forgot to config static routes?)
------------------------------
andrii furdyha
------------------------------
Original Message:
Sent: 04-17-2023 02:53
From: Clive Gwyther
Subject: SRX300 - VLAN not routing
All resolved and working. Layer 3 interfaces for routed traffic across the VPN working and also Layer 2 VLAN working.
------------------------------
Clive Gwyther
Original Message:
Sent: 04-12-2023 09:25
From: Clive Gwyther
Subject: SRX300 - VLAN not routing
I have two SRX300 Firewalls that I am trying to test a site-to-site VPN/VLAN on ... basic format as shown below:
PC-1 (150.150.160.10/24) --> SRX300 (150.150.160.3/24) <--- Site-to-Site IPSEC ---> SRX300 (150.150.160.2) ---> PC-2 (150.150.160.9/24)
The ipsec tunnel is up for both IKE and IPSEC so there is no issue there.
From PC-1 I can ping the gateway 10.10.10.3 and from PC-2 I can ping the gateway 10.10.10.2 so there is no issue there.
I have interface fe-0/0/2.0 as the VLAN entry interface on both SRXs and have the VLAN assigned to the interface.
I have the layer 3 addresses (as shown above) assigned to the VLAN.
Routing to st0.0 is in place.
Config of SRX-1:
set version 12.1X44.5
set system host-name pokemon-1
set system root-authentication encrypted-password <password>
set system services ssh
set system services telnet
set system services xnm-clear-text
set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.2
set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.254
set system services dhcp pool 192.168.1.0/24 router 192.168.1.1
set system services dhcp propagate-settings fe-0/0/0.0
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set interfaces fe-0/0/0 unit 0
set interfaces fe-0/0/1 description ipsec-tunnel-phase1-pokemon
set interfaces fe-0/0/1 unit 0 family inet address 150.150.150.2/24
set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members pokemon-1
set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/5 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/6 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/7 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces pt-1/0/0 unit 0
set interfaces st0 unit 0 family inet address 150.150.151.49/30
set interfaces vlan unit 0 family inet address 192.168.1.1/24
set interfaces vlan unit 247 family inet address 150.150.160.3/24
set routing-options static route 0.0.0.0/0 next-hop st0.0
set routing-options static route 150.150.160.10/32 next-hop st0.0
set protocols stp
set security ike proposal pokemon-ike-proposal authentication-method pre-shared-keys
set security ike proposal pokemon-ike-proposal dh-group group2
set security ike proposal pokemon-ike-proposal authentication-algorithm sha1
set security ike proposal pokemon-ike-proposal encryption-algorithm aes-128-cbc
set security ike proposal pokemon-ike-proposal lifetime-seconds 86400
set security ike policy pokemon-ike-policy mode main
set security ike policy pokemon-ike-policy proposals pokemon-ike-proposal
set security ike policy pokemon-ike-policy pre-shared-key ascii-text <password>
set security ike gateway pokemon-gw ike-policy pokemon-ike-policy
set security ike gateway pokemon-gw address 150.150.150.1
set security ike gateway pokemon-gw dead-peer-detection always-send
set security ike gateway pokemon-gw external-interface fe-0/0/1.0
set security ipsec proposal pokemon-ipsec-proposal protocol esp
set security ipsec proposal pokemon-ipsec-proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal pokemon-ipsec-proposal encryption-algorithm aes-128-cbc
set security ipsec proposal pokemon-ipsec-proposal lifetime-seconds 3600
set security ipsec policy pokemon-ipsec-policy perfect-forward-secrecy keys group2
set security ipsec policy pokemon-ipsec-policy proposals pokemon-ipsec-proposal
set security ipsec vpn pokemon-vpn bind-interface st0.0
set security ipsec vpn pokemon-vpn ike gateway pokemon-gw
set security ipsec vpn pokemon-vpn ike ipsec-policy pokemon-ipsec-policy
set security ipsec vpn pokemon-vpn establish-tunnels immediately
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match application any
set security policies from-zone trust to-zone trust policy trust-to-trust then permit
set security policies from-zone untrust to-zone trust policy untrust-to-trust match source-address any
set security policies from-zone untrust to-zone trust policy untrust-to-trust match destination-address any
set security policies from-zone untrust to-zone trust policy untrust-to-trust match application any
set security policies from-zone untrust to-zone trust policy untrust-to-trust then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.0
set security zones security-zone trust interfaces st0.0
set security zones security-zone trust interfaces fe-0/0/1.0
set security zones security-zone trust interfaces vlan.247
set security zones security-zone trust interfaces fe-0/0/2.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services tftp
set security zones security-zone untrust interfaces pt-1/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces pt-1/0/0.0 host-inbound-traffic system-services tftp
set vlans pokemon vlan-id 30
set vlans pokemon-1 vlan-id 247
set vlans pokemon-1 l3-interface vlan.247
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface vlan.0
Config of SRX-2:
set version 11.4R7.5
set system host-name pokemon-2
set system root-authentication encrypted-password <password>
set system services ssh
set system services telnet
set system services xnm-clear-text
set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.2
set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.254
set system services dhcp pool 192.168.1.0/24 router 192.168.1.1
set system services dhcp propagate-settings fe-0/0/0.0
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set interfaces fe-0/0/0 unit 0
set interfaces fe-0/0/1 description ipsec-tunnel-phase1-pokemon
set interfaces fe-0/0/1 unit 0 family inet address 150.150.150.1/24
set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members pokemon-1
set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/5 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/6 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/7 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces pt-1/0/0 unit 0
set interfaces st0 unit 0 family inet address 150.150.151.50/30
set interfaces vlan unit 0 family inet address 192.168.1.1/24
set interfaces vlan unit 247 family inet address 150.150.160.2/24
set routing-options static route 0.0.0.0/0 next-hop st0.0
set routing-options static route 150.150.160.9/32 next-hop st0.0
set protocols stp
set security ike proposal pokemon-ike-proposal authentication-method pre-shared-keys
set security ike proposal pokemon-ike-proposal dh-group group2
set security ike proposal pokemon-ike-proposal authentication-algorithm sha1
set security ike proposal pokemon-ike-proposal encryption-algorithm aes-128-cbc
set security ike proposal pokemon-ike-proposal lifetime-seconds 86400
set security ike policy pokemon-ike-policy mode main
set security ike policy pokemon-ike-policy proposals pokemon-ike-proposal
set security ike policy pokemon-ike-policy pre-shared-key ascii-text <password>
set security ike gateway pokemon-gw ike-policy pokemon-ike-policy
set security ike gateway pokemon-gw address 150.150.150.2
set security ike gateway pokemon-gw dead-peer-detection always-send
set security ike gateway pokemon-gw external-interface fe-0/0/1.0
set security ipsec proposal pokemon-ipsec-proposal protocol esp
set security ipsec proposal pokemon-ipsec-proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal pokemon-ipsec-proposal encryption-algorithm aes-128-cbc
set security ipsec proposal pokemon-ipsec-proposal lifetime-seconds 3600
set security ipsec policy pokemon-ipsec-policy perfect-forward-secrecy keys group2
set security ipsec policy pokemon-ipsec-policy proposals pokemon-ipsec-proposal
set security ipsec vpn pokemon-vpn bind-interface st0.0
set security ipsec vpn pokemon-vpn ike gateway pokemon-gw
set security ipsec vpn pokemon-vpn ike ipsec-policy pokemon-ipsec-policy
set security ipsec vpn pokemon-vpn establish-tunnels immediately
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match application any
set security policies from-zone trust to-zone trust policy trust-to-trust then permit
set security policies from-zone untrust to-zone trust policy untrust-to-trust match source-address any
set security policies from-zone untrust to-zone trust policy untrust-to-trust match destination-address any
set security policies from-zone untrust to-zone trust policy untrust-to-trust match application any
set security policies from-zone untrust to-zone trust policy untrust-to-trust then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.0
set security zones security-zone trust interfaces st0.0
set security zones security-zone trust interfaces fe-0/0/1.0
set security zones security-zone trust interfaces vlan.247
set security zones security-zone trust interfaces fe-0/0/2.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services tftp
set security zones security-zone untrust interfaces pt-1/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces pt-1/0/0.0 host-inbound-traffic system-services tftp
set vlans pokemon-1 vlan-id 247
set vlans pokemon-1 l3-interface vlan.247
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface vlan.0
Anyone have any idea why I cannot ping from one PC to the other? It must be something to do with the routing or policies, but I cannot work out what. Any help would be great.
Many thanks
------------------------------
Clive Gwyther
------------------------------
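As an added example (not code from the thread, and not a Juniper tool), here is a small Python linter that reads the two 'set'-format configs posted above and reports three things a reviewer would want to see before touching security policies: IPv4 subnets that are directly connected on both tunnel endpoints (hosts on such a subnet treat each other as on-link and ARP instead of sending to their gateway), static routes via st0.0 whose prefix lies inside a subnet the same box already has connected (the longer /32 wins over the connected /24, so traffic for a locally attached host is steered into the tunnel), and clear-text management services (telnet, xnm-clear-text) left enabled. The embedded configs are excerpts copied from the thread; the regular expressions cover only the statement shapes that appear there, and the subnet carrying the IKE peer address is assumed to be the intended shared underlay and is skipped.

```python
import ipaddress
import re

# Excerpts of the two configs posted in the thread (only the lines the checks need;
# the parser also accepts a full 'show configuration | display set' dump).
SRX1 = """\
set system host-name pokemon-1
set system services ssh
set system services telnet
set system services xnm-clear-text
set interfaces fe-0/0/1 unit 0 family inet address 150.150.150.2/24
set interfaces st0 unit 0 family inet address 150.150.151.49/30
set interfaces vlan unit 0 family inet address 192.168.1.1/24
set interfaces vlan unit 247 family inet address 150.150.160.3/24
set routing-options static route 0.0.0.0/0 next-hop st0.0
set routing-options static route 150.150.160.10/32 next-hop st0.0
set security ike gateway pokemon-gw address 150.150.150.1
"""

SRX2 = """\
set system host-name pokemon-2
set system services ssh
set system services telnet
set system services xnm-clear-text
set interfaces fe-0/0/1 unit 0 family inet address 150.150.150.1/24
set interfaces st0 unit 0 family inet address 150.150.151.50/30
set interfaces vlan unit 0 family inet address 192.168.1.1/24
set interfaces vlan unit 247 family inet address 150.150.160.2/24
set routing-options static route 0.0.0.0/0 next-hop st0.0
set routing-options static route 150.150.160.9/32 next-hop st0.0
set security ike gateway pokemon-gw address 150.150.150.2
"""

HOST_RE = re.compile(r"^set system host-name (\S+)$")
SVC_RE = re.compile(r"^set system services (\S+)$")
ADDR_RE = re.compile(r"^set interfaces (\S+) unit (\d+) family inet address (\S+)$")
ROUTE_RE = re.compile(r"^set routing-options static route (\S+) next-hop (\S+)$")
GW_RE = re.compile(r"^set security ike gateway \S+ address (\S+)$")

# Management services that carry credentials or configuration in clear text.
CLEARTEXT_SERVICES = {"telnet", "xnm-clear-text", "ftp"}


def parse_set_config(text):
    """Reduce a 'set'-format config to the pieces the checks below need."""
    cfg = {"host": None, "services": set(), "inet": {}, "routes": {}, "ike_peers": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if m := HOST_RE.match(line):
            cfg["host"] = m.group(1)
        elif m := SVC_RE.match(line):
            cfg["services"].add(m.group(1))
        elif m := ADDR_RE.match(line):
            ifl = f"{m.group(1)}.{m.group(2)}"  # logical interface, e.g. vlan.247
            cfg["inet"][ifl] = ipaddress.ip_interface(m.group(3))
        elif m := ROUTE_RE.match(line):
            cfg["routes"][ipaddress.ip_network(m.group(1))] = m.group(2)
        elif m := GW_RE.match(line):
            cfg["ike_peers"].add(ipaddress.ip_address(m.group(1)))
    return cfg


def connected_subnets(cfg):
    """Connected IPv4 subnet -> logical interface, skipping the tunnel itself and
    the underlay link that carries the IKE peer (expected to be shared)."""
    out = {}
    for ifl, addr in cfg["inet"].items():
        if ifl.startswith("st0") or any(p in addr.network for p in cfg["ike_peers"]):
            continue
        out[addr.network] = ifl
    return out


def shared_subnets(cfg_a, cfg_b):
    """Subnets directly connected on routed interfaces of BOTH endpoints."""
    a, b = connected_subnets(cfg_a), connected_subnets(cfg_b)
    return sorted((str(n), a[n], b[n]) for n in a.keys() & b.keys())


def tunnel_routes_into_connected(cfg, tunnel="st0.0"):
    """Static routes via the tunnel whose prefix sits inside a subnet this device
    already has connected; the longer prefix overrides the connected route."""
    hits = []
    for prefix, next_hop in cfg["routes"].items():
        if next_hop != tunnel:
            continue
        for net, ifl in connected_subnets(cfg).items():
            if prefix != net and prefix.subnet_of(net):
                hits.append((str(prefix), ifl, str(net)))
    return sorted(hits)


def cleartext_services(cfg):
    return sorted(cfg["services"] & CLEARTEXT_SERVICES)


def lint(cfg_a, cfg_b):
    """Findings for a pair of tunnel endpoints, as readable strings."""
    findings = []
    for net, ifl_a, ifl_b in shared_subnets(cfg_a, cfg_b):
        findings.append(f"subnet {net} is connected on both {cfg_a['host']}:{ifl_a} and "
                        f"{cfg_b['host']}:{ifl_b}; hosts on it ARP for each other "
                        f"instead of sending to their gateway")
    for cfg in (cfg_a, cfg_b):
        for prefix, ifl, net in tunnel_routes_into_connected(cfg):
            findings.append(f"{cfg['host']}: route {prefix} -> st0.0 overrides connected "
                            f"{net} on {ifl}")
        for svc in cleartext_services(cfg):
            findings.append(f"{cfg['host']}: clear-text management service '{svc}' enabled")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_set_config(SRX1), parse_set_config(SRX2)):
        print("-", finding)
```

Run against the posted excerpts it reports 150.150.160.0/24 (and the default 192.168.1.0/24) as connected on both boxes, the /32 host route on each side as overriding that box's own connected /24, and telnet plus xnm-clear-text on both.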