SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  VPN Traffic selector issue multiple subnets

    Posted 01-15-2018 08:05

    Hi,

    I had a VPN up between 2 sites, all working fine. I now need another subnet on each of my SRXs to communicate via the VPN. I have added traffic selectors for all options, but when I apply them, only the original networks communicate.

    Site A  192.168.30.0/24 192.168.13.0/24
    Site B 192.168.20.0/24 192.168.12.0/24

    As example 192.168.30.10 can communicate with 192.168.20.10 without issue.
    But 192.168.30.10 fails to communicate with 192.168.12.10.

    Any combination site to site involving 192.168.13.0/24 & 192.168.12.0/24 does not work.

    Below is an example of the config from one of the sites; the other side is identical except for the reversing of IPs.


    vpn site-to-site {
        bind-interface st0.1;
        ike {
            gateway site_to_site;
            ipsec-policy site_to_site;
        }
        traffic-selector t1 {
            local-ip 192.168.30.0/24;
            remote-ip 192.168.20.0/24;
        }
        traffic-selector t2 {
            local-ip 192.168.30.0/24;
            remote-ip 192.168.12.0/24;
        }
        traffic-selector t3 {
            local-ip 192.168.13.0/24;
            remote-ip 192.168.20.0/24;
        }
        traffic-selector t4 {
            local-ip 192.168.13.0/24;
            remote-ip 192.168.12.0/24;
        }
    }



    #vpn
    #trafficselector


  • 2.  RE: VPN Traffic selector issue multiple subnets

    Posted 01-16-2018 03:02

    Did you add the static route for 192.168.12.0/24  pointing to the st0.1 interface?




  • 3.  RE: VPN Traffic selector issue multiple subnets

    Posted 01-16-2018 03:37

    No, I didn't add any static routes due to "auto route insertion".



  • 4.  RE: VPN Traffic selector issue multiple subnets

    Posted 01-16-2018 08:47

    In that case, I would recommend running flow traceoptions on both sides for the problematic IP address pairs.

    VPNs with traffic selectors do not allow traffic outside the traffic selectors, so if flow is dropping this traffic for any such reason, we should see it in there.



  • 5.  RE: VPN Traffic selector issue multiple subnets
    Best Answer

    Posted 01-17-2018 03:13

    Thanks all, but I found the issue now: my VPN policy did not have the correct to-zone and source-address! Corrected, and all works as expected.
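
    An added example (not the poster's configuration) of the zone and policy pieces the fix above refers to, built for the four subnets in this thread: the LAN interfaces are assumed to sit in a zone named trust and st0.1 in a zone named vpn, and the address and policy names are constructed. Both subnets on each side are listed in source-address and destination-address, and a return policy from the vpn zone is included.

```junos
security {
    zones {
        security-zone trust {
            address-book {
                address net-30 192.168.30.0/24;
                address net-13 192.168.13.0/24;
            }
        }
        /* st0.1 is bound here, so policies toward the tunnel use to-zone vpn */
        security-zone vpn {
            address-book {
                address net-20 192.168.20.0/24;
                address net-12 192.168.12.0/24;
            }
            interfaces {
                st0.1;
            }
        }
    }
    policies {
        /* both local subnets must appear in source-address, both remote ones in destination-address */
        from-zone trust to-zone vpn {
            policy lan-to-vpn {
                match {
                    source-address [ net-30 net-13 ];
                    destination-address [ net-20 net-12 ];
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* return direction for sessions initiated from the remote site */
        from-zone vpn to-zone trust {
            policy vpn-to-lan {
                match {
                    source-address [ net-20 net-12 ];
                    destination-address [ net-30 net-13 ];
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
```

    Traffic selectors only define what the tunnel will carry; the session still has to be permitted by a policy between the LAN zone and the zone holding st0.1, so a selector with no matching policy gives the symptom described in this thread.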




  • 6.  RE: VPN Traffic selector issue multiple subnets

    Posted 01-17-2018 03:12

    Is this a policy or route based VPN?


    These will be the steps to verify the VPN is up and all the policies and routes are in place for the traffic to pass.

    Let us know which step fails and what data you get from these collections.


    https://kb.juniper.net/InfoCenter/index?page=content&id=KB10093