Thanks for the tip… If I can't get this working today I will reboot in our maintenance window tonight.

On 2013-03-20 2:03 PM, "Bjørn Tore" <[email protected]> wrote:

> As I mentioned offline - I once had to reboot an SRX 240 after changing
> IPSEC config, to make things come up. Might not be the case here, but
> with the code quality these days - who knows..
>
> Bjørn Tore @ mobil
>
> On 20 March 2013 at 18:57 Patrick Dickey <[email protected]> wrote:
>
>> I'd start to suspect the other side of the tunnel. What is your peer
>> device?
>>
>> On Mar 20, 2013, at 11:55 AM, Bill Sandiford <[email protected]> wrote:
>>
>>> So I added the following configuration in. The syntax was a little
>>> different than what you sent, but basically the same thing (I think).
>>>
>>> > show configuration security policies
>>> from-zone trust to-zone trust {
>>>     policy policy1 {
>>>         match {
>>>             source-address any;
>>>             destination-address any;
>>>             application any;
>>>         }
>>>         then {
>>>             permit;
>>>         }
>>>     }
>>> }
>>> default-policy {
>>>     permit-all;
>>> }
>>>
>>> …but still not working :(
>>>
>>> On 2013-03-20 12:29 PM, "Aaron Dewell" <[email protected]> wrote:
>>>
>>>> You'll also need a policy which allows traffic from trust to trust,
>>>> i.e.:
>>>>
>>>> set security policies from-zone trust to-zone trust match source-address any
>>>> set security policies from-zone trust to-zone trust match destination-address any
>>>> set security policies from-zone trust to-zone trust match protocol any
>>>> set security policies from-zone trust to-zone trust then permit
>>>>
>>>> Cross-interface traffic is not allowed by default even within the same
>>>> zone.
>>>>
>>>> On Mar 20, 2013, at 10:16 AM, Bill Sandiford wrote:
>>>>
>>>>> For the most part this J-series has always just acted as a router
>>>>> without any tunnels per se. As such, I have always had all interfaces
>>>>> in the trust zone, as follows
>>>>>
>>>>> zones {
>>>>>     security-zone trust {
>>>>>         tcp-rst;
>>>>>         host-inbound-traffic {
>>>>>             system-services {
>>>>>                 any-service;
>>>>>             }
>>>>>             protocols {
>>>>>                 all;
>>>>>             }
>>>>>         }
>>>>>         interfaces {
>>>>>             all;
>>>>>         }
>>>>>     }
>>>>> }
>>>>>
>>>>> Will this accomplish what you are suggesting?
>>>>>
>>>>> On 2013-03-20 11:52 AM, "Patrick Dickey" <[email protected]> wrote:
>>>>>
>>>>>> I don't remember if the J series behaves exactly like the SRXs when
>>>>>> it comes to IPSec, but if it is make sure to put the st0.x interface
>>>>>> into a security zone and have a security policy allowing the traffic.
>>>>>>
>>>>>> I believe that's only a requirement if you're running the enhanced
>>>>>> services/security code on the J, but I think you have to be to get
>>>>>> IPSec.
>>>>>>
>>>>>> HTH
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: [email protected] [mailto:[email protected]] On Behalf Of Bill Sandiford
>>>>>> Sent: Wednesday, March 20, 2013 8:47 AM
>>>>>> To: [email protected]
>>>>>> Subject: [j-nsp] Help needed with IPSEC VPN on J-Series
>>>>>>
>>>>>> Hi All,
>>>>>>
>>>>>> I need some help with an IPSEC tunnel that I just can't seem to get
>>>>>> working on a J-6350. I have been able to get the tunnels to come up,
>>>>>> but can't seem to pass traffic over the tunnels.
>>>>>>
>>>>>> I've done the usual things. I've created an st0.0 interface and bound
>>>>>> it to the tunnel using the bind-interface command. I've created a
>>>>>> static route and pointed it at the st0.0 interface. I just can't seem
>>>>>> to get traffic to pass over the tunnel.
>>>>>>
>>>>>> Any help or suggestions would be appreciated. I'm also willing to put
>>>>>> a $$$ bounty on this for anyone that is willing to help me get it
>>>>>> working via teamviewer.
>>>>>>
>>>>>> Regards,
>>>>>> Bill
>>>>>>
>>>>>> _______________________________________________
>>>>>> juniper-nsp mailing list [email protected]
>>>>>> https://puck.nether.net/mailman/listinfo/juniper-nsp
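The thread's advice (bind the VPN to an st0 unit, put that unit in a security zone, permit the traffic with a policy, route the remote prefix into the tunnel) pulled together as one route-based IPsec configuration in Junos set format. This is an added example written for this page, not configuration from any of the posters; it assumes Junos in flow mode (the "enhanced services" code the thread mentions for J-series), and the VPN name vpn-to-branch, gateway gw-branch, zone name vpn, interface ge-0/0/0 and the prefixes 10.1.0.0/24 (local) and 10.2.0.0/24 (remote) are all made-up placeholders. The `##` lines are explanatory and are not Junos CLI input; strip them before pasting.

```junos
## Added example (not from the thread). Assumed names: vpn-to-branch, gw-branch,
## zone "vpn", ge-0/0/0, 10.1.0.0/24 (local LAN), 10.2.0.0/24 (remote LAN).

## 1. Tunnel interface. The st0 unit needs family inet even if it carries no address.
set interfaces st0 unit 0 family inet

## 2. Bind the (already configured) IPsec VPN to the tunnel interface.
set security ipsec vpn vpn-to-branch ike gateway gw-branch
set security ipsec vpn vpn-to-branch bind-interface st0.0

## 3. The st0 unit must belong to a security zone. A dedicated "vpn" zone keeps
##    the policy narrower than "interfaces all" in trust, and avoids relying on
##    an intra-zone trust-to-trust permit-all.
set security zones security-zone vpn interfaces st0.0

## 4. IKE must be allowed inbound on the zone holding the outside interface,
##    or phase 1 never completes.
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike

## 5. Zone-scoped address-book entries so the policies match only the two LANs.
set security zones security-zone trust address-book address local-lan 10.1.0.0/24
set security zones security-zone vpn address-book address branch-lan 10.2.0.0/24

## 6. Policies in BOTH directions. The match keyword is "application", not
##    "protocol". Without the vpn-to-trust policy, sessions initiated from the
##    far side are silently dropped even though the tunnel is up.
set security policies from-zone trust to-zone vpn policy to-branch match source-address local-lan
set security policies from-zone trust to-zone vpn policy to-branch match destination-address branch-lan
set security policies from-zone trust to-zone vpn policy to-branch match application any
set security policies from-zone trust to-zone vpn policy to-branch then permit
set security policies from-zone vpn to-zone trust policy from-branch match source-address branch-lan
set security policies from-zone vpn to-zone trust policy from-branch match destination-address local-lan
set security policies from-zone vpn to-zone trust policy from-branch match application any
set security policies from-zone vpn to-zone trust policy from-branch then permit

## 7. Route the remote prefix into the tunnel; this is what selects st0.0 and
##    therefore the vpn zone for the flow lookup.
set routing-options static route 10.2.0.0/24 next-hop st0.0

## Verification (operational mode), in the order the packet is processed:
##   show security ike security-associations          -> phase 1 up?
##   show security ipsec security-associations        -> phase 2 up?
##   show security policies from-zone trust to-zone vpn
##   show security flow session destination-prefix 10.2.0.0/24
##   show security ipsec statistics                   -> encrypted/decrypted counters
##                                                       moving, or only one direction?
```

If the SAs are up but `show security ipsec statistics` shows packets encrypted with nothing decrypted, the local side is forwarding and the peer is the suspect, which is the question Patrick raised upthread; if neither counter moves, check the flow session and policy lookup on this box first.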

