[j-nsp] Site-To-Site VPN woes again

Mike Devlin mikecdevlin at gmail.com
Tue May 6 09:23:59 EDT 2014


Also extremely helpful on high-traffic tunnels on higher-end SRXs
with multiple SPCs.

Combined with the shell command "kmd -T source_add:dest_add" you can load-balance
your IPsec traffic across lower-usage SPCs and improve overall
performance and throughput :)


On Tue, May 6, 2014 at 9:10 AM, Per Westerlund <p1 at westerlund.se> wrote:

> I think Mike was hinting at the hidden property ’local-address’ to help
> select the source address on an interface that has more than one address
> configured.
>
> You won’t see it in the help, but if you enter this:
>
> set security ike gateway GATE local-address x.y.z.w
>
> it will work.
>
> This way you can use several addresses with one interface. (Extremely
> helpful if you migrate IPsec VPNs to an existing setup.)
>
> /Per
>
> 6 maj 2014 kl. 14:56 skrev Mattias Gyllenvarg <mattias at gyllenvarg.se>:
>
> A little vague question but I will try.
>
> The Hub is dynamic (PKI + Distinguished names).
> Spokes connect to the external IF of the HUB.
>
> Jeff, regarding loopbacks. Would you configure an IP from the external
> scope (I have a /29) as a loopback to run the VPN via?
>
> Never thought of having a loopback on the untrusted side.  :)
>
> //Mattias
>
>
> On Tue, May 6, 2014 at 2:35 PM, Mike Devlin <mikecdevlin at gmail.com> wrote:
>
> Are you using the local-address config line under edit security ike gateway blah?
>
>
> On Tue, May 6, 2014 at 8:24 AM, Mattias Gyllenvarg <mattias at gyllenvarg.se> wrote:
>
> Turns out the HUB node cannot use a "secondary" IP as the gateway
> IP for the IPsec termination.
> This works on an SRX240 in a very similar installation, but not on the
> SRX210HE2 in this installation.
>
> //Mattias Gyllenvarg
>
>
> On Fri, May 2, 2014 at 5:07 PM, Mike Devlin <mikecdevlin at gmail.com> wrote:
>
> config please
>
>
> On Fri, May 2, 2014 at 9:33 AM, Mattias Gyllenvarg <mattias at gyllenvarg.se> wrote:
>
> Hi All
>
> I have been cracking my skull on this one for a while now and I am not
> getting anywhere I want to go. So, here is a nut for anyone proficient in
> Site-To-Site VPN with PKI and Distinguished names on SRX.
>
> TLDR; New installation of a setup I already have working on a global scale.
> The only difference in HW is an SRX210HE2 as HUB compared to a 240 in the
> working installation.
> The error is NO proposal chosen. I get this even if I try it with static IPs
> and PSK.
> Junos is [12.1X44-D20.3].
> Waiting to try [12.1X44-D30.4] but I don't have it yet.
>
> So, I have double-checked the proposals (they come from a template) many
> times.
> Removed and reapplied all security config. Reloaded and so on.
> st0.0 is in trust and all policies are in place.
>
> Can't find a known bug or deeper troubleshooting help than "check your
> proposals" for this error.
>
> --
> *Best Regards*
> *Mattias Gyllenvarg*
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
>
>
>
>
> --
> *Med Vänliga Hälsningar / Best Regards*
> *Mattias Gyllenvarg*
>
>
>
>
>
> --
> *Med Vänliga Hälsningar / Best Regards*
>
> *Mattias Gyllenvarg*
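The hub-side configuration that Per's hint implies, written out as an added example (it is not config from any poster on this thread). The interface, gateway, policy and proposal names and the RFC 5737 addresses are assumed; the two addresses on ge-0/0/0.0 reproduce the "secondary IP" case Mattias describes, with local-address selecting the non-primary one for IKE/IPsec termination. The proposals must match the spokes exactly, which is the first thing to verify for a "NO proposal chosen" error; the specific algorithms chosen here are assumptions, not values from the thread.

```junos
## Added example, not from the thread. Names and RFC 5737 addresses are assumed.
## The external interface carries two addresses from the /29. Without
## local-address the gateway terminates on the primary address only.
set interfaces ge-0/0/0 unit 0 family inet address 203.0.113.2/29
set interfaces ge-0/0/0 unit 0 family inet address 203.0.113.3/29

## Phase 1: certificate authentication, proposal must match the spokes exactly.
set security ike proposal HUB-IKE-PROP authentication-method rsa-signatures
set security ike proposal HUB-IKE-PROP dh-group group14
set security ike proposal HUB-IKE-PROP authentication-algorithm sha-256
set security ike proposal HUB-IKE-PROP encryption-algorithm aes-256-cbc
set security ike policy HUB-IKE-POL mode main
set security ike policy HUB-IKE-POL proposals HUB-IKE-PROP
set security ike policy HUB-IKE-POL certificate local-certificate HUB-CERT

## Hub gateway: spokes are dynamic and identified by the DN in their certificate.
set security ike gateway HUB-GW ike-policy HUB-IKE-POL
set security ike gateway HUB-GW dynamic distinguished-name wildcard "OU=spokes,O=example"
set security ike gateway HUB-GW external-interface ge-0/0/0.0
## Hidden knob from Per's reply: terminate on the second address, not the primary.
set security ike gateway HUB-GW local-address 203.0.113.3

## Phase 2, also matched byte-for-byte on the spokes.
set security ipsec proposal HUB-IPSEC-PROP protocol esp
set security ipsec proposal HUB-IPSEC-PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal HUB-IPSEC-PROP encryption-algorithm aes-256-cbc
set security ipsec policy HUB-IPSEC-POL proposals HUB-IPSEC-PROP
set security ipsec vpn HUB-VPN bind-interface st0.0
set security ipsec vpn HUB-VPN ike gateway HUB-GW
set security ipsec vpn HUB-VPN ike ipsec-policy HUB-IPSEC-POL

## After commit, confirm which local address the SAs actually came up on:
##   run show security ike security-associations
##   run show security ipsec security-associations
```

The spokes point at 203.0.113.3 as their gateway address; if the SA listing shows the IKE SA bound to 203.0.113.2 instead, local-address did not take effect on that platform or release, which is the symptom the thread is chasing.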

