[j-nsp] Site-To-Site VPN woes again

Mattias Gyllenvarg mattias at gyllenvarg.se
Tue May 6 08:56:53 EDT 2014


A little vague question but I will try.

The Hub is dynamic (PKI + Distinguished names).
Spokes connect to the external IF of the HUB.

Jeff, regarding Loopbacks. Would you configure an IP from the external
scope (have a /29) as Loopback to run the VPN via?

Never thought of having a loopback on the untrusted side.  :)

//Mattias


On Tue, May 6, 2014 at 2:35 PM, Mike Devlin <mikecdevlin at gmail.com> wrote:

> are you using the local-address config line under edit security ike gateway blah?
>
>
> On Tue, May 6, 2014 at 8:24 AM, Mattias Gyllenvarg <mattias at gyllenvarg.se> wrote:
>
>> Turns out the HUB node cannot use a "secondary" IP as the Gateway
>> IP for the IPsec termination.
>> This works on SRX240 in a very similar installation. But not on the
>> SRX210HE2 in this installation.
>>
>> //Mattias Gyllenvarg
>>
>>
>> On Fri, May 2, 2014 at 5:07 PM, Mike Devlin <mikecdevlin at gmail.com> wrote:
>>
>>> config please
>>>
>>>
>>> On Fri, May 2, 2014 at 9:33 AM, Mattias Gyllenvarg <
>>> mattias at gyllenvarg.se> wrote:
>>>
>>>> Hi All
>>>>
>>>> I have been cracking my skull on this one for a while now and I am not
>>>> getting anywhere I want to go. So, here is a nut for anyone proficient
>>>> in
>>>> Site-To-Site VPN with PKI and Distinguished names on SRX.
>>>>
>>>> TLDR; New installation of a setup I already have working on a global
>>>> scale.
>>>> Only difference in HW is a SRX210HE2 as HUB compared to a 240 in the
>>>> working installation.
>>>> Error is NO proposal chosen. I get this even if I try it with static IPs
>>>> and PSK.
>>>> Junos is [12.1X44-D20.3]
>>>> Waiting to try [12.1X44-D30.4] but I don't have it yet.
>>>>
>>>> So, I have double checked the proposals (they come from a template) many
>>>> times.
>>>> Removed and reapplied all security config. Reloaded and so on.
>>>> st0.0 is in trusted and all policies are in place.
>>>>
>>>> Can't find a known bug or deeper troubleshooting help than "check your
>>>> proposals" for this error.
>>>>
>>>> --
>>>> *Best Regards*
>>>> *Mattias Gyllenvarg*
>>>> _______________________________________________
>>>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>>>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>>>
>>>
>>>
>>
>>
>> --
>> *Med Vänliga Hälsningar / Best Regards*
>> *Mattias Gyllenvarg*
>>
>
>


-- 
*Med Vänliga Hälsningar / Best Regards*
*Mattias Gyllenvarg*
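The loopback termination and the `local-address` knob discussed in the thread above, as an added example hub configuration. This is not a configuration posted by anyone in the thread; interface and zone names, the certificate name `HUB-CERT`, the RFC 5737 addresses, the `OU=spokes` subject match and every proposal value are assumed, and the hub is assumed to be able to use `lo0.0` as the IKE external interface. The proposal section is written out on purpose: a spoke whose phase 1 or phase 2 values differ from these in any one field is what produces the "No proposal chosen" the original post asks about.

```junos
# Hub: IKE terminated on a loopback, PKI with distinguished-name peers.
# Example configuration, not from the thread. Names, addresses and
# proposal values are assumed.

# 1. One address out of the public /29 (assumed 203.0.113.8/29) on lo0.
set interfaces lo0 unit 0 family inet address 203.0.113.12/32

# 2. Both the loopback and the physical uplink sit in untrust and must
#    accept IKE as host-inbound traffic, or phase 1 never starts.
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces lo0.0 host-inbound-traffic system-services ike

# 3. Phase 1 (IKE) with certificate authentication. Spokes must carry an
#    identical proposal; any mismatch here is answered with NO_PROPOSAL_CHOSEN.
set security ike proposal IKE-PROP-PKI authentication-method rsa-signatures
set security ike proposal IKE-PROP-PKI dh-group group14
set security ike proposal IKE-PROP-PKI authentication-algorithm sha-256
set security ike proposal IKE-PROP-PKI encryption-algorithm aes-256-cbc
set security ike proposal IKE-PROP-PKI lifetime-seconds 28800

set security ike policy IKE-POL-HUB mode main
set security ike policy IKE-POL-HUB proposals IKE-PROP-PKI
set security ike policy IKE-POL-HUB certificate local-certificate HUB-CERT

# 4. Dynamic gateway: accept any spoke whose certificate subject matches
#    OU=spokes, and pin the hub's own IKE address to the loopback.
set security ike gateway GW-SPOKES ike-policy IKE-POL-HUB
set security ike gateway GW-SPOKES dynamic distinguished-name wildcard "OU=spokes"
set security ike gateway GW-SPOKES local-identity distinguished-name
set security ike gateway GW-SPOKES external-interface lo0.0
set security ike gateway GW-SPOKES local-address 203.0.113.12

# 5. Phase 2 (IPsec). Same rule: the spoke's proposal and PFS group must match.
set security ipsec proposal IPSEC-PROP protocol esp
set security ipsec proposal IPSEC-PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC-PROP encryption-algorithm aes-256-cbc
set security ipsec policy IPSEC-POL perfect-forward-secrecy keys group14
set security ipsec policy IPSEC-POL proposals IPSEC-PROP

# 6. A multipoint st0 lets all spokes share one tunnel interface in trust.
set interfaces st0 unit 0 multipoint
set interfaces st0 unit 0 family inet address 10.255.0.1/24
set security zones security-zone trust interfaces st0.0
set security ipsec vpn VPN-SPOKES bind-interface st0.0
set security ipsec vpn VPN-SPOKES ike gateway GW-SPOKES
set security ipsec vpn VPN-SPOKES ike ipsec-policy IPSEC-POL

# 7. Checks after commit. The trace file shows which side rejected which
#    proposal field, which "No proposal chosen" alone does not tell you.
set security ike traceoptions file ike-debug
set security ike traceoptions flag ike
run show security ike security-associations
run show security ipsec security-associations
run show log ike-debug | match proposal
```

The spoke side mirrors steps 3 and 5 exactly, with its own certificate and a `gateway` that points at 203.0.113.12; comparing the two proposal blocks side by side, one field at a time, is the concrete form of "check your proposals". Remove the traceoptions once the tunnels are up, since IKE tracing is verbose on a small SRX.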

