[j-nsp] Help needed with IPSEC VPN on J-Series

Richard Gross rich at textplusteam.com
Wed Mar 20 12:40:35 EDT 2013


When I had nothing in the proxy-identity the show security ipsec
security-associations showed UP but did not pass traffic.

show configuration security ipsec vpn test-vpn
bind-interface st0.0;
vpn-monitor {
    source-interface lo0.1;
    destination-ip 192.168.199.146;
}
ike {
    gateway test-vpn-gateway;
    proxy-identity {
        local 10.10.55.245/32;
        remote 192.168.199.146/32;
        service any;
    }
    ipsec-policy test-vpn-policy;
}
establish-tunnels immediately;

(IP's changed...)

I had to put in proxy-identity info. Also check your security nat source
if you are doing any NAT.

If you want to post the config it would probably help.

richg


On Wed, Mar 20, 2013 at 9:29 AM, Aaron Dewell <aaron.dewell at gmail.com> wrote:

>
> You'll also need a policy which allows traffic from trust to trust, i.e.:
>
> set security policies from-zone trust to-zone trust match source-address
> any
> set security policies from-zone trust to-zone trust match
> destination-address any
> set security policies from-zone trust to-zone trust match protocol any
> set security policies from-zone trust to-zone trust then permit
>
> Cross-interface traffic is not allowed by default even within the same
> zone.
>
> On Mar 20, 2013, at 10:16 AM, Bill Sandiford wrote:
> > For the most part this J-series has always just acted as a router without
> > any tunnels per se.  As such, I have always had all interfaces in the
> > trust zone, as follows
> >
> > zones {
> >    security-zone trust {
> >        tcp-rst;
> >        host-inbound-traffic {
> >            system-services {
> >                any-service;
> >            }
> >            protocols {
> >                all;
> >            }
> >        }
> >        interfaces {
> >            all;
> >        }
> >    }
> > }
> >
> > Will this accomplish what you are suggesting?
> >
> > On 2013-03-20 11:52 AM, "Patrick Dickey" <dickeypjeep at yahoo.com> wrote:
> >
> >> I don't remember if the J series behaves exactly like the SRXs when it
> >> comes to IPSec, but if it is make sure to put the st0.x interface into a
> >> security zone and have a security policy allowing the traffic.
> >>
> >> I believe that's only a requirement if you're running the enhanced
> >> services/security code on the J, but I think you have to be to get IPSec.
> >>
> >> HTH
> >>
> >>
> >> -----Original Message-----
> >> From: juniper-nsp-bounces at puck.nether.net
> >> [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Bill Sandiford
> >> Sent: Wednesday, March 20, 2013 8:47 AM
> >> To: juniper-nsp at puck.nether.net
> >> Subject: [j-nsp] Help needed with IPSEC VPN on J-Series
> >>
> >> Hi All,
> >>
> >> I need some help with an IPSEC tunnel that I just can't seem to get
> >> working on a J-6350.  I have been able to get the tunnels to come up, but
> >> can't seem to pass traffic over the tunnels.
> >>
> >> I've done the usual things.  I've created an st0.0 interface and bound it
> >> to the tunnel using the bind-interface command.  I've created a static
> >> route and pointed it at the st0.0 interface.  I just can't seem to get
> >> traffic to pass over the tunnel.
> >>
> >> Any help or suggestions would be appreciated.  I'm also willing to put a
> >> $$$ bounty on this for anyone that is willing to help me get it working
> >> via teamviewer.
> >>
> >> Regards,
> >> Bill
> >>
> >>
> >> _______________________________________________
> >> juniper-nsp mailing list juniper-nsp at puck.nether.net
> >> https://puck.nether.net/mailman/listinfo/juniper-nsp
> >>
> >
>
>
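As an added example (not code from any of the posters), here is a small Python lint that reads a Junos configuration in `show configuration | display set` form and flags the three omissions this thread converges on: a VPN with a bind-interface but no proxy-identity (Richard's point), an st0 interface that is not in any security zone (Patrick's point), and a zone with no permit policy, intra-zone included (Aaron's point). A zone with `interfaces all`, as in Bill's config, is treated as covering the st0 interface. The two sample configs, the VPN, gateway and zone names and the policy name `allow-intra` are constructed; the policy lines carry a policy name and use `match application any`, which is what the set-format syntax takes.

```python
import re
from collections import defaultdict

# Constructed sample configs in "show configuration | display set" form
# (not taken from the thread). BROKEN mirrors the symptom described: tunnel
# bound to st0.0 but no proxy-identity, no zone for st0.0, no policy.
BROKEN_CONFIG = """\
set security ipsec vpn test-vpn bind-interface st0.0
set security ipsec vpn test-vpn ike gateway test-vpn-gateway
set security ipsec vpn test-vpn ike ipsec-policy test-vpn-policy
set security ipsec vpn test-vpn establish-tunnels immediately
set security zones security-zone trust interfaces ge-0/0/0.0
"""

# Same config with the three fixes from the thread applied.
FIXED_CONFIG = BROKEN_CONFIG + """\
set security ipsec vpn test-vpn ike proxy-identity local 10.10.55.245/32
set security ipsec vpn test-vpn ike proxy-identity remote 192.168.199.146/32
set security ipsec vpn test-vpn ike proxy-identity service any
set security zones security-zone trust interfaces st0.0
set security policies from-zone trust to-zone trust policy allow-intra match source-address any
set security policies from-zone trust to-zone trust policy allow-intra match destination-address any
set security policies from-zone trust to-zone trust policy allow-intra match application any
set security policies from-zone trust to-zone trust policy allow-intra then permit
"""

BIND_RE = re.compile(r"^set security ipsec vpn (\S+) bind-interface (\S+)$")
PROXY_RE = re.compile(r"^set security ipsec vpn (\S+) ike proxy-identity (local|remote) (\S+)$")
ZONE_IF_RE = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)$")
PERMIT_RE = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) then permit$")


def parse_set_config(text):
    """Index the parts of a set-format config that the checks below need.

    Returns (vpn -> bind interface, vpn -> {local, remote} seen,
             interface -> zone, [(from-zone, to-zone, policy-name)]).
    """
    vpn_iface, proxy_ids = {}, defaultdict(set)
    iface_zone, permits = {}, []
    for line in text.splitlines():
        line = line.strip()
        if m := BIND_RE.match(line):
            vpn_iface[m.group(1)] = m.group(2)
        elif m := PROXY_RE.match(line):
            proxy_ids[m.group(1)].add(m.group(2))
        elif m := ZONE_IF_RE.match(line):
            iface_zone[m.group(2)] = m.group(1)   # "all" is recorded as a pseudo-interface
        elif m := PERMIT_RE.match(line):
            permits.append((m.group(1), m.group(2), m.group(3)))
    return vpn_iface, proxy_ids, iface_zone, permits


def lint_vpn_config(text):
    """Return a list of findings; an empty list means every bound VPN passed."""
    vpn_iface, proxy_ids, iface_zone, permits = parse_set_config(text)
    findings = []
    for vpn, iface in vpn_iface.items():
        # 1. Route-based VPN without proxy-identity: the SA can show UP while
        #    no traffic matches the negotiated selectors.
        missing = {"local", "remote"} - proxy_ids[vpn]
        if missing:
            findings.append(f"{vpn}: no proxy-identity {'/'.join(sorted(missing))}")
        # 2. The st0 interface must belong to a security zone; "interfaces all"
        #    counts as membership.
        zone = iface_zone.get(iface) or iface_zone.get("all")
        if zone is None:
            findings.append(f"{vpn}: {iface} is not in any security zone")
            continue
        # 3. Some permit policy must reference that zone; same-zone traffic is
        #    not permitted by default, so a trust-to-trust policy also counts.
        if not any(zone in (frm, to) for frm, to, _ in permits):
            findings.append(f"{vpn}: no permit policy from or to zone {zone}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, lint_vpn_config(cfg) or "OK")
```

Run it against the output of `show configuration security | display set` saved to a file and it reports, per VPN, which of the three pieces is absent; it deliberately does not try to judge the source NAT rules Richard mentions, since those depend on the addresses in use.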

