[j-nsp] Site to Site VPN issues with Cluster

Aaron Dewell aaron.dewell at gmail.com
Fri May 9 00:01:38 EDT 2014


90% sure it's nested tunnels (GRE over IPSec).  You cannot do them in a cluster.

If you can get the Cisco side to remove the GRE layer and route directly over the secure tunnel (have not tried it so I don't know if they can or not), then it will work (using st0 on the SRX).  If you can't, your only workaround is to terminate that tunnel on something else (standalone SRX separate from the cluster, or something).

http://www.juniper.net/techpubs/en_US/junos12.1/information-products/topic-collections/release-notes/12.1/topic-64979.html

Buried in there (search for nested) is what you're looking for.

On May 8, 2014, at 10:53 PM, Morgan McLean wrote:
> Do you have an external zone to external zone allow rule? Obviously ike
> allowed for host inbound services as well for external.
> 
> Thanks,
> Morgan
> 
> 
> On Thu, May 8, 2014 at 1:04 PM, Levi Pederson <levipederson at mankatonetworks.net> wrote:
> 
>> Greetings,
>> 
>> I've created several VPNs with little or no trouble in the past.  Between
>> both Cisco and Juniper devices.  But I am a little stumped that I cannot
>> connect a simple (Static IP) IPSec Tunnel between an SRX240 Cluster and a
>> single srx210.  I've checked the policies and the proposals and they are
>> spot on identical.  I've put the external interface on the cluster (lo0.0)
>> on the right external zone.  I'm also running OS 12.1.X44.D30 which
>> supports.  I've been reading several diatribes on how to place the loopback
>> into the redundancy and I have done that as well.  I'm still gathering the
>> configurations for perusal as they need to be secured.  First question
>> would be, does anything instantly pop out to anyone?  I'll have the configs
>> loaded as soon as I can.
>> 
>> Thank you,
>> *Levi Pederson*
>> Mankato Networks LLC
>> cell | 612.481.0769
>> work | 612.787.7392
>> levipederson at mankatonetworks.net
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>> 