[j-nsp] Help needed with IPSEC VPN on J-Series
Bjørn Tore
bt at paulen.net
Wed Mar 20 14:03:53 EDT 2013
As I mentioned offline - I once had to reboot an SRX 240 after changing IPSEC config, to make things come up. Might not be the case here, but with the code quality these days - who knows..
Bjørn Tore @ mobil
On 20 March 2013 at 18:57, Patrick Dickey <dickeypjeep at yahoo.com> wrote:
> I'd start to suspect the other side of the tunnel. What is your peer device?
>
> On Mar 20, 2013, at 11:55 AM, Bill Sandiford <bill at telnetcommunications.com> wrote:
>
>> So I added the following configuration in. The syntax was a little
>> different than what you sent, but basically the same thing (I think).
>>
>>> show configuration security policies
>> from-zone trust to-zone trust {
>>     policy policy1 {
>>         match {
>>             source-address any;
>>             destination-address any;
>>             application any;
>>         }
>>         then {
>>             permit;
>>         }
>>     }
>> }
>> default-policy {
>>     permit-all;
>> }
>>
>> ...but still not working :(
>>
>> On 2013-03-20 12:29 PM, "Aaron Dewell" <aaron.dewell at gmail.com> wrote:
>>
>>>
>>> You'll also need a policy which allows traffic from trust to trust, i.e.:
>>>
>>> set security policies from-zone trust to-zone trust policy policy1 match source-address any
>>> set security policies from-zone trust to-zone trust policy policy1 match destination-address any
>>> set security policies from-zone trust to-zone trust policy policy1 match application any
>>> set security policies from-zone trust to-zone trust policy policy1 then permit
>>>
>>> Cross-interface traffic is not allowed by default even within the same
>>> zone.
>>>
>>> On Mar 20, 2013, at 10:16 AM, Bill Sandiford wrote:
>>>> For the most part this J-series has always just acted as a router without
>>>> any tunnels per se. As such, I have always had all interfaces in the
>>>> trust zone, as follows:
>>>>
>>>> zones {
>>>>     security-zone trust {
>>>>         tcp-rst;
>>>>         host-inbound-traffic {
>>>>             system-services {
>>>>                 any-service;
>>>>             }
>>>>             protocols {
>>>>                 all;
>>>>             }
>>>>         }
>>>>         interfaces {
>>>>             all;
>>>>         }
>>>>     }
>>>> }
>>>>
>>>> Will this accomplish what you are suggesting?
>>>>
>>>> On 2013-03-20 11:52 AM, "Patrick Dickey" <dickeypjeep at yahoo.com> wrote:
>>>>
>>>>> I don't remember if the J series behaves exactly like the SRXs when it
>>>>> comes to IPSec, but if it does, make sure to put the st0.x interface into
>>>>> a security zone and have a security policy allowing the traffic.
>>>>>
>>>>> I believe that's only a requirement if you're running the enhanced
>>>>> services/security code on the J, but I think you have to be to get IPSec.
>>>>>
>>>>> HTH
>>>>>
>>>>>
>>>>> -----Original Message-----
>>>>> From: juniper-nsp-bounces at puck.nether.net
>>>>> [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Bill
>>>>> Sandiford
>>>>> Sent: Wednesday, March 20, 2013 8:47 AM
>>>>> To: juniper-nsp at puck.nether.net
>>>>> Subject: [j-nsp] Help needed with IPSEC VPN on J-Series
>>>>>
>>>>> Hi All,
>>>>>
>>>>> I need some help with an IPSEC tunnel that I just can't seem to get
>>>>> working on a J-6350. I have been able to get the tunnels to come up, but
>>>>> can't seem to pass traffic over the tunnels.
>>>>>
>>>>> I've done the usual things. I've created an st0.0 interface and bound it
>>>>> to the tunnel using the bind-interface command. I've created a static
>>>>> route and pointed it at the st0.0 interface. I just can't seem to get
>>>>> traffic to pass over the tunnel.
>>>>>
>>>>> Any help or suggestions would be appreciated. I'm also willing to put a
>>>>> $$$ bounty on this for anyone that is willing to help me get it working
>>>>> via teamviewer.
>>>>>
>>>>> Regards,
>>>>> Bill
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>>>>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>>>
>>>>
>
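The pieces the thread converges on, pulled together as one route-based VPN configuration. This is an added example, not configuration from any poster: "vpn-to-peer" (the IPsec VPN name) and 10.0.2.0/24 (the remote LAN) are assumed placeholders; the policy name policy1 is the one Bill used.

```junos
## Added example, not from the thread. Placeholders: "vpn-to-peer" is an
## assumed IPsec VPN name, 10.0.2.0/24 an assumed remote LAN prefix.

## Route-based VPN: a tunnel interface, and the VPN bound to it
set interfaces st0 unit 0 family inet
set security ipsec vpn vpn-to-peer bind-interface st0.0

## st0.0 has to belong to a security zone; here it sits in trust alongside
## the LAN interfaces, so tunnel traffic is a trust-to-trust flow
set security zones security-zone trust interfaces st0.0

## Traffic between two interfaces is policy-checked even inside one zone,
## so an explicit intra-zone policy is required for the tunnel to pass anything
set security policies from-zone trust to-zone trust policy policy1 match source-address any
set security policies from-zone trust to-zone trust policy policy1 match destination-address any
set security policies from-zone trust to-zone trust policy policy1 match application any
set security policies from-zone trust to-zone trust policy policy1 then permit

## Steer the remote LAN into the tunnel
set routing-options static route 10.0.2.0/24 next-hop st0.0
```

After commit, `show security ipsec security-associations` confirms the tunnel is up, and `show security flow session` shows whether test traffic is actually being matched to policy1 and sent out st0.0 rather than dropped or routed elsewhere.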