[j-nsp] Site-To-Site VPN woes again

Mike Devlin mikecdevlin at gmail.com
Tue May 6 09:21:32 EDT 2014


In the IKE gateway configuration there is a hidden command "local-address",
so, assuming your hub is using 3 addresses and you want to use the 2nd
address for IPsec termination:

edit interfaces ge-0/0/0 unit 0 family inet
set address 1.1.1.1/29
set address 1.1.1.2/29
set address 1.1.1.3/29
top

In your security configuration you manually tell the SRX which IP address
to use:

edit security ike gateway gw
set local-address 1.1.1.2
top
commit

Seeing a copy of your config would potentially help me a little, as
requested 4 days ago; don't need it all, just the relevant stuff.



On Tue, May 6, 2014 at 8:56 AM, Mattias Gyllenvarg <mattias at gyllenvarg.se> wrote:

> A little vague question but I will try.
>
> The Hub is dynamic (PKI + Distinguished names).
> Spokes connect to the external IF of the HUB.
>
> Jeff, regarding Loopbacks. Would you configure an IP from the external
> scope (have a /29) as Loopback to run the VPN via?
>
> Never thought of having a loopback on the untrusted side.  :)
>
> //Mattias
>
>
> On Tue, May 6, 2014 at 2:35 PM, Mike Devlin <mikecdevlin at gmail.com> wrote:
>
>> Are you using the local-address config line under edit security ike gateway blah?
>>
>>
>> On Tue, May 6, 2014 at 8:24 AM, Mattias Gyllenvarg <mattias at gyllenvarg.se> wrote:
>>
>>> Turns out the HUB node cannot use a "secondary" IP as the Gateway
>>> IP for the IPsec termination.
>>> This works on an SRX240 in a very similar installation, but not on the
>>> SRX210HE2 in this installation.
>>>
>>> //Mattias Gyllenvarg
>>>
>>>
>>> On Fri, May 2, 2014 at 5:07 PM, Mike Devlin <mikecdevlin at gmail.com> wrote:
>>>
>>>> config please
>>>>
>>>>
>>>> On Fri, May 2, 2014 at 9:33 AM, Mattias Gyllenvarg <mattias at gyllenvarg.se> wrote:
>>>>
>>>>> Hi All
>>>>>
>>>>> I have been cracking my skull on this one for a while now and I am not
>>>>> getting anywhere I want to go. So, here is a nut for anyone proficient in
>>>>> Site-To-Site VPN with PKI and Distinguished names on SRX.
>>>>>
>>>>> TLDR; New installation of a setup I already have working on a global scale.
>>>>> Only difference in HW is an SRX210HE2 as HUB compared to a 240 in the
>>>>> working installation.
>>>>> Error is NO proposal chosen. I get this even if I try it with static IPs
>>>>> and PSK.
>>>>> Junos is [12.1X44-D20.3]
>>>>> Waiting to try [12.1X44-D30.4] but I don't have it yet.
>>>>>
>>>>> So, I have double checked the proposals (they come from a template) many
>>>>> times.
>>>>> Removed and reapplied all security config. Reloaded and so on.
>>>>> st0.0 is in trusted and all policies are in place.
>>>>>
>>>>> Can't find a known bug or deeper troubleshooting help than "check your
>>>>> proposals" for this error.
>>>>>
>>>>> --
>>>>> *Best Regards*
>>>>> *Mattias Gyllenvarg*
>>>>> _______________________________________________
>>>>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>>>>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> *Med Vänliga Hälsningar / Best Regards*
>>> *Mattias Gyllenvarg*
>>>
>>
>>
>
>
> --
> *Med Vänliga Hälsningar / Best Regards*
> *Mattias Gyllenvarg*
>
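As an added example (not Mike's snippet or anything from the thread), the hub-side configuration in display-set form that the edit/set fragments above amount to, together with the two pieces a working termination on the secondary address also needs: the untrust zone must admit IKE on that interface, and the gateway needs an external-interface. A static peer with a pre-shared key is used so the stanza commits on its own; the interface, zone, proposal, policy and gateway names, the peer address 203.0.113.10 and the key are assumptions.

```junos
# Added example, not the thread's own config. Interface, zone and object
# names, the peer 203.0.113.10 and the key are assumptions.

# The /29 holds all three addresses on the untrust-facing interface.
set interfaces ge-0/0/0 unit 0 family inet address 1.1.1.1/29
set interfaces ge-0/0/0 unit 0 family inet address 1.1.1.2/29
set interfaces ge-0/0/0 unit 0 family inet address 1.1.1.3/29

# Without this the SRX drops inbound UDP/500 and UDP/4500 to the interface
# regardless of which local address the gateway is pinned to.
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services ike

# Phase 1 proposal and policy (strong, current defaults rather than 3DES/SHA-1).
set security ike proposal p1-hub authentication-method pre-shared-keys
set security ike proposal p1-hub dh-group group14
set security ike proposal p1-hub authentication-algorithm sha-256
set security ike proposal p1-hub encryption-algorithm aes-256-cbc
set security ike policy pol-hub mode main
set security ike policy pol-hub proposals p1-hub
set security ike policy pol-hub pre-shared-key ascii-text "REPLACE-WITH-REAL-KEY"

# The gateway: external-interface selects the interface, local-address
# selects which of its addresses IKE sources from and answers on.
set security ike gateway gw-spoke1 ike-policy pol-hub
set security ike gateway gw-spoke1 address 203.0.113.10
set security ike gateway gw-spoke1 external-interface ge-0/0/0.0
set security ike gateway gw-spoke1 local-address 1.1.1.2
```

After commit, "show security ike security-associations detail" should report 1.1.1.2 as the local address of the SA, which is the quickest way to confirm the knob took effect on that release.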