As I mentioned offline - I once had to reboot an SRX 240 after changing IPSEC config, to make things come up. Might not be the case here, but with the code quality these days - who knows..
Bjørn Tore @ mobil

On 20 March 2013 at 18:57 Patrick Dickey <[email protected]> wrote:

> I'd start to suspect the other side of the tunnel. What is your peer device?
>
> On Mar 20, 2013, at 11:55 AM, Bill Sandiford <[email protected]> wrote:
>
>> So I added the following configuration in. The syntax was a little
>> different than what you sent, but basically the same thing (I think).
>>
>>> show configuration security policies
>> from-zone trust to-zone trust {
>>     policy policy1 {
>>         match {
>>             source-address any;
>>             destination-address any;
>>             application any;
>>         }
>>         then {
>>             permit;
>>         }
>>     }
>> }
>> default-policy {
>>     permit-all;
>> }
>>
>> …but still not working :(
>>
>> On 2013-03-20 12:29 PM, "Aaron Dewell" <[email protected]> wrote:
>>
>>> You'll also need a policy which allows traffic from trust to trust, i.e.:
>>>
>>> set security policies from-zone trust to-zone trust match source-address any
>>> set security policies from-zone trust to-zone trust match destination-address any
>>> set security policies from-zone trust to-zone trust match protocol any
>>> set security policies from-zone trust to-zone trust then permit
>>>
>>> Cross-interface traffic is not allowed by default even within the same zone.
>>>
>>> On Mar 20, 2013, at 10:16 AM, Bill Sandiford wrote:
>>>> For the most part this J-series has always just acted as a router without
>>>> any tunnels per se. As such, I have always had all interfaces in the
>>>> trust zone, as follows
>>>>
>>>> zones {
>>>>     security-zone trust {
>>>>         tcp-rst;
>>>>         host-inbound-traffic {
>>>>             system-services {
>>>>                 any-service;
>>>>             }
>>>>             protocols {
>>>>                 all;
>>>>             }
>>>>         }
>>>>         interfaces {
>>>>             all;
>>>>         }
>>>>     }
>>>> }
>>>>
>>>> Will this accomplish what you are suggesting?
>>>>
>>>> On 2013-03-20 11:52 AM, "Patrick Dickey" <[email protected]> wrote:
>>>>
>>>>> I don't remember if the J series behaves exactly like the SRXs when it comes
>>>>> to IPSec, but if it is make sure to put the st0.x interface into a security
>>>>> zone and have a security policy allowing the traffic.
>>>>>
>>>>> I believe that's only a requirement if you're running the enhanced
>>>>> services/security code on the J, but I think you have to be to get IPSec.
>>>>>
>>>>> HTH
>>>>>
>>>>> -----Original Message-----
>>>>> From: [email protected] [mailto:[email protected]] On Behalf Of Bill Sandiford
>>>>> Sent: Wednesday, March 20, 2013 8:47 AM
>>>>> To: [email protected]
>>>>> Subject: [j-nsp] Help needed with IPSEC VPN on J-Series
>>>>>
>>>>> Hi All,
>>>>>
>>>>> I need some help with an IPSEC tunnel that I just can't seem to get working
>>>>> on a J-6350. I have been able to get the tunnels to come up, but can't seem
>>>>> to pass traffic over the tunnels.
>>>>>
>>>>> I've done the usual things. I've created an st0.0 interface and bound it to
>>>>> the tunnel using the bind-interface command. I've created a static route
>>>>> and pointed it at the st0.0 interface. I just can't seem to get traffic to
>>>>> pass over the tunnel.
>>>>>
>>>>> Any help or suggestions would be appreciated. I'm also willing to put a $$$
>>>>> bounty on this for anyone that is willing to help me get it working via
>>>>> teamviewer.
>>>>>
>>>>> Regards,
>>>>> Bill
>>>>>
>>>>> _______________________________________________
>>>>> juniper-nsp mailing list [email protected]
>>>>> https://puck.nether.net/mailman/listinfo/juniper-nsp
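Added example, not from anyone in this thread: a route-based IPsec setup in Junos set-command form that follows Patrick's advice literally, putting the st0.0 tunnel interface in its own security zone rather than leaving everything in "trust", and pairing it with explicit per-direction policies and a deny-all default instead of the permit-all shown above. The VPN name (site-b-vpn), zone name (vpn), address names and the 192.0.2.0/24 and 198.51.100.0/24 prefixes are assumed placeholders; the `#` lines are explanatory comments for the reader, not part of the configuration. The show commands at the end are the checks to run after commit, in the order a practitioner would use to tell "tunnel up" from "traffic passing".

```junos
# --- Tunnel interface and the VPN bound to it (assumed VPN name: site-b-vpn) ---
set interfaces st0 unit 0 family inet
set security ipsec vpn site-b-vpn bind-interface st0.0

# --- Put st0.0 in a dedicated zone (assumed name: vpn), not in trust ---
# A separate zone makes the tunnel traffic subject to explicit from-zone/to-zone policy.
set security zones security-zone vpn interfaces st0.0

# --- Route the remote LAN (assumed 198.51.100.0/24) into the tunnel ---
set routing-options static route 198.51.100.0/24 next-hop st0.0

# --- Address-book entries so the policies are scoped to the two LANs, not "any" ---
set security zones security-zone trust address-book address local-lan 192.0.2.0/24
set security zones security-zone vpn address-book address remote-lan 198.51.100.0/24

# --- Policy trust -> vpn (outbound into the tunnel) ---
set security policies from-zone trust to-zone vpn policy to-site-b match source-address local-lan
set security policies from-zone trust to-zone vpn policy to-site-b match destination-address remote-lan
set security policies from-zone trust to-zone vpn policy to-site-b match application any
set security policies from-zone trust to-zone vpn policy to-site-b then permit
set security policies from-zone trust to-zone vpn policy to-site-b then log session-close

# --- Policy vpn -> trust (return/inbound traffic from the tunnel) ---
set security policies from-zone vpn to-zone trust policy from-site-b match source-address remote-lan
set security policies from-zone vpn to-zone trust policy from-site-b match destination-address local-lan
set security policies from-zone vpn to-zone trust policy from-site-b match application any
set security policies from-zone vpn to-zone trust policy from-site-b then permit
set security policies from-zone vpn to-zone trust policy from-site-b then log session-close

# --- Keep the default deny: anything not matched by an explicit policy is dropped ---
set security policies default-policy deny-all

# --- Verification after commit (operational mode) ---
# 1. Phase 1 and Phase 2 are up:
#      show security ike security-associations
#      show security ipsec security-associations
# 2. st0.0 is actually in the zone you think it is:
#      show security zones
# 3. The policy pair exists and is in the expected order:
#      show security policies from-zone trust to-zone vpn
#      show security policies from-zone vpn to-zone trust
# 4. Flows are being created toward the remote LAN (if the SA is up but this is
#    empty, the problem is policy/zone/route on this box, not the tunnel):
#      show security flow session destination-prefix 198.51.100.0/24
```

The design choice here is that the tunnel traffic gets its own zone and a scoped, logged policy in each direction. A trust-to-trust any/any policy as discussed in the thread will also pass the traffic once st0.0 is in the trust zone, but it then permits every intra-zone flow between all interfaces, and `default-policy permit-all` removes the default deny altogether; the zone-per-tunnel layout keeps that exposure out while still answering the question of why "tunnel up but no traffic" happens.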

