[j-nsp] Help needed with IPSEC VPN on J-Series

Bill Sandiford bill at telnetcommunications.com
Wed Mar 20 14:12:11 EDT 2013


Thanks for the tip… If I can't get this working today I will reboot in our
maintenance window tonight.

On 2013-03-20 2:03 PM, "Bjørn Tore" <bt at paulen.net> wrote:

>As I mentioned offline - I once had to reboot an SRX 240 after changing
>IPSEC config, to make things come up. Might not be the case here, but
>with the code quality these days - who knows..
>
>Bjørn Tore @ mobil
>
>On 20 March 2013 at 18:57, Patrick Dickey <dickeypjeep at yahoo.com> wrote:
>
>> I'd start to suspect the other side of the tunnel. What is your peer device?
>> 
>> 
>> 
>> On Mar 20, 2013, at 11:55 AM, Bill Sandiford
>><bill at telnetcommunications.com> wrote:
>> 
>>> So I added the following configuration in.  The syntax was a little
>>> different than what you sent, but basically the same thing (I think).
>>> 
>>>> show configuration security policies
>>> from-zone trust to-zone trust {
>>>   policy policy1 {
>>>       match {
>>>           source-address any;
>>>           destination-address any;
>>>           application any;
>>>       }
>>>       then {
>>>           permit;
>>>       }
>>>   }
>>> }
>>> default-policy {
>>>   permit-all;
>>> }
>>> 
>>> …but still not working :(
>>> 
>>> On 2013-03-20 12:29 PM, "Aaron Dewell" <aaron.dewell at gmail.com> wrote:
>>> 
>>>> 
>>>> You'll also need a policy which allows traffic from trust to trust, i.e.:
>>>> 
>>>> set security policies from-zone trust to-zone trust match source-address any
>>>> set security policies from-zone trust to-zone trust match destination-address any
>>>> set security policies from-zone trust to-zone trust match protocol any
>>>> set security policies from-zone trust to-zone trust then permit
>>>> 
>>>> Cross-interface traffic is not allowed by default even within the same zone.
>>>> 
>>>> On Mar 20, 2013, at 10:16 AM, Bill Sandiford wrote:
>>>>> For the most part this J-series has always just acted as a router without
>>>>> any tunnels per se.  As such, I have always had all interfaces in the
>>>>> trust zone, as follows:
>>>>> 
>>>>> zones {
>>>>>  security-zone trust {
>>>>>      tcp-rst;
>>>>>      host-inbound-traffic {
>>>>>          system-services {
>>>>>              any-service;
>>>>>          }
>>>>>          protocols {
>>>>>              all;
>>>>>          }
>>>>>      }
>>>>>      interfaces {
>>>>>          all;
>>>>>      }
>>>>>  }
>>>>> }
>>>>> 
>>>>> Will this accomplish what you are suggesting?
>>>>> 
>>>>> On 2013-03-20 11:52 AM, "Patrick Dickey" <dickeypjeep at yahoo.com> wrote:
>>>>> 
>>>>>> I don't remember if the J series behaves exactly like the SRXs when it
>>>>>> comes to IPSec, but if it is, make sure to put the st0.x interface into a
>>>>>> security zone and have a security policy allowing the traffic.
>>>>>> 
>>>>>> I believe that's only a requirement if you're running the enhanced
>>>>>> services/security code on the J, but I think you have to be to get IPSec.
>>>>>> 
>>>>>> HTH
>>>>>> 
>>>>>> 
>>>>>> -----Original Message-----
>>>>>> From: juniper-nsp-bounces at puck.nether.net
>>>>>> [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Bill
>>>>>> Sandiford
>>>>>> Sent: Wednesday, March 20, 2013 8:47 AM
>>>>>> To: juniper-nsp at puck.nether.net
>>>>>> Subject: [j-nsp] Help needed with IPSEC VPN on J-Series
>>>>>> 
>>>>>> Hi All,
>>>>>> 
>>>>>> I need some help with an IPSEC tunnel that I just can't seem to get
>>>>>> working on a J-6350.  I have been able to get the tunnels to come up, but
>>>>>> can't seem to pass traffic over the tunnels.
>>>>>> 
>>>>>> I've done the usual things.  I've created an st0.0 interface and bound it
>>>>>> to the tunnel using the bind-interface command.  I've created a static
>>>>>> route and pointed it at the st0.0 interface.  I just can't seem to get
>>>>>> traffic to pass over the tunnel.
>>>>>> 
>>>>>> Any help or suggestions would be appreciated.  I'm also willing to put a
>>>>>> $$$ bounty on this for anyone that is willing to help me get it working
>>>>>> via teamviewer.
>>>>>> 
>>>>>> Regards,
>>>>>> Bill
>>>>>> 
>>>>>> 
>>>>>> _______________________________________________
>>>>>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>>>>>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>>>> 
>> 

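For readers landing on this thread later, here is a worked configuration that ties the advice above together: the st0 tunnel interface with an inet family, the VPN bound to it, the static route, the interface placed in a zone, the intra-zone policy spelled out with the `policy <name>` and `application any` keywords that Junos actually requires, and the operational checks to run in order. This is an added example, not configuration from Bill, Aaron or Patrick. The VPN name `to-remote`, the remote LAN `10.20.0.0/16` and the policy name `trust-to-trust` are assumed placeholders; lines starting with `#` are commentary, not CLI input.

```junos
# Added example (not from the thread). Assumed names: VPN "to-remote",
# remote LAN 10.20.0.0/16, policy "trust-to-trust". Replace with your own.

# 1. The tunnel interface needs an inet family before it will forward anything.
set interfaces st0 unit 0 family inet

# 2. Bind the IPsec VPN to the tunnel interface (route-based VPN).
set security ipsec vpn to-remote bind-interface st0.0

# 3. Send the remote LAN into the tunnel.
set routing-options static route 10.20.0.0/16 next-hop st0.0

# 4. Put st0.0 in a security zone. Listing it explicitly, rather than relying
#    on "interfaces all", removes one thing to wonder about while debugging.
set security zones security-zone trust interfaces st0.0

# 5. A named policy permitting trust-to-trust traffic. The policy keyword and
#    a name are mandatory, and the match is on "application", not "protocol".
#    Tighten source/destination to the two LANs once the tunnel works; a
#    permit-all default-policy (as tried in the thread) turns the zone
#    boundary off entirely.
set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match application any
set security policies from-zone trust to-zone trust policy trust-to-trust then permit

commit check
commit

# 6. Verify one layer at a time (run from configure mode, hence "run").
# Phase 1 and phase 2 established?
run show security ike security-associations
run show security ipsec security-associations
# Encrypted counter climbing with decrypted stuck at zero points at the peer
# or its selectors/policy, not at this box.
run show security ipsec statistics
# Is the flow matching the policy and leaving via st0.0?
run show security flow session destination-prefix 10.20.0.0/16
```

The ordering of the checks matters: only once the SAs are up and `show security ipsec statistics` shows packets being encrypted does a missing or mis-scoped zone policy on this side become the likely cause, and only once both encrypted and decrypted counters move does the flow session table tell you whether the policy is permitting the traffic.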