[j-nsp] Help needed with IPSEC VPN on J-Series
Bill Sandiford
bill at telnetcommunications.com
Wed Mar 20 13:55:43 EDT 2013
So I added the following configuration in. The syntax was a little
different than what you sent, but basically the same thing (I think).
> show configuration security policies
from-zone trust to-zone trust {
    policy policy1 {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
default-policy {
    permit-all;
}
...but still not working :(
On 2013-03-20 12:29 PM, "Aaron Dewell" <aaron.dewell at gmail.com> wrote:
>
>You'll also need a policy which allows traffic from trust to trust, i.e.:
>
>set security policies from-zone trust to-zone trust match source-address any
>set security policies from-zone trust to-zone trust match destination-address any
>set security policies from-zone trust to-zone trust match protocol any
>set security policies from-zone trust to-zone trust then permit
>
>Cross-interface traffic is not allowed by default even within the same
>zone.
>
>On Mar 20, 2013, at 10:16 AM, Bill Sandiford wrote:
>> For the most part this J-series has always just acted as a router
>> without any tunnels per se. As such, I have always had all interfaces
>> in the trust zone, as follows
>>
>> zones {
>>     security-zone trust {
>>         tcp-rst;
>>         host-inbound-traffic {
>>             system-services {
>>                 any-service;
>>             }
>>             protocols {
>>                 all;
>>             }
>>         }
>>         interfaces {
>>             all;
>>         }
>>     }
>> }
>>
>> Will this accomplish what you are suggesting?
>>
>> On 2013-03-20 11:52 AM, "Patrick Dickey" <dickeypjeep at yahoo.com> wrote:
>>
>>> I don't remember if the J series behaves exactly like the SRXs when it
>>> comes to IPSec, but if it is, make sure to put the st0.x interface into
>>> a security zone and have a security policy allowing the traffic.
>>>
>>> I believe that's only a requirement if you're running the enhanced
>>> services/security code on the J, but I think you have to be to get
>>> IPSec.
>>>
>>> HTH
>>>
>>>
>>> -----Original Message-----
>>> From: juniper-nsp-bounces at puck.nether.net
>>> [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Bill Sandiford
>>> Sent: Wednesday, March 20, 2013 8:47 AM
>>> To: juniper-nsp at puck.nether.net
>>> Subject: [j-nsp] Help needed with IPSEC VPN on J-Series
>>>
>>> Hi All,
>>>
>>> I need some help with an IPSEC tunnel that I just can't seem to get
>>> working on a J-6350. I have been able to get the tunnels to come up,
>>> but can't seem to pass traffic over the tunnels.
>>>
>>> I've done the usual things. I've created an st0.0 interface and bound
>>> it to the tunnel using the bind-interface command. I've created a
>>> static route and pointed it at the st0.0 interface. I just can't seem
>>> to get traffic to pass over the tunnel.
>>>
>>> Any help or suggestions would be appreciated. I'm also willing to put
>>> a $$$ bounty on this for anyone that is willing to help me get it
>>> working via teamviewer.
>>>
>>> Regards,
>>> Bill
>>>
>>>
>>> _______________________________________________
>>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>>
>
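
Added example, not part of the thread or of anyone's posted configuration: Patrick's suggestion (st0.x in a security zone, with a security policy allowing the traffic) written out as Junos configuration, with policies scoped to named prefixes in each direction. The zone name vpn, the policy and address names, and the two documentation prefixes are assumptions, as is that st0.0 is not already bound to another zone.

```junos
security {
    /* Constructed sample prefixes; replace with the real local and
       remote networks. Assumes the global address book is in use. */
    address-book {
        global {
            address local-lan 192.0.2.0/24;
            address remote-lan 198.51.100.0/24;
        }
    }
    zones {
        /* Hypothetical dedicated zone holding only the tunnel interface. */
        security-zone vpn {
            interfaces {
                st0.0;
            }
        }
    }
    policies {
        /* Outbound: local hosts to the remote network over the tunnel. */
        from-zone trust to-zone vpn {
            policy trust-to-vpn {
                match {
                    source-address local-lan;
                    destination-address remote-lan;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* Return direction for sessions initiated from the far side. */
        from-zone vpn to-zone trust {
            policy vpn-to-trust {
                match {
                    source-address remote-lan;
                    destination-address local-lan;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
```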