[j-nsp] Strange J-Series IPSec Issue

Matt Stevens matt at elevate.org
Tue Jan 29 20:36:21 EST 2008


I'm trying to build a site-to-site IPSec tunnel with two J-4350's, but 
I'm running into a strange issue.

The tunnel appears to be up, the two routers see each other as neighbors 
in OSPF, I can even ping between the two routers.

In addition, a host on one side can ping a host on the other side. The 
problem comes when I try to put "real" traffic over the link. Connecting 
to port 80 on a remote machine doesn't work. Packet captures show no 
traffic coming back from the remote side.

I'm sure I'm missing something simple - but I'm at a loss as to what it is.

If anyone has any suggestions, they'd be much appreciated.
-- 
matt


Here's my partial config:

root> show ospf neighbor
Address          Interface              State     ID               Pri  Dead
10.206.32.1      sp-0/0/0.11            Full      218.81.216.253   128    37

root> show route protocol ospf

inet.0: 11 destinations, 12 routes (11 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.206.32.0/24     *[OSPF/10] 00:42:47, metric 2
                     > via sp-0/0/0.11
10.206.32.1/32     *[OSPF/10] 04:24:03, metric 1
                     > via sp-0/0/0.11
10.206.34.0/24     *[OSPF/10] 00:42:47, metric 2
                     > via sp-0/0/0.11
10.206.35.0/24     *[OSPF/10] 00:42:47, metric 2
                     > via sp-0/0/0.11
192.168.1.1/32      [OSPF/10] 05:05:46, metric 2
                     > via sp-0/0/0.11
218.81.216.0/24    *[OSPF/10] 00:42:47, metric 2
                     > via sp-0/0/0.11
224.0.0.5/32       *[OSPF/10] 1w0d 01:42:30, metric 1
                       MultiRecv

__juniper_private1__.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)

protocols {
     ospf {
         area 0.0.0.0 {
             interface sp-0/0/0.11;
             interface ge-0/0/0.0 {
                 passive;
             }
         }
     }
}
services {
     service-set ipsec {
         next-hop-service {
             inside-service-interface sp-0/0/0.11;
             outside-service-interface sp-0/0/0.10;
         }
         ipsec-vpn-options {
             local-gateway 1.1.1.1;
         }
         ipsec-vpn-rules ipsec-out;
     }
     ipsec-vpn {
         rule ipsec-out {
             term 1 {
                 then {
                     remote-gateway 2.2.2.2;
                     dynamic {
                         ike-policy ike-policy-hq;
                         ipsec-policy ipsec-policy-hq;
                     }
                     clear-dont-fragment-bit;
                     tunnel-mtu 1440;
                 }
             }
             match-direction input;
         }
         ipsec {
             proposal ipsec-proposal-hq {
                 protocol esp;
                 authentication-algorithm hmac-sha1-96;
                 encryption-algorithm aes-192-cbc;
                 lifetime-seconds 3600;
             }
             policy ipsec-policy-hq {
                 proposals ipsec-proposal-hq;
             }
         }
         ike {
             proposal site-to-site {
                 authentication-method pre-shared-keys;
                 dh-group group2;
                 authentication-algorithm sha1;
                 encryption-algorithm aes-192-cbc;
                 lifetime-seconds 86400;
             }
             policy ike-policy-hq {
                 mode main;
                 proposals site-to-site;
                 pre-shared-key ascii-text "XXX"; ## SECRET-DATA
             }
         }
         establish-tunnels immediately;
     }
}
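The symptom pattern in the post (small ICMP echoes and OSPF adjacencies work, full-size TCP sessions do not) is the one that makes an engineer reach for the ESP encapsulation arithmetic, since the posted rule sets `tunnel-mtu 1440` and `clear-dont-fragment-bit` and the proposal is ESP with `aes-192-cbc` and `hmac-sha1-96`. The script below is an added example, not part of the mailing-list thread and not Juniper code: it computes how large an inner IPv4 packet becomes after tunnel-mode ESP with that proposal, the largest inner packet that still fits an assumed 1500-byte path MTU, and the TCP MSS that would keep full segments under that size. Header and trailer sizes come from RFC 4303 (ESP), RFC 3602 (AES-CBC) and RFC 2404 (HMAC-SHA1-96); the 1500-byte outer MTU and the reading of `tunnel-mtu` as a bound on the pre-encapsulation packet are assumptions, and whether this arithmetic is what bites in the poster's setup is not something the post settles.

```python
"""ESP tunnel-mode size arithmetic for the proposal shown in the post.

Added example, not part of the original thread or any Juniper code.
Sizes: RFC 4303 (ESP header/trailer), RFC 3602 (AES-CBC IV and block),
RFC 2404 (HMAC-SHA1-96 ICV). Assumptions: IPv4 outer header without
options, a 1500-byte path MTU, and tunnel-mtu 1440 bounding the inner
(pre-encapsulation) packet.
"""

OUTER_IPV4_HDR = 20    # new IPv4 header added in tunnel mode (no options)
ESP_HDR = 8            # SPI (4) + sequence number (4)
AES_CBC_IV = 16        # explicit IV carried for aes-*-cbc
AES_BLOCK = 16         # CBC padding aligns the encrypted region to this
ESP_TRAILER = 2        # pad length (1) + next header (1)
HMAC_SHA1_96_ICV = 12  # truncated integrity check value
TCP_IPV4_HDRS = 40     # IPv4 (20) + TCP (20) without options


def encrypted_len(inner_len: int) -> int:
    """Length of the CBC-encrypted region: inner packet plus ESP trailer,
    padded up to a multiple of the cipher block size."""
    raw = inner_len + ESP_TRAILER
    return -(-raw // AES_BLOCK) * AES_BLOCK  # ceiling division


def outer_len(inner_len: int) -> int:
    """Bytes on the wire for an inner IPv4 packet of inner_len bytes after
    ESP tunnel-mode encapsulation with aes-*-cbc and hmac-sha1-96."""
    return (OUTER_IPV4_HDR + ESP_HDR + AES_CBC_IV
            + encrypted_len(inner_len) + HMAC_SHA1_96_ICV)


def fits(inner_len: int, path_mtu: int = 1500) -> bool:
    """True if the encapsulated packet needs no outer fragmentation."""
    return outer_len(inner_len) <= path_mtu


def max_inner_len(path_mtu: int = 1500) -> int:
    """Largest inner packet whose encapsulated form still fits path_mtu."""
    budget = path_mtu - OUTER_IPV4_HDR - ESP_HDR - AES_CBC_IV - HMAC_SHA1_96_ICV
    budget -= budget % AES_BLOCK  # encrypted region must be block-aligned
    return budget - ESP_TRAILER


def safe_tcp_mss(path_mtu: int = 1500) -> int:
    """TCP MSS that keeps a full segment at or under max_inner_len()."""
    return max_inner_len(path_mtu) - TCP_IPV4_HDRS


if __name__ == "__main__":
    # Constructed sample inner sizes: a default 56-byte-payload ping
    # (8 ICMP + 20 IP + 56 = 84 bytes) and a full packet at tunnel-mtu 1440.
    for label, size in [("default ping", 84), ("tunnel-mtu 1440", 1440)]:
        print(f"{label:16} inner={size:5} outer={outer_len(size):5} "
              f"fits_1500={fits(size)}")
    print("largest inner packet that fits 1500:", max_inner_len())
    print("TCP MSS that stays inside it       :", safe_tcp_mss())
```

Run as-is, the script shows that an 84-byte ping becomes a 152-byte ESP packet, while a 1440-byte inner packet pads to a 1456-byte encrypted region and leaves the router as 1512 bytes, above a 1500-byte outer MTU; the largest inner packet that fits is 1438 bytes, which corresponds to a TCP MSS of 1398. Those numbers are what you would compare against the actual outer-interface MTU and a capture of the ESP packets before deciding whether MSS clamping or a lower tunnel MTU is worth trying.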
