Security


ipsec tunnel static route not being added to the routing table

  • 1.  ipsec tunnel static route not being added to the routing table

    Posted 07-30-2021 08:44

    Running an ipsec tunnel between a SRX340 and a Fortigate 600E. Both Phase 1 and Phase 2 are showing up as I have successful IKE cookies and SAs for the tunnel. I bound st0.28 to the vpn and it shows up. I have configured a static route to use st0.28 as the next-hop but this route does NOT appear in the routing table when I issue a show route command. It is also not in the forwarding-table. I'm completely stumped and have worked on this for hours. Any assistance would be GREATLY appreciated. Here is the config:

    set security ike proposal RB-FDON-IKE-PROPOSAL authentication-method pre-shared-keys
    set security ike proposal RB-FDON-IKE-PROPOSAL dh-group group20
    set security ike proposal RB-FDON-IKE-PROPOSAL authentication-algorithm sha-256
    set security ike proposal RB-FDON-IKE-PROPOSAL encryption-algorithm aes-256-cbc
    set security ike proposal RB-FDON-IKE-PROPOSAL lifetime-seconds 28800
    set security ike policy RB-FDON-IKE-POLICY mode main
    set security ike policy RB-FDON-IKE-POLICY proposals RB-FDON-IKE-PROPOSAL
    set security ike policy RB-FDON-IKE-POLICY pre-shared-key ascii-text *******
    set security ike gateway RB-FDON-VPN-GW ike-policy RB-FDON-IKE-POLICY
    set security ike gateway RB-FDON-VPN-GW address 81.x.x.x
    set security ike gateway RB-FDON-VPN-GW dead-peer-detection interval 10
    set security ike gateway RB-FDON-VPN-GW dead-peer-detection threshold 1
    set security ike gateway RB-FDON-VPN-GW nat-keepalive 10
    set security ike gateway RB-FDON-VPN-GW external-interface reth0.0
    set security ike gateway RB-FDON-VPN-GW version v2-only
    set security ipsec proposal RB-FDON-IPSEC-PROPOSAL protocol esp
    set security ipsec proposal RB-FDON-IPSEC-PROPOSAL authentication-algorithm hmac-sha-256-128
    set security ipsec proposal RB-FDON-IPSEC-PROPOSAL encryption-algorithm aes-256-cbc
    set security ipsec proposal RB-FDON-IPSEC-PROPOSAL lifetime-seconds 86400
    set security ipsec policy RB-FDON-IPSEC-POLICY perfect-forward-secrecy keys group20
    set security ipsec policy RB-FDON-IPSEC-POLICY proposals RB-FDON-IPSEC-PROPOSAL
    set security ipsec vpn RB-FDON-IPSEC-VPN bind-interface st0.28
    set security ipsec vpn RB-FDON-IPSEC-VPN ike gateway RB-FDON-VPN-GW
    set security ipsec vpn RB-FDON-IPSEC-VPN ike ipsec-policy RB-FDON-IPSEC-POLICY
    set security ipsec vpn RB-FDON-IPSEC-VPN bind-interface st0.28
    set security ipsec vpn RB-FDON-IPSEC-VPN ike gateway RB-FDON-VPN-GW
    set security ipsec vpn RB-FDON-IPSEC-VPN ike proxy-identity local 10.3.0.0/16
    set security ipsec vpn RB-FDON-IPSEC-VPN ike proxy-identity remote 10.9.0.0/16
    set security ipsec vpn RB-FDON-IPSEC-VPN ike proxy-identity service any
    set security ipsec vpn RB-FDON-IPSEC-VPN ike ipsec-policy RB-FDON-IPSEC-POLICY
    set security ipsec vpn RB-FDON-IPSEC-VPN establish-tunnels immediately


    set security zones security-zone untrust interfaces st0.28

    set routing-options static route 10.9.0.0/16 next-hop st0.28




    ------------------------------
    INFRASTRUCTURE DEPARTMENT
    ------------------------------

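Added illustration, not part of the thread and not Juniper's code: a small Python checker that reads Junos set-format statements and cross-references the pieces a route-based IPsec VPN depends on (gateway and policy names that are referenced but never defined, a static route whose next-hop is a logical interface that is not any VPN's bind-interface, is in no security zone, or has no address family). The embedded configuration is a constructed excerpt of the post above (names, st0.28 and the 10.9.0.0/16 route are copied; peer address and pre-shared key are left out). On that excerpt the checker reports that no `set interfaces st0 unit 28 family inet` statement is present; Junos does not install a route through a logical interface that has no address family configured, so that is one thing to verify alongside the `show route` and `show interface` output. Whether it is the actual cause in this thread is not confirmed by the posts, and the `FIXED_CONFIG` variant is an assumption added for contrast.

```python
import re

# Constructed excerpt of the configuration posted above (names, interfaces and
# prefixes copied from the post; peer address and pre-shared key omitted).
POSTED_CONFIG = """
set security ike policy RB-FDON-IKE-POLICY proposals RB-FDON-IKE-PROPOSAL
set security ike gateway RB-FDON-VPN-GW ike-policy RB-FDON-IKE-POLICY
set security ike gateway RB-FDON-VPN-GW external-interface reth0.0
set security ipsec policy RB-FDON-IPSEC-POLICY proposals RB-FDON-IPSEC-PROPOSAL
set security ipsec vpn RB-FDON-IPSEC-VPN bind-interface st0.28
set security ipsec vpn RB-FDON-IPSEC-VPN ike gateway RB-FDON-VPN-GW
set security ipsec vpn RB-FDON-IPSEC-VPN ike ipsec-policy RB-FDON-IPSEC-POLICY
set security zones security-zone untrust interfaces st0.28
set routing-options static route 10.9.0.0/16 next-hop st0.28
"""

# Assumed variant: the same excerpt plus the statement that gives st0.28 an IPv4 family.
FIXED_CONFIG = POSTED_CONFIG + "set interfaces st0 unit 28 family inet\n"

IFL_RE = re.compile(r"^[a-z]+[0-9/]*\.[0-9]+$")   # logical interface name, e.g. st0.28


def parse_set_lines(text):
    """Return each 'set ...' statement as one space-normalised string without the 'set'."""
    out = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens and tokens[0] == "set":
            out.append(" ".join(tokens[1:]))
    return out


def check_route_based_vpn(text):
    """Cross-check the pieces a route-based IPsec VPN needs; return a list of findings."""
    stmts = parse_set_lines(text)
    ike_policies, ipsec_policies, gateways = set(), set(), set()
    gw_policy, vpn_gateway, vpn_policy, bind_ifl = {}, {}, {}, {}
    zone_of, inet_ifls, routes = {}, set(), []

    for s in stmts:
        if m := re.match(r"security ike policy (\S+)", s):
            ike_policies.add(m.group(1))
        if m := re.match(r"security ike gateway (\S+)", s):
            gateways.add(m.group(1))
        if m := re.match(r"security ike gateway (\S+) ike-policy (\S+)", s):
            gw_policy[m.group(1)] = m.group(2)
        if m := re.match(r"security ipsec policy (\S+)", s):
            ipsec_policies.add(m.group(1))
        if m := re.match(r"security ipsec vpn (\S+) bind-interface (\S+)", s):
            bind_ifl[m.group(2)] = m.group(1)
        if m := re.match(r"security ipsec vpn (\S+) ike gateway (\S+)", s):
            vpn_gateway[m.group(1)] = m.group(2)
        if m := re.match(r"security ipsec vpn (\S+) ike ipsec-policy (\S+)", s):
            vpn_policy[m.group(1)] = m.group(2)
        if m := re.match(r"security zones security-zone (\S+) interfaces (\S+)", s):
            zone_of[m.group(2)] = m.group(1)
        if m := re.match(r"interfaces (\S+) unit (\d+) family inet", s):
            inet_ifls.add(f"{m.group(1)}.{m.group(2)}")
        if m := re.match(r"routing-options static route (\S+) next-hop (\S+)", s):
            routes.append((m.group(1), m.group(2)))

    findings = []
    # Reference integrity: every name a VPN points at must actually be defined.
    for vpn, gw in vpn_gateway.items():
        if gw not in gateways:
            findings.append(f"vpn {vpn}: ike gateway {gw} is not defined")
        elif gw_policy.get(gw) not in ike_policies:
            findings.append(f"gateway {gw}: ike-policy {gw_policy.get(gw)} is not defined")
    for vpn, pol in vpn_policy.items():
        if pol not in ipsec_policies:
            findings.append(f"vpn {vpn}: ipsec-policy {pol} is not defined")

    # Static routes whose next-hop is a logical interface rather than an address.
    for prefix, nh in routes:
        if not IFL_RE.match(nh):
            continue
        if nh not in bind_ifl:
            findings.append(f"route {prefix}: {nh} is not the bind-interface of any ipsec vpn")
        if nh not in inet_ifls:
            findings.append(f"route {prefix}: {nh} has no 'family inet'; Junos will not "
                            f"install a route through an interface with no address family")
        if nh not in zone_of:
            findings.append(f"route {prefix}: {nh} is not assigned to a security zone")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, check_route_based_vpn(cfg) or "no findings")
```

Feed it the full `show configuration | display set` output of both ends of a tunnel as a pre-commit sanity check; it deliberately ignores address next-hops, since those are resolved by the RIB rather than by interface state.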

  • 2.  RE: ipsec tunnel static route not being added to the routing table

     
    Posted 08-04-2021 05:27
    Can you share the output from

    show route 10.9.0.0/16

    show interface st0.28


    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------