[j-nsp] Juniper Policy based VPN

George gmburu at cellulant.com
Tue Feb 16 07:08:22 EST 2010


How about get sa cmd

All my other working tunnels are in A/U except this one, which is in A/U and I/U
as shown below. Why would my outgoing SA be Inactive? Due to this I
cannot tunnel traffic to the specific host.

0000008d< 192.168.8.8   500 esp:a256/md5  35153af8  3533 unlim A/U   159 0
0000008d> 192.168.8.8   500 esp:a256/md5  ea070377  3533 unlim I/U   160 0

0000008f< 192.168.8.8   500 esp:a256/md5  35153af9  3543 unlim A/U   161 0
0000008f> 192.168.8.8   500 esp:a256/md5  3e0376fe  3543 unlim I/U   162 0


Regards
George


On Mon, 2010-02-15 at 17:20 +0000, Humair Ali wrote:

> Proxy id is just a value created by the source/destination and service
> 
> what do you see in the event logs, what does the other end see ?
> 
> post the logs related to the vpn in here 
> 
> 
> On 15 February 2010 16:16, George <gmburu at cellulant.com> wrote:
> 
>         Hello Ali
>         
>         I got no output in get ike cookie cmd for the remote peer,
>         below is the output of get sa (with IP replaced).
>         
>         0000008c< 192.168.8.8   500 esp:a256/md5  00000000 expir unlim I/I   163 0
>         0000008c> 192.168.8.8   500 esp:a256/md5  00000000 expir unlim I/I   164 0
>         
>         I was reading this 
>         http://forums.juniper.net/t5/Firewalls/Strange-behaviour-on-proxy-id-in-relation-to-policy-based-VPN-s/td-p/17227;jsessionid=D03859B6C630C41327CB0AE8063DC5E5
>         
>         there is something about multiple IPs in the destination,
>         what is proxyID about specifically?
>         
>         Regards
>         George
>         
>         
>         
>         
>         
>         On Mon, 2010-02-15 at 14:03 +0000, Humair Ali wrote:
>         
>         > Hi George
>         > 
>         > well, first things first,
>         > 
>         > if it was working and all of a sudden it became intermittent,
>         > then what has changed in your network ?
>         > 
>         > Did the remote end change anything in terms of set up ?
>         > 
>         > when you try to re-establish , you say it is not passing
>         > through the VPN , what do you see in your events logs ?
>         > 
>         > if you do get ike cookie and get SA , what do you see ?
>         > 
>         > Only route based vpn is bound to a Tunnel IF, policy based
>         > vpn is bound, well, to a policy with action "tunnel" (in the
>         > policy)
>         > 
>         > 
>         > On 15 February 2010 12:52, George <gmburu at cellulant.com>
>         > wrote:
>         > 
>         >         Hello
>         >         
>         >         We had a Juniper policy based VPN which was
>         >         initially working, all of a
>         >         sudden it became intermittent and we decided to
>         >         re-do it. Now after
>         >         redoing it, it refused to come up even as of now.
>         >         How do I sort it, and can a policy based VPN be
>         >         bound to a tunnel? For
>         >         the policy I'm using the Mapped IP to tunnel the
>         >         traffic to the remote
>         >         host but incidentally it is not passing through the
>         >         VPN when I do a
>         >         trace.
>         >         
>         >         Regards
>         >         -    ----
>         >         George Mburu N.
>         >         Networks and Infrastructure
>         >         Cellulant Group
>         >         
>         >         Life, is mobile....
>         >         -    ----
>         >         _______________________________________________
>         >         juniper-nsp mailing list juniper-nsp at puck.nether.net
>         >         https://puck.nether.net/mailman/listinfo/juniper-nsp 
>         > 
>         > 
>         
>         
>         
> 
> 



