[j-nsp] Help needed with IPSEC VPN on J-Series

Bill Sandiford bill at telnetcommunications.com
Wed Mar 20 19:18:49 EDT 2013


I tried the deactivate, commit, reactivate, commit method…no such luck :(
On 2013-03-20 2:12 PM, "Gabriel Blanchard" <gabe at teksavvy.ca> wrote:

>Same thing here, that or I had to
>
>deactivate security vpn <name>
>commit
>and reactivate.
>commit
>
>On 13-03-20 02:03 PM, Bjørn Tore wrote:
>> As I mentioned offline - I once had to reboot an SRX 240 after changing
>>IPSEC config, to make things come up. Might not be the case here, but
>>with the code quality these days - who knows..
>> 
>> Bjørn Tore @ mobile
>> 
>> On 20 March 2013 at 18:57, Patrick Dickey
>><dickeypjeep at yahoo.com> wrote:
>> 
>>> I'd start to suspect the other side of the tunnel. What is your peer
>>>device?
>>>
>>>
>>>
>>> On Mar 20, 2013, at 11:55 AM, Bill Sandiford
>>><bill at telnetcommunications.com> wrote:
>>>
>>>> So I added the following configuration in.  The syntax was a little
>>>> different than what you sent, but basically the same thing (I think).
>>>>
>>>>> show configuration security policies
>>>> from-zone trust to-zone trust {
>>>>   policy policy1 {
>>>>       match {
>>>>           source-address any;
>>>>           destination-address any;
>>>>           application any;
>>>>       }
>>>>       then {
>>>>           permit;
>>>>       }
>>>>   }
>>>> }
>>>> default-policy {
>>>>   permit-all;
>>>> }
>>>>
>>>>
>>>>
>>>> …but still not working :(
>>>>
>>>>
>>>>
>>>>
>>>> On 2013-03-20 12:29 PM, "Aaron Dewell" <aaron.dewell at gmail.com> wrote:
>>>>
>>>>>
>>>>> You'll also need a policy which allows traffic from trust to trust,
>>>>>i.e.:
>>>>>
>>>>> set security policies from-zone trust to-zone trust match source-address any
>>>>> set security policies from-zone trust to-zone trust match destination-address any
>>>>> set security policies from-zone trust to-zone trust match protocol any
>>>>> set security policies from-zone trust to-zone trust then permit
>>>>>
>>>>> Cross-interface traffic is not allowed by default even within the
>>>>>same
>>>>> zone.
>>>>>
>>>>> On Mar 20, 2013, at 10:16 AM, Bill Sandiford wrote:
>>>>>> For the most part this J-series has always just acted as a router
>>>>>> without
>>>>>> any tunnels per se.  As such, I have always had all interfaces in
>>>>>>the
>>>>>> trust zone, as follows
>>>>>>
>>>>>> zones {
>>>>>>  security-zone trust {
>>>>>>      tcp-rst;
>>>>>>      host-inbound-traffic {
>>>>>>          system-services {
>>>>>>              any-service;
>>>>>>          }
>>>>>>          protocols {
>>>>>>              all;
>>>>>>          }
>>>>>>      }
>>>>>>      interfaces {
>>>>>>          all;
>>>>>>      }
>>>>>>  }
>>>>>> }
>>>>>>
>>>>>> Will this accomplish what you are suggesting?
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 2013-03-20 11:52 AM, "Patrick Dickey" <dickeypjeep at yahoo.com>
>>>>>>wrote:
>>>>>>
>>>>>>> I don't remember if the J series behaves exactly like the SRXs
>>>>>>>when it
>>>>>>> comes
>>>>>>> to IPSec, but if it is make sure to put the st0.x interface into a
>>>>>>> security
>>>>>>> zone and have a security policy allowing the traffic.
>>>>>>>
>>>>>>> I believe that's only a requirement if you're running the enhanced
>>>>>>> services/security code on the J, but I think you have to be to get
>>>>>>> IPSec.
>>>>>>>
>>>>>>> HTH
>>>>>>>
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: juniper-nsp-bounces at puck.nether.net
>>>>>>> [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Bill
>>>>>>> Sandiford
>>>>>>> Sent: Wednesday, March 20, 2013 8:47 AM
>>>>>>> To: juniper-nsp at puck.nether.net
>>>>>>> Subject: [j-nsp] Help needed with IPSEC VPN on J-Series
>>>>>>>
>>>>>>> Hi All,
>>>>>>>
>>>>>>> I need some help with an IPSEC tunnel that I just can't seem to get
>>>>>>> working
>>>>>>> on a J-6350.  I have been able to get the tunnels to come up, but
>>>>>>>can't
>>>>>>> seem
>>>>>>> to pass traffic over the tunnels
>>>>>>>
>>>>>>> I've done the usual things.  I've created an st0.0 interface and
>>>>>>>bound
>>>>>>> it
>>>>>>> to
>>>>>>> the tunnel using the bind-interface command.  I've created a static
>>>>>>> route
>>>>>>> and pointed it at the st0.0 interface.  I just can't seem to get
>>>>>>> traffic
>>>>>>> to
>>>>>>> pass over the tunnel.
>>>>>>>
>>>>>>> Any help or suggestions would be appreciated.  I'm also willing to
>>>>>>>put
>>>>>>> a
>>>>>>> $$$
>>>>>>> bounty on this for anyone that is willing to help me get it
>>>>>>>working via
>>>>>>> teamviewer.
>>>>>>>
>>>>>>> Regards,
>>>>>>> Bill
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>>>>>>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>>>>>
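Added example, not code from the thread or from any of the posters: a small audit script that parses Junos curly-brace configuration (the format quoted above) and checks the two things the replies point at, namely that an st0.x interface sits in a security zone and that a policy permits traffic within that zone. The parser, the function names and the assumption that `interfaces { all; }` covers st0.x are mine.

```python
import re
# Junos curly-brace syntax: "name {" opens a block, "stmt;" is a leaf, "}" closes one.
TOKEN = re.compile(r"[^{};]+\{|\}|[^{};]+;")

def parse_junos(text):
    """Parse Junos config text into nested dicts; leaf statements map to None."""
    root = cur = {}
    stack = []
    for tok in (t.strip() for t in TOKEN.findall(text)):
        if tok == "}":
            cur = stack.pop()
        elif tok.endswith("{"):
            stack.append(cur)
            cur = cur.setdefault(tok[:-1].strip(), {})
        else:
            cur[tok[:-1].strip()] = None
    return root

def st0_zone(cfg):
    """Zone holding an st0.x interface, else None; assumes 'interfaces all' includes st0."""
    for zone, body in cfg.get("security", {}).get("zones", {}).items():
        ifs = body.get("interfaces", {})
        if "all" in ifs or any(i.startswith("st0.") for i in ifs):
            return zone.split()[-1]  # "security-zone trust" -> "trust"
    return None

def intrazone_permitted(cfg, zone):
    """True if a policy within `zone` permits any/any/any or default-policy permit-all is set."""
    pol = cfg.get("security", {}).get("policies", {})
    if "permit-all" in pol.get("default-policy", {}):
        return True
    wanted = ("source-address any", "destination-address any", "application any")
    for body in pol.get(f"from-zone {zone} to-zone {zone}", {}).values():
        if isinstance(body, dict) and all(w in body.get("match", {}) for w in wanted) \
                and "permit" in body.get("then", {}):
            return True
    return False

def audit(text):
    """(zone, permitted): is st0.x in a zone, and may traffic flow within that zone?"""
    cfg = parse_junos(text)
    zone = st0_zone(cfg)
    return zone, zone is not None and intrazone_permitted(cfg, zone)

# Constructed sample assembled from the snippets quoted in the thread.
SAMPLE_CONFIG = """security {
    zones { security-zone trust { interfaces { all; } } }
    policies { from-zone trust to-zone trust { policy policy1 {
        match { source-address any; destination-address any; application any; }
        then { permit; } } } } }"""
```

Running `audit()` over `show configuration security` output flags the case the thread describes: tunnel up, st0 zoned, but no intra-zone policy, so no traffic.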