[j-nsp] Site-To-Site VPN woes again

Jeff McAdams jeffm at iglou.com
Tue May 6 08:33:26 EDT 2014


You might consider (at least as a workaround) using lt- interfaces as "additional loopbacks". I've had success using lt- ints as holders of a gateway IP when, for reasons like what you mentioned, I didn't want them on a physical interface and couldn't make it work on a loopback (not being able to use multiple addresses on a loopback).

-- 
Jeff

On May 6, 2014 8:24 AM, Mattias Gyllenvarg <mattias at gyllenvarg.se> wrote:
>
> Turns out the HUB node cannot use a "secondary" IP as the Gateway IP
> for the IPsec termination.
> This works on SRX240 in a very similar installation. But not on the
> SRX210HE2 in this installation.
>
> //Mattias Gyllenvarg
>
> On Fri, May 2, 2014 at 5:07 PM, Mike Devlin <mikecdevlin at gmail.com> wrote:
>
> > config please
> >
> >
> > On Fri, May 2, 2014 at 9:33 AM, Mattias Gyllenvarg <mattias at gyllenvarg.se> wrote:
> >
> >> Hi All
> >>
> >> I have been cracking my skull on this one for a while now and I am not
> >> getting anywhere I want to go. So, here is a nut for anyone proficient in
> >> Site-To-Site VPN with PKI and Distinguished names on SRX.
> >>
> >> TLDR; New installation of a setup I already have working on a global
> >> scale.
> >> Only difference in HW is an SRX210HE2 as HUB compared to a 240 in the
> >> working installation.
> >> Error is NO proposal chosen. I get this even if I try it with static IPs
> >> and PSK.
> >> Junos is  [12.1X44-D20.3]
> >> Waiting to try [12.1X44-D30.4] but I don't have it yet.
> >>
> >> So, I have double checked the proposals (they come from a template) many
> >> times.
> >> Removed and reapplied all security config. Reloaded and so on.
> >> st0.0 is in trusted and all policies are in place.
> >>
> >> Can't find a known bug or deeper troubleshooting help than check your
> >> proposals, for this error.
> >>
> >> --
> >> *Best Regards*
> >> *Mattias Gyllenvarg*
> >> _______________________________________________
> >> juniper-nsp mailing list juniper-nsp at puck.nether.net
> >> https://puck.nether.net/mailman/listinfo/juniper-nsp
> >>
> >
> >
>
> -- 
> *Med Vänliga Hälsningar / Best Regards*
> *Mattias Gyllenvarg*


