[j-nsp] Help needed with IPSEC VPN on J-Series

Bill Sandiford bill at telnetcommunications.com
Wed Mar 20 14:02:36 EDT 2013


The other side is a Cisco device that is in place at a major carrier.  I
have checked and double checked with them and they are "100% certain" that
we are configured the same as all of their other functioning customers.
They sent us some of the debug statistics from their side and from what I
can see it leads me to believe the problem is on our side...for example
their interface counters on the tunnel show packets being sent but nothing
being received.






On 2013-03-20 1:57 PM, "Patrick Dickey" <dickeypjeep at yahoo.com> wrote:

>I'd start to suspect the other side of the tunnel. What is your peer
>device?
>
>
>
>On Mar 20, 2013, at 11:55 AM, Bill Sandiford
><bill at telnetcommunications.com> wrote:
>
>> So I added the following configuration in.  The syntax was a little
>> different than what you sent, but basically the same thing (I think).
>> 
>>> show configuration security policies
>> from-zone trust to-zone trust {
>>    policy policy1 {
>>        match {
>>            source-address any;
>>            destination-address any;
>>            application any;
>>        }
>>        then {
>>            permit;
>>        }
>>    }
>> }
>> default-policy {
>>    permit-all;
>> }
>> 
>> 
>> 
>> ...but still not working :(
>> 
>> 
>> 
>> 
>> On 2013-03-20 12:29 PM, "Aaron Dewell" <aaron.dewell at gmail.com> wrote:
>> 
>>> 
>>> You'll also need a policy which allows traffic from trust to trust, i.e.:
>>> 
>>> set security policies from-zone trust to-zone trust policy policy1 match source-address any
>>> set security policies from-zone trust to-zone trust policy policy1 match destination-address any
>>> set security policies from-zone trust to-zone trust policy policy1 match application any
>>> set security policies from-zone trust to-zone trust policy policy1 then permit
>>> 
>>> Cross-interface traffic is not allowed by default even within the same
>>> zone.
>>> 
>>> On Mar 20, 2013, at 10:16 AM, Bill Sandiford wrote:
>>>> For the most part this J-series has always just acted as a router
>>>> without
>>>> any tunnels per se.  As such, I have always had all interfaces in the
>>>> trust zone, as follows
>>>> 
>>>> zones {
>>>>   security-zone trust {
>>>>       tcp-rst;
>>>>       host-inbound-traffic {
>>>>           system-services {
>>>>               any-service;
>>>>           }
>>>>           protocols {
>>>>               all;
>>>>           }
>>>>       }
>>>>       interfaces {
>>>>           all;
>>>>       }
>>>>   }
>>>> }
>>>> 
>>>> Will this accomplish what you are suggesting?
>>>> 
>>>> 
>>>> 
>>>> 
>>>> 
>>>> 
>>>> 
>>>> On 2013-03-20 11:52 AM, "Patrick Dickey" <dickeypjeep at yahoo.com>
>>>>wrote:
>>>> 
>>>>> I don't remember if the J series behaves exactly like the SRXs when it
>>>>> comes to IPSec, but if it does, make sure to put the st0.x interface
>>>>> into a security zone and have a security policy allowing the traffic.
>>>>> 
>>>>> I believe that's only a requirement if you're running the enhanced
>>>>> services/security code on the J, but I think you have to be to get
>>>>> IPSec.
>>>>> 
>>>>> HTH
>>>>> 
>>>>> 
>>>>> -----Original Message-----
>>>>> From: juniper-nsp-bounces at puck.nether.net
>>>>> [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Bill
>>>>> Sandiford
>>>>> Sent: Wednesday, March 20, 2013 8:47 AM
>>>>> To: juniper-nsp at puck.nether.net
>>>>> Subject: [j-nsp] Help needed with IPSEC VPN on J-Series
>>>>> 
>>>>> Hi All,
>>>>> 
>>>>> I need some help with an IPSEC tunnel that I just can't seem to get
>>>>> working on a J-6350.  I have been able to get the tunnels to come up,
>>>>> but can't seem to pass traffic over the tunnels.
>>>>> 
>>>>> I've done the usual things.  I've created an st0.0 interface and bound
>>>>> it to the tunnel using the bind-interface command.  I've created a
>>>>> static route and pointed it at the st0.0 interface.  I just can't seem
>>>>> to get traffic to pass over the tunnel.
>>>>> 
>>>>> Any help or suggestions would be appreciated.  I'm also willing to put
>>>>> a $$$ bounty on this for anyone that is willing to help me get it
>>>>> working via teamviewer.
>>>>> 
>>>>> Regards,
>>>>> Bill
>>>>> 
>>>>> 
>>>>> _______________________________________________
>>>>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>>>>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>>>> 
>>>> 
>>>> 
>>> 
>> 
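Added worked example, not part of the thread and not anyone's posted configuration: a complete route-based IPsec VPN stanza for Junos running the flow-based security code (J-series enhanced services / SRX), pulling together the three things the replies ask for: st0.0 bound to the VPN and placed in a security zone, a security policy that permits the traffic, and a static route pointing at st0.0. Every name (vpn-carrier, gw-carrier, ike-prop, ipsec-prop, zone "vpn"), address, prefix and proposal value is a placeholder chosen for illustration; match them to the peer's actual parameters.

```text
## Added example (not from the thread). Names, addresses and proposal
## values below are placeholders, not the poster's configuration.

## Phase 1: proposal, policy and gateway. Values must mirror the Cisco side.
set security ike proposal ike-prop authentication-method pre-shared-keys
set security ike proposal ike-prop dh-group group2
set security ike proposal ike-prop authentication-algorithm sha1
set security ike proposal ike-prop encryption-algorithm aes-128-cbc
set security ike policy ike-pol mode main
set security ike policy ike-pol proposals ike-prop
set security ike policy ike-pol pre-shared-key ascii-text "<shared-secret>"
set security ike gateway gw-carrier ike-policy ike-pol
set security ike gateway gw-carrier address 198.51.100.1
set security ike gateway gw-carrier external-interface ge-0/0/0.0

## Phase 2: proposal, policy and the VPN itself, bound to st0.0
set security ipsec proposal ipsec-prop protocol esp
set security ipsec proposal ipsec-prop authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-prop encryption-algorithm aes-128-cbc
set security ipsec policy ipsec-pol proposals ipsec-prop
set security ipsec vpn vpn-carrier bind-interface st0.0
set security ipsec vpn vpn-carrier ike gateway gw-carrier
set security ipsec vpn vpn-carrier ike ipsec-policy ipsec-pol
## A Cisco peer using a crypto map negotiates Phase 2 against its crypto
## ACL, so the proxy-ID here must mirror that ACL exactly (placeholder
## prefixes): local = our network, remote = the carrier's network.
set security ipsec vpn vpn-carrier ike proxy-identity local 10.0.0.0/24
set security ipsec vpn vpn-carrier ike proxy-identity remote 10.1.0.0/24
set security ipsec vpn vpn-carrier ike proxy-identity service any
set security ipsec vpn vpn-carrier establish-tunnels immediately

## The tunnel interface needs family inet, even if it stays unnumbered
set interfaces st0 unit 0 family inet

## Put st0.0 in its own zone ("vpn" is an assumed name) so the policy pair
## below states explicitly what may cross the tunnel in each direction.
set security zones security-zone vpn interfaces st0.0

## Policies: without a matching permit the flow module drops the packets
## even though the IKE and IPsec SAs are up, which is the symptom in the
## thread (SAs established, nothing passes).
set security policies from-zone trust to-zone vpn policy to-carrier match source-address any
set security policies from-zone trust to-zone vpn policy to-carrier match destination-address any
set security policies from-zone trust to-zone vpn policy to-carrier match application any
set security policies from-zone trust to-zone vpn policy to-carrier then permit
set security policies from-zone vpn to-zone trust policy from-carrier match source-address any
set security policies from-zone vpn to-zone trust policy from-carrier match destination-address any
set security policies from-zone vpn to-zone trust policy from-carrier match application any
set security policies from-zone vpn to-zone trust policy from-carrier then permit

## Route the remote network into the tunnel
set routing-options static route 10.1.0.0/24 next-hop st0.0
```

If st0.0 is left in the trust zone instead (which `interfaces all` in the poster's zone does implicitly), the single trust-to-trust policy Aaron posted is what applies, and the two cross-zone policies above are not needed. To check which side is at fault after committing, confirm both SAs exist with `show security ike security-associations` and `show security ipsec security-associations`, then watch `show security ipsec statistics` while sending traffic into the tunnel: if the encrypted-packet counter does not move while the Cisco side reports packets sent and none received, the J-series is dropping the packets before encryption, and `show security flow session` will show whether a session is being created for the inner addresses at all.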



