[j-nsp] Strange J-Series IPSec Issue
Matt Stevens
matt at elevate.org
Tue Jan 29 20:36:21 EST 2008
I'm trying to build a site-to-site IPSec tunnel with two J-4350s, but
I'm running into a strange issue.
The tunnel appears to be up, the two routers see each other as neighbors
in OSPF, I can even ping between the two routers.
In addition, a host on one side can ping a host on the other side. The
problem comes when I try to put "real" traffic over the link. Connecting
to port 80 on a remote machine doesn't work. Packet captures show no
traffic coming back from the remote side.
I'm sure I'm missing something simple, but I'm at a loss as to what it is.
If anyone has any suggestions, they'd be much appreciated.
--
matt
Here's my partial config:
root> show ospf neighbor
Address          Interface       State     ID               Pri  Dead
10.206.32.1      sp-0/0/0.11     Full      218.81.216.253   128    37

root> show route protocol ospf

inet.0: 11 destinations, 12 routes (11 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.206.32.0/24     *[OSPF/10] 00:42:47, metric 2
                    > via sp-0/0/0.11
10.206.32.1/32     *[OSPF/10] 04:24:03, metric 1
                    > via sp-0/0/0.11
10.206.34.0/24     *[OSPF/10] 00:42:47, metric 2
                    > via sp-0/0/0.11
10.206.35.0/24     *[OSPF/10] 00:42:47, metric 2
                    > via sp-0/0/0.11
192.168.1.1/32      [OSPF/10] 05:05:46, metric 2
                    > via sp-0/0/0.11
218.81.216.0/24    *[OSPF/10] 00:42:47, metric 2
                    > via sp-0/0/0.11
224.0.0.5/32       *[OSPF/10] 1w0d 01:42:30, metric 1
                      MultiRecv

__juniper_private1__.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
protocols {
    ospf {
        area 0.0.0.0 {
            interface sp-0/0/0.11;
            interface ge-0/0/0.0 {
                passive;
            }
        }
    }
}
services {
    service-set ipsec {
        next-hop-service {
            inside-service-interface sp-0/0/0.11;
            outside-service-interface sp-0/0/0.10;
        }
        ipsec-vpn-options {
            local-gateway 1.1.1.1;
        }
        ipsec-vpn-rules ipsec-out;
    }
    ipsec-vpn {
        rule ipsec-out {
            term 1 {
                then {
                    remote-gateway 2.2.2.2;
                    dynamic {
                        ike-policy ike-policy-hq;
                        ipsec-policy ipsec-policy-hq;
                    }
                    clear-dont-fragment-bit;
                    tunnel-mtu 1440;
                }
            }
            match-direction input;
        }
        ipsec {
            proposal ipsec-proposal-hq {
                protocol esp;
                authentication-algorithm hmac-sha1-96;
                encryption-algorithm aes-192-cbc;
                lifetime-seconds 3600;
            }
            policy ipsec-policy-hq {
                proposals ipsec-proposal-hq;
            }
        }
        ike {
            proposal site-to-site {
                authentication-method pre-shared-keys;
                dh-group group2;
                authentication-algorithm sha1;
                encryption-algorithm aes-192-cbc;
                lifetime-seconds 86400;
            }
            policy ike-policy-hq {
                mode main;
                proposals site-to-site;
                pre-shared-key ascii-text "XXX"; ## SECRET-DATA
            }
        }
        establish-tunnels immediately;
    }
}
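The symptom in the post (pings and OSPF pass, a TCP session to port 80 stalls with nothing coming back) is the pattern a practitioner would first check against packet size, because a small ping and a full-size TCP segment grow by the same fixed ESP overhead but only the large one can end up exceeding the outer MTU. The added example below is not from the post or from Juniper; it computes the on-the-wire size of an ESP tunnel-mode packet for exactly the algorithms in the posted proposal (aes-192-cbc with an explicit 16-byte IV and 16-byte block padding, hmac-sha1-96 with a 12-byte ICV), the largest inner packet that still fits a given outer MTU, and the TCP MSS that inner size implies. Assumptions, stated in the code as well: a plain IPv4 outer header with no options, no NAT-T UDP encapsulation, no extended sequence numbers, an outer-link MTU of 1500, and inner IPv4/TCP headers of 20 bytes each. The posted tunnel-mtu of 1440 is fed in alongside 1500 purely to compare the two sizes; the page does not say whether Junos applies that value before or after encapsulation, so the functions simply take a byte count.

```python
# Added example, not part of the original post or of any Juniper code.
# ESP tunnel-mode overhead for the posted proposal: aes-192-cbc + hmac-sha1-96.
# Assumptions: outer IPv4 header without options, no NAT-T UDP header,
# no extended sequence numbers, inner IPv4 + TCP headers without options.

OUTER_IPV4_HDR = 20        # outer IPv4 header, no options
ESP_HDR = 8                # SPI (4 bytes) + sequence number (4 bytes)
AES_CBC_IV = 16            # explicit IV, one AES block
AES_BLOCK = 16             # CBC pads (payload + trailer) up to a block boundary
ESP_TRAILER = 2            # pad length (1) + next header (1)
HMAC_SHA1_96_ICV = 12      # 96-bit truncated ICV
INNER_IPV4_TCP_HDRS = 40   # inner IPv4 (20) + TCP (20), no options

FIXED_OVERHEAD = OUTER_IPV4_HDR + ESP_HDR + AES_CBC_IV + HMAC_SHA1_96_ICV  # 56 bytes


def esp_packet_len(inner_len: int) -> int:
    """Wire size of an ESP tunnel-mode packet carrying an inner IPv4 packet of inner_len bytes."""
    plaintext = inner_len + ESP_TRAILER
    padded = -(-plaintext // AES_BLOCK) * AES_BLOCK   # round up to the block boundary
    return FIXED_OVERHEAD + padded


def max_inner_len(outer_mtu: int) -> int:
    """Largest inner IPv4 packet whose encapsulation still fits in outer_mtu unfragmented."""
    room = outer_mtu - FIXED_OVERHEAD
    padded = room - room % AES_BLOCK                   # round down to the block boundary
    return padded - ESP_TRAILER


def tcp_mss_for(inner_mtu: int) -> int:
    """TCP MSS a host would need so that a full segment fits in inner_mtu."""
    return inner_mtu - INNER_IPV4_TCP_HDRS


def fits(inner_len: int, outer_mtu: int) -> bool:
    """True if an inner packet of inner_len bytes crosses the outer link without fragmentation."""
    return esp_packet_len(inner_len) <= outer_mtu


if __name__ == "__main__":
    # Constructed sample sizes: a default 64-byte ICMP echo (84 bytes with IP header),
    # the old 576-byte minimum, and a full-size 1500-byte TCP segment.
    samples = {"ping (84 B)": 84, "576-byte datagram": 576, "full 1500-byte segment": 1500}
    for outer_mtu in (1500, 1440):   # 1500 assumed link MTU; 1440 is the posted tunnel-mtu
        print(f"outer MTU {outer_mtu}: max inner packet {max_inner_len(outer_mtu)} B, "
              f"implied TCP MSS {tcp_mss_for(max_inner_len(outer_mtu))}")
        for name, size in samples.items():
            print(f"  {name:24s} -> {esp_packet_len(size):4d} B on the wire, "
                  f"fits: {fits(size, outer_mtu)}")
```

With a 1500-byte outer link the fixed overhead is 56 bytes and AES-CBC padding leaves room for a 1438-byte inner packet (TCP MSS 1398); an 84-byte ping becomes a 152-byte ESP packet and fits easily, while a 1500-byte segment becomes 1560 bytes and does not. That asymmetry is why a capture on the far side can show the small probes and nothing from the bulk transfer, and why checking what the routers do with DF-set segments that exceed the limit (the posted config clears DF, so the question is whether the other router and the hosts agree) is a cheap first step before looking at the IPsec policy itself.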