Hi
I want to have this configuration with an SRX210. Please see the attached diagram and also the configuration. I also attached the chassis cluster diagram, which is not important, I think. Just in case...
I have a remote site. Its name is (branch-)pernik, and there is a central site, domino. The branch consists of an SRX210 chassis cluster. Domino is a single SRX210, but with selective packet services enabled.
I want this:
- pernik should have an IPsec VPN to domino
- domino has 2 routing instances. One is the master (flow) and the second is packet based.
- domino's instances are interconnected with lt interfaces that have IP addresses.
- the packet VR has input firewall filters enabled with the action modifier ... then packet-mode
- the flow-mode router has routes only to the 192.168.2.0/24 subnet and to the packet VR
Is this configuration (with lt-0/0/1 as external-interface in the IKE gateway configuration) supported?
My previous configuration without selective packet services worked as it should, so I think it is a problem of selective packet services and that this configuration is unsupported. Now, after router startup, the IPsec association is created for some time, but traffic can't go through. And after a couple of minutes the IPsec association is torn down, but IKE still remains UP. But now, after the weekend, I cannot even see IKE UP 😞
See some logs and output below.
- The second thing I want to have is the 192.168.2.0/24 subnet source-NATed to the public address assigned to lt-0/0/1 (is even this supported or possible?)
Branch SRX Series and J Series selective packet services:
http://www.juniper.net/us/en/local/pdf/app-notes/3500192-en.pdf
There is a somewhat similar configuration there, with IPsec as WAN failover.
Now I am thinking, as my config isn't supported, that I will assign an address from the ISP A subnet to the flow master VR as well, to act as a gateway and also to our network.
***The logs aren't very clear. There is so much I should post here. But as I said, firstly I want to know whether NAT and IPsec are supported on lt interfaces.***
Disabling NAT also disabled the creation of the IKE association. It was connecting to port 4500.
Sep 12 11:08:23 Group/Shared IKE ID VPN configured: 0
Sep 12 11:08:24 Obsolete parameter length_of_local_secret is not set to zero in ssh_ike_init
Sep 12 11:08:24 Obsolete parameter token_hash_type is not set to zero in ssh_ike_init
Sep 12 11:08:24 KMD_INTERNAL_ERROR: VPN monitor ping send via tunnel 131073 failed, err 65
Sep 12 11:08:25 KMD_INTERNAL_ERROR: iked_ifstate_eoc_handler: EOC msg received
Does anyone know whether this should be working?
Jozef Klacko
#IPSec#VirtualRouter#packet#lt#selectivepacketservices#flow
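The two-instance design described in the post, written out as a Junos configuration fragment. This is an added illustration, not the poster's configuration and not a vendor reference; it only shows how the pieces from the post (flow master instance, packet VR joined by lt-0/0/1, input filters with `then packet-mode`, IKE gateway with the lt unit as `external-interface`, interface source NAT) fit together syntactically. Everything not named in the post is an assumption: ISP A is taken to hand out 203.0.113.0/30 for the WAN link and to route 203.0.113.8/29 to domino, the lt link uses 203.0.113.8/30 from that block so the flow side gets a public address, pernik's public address and LAN prefix are placeholders, and so are the zone, policy and gateway names. Whether IKE over an lt unit works on the platform is exactly the open question of the post; this fragment does not settle it.

```junos
## Added illustration of the design in the post; not the poster's configuration.
## Assumed: ISP A WAN link 203.0.113.0/30 (gateway .1), routed block 203.0.113.8/29;
## lt-0/0/1 unit 0 (flow, master instance) peers with unit 1 (packet VR);
## pernik public address 198.51.100.10 and LAN 192.168.1.0/24 are placeholders.
interfaces {
    ge-0/0/0 {                                  ## WAN to ISP A, member of the packet VR
        unit 0 { family inet { filter { input to-packet-mode; } address 203.0.113.2/30; } }
    }
    ge-0/0/1 {                                  ## LAN, flow-processed in the master instance
        unit 0 { family inet { address 192.168.2.1/24; } }
    }
    lt-0/0/1 {
        unit 0 {                                ## flow side: public address used for IKE and NAT
            encapsulation frame-relay;
            dlci 100;
            peer-unit 1;
            family inet { address 203.0.113.9/30; }
        }
        unit 1 {                                ## packet side, member of the packet VR
            encapsulation frame-relay;
            dlci 100;
            peer-unit 0;
            family inet { filter { input to-packet-mode; } address 203.0.113.10/30; }
        }
    }
    st0 { unit 0 { family inet; } }             ## route-based tunnel to pernik
}
firewall {
    family inet {
        filter to-packet-mode {
            term all { then { packet-mode; accept; } }   ## selective packet services: bypass flow
        }
    }
}
routing-instances {
    packet-vr {
        instance-type virtual-router;
        interface ge-0/0/0.0;
        interface lt-0/0/1.1;
        routing-options {
            static { route 0.0.0.0/0 next-hop 203.0.113.1; }   ## 203.0.113.8/30 is directly connected
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 203.0.113.10;  ## flow instance reaches the outside only via the packet VR
        route 192.168.1.0/24 next-hop st0.0;    ## pernik's LAN (placeholder prefix)
    }
}
security {
    zones {
        security-zone trust   { interfaces { ge-0/0/1.0; } }
        security-zone vpn     { interfaces { st0.0; } }
        security-zone untrust {
            host-inbound-traffic { system-services { ike; } }
            interfaces { lt-0/0/1.0; }
        }
    }
    ike {
        policy ike-pol {
            proposal-set standard;
            pre-shared-key ascii-text "replace-me";   ## placeholder
        }
        gateway gw-pernik {
            ike-policy ike-pol;
            address 198.51.100.10;                    ## pernik's public address (placeholder)
            external-interface lt-0/0/1.0;            ## the setting the post asks about
        }
    }
    ipsec {
        policy ipsec-pol { proposal-set standard; }
        vpn to-pernik {
            bind-interface st0.0;
            ike { gateway gw-pernik; ipsec-policy ipsec-pol; }
            establish-tunnels immediately;
        }
    }
    nat {
        source {
            rule-set lan-to-wan {
                from zone trust;
                to zone untrust;
                rule lan-out { match { source-address 192.168.2.0/24; } then { source-nat { interface; } } }
            }
        }
    }
}
```

Security policies (trust to untrust, trust to vpn and the reverse) are omitted; without them no transit traffic passes even if the tunnel comes up. The `packet-mode` filter is applied only to interfaces that belong to the packet VR, so the flow instance, including lt-0/0/1.0, stays under session-based processing, which is what the post's NAT and IKE rely on.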