I'd start to suspect the other side of the tunnel. What is your peer device?
On Mar 20, 2013, at 11:55 AM, Bill Sandiford <[email protected]> wrote:

> So I added the following configuration in. The syntax was a little
> different than what you sent, but basically the same thing (I think).
>
>> show configuration security policies
> from-zone trust to-zone trust {
>     policy policy1 {
>         match {
>             source-address any;
>             destination-address any;
>             application any;
>         }
>         then {
>             permit;
>         }
>     }
> }
> default-policy {
>     permit-all;
> }
>
> ...but still not working :(
>
> On 2013-03-20 12:29 PM, "Aaron Dewell" <[email protected]> wrote:
>
>> You'll also need a policy which allows traffic from trust to trust, i.e.:
>>
>> set security policies from-zone trust to-zone trust match source-address any
>> set security policies from-zone trust to-zone trust match destination-address any
>> set security policies from-zone trust to-zone trust match protocol any
>> set security policies from-zone trust to-zone trust then permit
>>
>> Cross-interface traffic is not allowed by default even within the same zone.
>>
>> On Mar 20, 2013, at 10:16 AM, Bill Sandiford wrote:
>>
>>> For the most part this J-series has always just acted as a router without
>>> any tunnels per se. As such, I have always had all interfaces in the
>>> trust zone, as follows
>>>
>>> zones {
>>>     security-zone trust {
>>>         tcp-rst;
>>>         host-inbound-traffic {
>>>             system-services {
>>>                 any-service;
>>>             }
>>>             protocols {
>>>                 all;
>>>             }
>>>         }
>>>         interfaces {
>>>             all;
>>>         }
>>>     }
>>> }
>>>
>>> Will this accomplish what you are suggesting?
>>>
>>> On 2013-03-20 11:52 AM, "Patrick Dickey" <[email protected]> wrote:
>>>
>>>> I don't remember if the J series behaves exactly like the SRXs when it
>>>> comes to IPSec, but if it is make sure to put the st0.x interface into a
>>>> security zone and have a security policy allowing the traffic.
>>>>
>>>> I believe that's only a requirement if you're running the enhanced
>>>> services/security code on the J, but I think you have to be to get IPSec.
>>>>
>>>> HTH
>>>>
>>>> -----Original Message-----
>>>> From: [email protected] [mailto:[email protected]] On Behalf Of Bill Sandiford
>>>> Sent: Wednesday, March 20, 2013 8:47 AM
>>>> To: [email protected]
>>>> Subject: [j-nsp] Help needed with IPSEC VPN on J-Series
>>>>
>>>> Hi All,
>>>>
>>>> I need some help with an IPSEC tunnel that I just can't seem to get working
>>>> on a J-6350. I have been able to get the tunnels to come up, but can't seem
>>>> to pass traffic over the tunnels.
>>>>
>>>> I've done the usual things. I've created an st0.0 interface and bound it to
>>>> the tunnel using the bind-interface command. I've created a static route
>>>> and pointed it at the st0.0 interface. I just can't seem to get traffic to
>>>> pass over the tunnel.
>>>>
>>>> Any help or suggestions would be appreciated. I'm also willing to put a $$$
>>>> bounty on this for anyone that is willing to help me get it working via
>>>> teamviewer.
>>>>
>>>> Regards,
>>>> Bill
>>>>
>>>> _______________________________________________
>>>> juniper-nsp mailing list [email protected]
>>>> https://puck.nether.net/mailman/listinfo/juniper-nsp
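As an added illustration (not part of the thread and not Bill's actual configuration), the set-syntax below does what Patrick describes for a route-based tunnel, but with the tunnel interface in its own zone and explicit zone-pair policies instead of the permit-all default policy quoted above. It assumes placeholder names: a VPN called `site-b`, a local LAN 10.1.0.0/24 behind ge-0/0/1.0, and a remote LAN 10.2.0.0/24.

```junos
## Added example; assumptions: VPN "site-b", local LAN 10.1.0.0/24 on
## ge-0/0/1.0, remote LAN 10.2.0.0/24. Adjust names and prefixes to fit.

## Route-based VPN: bind the IPsec SA to st0.0 and route the remote LAN to it
set interfaces st0 unit 0 family inet
set security ipsec vpn site-b bind-interface st0.0
set routing-options static route 10.2.0.0/24 next-hop st0.0

## Give st0.0 its own zone instead of letting "interfaces all" decide where
## it lands; only ping is accepted on the tunnel interface itself
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone vpn interfaces st0.0
set security zones security-zone vpn host-inbound-traffic system-services ping

## Address objects scoped to the two LANs rather than "any"
set security zones security-zone trust address-book address lan-a 10.1.0.0/24
set security zones security-zone vpn address-book address lan-b 10.2.0.0/24

## One explicit policy per direction, each logged at session close
set security policies from-zone trust to-zone vpn policy to-site-b match source-address lan-a
set security policies from-zone trust to-zone vpn policy to-site-b match destination-address lan-b
set security policies from-zone trust to-zone vpn policy to-site-b match application any
set security policies from-zone trust to-zone vpn policy to-site-b then permit
set security policies from-zone trust to-zone vpn policy to-site-b then log session-close

set security policies from-zone vpn to-zone trust policy from-site-b match source-address lan-b
set security policies from-zone vpn to-zone trust policy from-site-b match destination-address lan-a
set security policies from-zone vpn to-zone trust policy from-site-b match application any
set security policies from-zone vpn to-zone trust policy from-site-b then permit
set security policies from-zone vpn to-zone trust policy from-site-b then log session-close

## Anything not matched by an explicit policy is dropped
set security policies default-policy deny-all
```

Paste into configuration mode (or `load set` from a file) and run `commit check` before committing; `show security flow session` and `show security policies hit-count` then show whether tunnel traffic is matching the new policies.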

