Hello Junos folks ... please provide some help setting up my VPN.
After many attempts, this is what I get:
The tunnel is established only after the remote site sends traffic.
Only one network at a time can send me traffic. (I'm trying to encrypt multiple source networks.)
note:
I tried the VPN generation tool, but I have problems when I try to attach the untrust zone to a second address-book as the application suggests.
Mine is running:
JUNOS Software Release [11.4R9.4]
Is there any problem with this release?
If somebody can take a look at my configuration lines, I would appreciate it.
Regards.
Leandro.
leandro@SRX01COR-cluster# show security address-book bsas_lan
/* Remote (BSAS) prefixes reachable through BSAS_tunnel; referenced by both tunnel policies. */
address bsas_net 172.22.162.0/23;
address bsas_net2 172.22.6.0/24;
address bsas_net3 172.22.165.0/24;
address bsas_net4 172.21.104.0/24;
address bsas_net5 172.22.164.0/24;
address bsas_net6 172.22.118.0/24;
address bsas_net7 172.22.11.0/24;
address bsas_net8 172.22.46.0/24;
/* NOTE(review): a zone can be attached to only one address-book, which is probably why
   attaching untrust to a second book failed; add further remote prefixes to this book instead.
   NOTE(review): with a policy-based VPN these eight prefixes share one tunnel policy; whether the
   peer negotiates one SA or one per prefix depends on its proxy-ID/selector config — compare
   `show security ipsec security-associations` output with the peer's selectors. */
attach {
    zone untrust;
}
leandro@SRX01COR-cluster# show security address-book cdba_mgmt
/* Local management host in zone OAM; the only local source/destination the tunnel policies cover. */
address mgmt_server 172.31.160.250/32;
attach {
    zone OAM;
}
leandro@SRX01COR-cluster# show security policies from-zone OAM to-zone untrust
/* Outbound tunnel policy (policy-based VPN): mgmt_server -> BSAS prefixes is permitted only
   through BSAS_tunnel; pair-policy ties it to the reverse policy in untrust->OAM. */
policy vpn-OAM-untrust {
    match {
        source-address mgmt_server;
        destination-address [ bsas_net bsas_net2 bsas_net3 bsas_net4 bsas_net5 bsas_net6 bsas_net7 bsas_net8 ];
        /* any protocol from the management host is tunnelled; narrow to the needed applications if possible */
        application any;
    }
    then {
        permit {
            tunnel {
                ipsec-vpn BSAS_tunnel;
                pair-policy vpn-untr-OAM;
            }
        }
    }
}
/* NOTE(review): catch-all OAM->untrust. Policies are evaluated in order, so this only sees traffic
   the tunnel policy above did not match — but that includes any OAM host other than mgmt_server
   sending to the BSAS prefixes, which then leaves in the clear instead of being dropped.
   Consider a deny (with log) for the BSAS prefixes ahead of this, or a tighter source list. */
policy permit-any {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit;
    }
}
leandro@SRX01COR-cluster# show security policies from-zone untrust to-zone OAM
/* Inbound tunnel policy: BSAS prefixes -> mgmt_server, mirror of vpn-OAM-untrust.
   NOTE(review): the reported "tunnel only comes up when the remote side sends traffic" means this
   responder-side policy is what triggers negotiation; see the vpn BSAS_tunnel stanza for the
   initiator side. */
policy vpn-untr-OAM {
    match {
        source-address [ bsas_net bsas_net2 bsas_net3 bsas_net4 bsas_net5 bsas_net6 bsas_net7 bsas_net8 ];
        destination-address mgmt_server;
        application any;
    }
    then {
        permit {
            tunnel {
                ipsec-vpn BSAS_tunnel;
                pair-policy vpn-OAM-untrust;
            }
        }
    }
}
leandro@SRX01COR-cluster# show security ike
/* Re-key on up to 20 invalid-SPI notifications; helps recover when the peer keeps a stale SA. */
respond-bad-spi 20;
/* IKE phase 1 proposal. NOTE(review): 3DES / SHA-1 / DH group 2 are legacy choices; prefer AES
   and a stronger DH group if the peer supports them — both sides must match exactly. */
proposal to_BSAS_ike-prop {
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm sha1;
    encryption-algorithm 3des-cbc;
    /* phase 1 lifetime, 24h */
    lifetime-seconds 86400;
}
/* IKE policy: main mode with a pre-shared key.
   NOTE(review): the $9$ form is reversible obfuscation, not a hash — a PSK pasted in this form
   into a public post is disclosed; rotate it on both peers before sharing configs again. */
policy BSAS_ike_policy {
    mode main;
    proposals to_BSAS_ike-prop;
    pre-shared-key ascii-text "$9$wxsaZDi.Q36qmRhSlXxqmP5nCIEcylMSyVY"; ## SECRET-DATA
}
/* IKE peer; address redacted by the author. external-interface is the cluster reth sub-interface
   that must hold the local IKE source address. */
gateway BSAS_GW {
    ike-policy BSAS_ike_policy;
    address XXX.XXX.XXX.XXX;
    external-interface reth0.10;
}
leandro@SRX01COR-cluster# show security ipsec
/* Global VPN-monitor timers (probe every 2s, down after 5 misses).
   NOTE(review): these only take effect for VPNs that enable vpn-monitor; the vpn BSAS_tunnel stanza
   below has no vpn-monitor statement, so as shown they are not in use. */
vpn-monitor-options {
    interval 2;
    threshold 5;
}
/* IPsec phase 2 proposal: ESP with 3DES and HMAC-SHA1-96, 1h lifetime.
   NOTE(review): same legacy-cipher caveat as the IKE proposal; must match the peer. */
proposal BSAS_ipsec_prop {
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 3600;
}
/* IPsec policy with PFS (group 2) — the peer must also have PFS enabled with the same group,
   otherwise phase 2 fails. */
policy BSAS_ipsec_policy {
    perfect-forward-secrecy {
        keys group2;
    }
    proposals BSAS_ipsec_prop;
}
/* Policy-based VPN (no bind-interface/st0) referenced by the two tunnel policies.
   NOTE(review): establish-tunnels immediately should make this SRX initiate at commit; since the
   author reports the tunnel only comes up when the peer initiates, check with
   `show security ike security-associations` whether phase 1 is ever started locally — this knob
   may not initiate a policy-based VPN on this release. A route-based design (st0 bind-interface)
   is the usual remedy and also simplifies carrying several networks over one tunnel — verify
   against the peer's capabilities. */
vpn BSAS_tunnel {
    ike {
        gateway BSAS_GW;
        ipsec-policy BSAS_ipsec_policy;
    }
    establish-tunnels immediately;
}