[j-nsp] Help needed with IPSEC VPN on J-Series
Patrick Dickey
dickeypjeep at yahoo.com
Wed Mar 20 13:57:47 EDT 2013
I'd start to suspect the other side of the tunnel. What is your peer device?
On Mar 20, 2013, at 11:55 AM, Bill Sandiford <bill at telnetcommunications.com> wrote:
> So I added the following configuration in. The syntax was a little different than what you sent, but basically the same thing (I think).
>
>> show configuration security policies
> from-zone trust to-zone trust {
>     policy policy1 {
>         match {
>             source-address any;
>             destination-address any;
>             application any;
>         }
>         then {
>             permit;
>         }
>     }
> }
> default-policy {
>     permit-all;
> }
>
> …but still not working :(
>
> On 2013-03-20 12:29 PM, "Aaron Dewell" <aaron.dewell at gmail.com> wrote:
>
>>
>> You'll also need a policy which allows traffic from trust to trust, i.e.:
>>
>> set security policies from-zone trust to-zone trust policy policy1 match source-address any
>> set security policies from-zone trust to-zone trust policy policy1 match destination-address any
>> set security policies from-zone trust to-zone trust policy policy1 match application any
>> set security policies from-zone trust to-zone trust policy policy1 then permit
>>
>> Cross-interface traffic is not allowed by default even within the same zone.
>>
>> On Mar 20, 2013, at 10:16 AM, Bill Sandiford wrote:
>>> For the most part this J-series has always just acted as a router without any tunnels per se. As such, I have always had all interfaces in the trust zone, as follows:
>>>
>>> zones {
>>>     security-zone trust {
>>>         tcp-rst;
>>>         host-inbound-traffic {
>>>             system-services {
>>>                 any-service;
>>>             }
>>>             protocols {
>>>                 all;
>>>             }
>>>         }
>>>         interfaces {
>>>             all;
>>>         }
>>>     }
>>> }
>>>
>>> Will this accomplish what you are suggesting?
>>>
>>> On 2013-03-20 11:52 AM, "Patrick Dickey" <dickeypjeep at yahoo.com> wrote:
>>>
>>>> I don't remember if the J series behaves exactly like the SRXs when it comes to IPSec, but if it does, make sure to put the st0.x interface into a security zone and have a security policy allowing the traffic.
>>>>
>>>> I believe that's only a requirement if you're running the enhanced services/security code on the J, but I think you have to be to get IPSec.
>>>>
>>>> HTH
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Bill Sandiford
>>>> Sent: Wednesday, March 20, 2013 8:47 AM
>>>> To: juniper-nsp at puck.nether.net
>>>> Subject: [j-nsp] Help needed with IPSEC VPN on J-Series
>>>>
>>>> Hi All,
>>>>
>>>> I need some help with an IPSEC tunnel that I just can't seem to get working on a J-6350. I have been able to get the tunnels to come up, but can't seem to pass traffic over the tunnels.
>>>>
>>>> I've done the usual things. I've created an st0.0 interface and bound it to the tunnel using the bind-interface command. I've created a static route and pointed it at the st0.0 interface. I just can't seem to get traffic to pass over the tunnel.
>>>>
>>>> Any help or suggestions would be appreciated. I'm also willing to put a $$$ bounty on this for anyone that is willing to help me get it working via teamviewer.
>>>>
>>>> Regards,
>>>> Bill
>>>>
>>>>
>>>> _______________________________________________
>>>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>>>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>>>
>>>
>>>
>>
>
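A complete route-based IPsec configuration in Junos set syntax, added here as an illustration and not taken from anyone in the thread: it binds st0.0 to the VPN, puts st0.0 into its own security zone and adds the policies between the LAN zone and the tunnel zone that Patrick and Aaron describe. The outside interface (ge-0/0/0.0), peer address, remote subnet, zone and object names, and the pre-shared key are placeholders.

```junos
# Added example, not from the thread. Placeholders: ge-0/0/0.0 (outside
# interface), 198.51.100.2 (peer), 10.2.0.0/24 (remote LAN), all names, PSK.

# 1. Tunnel interface; the VPN is bound to it (route-based VPN).
set interfaces st0 unit 0 family inet

# 2. IKE phase 1 and IPsec phase 2 using the predefined "standard" proposal sets.
set security ike policy ike-pol mode main
set security ike policy ike-pol proposal-set standard
set security ike policy ike-pol pre-shared-key ascii-text "REPLACE-WITH-REAL-PSK"
set security ike gateway gw-peer ike-policy ike-pol
set security ike gateway gw-peer address 198.51.100.2
set security ike gateway gw-peer external-interface ge-0/0/0.0
set security ipsec policy ipsec-pol proposal-set standard
set security ipsec vpn vpn-peer bind-interface st0.0
set security ipsec vpn vpn-peer ike gateway gw-peer
set security ipsec vpn vpn-peer ike ipsec-policy ipsec-pol
set security ipsec vpn vpn-peer establish-tunnels immediately

# 3. Route the remote LAN into the tunnel.
set routing-options static route 10.2.0.0/24 next-hop st0.0

# 4. st0.0 must belong to a zone; traffic to or from an interface that is in
#    no zone is dropped. A separate "vpn" zone keeps the tunnel policy
#    explicit instead of relying on trust-to-trust or default-policy permit-all.
set security zones security-zone vpn interfaces st0.0
set security zones security-zone vpn host-inbound-traffic system-services ping

# 5. Policies in both directions between the LAN zone and the tunnel zone.
set security policies from-zone trust to-zone vpn policy trust-to-vpn match source-address any
set security policies from-zone trust to-zone vpn policy trust-to-vpn match destination-address any
set security policies from-zone trust to-zone vpn policy trust-to-vpn match application any
set security policies from-zone trust to-zone vpn policy trust-to-vpn then permit
set security policies from-zone vpn to-zone trust policy vpn-to-trust match source-address any
set security policies from-zone vpn to-zone trust policy vpn-to-trust match destination-address any
set security policies from-zone vpn to-zone trust policy vpn-to-trust match application any
set security policies from-zone vpn to-zone trust policy vpn-to-trust then permit
```

After commit, `show security ike security-associations` and `show security ipsec security-associations` confirm both phases are up, and `show security flow session` shows whether sessions are actually being created for traffic towards the remote subnet.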