[j-nsp] Help needed with IPSEC VPN on J-Series
Gabriel Blanchard
gabe at teksavvy.ca
Wed Mar 20 14:12:19 EDT 2013
Same thing here, that or I had to
deactivate security vpn <name>
commit
and reactivate.
commit
On 13-03-20 02:03 PM, Bjørn Tore wrote:
> As I mentioned offline - I once had to reboot an SRX 240 after changing IPSEC config, to make things come up. Might not be the case here, but with the code quality these days - who knows..
>
> Bjørn Tore @ mobil
>
> Den 20. mars 2013 kl. 18:57 skrev Patrick Dickey <dickeypjeep at yahoo.com>:
>
>> I'd start to suspect the other side of the tunnel. What is your peer device?
>>
>>
>>
>> On Mar 20, 2013, at 11:55 AM, Bill Sandiford <bill at telnetcommunications.com> wrote:
>>
>>> So I added the following configuration in. The syntax was a little
>>> different than what you sent, but basically the same thing (I think).
>>>
>>>> show configuration security policies
>>> from-zone trust to-zone trust {
>>>     policy policy1 {
>>>         match {
>>>             source-address any;
>>>             destination-address any;
>>>             application any;
>>>         }
>>>         then {
>>>             permit;
>>>         }
>>>     }
>>> }
>>> default-policy {
>>>     permit-all;
>>> }
>>>
>>> ...but still not working :(
>>>
>>> On 2013-03-20 12:29 PM, "Aaron Dewell" <aaron.dewell at gmail.com> wrote:
>>>
>>>>
>>>> You'll also need a policy which allows traffic from trust to trust, i.e.:
>>>>
>>>> set security policies from-zone trust to-zone trust match source-address any
>>>> set security policies from-zone trust to-zone trust match destination-address any
>>>> set security policies from-zone trust to-zone trust match protocol any
>>>> set security policies from-zone trust to-zone trust then permit
>>>>
>>>> Cross-interface traffic is not allowed by default even within the same zone.
>>>>
>>>> On Mar 20, 2013, at 10:16 AM, Bill Sandiford wrote:
>>>>> For the most part this J-series has always just acted as a router
>>>>> without any tunnels per se. As such, I have always had all interfaces
>>>>> in the trust zone, as follows:
>>>>>
>>>>> zones {
>>>>>     security-zone trust {
>>>>>         tcp-rst;
>>>>>         host-inbound-traffic {
>>>>>             system-services {
>>>>>                 any-service;
>>>>>             }
>>>>>             protocols {
>>>>>                 all;
>>>>>             }
>>>>>         }
>>>>>         interfaces {
>>>>>             all;
>>>>>         }
>>>>>     }
>>>>> }
>>>>>
>>>>> Will this accomplish what you are suggesting?
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On 2013-03-20 11:52 AM, "Patrick Dickey" <dickeypjeep at yahoo.com> wrote:
>>>>>
>>>>>> I don't remember if the J series behaves exactly like the SRXs when it
>>>>>> comes to IPSec, but if it does, make sure to put the st0.x interface
>>>>>> into a security zone and have a security policy allowing the traffic.
>>>>>>
>>>>>> I believe that's only a requirement if you're running the enhanced
>>>>>> services/security code on the J, but I think you have to be to get
>>>>>> IPSec.
>>>>>>
>>>>>> HTH
>>>>>>
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: juniper-nsp-bounces at puck.nether.net
>>>>>> [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Bill
>>>>>> Sandiford
>>>>>> Sent: Wednesday, March 20, 2013 8:47 AM
>>>>>> To: juniper-nsp at puck.nether.net
>>>>>> Subject: [j-nsp] Help needed with IPSEC VPN on J-Series
>>>>>>
>>>>>> Hi All,
>>>>>>
>>>>>> I need some help with an IPSEC tunnel that I just can't seem to get
>>>>>> working on a J-6350. I have been able to get the tunnels to come up,
>>>>>> but can't seem to pass traffic over the tunnels.
>>>>>>
>>>>>> I've done the usual things. I've created an st0.0 interface and bound
>>>>>> it to the tunnel using the bind-interface command. I've created a
>>>>>> static route and pointed it at the st0.0 interface. I just can't seem
>>>>>> to get traffic to pass over the tunnel.
>>>>>>
>>>>>> Any help or suggestions would be appreciated. I'm also willing to put
>>>>>> a $$$ bounty on this for anyone that is willing to help me get it
>>>>>> working via teamviewer.
>>>>>>
>>>>>> Regards,
>>>>>> Bill
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>>>>>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
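As an added example (not code from the thread or from Juniper), a small Python checker for the points raised above: it parses the curly-brace configuration format shown in the quoted posts and reports an st0 interface that sits in no security zone, a missing permit policy between the LAN interface's zone and the tunnel interface's zone (including the intra-zone case Aaron describes), and a `default-policy permit-all`, which silently allows every flow that no explicit policy matches. The parser, the `audit` function and the sample configuration are my own and assume the standard Junos layout; the zone name trust and the interface names ge-0/0/0.0 and st0.0 are constructed.

```python
import re

def parse_junos(text):
    """Parse Junos curly-brace config into nested dicts; leaf statements map to True."""
    node = root = {}
    stack, key = [], ""
    for tok in re.findall(r"[{};]|[^{};\s][^{};]*", text):
        if tok == "{":            # open a child block under the pending statement
            stack.append(node)
            node = node.setdefault(key, {})
        elif tok == ";":          # terminate a leaf statement
            node[key] = True
        elif tok == "}":          # close the current block
            node = stack.pop()
        else:
            key = tok.strip()
    return root

def zone_of_interface(security, ifname):
    """Return the security-zone listing ifname (or 'all'), else None."""
    for key, body in security.get("zones", {}).items():
        ifaces = body.get("interfaces", {}) if key.startswith("security-zone ") else {}
        if ifname in ifaces or "all" in ifaces:
            return key.split()[1]
    return None

def has_permit_policy(security, from_zone, to_zone):
    """True if any policy in the from-zone/to-zone context ends in 'then { permit; }'."""
    ctx = security.get("policies", {}).get(f"from-zone {from_zone} to-zone {to_zone}", {})
    return any(k.startswith("policy ") and "permit" in v.get("then", {}) for k, v in ctx.items())

def audit(config_text, tunnel_if, lan_if):
    """Findings for the checks raised in the thread plus the permit-all caveat."""
    sec = parse_junos(config_text).get("security", {})
    findings = []
    tz, lz = zone_of_interface(sec, tunnel_if), zone_of_interface(sec, lan_if)
    if tz is None:
        findings.append(f"{tunnel_if} is not in any security zone")
    elif not (has_permit_policy(sec, lz, tz) and has_permit_policy(sec, tz, lz)):
        findings.append(f"no permit policy in both directions between {lz} and {tz}")
    if "permit-all" in sec.get("policies", {}).get("default-policy", {}):
        findings.append("default-policy permit-all: flows matching no policy are allowed")
    return findings

SAMPLE = """security {
  zones { security-zone trust { interfaces { ge-0/0/0.0; st0.0; } } }
  policies { from-zone trust to-zone trust { policy policy1 {
      match { source-address any; destination-address any; application any; }
      then { permit; } } }
    default-policy { permit-all; } } }"""  # constructed sample modelled on the thread
```

Running `audit(SAMPLE, "st0.0", "ge-0/0/0.0")` on the sample reports only the permit-all caveat; dropping `st0.0` from the zone or changing the policy action to deny surfaces the two tunnel-breaking mistakes the thread discusses.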