[j-nsp] Site-To-Site VPN woes again

Mattias Gyllenvarg mattias at gyllenvarg.se
Tue May 6 08:24:11 EDT 2014


Turns out the HUB node cannot use a "secondary" IP as the Gateway IP
for the IPsec termination.
This works on SRX240 in a very similar installation. But not on the
SRX210HE2 in this installation.

//Mattias Gyllenvarg


On Fri, May 2, 2014 at 5:07 PM, Mike Devlin <mikecdevlin at gmail.com> wrote:

> config please
>
>
> On Fri, May 2, 2014 at 9:33 AM, Mattias Gyllenvarg <mattias at gyllenvarg.se> wrote:
>
>> Hi All
>>
>> I have been cracking my skull on this one for a while now and I am not
>> getting anywhere I want to go. So, here is a nut for anyone proficient in
>> Site-To-Site VPN with PKI and Distinguished names on SRX.
>>
>> TLDR; New installation of a setup I already have working on a global
>> scale.
>> Only difference in HW is a SRX210HE2 as HUB compared to a 240 in the
>> working installation.
>> Error is NO proposal chosen. I get this even if I try it with static IPs
>> and PSK.
>> Junos is [12.1X44-D20.3]
>> Waiting to try [12.1X44-D30.4] but I don't have it yet.
>>
>> So, I have double checked the proposals (they come from a template) many
>> times.
>> Removed and reapplied all security config. Reloaded and so on.
>> st0.0 is in trusted and all policies are in place.
>>
>> Can't find a known bug or deeper troubleshooting help than check your
>> proposals, for this error.
>>
>> --
>> *Best Regards*
>> *Mattias Gyllenvarg*
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>
>
>


-- 
*Med Vänliga Hälsningar / Best Regards*
*Mattias Gyllenvarg*

