View Only
last person joined: yesterday 

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Policy-based VPN between srx210 and Checkpoint R70.1

    Posted 08-01-2013 03:38



    I've setup a Policy-based VPN between my SRX210 and a provider's Checkpoint R70. I have no control on it. 
    The VPN connections are good, the VPN is establish. 
    My problem is that the traffic does't go trought it. The checkpoint sees in is log that we are sending packet, but it sees our encrypted-domains at, it should be the remote network.


    here the ipsec security-associations details :


    rancid@oyz-fw-01.hq> show security ipsec security-associations detail index 2
    Virtual-system: root
    Local Gateway: x.x.x.x, Remote Gateway: y.y.y.y
    Local Identity: ipv4_subnet(any:0,[0..7]=
    Remote Identity: ipv4_subnet(any:0,[0..7]=


    Why my Remote Identity is ??


    I followed the Juniper tech docs to configure the VPN.


    I tried to set the network in the proxy-identity, but, when I enable the proxy-identity, my local identy is set to too..


    Thanks for you help.. 


  • 2.  RE: Policy-based VPN between srx210 and Checkpoint R70.1
    Best Answer

    Posted 08-01-2013 07:30

    If multiple objects are configured in a policy for source address, destination address, or application, then the resulting proxy ID will be changed to zeroes.


    For example say local address is subnet and remote address is and then resulting proxy-id is for remote.


    So you need to create multiple proxy-id for each of the different subnets by creating single object in a policy for source address/destination address.




  • 3.  RE: Policy-based VPN between srx210 and Checkpoint R70.1

    Posted 08-01-2013 09:02



    I did something like that and it worked.

    I also change the global address book to address-sets.


    Thanks for your help.