SRX

 View Only
last person joined: 2 days ago 

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  [SOLVED] Juniper SRX 100 multiple ipsec vpn tunnels

    Posted 04-14-2014 02:32

    Hi! I am trying to add one more ipsec tunnel and I can't manage to figure out why Juniper didn't initiate SA.

     

    How it is configured and working now:

    linux _box 192.168.70.0/24 ---- L_IP ------------------- Juniper-1 IP ----- 192.168.10.0/24

     

     

    linux_box 192.168.70.0/24 ---- L_IP ------------------- Juniper-2 IP ----- 192.168.11.0/24 

     

    I want to add 1 more tunnel to Juniper-1 and connet it to Juniper-2

    linux_box 192.168.70.0/24 ---- L_IP ------------------- Juniper-1 IP ----- 192.168.10.0/24

     

                                                                                                      |

                                                                                                      |

    linux_box 192.168.70.0/24 ---- L_IP ------------------- Juniper-2 IP ----- 192.168.11.0/24

     

     

    But there is no ike SA at all:

    show security ike security-associations
        Index State Initiator cookie Responder cookie Mode Remote Address
        7890123 UP 00c9d224cf899b9c 76d39d264b3585dc Main Linux_box

    show security ike security-associations inactive
        Total inactive ike SAs: 0

     

    Juniper-1 conf is: http://pastebin.com/G7sCF9m2

    Juniper-2 conf is: http://pastebin.com/JGhrSRbX

     

     

     


    #ipsecsrx100


  • 2.  RE: [SOLVED] Juniper SRX 100 multiple ipsec vpn tunnels
    Best Answer

    Posted 04-14-2014 05:08

    I think you would need to add "ike" as an allowed system-service under your host-inbound-traffic policy on your external interface in your external security zone.  Also, we generally either have the st interface in a different zone than "trust", or create some NAT exclusions so that your trust->untrust NAT statement does not cover your VPN traffic.

     

    Ron



  • 3.  RE: [SOLVED] Juniper SRX 100 multiple ipsec vpn tunnels

    Posted 04-14-2014 05:16

    Aww, thank you! 



  • 4.  RE: [SOLVED] Juniper SRX 100 multiple ipsec vpn tunnels

    Posted 04-14-2014 05:35

    Not a problem at all...  I cannot tell you how many times a missed host-inbound-traffic issue has caused me to spend an inordinate amount of time troubleshooting BGP, OSPF, IKE, etc.

     

    Ron