Hi,
SRX-to-Zyxel scenario.
Cannot get the traffic flow working over policy-based VPN.
VPN is up, both IKE and IPsec.
Policy and reverse policy are configured.
When viewing statistics for the IPsec ID, it shows "Encrypted" but no "Decrypted":
ESP Statistics:
Encrypted bytes: 52740
Decrypted bytes: 0
Encrypted packets: 423
Decrypted packets: 0
AH Statistics:
Input bytes: 0
Output bytes: 0
Input packets: 0
Output packets: 0
Errors:
AH authentication failures: 0, Replay errors: 0
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0
When pinging the server on the other side we can see "Encrypted" incrementing.
We were troubleshooting this and tried to trace the traffic towards the server across the VPN, but it went to the internet.
We created a source NAT rule with "source nat off" and now it simply dies at the firewall, meaning it goes into the tunnel?!
Anyway, no ping response from the other side, which should be allowed.
Checking the matching policy while pinging from the SRX side to the Zyxel side:
run show security flow session destination-prefix 192.168.75.5/32
Session ID: 10408, Policy name: vpn-1/32, Timeout: 52, Valid
In: 192.168.1.190/476 --> 192.168.75.5/1;icmp, If: vlan.103, Pkts: 1, Bytes: 60
Out: 192.168.75.5/1 --> 192.168.1.190/476;icmp, If: ge-0/0/0.0, Pkts: 0, Bytes: 0
Session ID: 16269, Policy name: vpn-1/32, Timeout: 38, Valid
In: 192.168.1.190/473 --> 192.168.75.5/1;icmp, If: vlan.103, Pkts: 1, Bytes: 60
Out: 192.168.75.5/1 --> 192.168.1.190/473;icmp, If: ge-0/0/0.0, Pkts: 0, Bytes: 0
Session ID: 35130, Policy name: vpn-1/32, Timeout: 58, Valid
In: 192.168.1.190/477 --> 192.168.75.5/1;icmp, If: vlan.103, Pkts: 1, Bytes: 60
Out: 192.168.75.5/1 --> 192.168.1.190/477;icmp, If: ge-0/0/0.0, Pkts: 0, Bytes: 0
Don't really know what to check next, guys.
Any help would be appreciated.
PS:
Forgot to mention the version:
Model: srx240h2
JUNOS Software Release [12.1X46-D25.7]
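
An added example, not part of the original post: a Python sketch that parses the two outputs pasted above and flags the one-way pattern they show, ESP packets encrypted with none decrypted and flow sessions whose return wing has zero packets. The function names and the trimmed sample text are constructed for this illustration.

```python
import re

# Constructed sample input, trimmed from the output quoted in the post.
ESP_STATS = """\
ESP Statistics:
Encrypted bytes: 52740
Decrypted bytes: 0
Encrypted packets: 423
Decrypted packets: 0
Errors:
AH authentication failures: 0, Replay errors: 0
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0
"""
FLOW_SESSIONS = """\
Session ID: 10408, Policy name: vpn-1/32, Timeout: 52, Valid
In: 192.168.1.190/476 --> 192.168.75.5/1;icmp, If: vlan.103, Pkts: 1, Bytes: 60
Out: 192.168.75.5/1 --> 192.168.1.190/476;icmp, If: ge-0/0/0.0, Pkts: 0, Bytes: 0
Session ID: 16269, Policy name: vpn-1/32, Timeout: 38, Valid
In: 192.168.1.190/473 --> 192.168.75.5/1;icmp, If: vlan.103, Pkts: 1, Bytes: 60
Out: 192.168.75.5/1 --> 192.168.1.190/473;icmp, If: ge-0/0/0.0, Pkts: 0, Bytes: 0
"""

def parse_counters(text):
    """Collect every 'name: number' pair, including comma-separated ones."""
    return {k.strip(): int(v) for k, v in re.findall(r"([A-Za-z ]+): (\d+)", text)}

def one_way_sessions(text):
    """Session IDs whose In wing carried packets while the Out wing saw none."""
    ids = []
    for block in re.split(r"(?=Session ID:)", text):
        sid = re.search(r"Session ID: (\d+)", block)
        wings = dict(re.findall(r"^(In|Out): .*?Pkts: (\d+)", block, re.M))
        if sid and int(wings.get("In", 0)) > 0 and wings.get("Out") == "0":
            ids.append(int(sid.group(1)))
    return ids

def diagnose(stats_text, flow_text):
    c = parse_counters(stats_text)
    err_keys = [k for k in c if "failures" in k or k.startswith(("Bad", "Replay"))]
    return {
        # Traffic leaves encrypted, nothing comes back through this SA.
        "esp_one_way": c.get("Encrypted packets", 0) > 0 and c.get("Decrypted packets", 0) == 0,
        # Zero here means no inbound ESP was counted as rejected either.
        "esp_errors": sum(c[k] for k in err_keys),
        "sessions_without_reply": one_way_sessions(flow_text),
    }

if __name__ == "__main__":
    print(diagnose(ESP_STATS, FLOW_SESSIONS))
```

With decrypted packets and every error counter at zero, the output gives no sign that return ESP traffic is reaching this SA at all, which points the next checks at the Zyxel side and the path between the peers.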