[j-nsp] ipsec tunnel with nat through srx - ike esp alg
pkc_mls
pkc_mls at yahoo.fr
Thu Nov 21 05:29:52 EST 2013
Hi,
I'm currently trying to configure my srx cluster to allow an ipsec
tunnel to be established between cisco devices.
Both devices are in the same zone, but connected to different interfaces.
I followed the kb entry
http://kb.juniper.net/InfoCenter/index?page=content&id=KB22178.
Does anyone know if the config works if both interfaces are in the same
zone?
admin at FW-DC-1> show security alg ike-esp-nat
node0:
--------------------------------------------------------------------------
Initiator cookie: b6a9d1aab6b3661c
Responder cookie: ce1511a243884dd3
Session-ID: 131109
node1:
--------------------------------------------------------------------------
Initiator cookie: b6a9d1aab6b3661c
Responder cookie: ce1511a243884dd3
Session-ID: 404275
{primary:node0}
ad at fw> show security flow session session-identifier 131109
Session ID: 131109, Status: Normal, State: Active
Flag: 0x8000002
Policy name: vpn-qosguard/28
Source NAT pool: publicip, Application: junos-ike/81
Dynamic application: junos:UNKNOWN,
Maximum timeout: 60, Current timeout: 46
Session State: Valid
Start time: 2068268, Duration: 4883
In: lan_ip_localgw/500 --> wan_ip_remotegw/500;udp,
Interface: reth2.122,
Session token: 0x600b, Flag: 0x2621
Route: 0x70c3c2, Gateway: x.x.x.x, Tunnel: 0
Port sequence: 0, FIN sequence: 0,
FIN state: 0,
Pkts: 247, Bytes: 72164
Out: wan_ip_remotegw/500 --> nat_ip_localgw/500;udp,
Interface: reth0.130,
Session token: 0x600b, Flag: 0x2620
Route: 0x5453c4, Gateway: y.y.y.y, Tunnel: 0
Port sequence: 0, FIN sequence: 0,
FIN state: 0,
Pkts: 164, Bytes: 20992
Total sessions: 1
I was expecting the application to show "54" instead of 81 as described
in the kb.
I'll try to set up a dedicated zone and see if it works better.
Thanks.
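The session record quoted above can be checked mechanically. The following is an added Python example, not code from the original post or from Juniper: it parses the `show security flow session session-identifier` output shown above, reports whether the initiator's source address was rewritten by source NAT (the In wing's source versus the Out wing's destination), whether UDP port 500 was preserved across the translation, and whether the session's application id is the one the poster expected from the KB (54 is taken from the post; the session here carries junos-ike/81 instead). The sample record is the poster's own output with the placeholder hostnames the poster used; the expected application id is a parameter.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the flow session record from the post above
# (placeholder hostnames as the poster wrote them, not real addresses).
SAMPLE_SESSION = """\
Session ID: 131109, Status: Normal, State: Active
Flag: 0x8000002
Policy name: vpn-qosguard/28
Source NAT pool: publicip, Application: junos-ike/81
Dynamic application: junos:UNKNOWN,
Maximum timeout: 60, Current timeout: 46
Session State: Valid
Start time: 2068268, Duration: 4883
In: lan_ip_localgw/500 --> wan_ip_remotegw/500;udp,
Interface: reth2.122,
Session token: 0x600b, Flag: 0x2621
Route: 0x70c3c2, Gateway: x.x.x.x, Tunnel: 0
Port sequence: 0, FIN sequence: 0,
FIN state: 0,
Pkts: 247, Bytes: 72164
Out: wan_ip_remotegw/500 --> nat_ip_localgw/500;udp,
Interface: reth0.130,
Session token: 0x600b, Flag: 0x2620
Route: 0x5453c4, Gateway: y.y.y.y, Tunnel: 0
Port sequence: 0, FIN sequence: 0,
FIN state: 0,
Pkts: 164, Bytes: 20992
Total sessions: 1
"""

# Expected application id for an ALG-handled session, as stated in the post
# (assumption: the KB's value; the application name is not given on the page).
EXPECTED_ALG_APP_ID = 54


@dataclass
class Wing:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    interface: Optional[str] = None
    pkts: int = 0


@dataclass
class FlowSession:
    session_id: int
    app_name: Optional[str]
    app_id: Optional[int]
    nat_pool: Optional[str]
    wing_in: Wing
    wing_out: Wing


WING_RE = re.compile(r"^(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+),")


def parse_flow_session(text: str) -> FlowSession:
    """Parse one 'show security flow session' record into a FlowSession."""
    session_id = app_name = app_id = nat_pool = None
    wings = {}
    current = None  # which wing ("In"/"Out") the per-wing lines belong to
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^Session ID: (\d+),", line)
        if m:
            session_id = int(m.group(1))
            continue
        m = re.search(r"Source NAT pool: ([^,]+),", line)
        if m:
            nat_pool = m.group(1)
        m = re.search(r"Application: ([^/,\s]+)/(\d+)", line)
        if m:
            app_name, app_id = m.group(1), int(m.group(2))
            continue
        m = WING_RE.match(line)
        if m:
            current = m.group(1)
            wings[current] = Wing(m.group(2), int(m.group(3)),
                                  m.group(4), int(m.group(5)), m.group(6))
            continue
        if current is not None:
            m = re.match(r"^Interface: ([^,]+),", line)
            if m:
                wings[current].interface = m.group(1)
                continue
            m = re.match(r"^Pkts: (\d+),", line)
            if m:
                wings[current].pkts = int(m.group(1))
    if session_id is None or "In" not in wings or "Out" not in wings:
        raise ValueError("incomplete flow session record")
    return FlowSession(session_id, app_name, app_id, nat_pool,
                       wings["In"], wings["Out"])


def source_nat_applied(s: FlowSession) -> bool:
    """True if the reverse wing answers to an address other than the original source."""
    return s.wing_out.dst != s.wing_in.src


def port_preserved(s: FlowSession) -> bool:
    """True if the translated source port equals the original (UDP 500 here)."""
    return s.wing_out.dport == s.wing_in.sport


def alg_application_seen(s: FlowSession, expected_app_id: int = EXPECTED_ALG_APP_ID) -> bool:
    """True if the session was matched by the application id the KB expects."""
    return s.app_id == expected_app_id


def diagnose(text: str) -> dict:
    """Summarise the NAT and ALG state of one session record."""
    s = parse_flow_session(text)
    return {
        "session_id": s.session_id,
        "application": f"{s.app_name}/{s.app_id}",
        "nat_pool": s.nat_pool,
        "source_nat_applied": source_nat_applied(s),
        "port_preserved": port_preserved(s),
        "alg_application_seen": alg_application_seen(s),
    }


if __name__ == "__main__":
    for k, v in diagnose(SAMPLE_SESSION).items():
        print(f"{k}: {v}")
```

On the poster's record the report shows source NAT applied with port 500 preserved but `alg_application_seen` false, which is the mismatch the post describes: the session exists and is translated, but it was matched by the plain junos-ike application rather than the one the KB expects.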