[j-nsp] Help needed with IPSEC VPN on J-Series
Bill Sandiford
bill at telnetcommunications.com
Wed Mar 20 19:18:49 EDT 2013
I tried the deactivate, commit, reactivate, commit method…no such luck :(
On 2013-03-20 2:12 PM, "Gabriel Blanchard" <gabe at teksavvy.ca> wrote:
>Same thing here, that or I had to
>
>deactivate security vpn <name>
>commit
>and reactivate.
>commit
>
>On 13-03-20 02:03 PM, Bjørn Tore wrote:
>> As I mentioned offline - I once had to reboot an SRX 240 after changing
>>IPSEC config, to make things come up. Might not be the case here, but
>>with the code quality these days - who knows..
>>
>> Bjørn Tore @ mobile
>>
>> On 20 March 2013 at 18:57, Patrick Dickey
>><dickeypjeep at yahoo.com> wrote:
>>
>>> I'd start to suspect the other side of the tunnel. What is your peer
>>>device?
>>>
>>>
>>>
>>> On Mar 20, 2013, at 11:55 AM, Bill Sandiford
>>><bill at telnetcommunications.com> wrote:
>>>
>>>> So I added the following configuration in. The syntax was a little
>>>> different than what you sent, but basically the same thing (I think).
>>>>
>>>>> show configuration security policies
>>>> from-zone trust to-zone trust {
>>>>     policy policy1 {
>>>>         match {
>>>>             source-address any;
>>>>             destination-address any;
>>>>             application any;
>>>>         }
>>>>         then {
>>>>             permit;
>>>>         }
>>>>     }
>>>> }
>>>> default-policy {
>>>>     permit-all;
>>>> }
>>>>
>>>>
>>>>
>>>> ...but still not working :(
>>>>
>>>>
>>>>
>>>>
>>>> On 2013-03-20 12:29 PM, "Aaron Dewell" <aaron.dewell at gmail.com> wrote:
>>>>
>>>>>
>>>>> You'll also need a policy which allows traffic from trust to trust, i.e.:
>>>>>
>>>>> set security policies from-zone trust to-zone trust match source-address any
>>>>> set security policies from-zone trust to-zone trust match destination-address any
>>>>> set security policies from-zone trust to-zone trust match protocol any
>>>>> set security policies from-zone trust to-zone trust then permit
>>>>>
>>>>> Cross-interface traffic is not allowed by default even within the same zone.
>>>>>
>>>>> On Mar 20, 2013, at 10:16 AM, Bill Sandiford wrote:
>>>>>> For the most part this J-series has always just acted as a router without
>>>>>> any tunnels per se. As such, I have always had all interfaces in the
>>>>>> trust zone, as follows
>>>>>>
>>>>>> zones {
>>>>>>     security-zone trust {
>>>>>>         tcp-rst;
>>>>>>         host-inbound-traffic {
>>>>>>             system-services {
>>>>>>                 any-service;
>>>>>>             }
>>>>>>             protocols {
>>>>>>                 all;
>>>>>>             }
>>>>>>         }
>>>>>>         interfaces {
>>>>>>             all;
>>>>>>         }
>>>>>>     }
>>>>>> }
>>>>>>
>>>>>> Will this accomplish what you are suggesting?
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 2013-03-20 11:52 AM, "Patrick Dickey" <dickeypjeep at yahoo.com>
>>>>>>wrote:
>>>>>>
>>>>>>> I don't remember if the J series behaves exactly like the SRXs when it
>>>>>>> comes to IPSec, but if it does, make sure to put the st0.x interface into a
>>>>>>> security zone and have a security policy allowing the traffic.
>>>>>>>
>>>>>>> I believe that's only a requirement if you're running the enhanced
>>>>>>> services/security code on the J, but I think you have to be to get IPSec.
>>>>>>>
>>>>>>> HTH
>>>>>>>
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: juniper-nsp-bounces at puck.nether.net
>>>>>>> [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Bill
>>>>>>> Sandiford
>>>>>>> Sent: Wednesday, March 20, 2013 8:47 AM
>>>>>>> To: juniper-nsp at puck.nether.net
>>>>>>> Subject: [j-nsp] Help needed with IPSEC VPN on J-Series
>>>>>>>
>>>>>>> Hi All,
>>>>>>>
>>>>>>> I need some help with an IPSEC tunnel that I just can't seem to get
>>>>>>> working on a J-6350. I have been able to get the tunnels to come up, but
>>>>>>> can't seem to pass traffic over the tunnels.
>>>>>>>
>>>>>>> I've done the usual things. I've created an st0.0 interface and bound it
>>>>>>> to the tunnel using the bind-interface command. I've created a static
>>>>>>> route and pointed it at the st0.0 interface. I just can't seem to get
>>>>>>> traffic to pass over the tunnel.
>>>>>>>
>>>>>>> Any help or suggestions would be appreciated. I'm also willing to put a
>>>>>>> $$$ bounty on this for anyone that is willing to help me get it working
>>>>>>> via teamviewer.
>>>>>>>
>>>>>>> Regards,
>>>>>>> Bill
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>>>>>>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>>>>>
>>>>>>
>>>
>>
>>
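The advice in the thread (put st0.x in a security zone, then write a policy that permits traffic across it) as one route-based IPsec configuration, added here as an example and not taken from any of the posts. Instead of the trust-to-trust any/any policy plus default-policy permit-all discussed above, st0.0 gets its own zone so only the two explicit inter-zone policies admit tunnel traffic; zone and policy names, the peer address, the outside interface and the pre-shared key are assumed placeholders, and the static route for the remote prefix via st0.0 (which Bill already has) is left out.

```junos
security {
    ike {
        policy ike-pol {
            mode main;
            proposal-set standard;
            pre-shared-key ascii-text "REPLACE-WITH-SECRET";  # placeholder, not a real key
        }
        gateway peer-gw {
            ike-policy ike-pol;
            address 203.0.113.1;                # assumed peer address (documentation range)
            external-interface ge-0/0/0.0;      # assumed outside interface
        }
    }
    ipsec {
        policy ipsec-pol {
            proposal-set standard;
        }
        vpn to-peer {
            bind-interface st0.0;               # route-based VPN: tunnel is tied to st0.0
            ike {
                gateway peer-gw;
                ipsec-policy ipsec-pol;
            }
            establish-tunnels immediately;
        }
    }
    zones {
        security-zone vpn {                     # st0.0 gets its own zone rather than
            interfaces {                        # being swept into "trust" by "interfaces all"
                st0.0;
            }
        }
    }
    policies {
        from-zone trust to-zone vpn {
            policy trust-to-vpn {
                match { source-address any; destination-address any; application any; }
                then { permit; }
            }
        }
        from-zone vpn to-zone trust {
            policy vpn-to-trust {
                match { source-address any; destination-address any; application any; }
                then { permit; }
            }
        }
    }
}
```

With the tunnel zoned this way, "show security policies hit-count" and "show security ipsec statistics" separate a policy drop from a tunnel that is up but carrying nothing.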