set security ike gateway RB-FDON-VPN-GW ike-policy RB-FDON-IKE-POLICY
set security ike gateway RB-FDON-VPN-GW address 81.x.x.x
set security ike gateway RB-FDON-VPN-GW dead-peer-detection interval 10
set security ike gateway RB-FDON-VPN-GW dead-peer-detection threshold 1
set security ike gateway RB-FDON-VPN-GW nat-keepalive 10
set security ike gateway RB-FDON-VPN-GW external-interface reth0.0
set security ike gateway RB-FDON-VPN-GW version v2-only
set security ipsec proposal RB-FDON-IPSEC-PROPOSAL protocol esp
set security ipsec proposal RB-FDON-IPSEC-PROPOSAL authentication-algorithm hmac-sha-256-128
set security ipsec proposal RB-FDON-IPSEC-PROPOSAL encryption-algorithm aes-256-cbc
set security ipsec proposal RB-FDON-IPSEC-PROPOSAL lifetime-seconds 86400
set security ipsec policy RB-FDON-IPSEC-POLICY perfect-forward-secrecy keys group20
set security ipsec policy RB-FDON-IPSEC-POLICY proposals RB-FDON-IPSEC-PROPOSAL
set security ipsec vpn RB-FDON-IPSEC-VPN bind-interface st0.28
set security ipsec vpn RB-FDON-IPSEC-VPN ike gateway RB-FDON-VPN-GW
set security ipsec vpn RB-FDON-IPSEC-VPN ike ipsec-policy RB-FDON-IPSEC-POLICY
set security ipsec vpn RB-FDON-IPSEC-VPN bind-interface st0.28
set security ipsec vpn RB-FDON-IPSEC-VPN ike gateway RB-FDON-VPN-GW
set security ipsec vpn RB-FDON-IPSEC-VPN ike proxy-identity local 10.3.0.0/16
set security ipsec vpn RB-FDON-IPSEC-VPN ike proxy-identity remote 10.9.0.0/16
set security ipsec vpn RB-FDON-IPSEC-VPN ike proxy-identity service any
set security ipsec vpn RB-FDON-IPSEC-VPN ike ipsec-policy RB-FDON-IPSEC-POLICY
set security ipsec vpn RB-FDON-IPSEC-VPN establish-tunnels immediately
set security zones security-zone untrust interfaces st0.28
set routing-options static route 10.9.0.0/16 next-hop st0.28
------------------------------
INFRASTRUCTURE DEPARTMENT
------------------------------