I tried the deactivate, commit, reactivate, commit method…no such luck :(
On 2013-03-20 2:12 PM, "Gabriel Blanchard" <[email protected]> wrote:

> Same thing here, that or I had to
>
> deactivate security vpn <name>
> commit
> and reactivate.
> commit
>
> On 13-03-20 02:03 PM, Bjørn Tore wrote:
>> As I mentioned offline - I once had to reboot an SRX 240 after changing
>> IPSEC config, to make things come up. Might not be the case here, but
>> with the code quality these days - who knows..
>>
>> Bjørn Tore @ mobile
>>
>> On 20 March 2013 at 18:57, Patrick Dickey <[email protected]> wrote:
>>
>>> I'd start to suspect the other side of the tunnel. What is your peer
>>> device?
>>>
>>> On Mar 20, 2013, at 11:55 AM, Bill Sandiford <[email protected]> wrote:
>>>
>>>> So I added the following configuration in. The syntax was a little
>>>> different than what you sent, but basically the same thing (I think).
>>>>
>>>> > show configuration security policies
>>>> from-zone trust to-zone trust {
>>>>     policy policy1 {
>>>>         match {
>>>>             source-address any;
>>>>             destination-address any;
>>>>             application any;
>>>>         }
>>>>         then {
>>>>             permit;
>>>>         }
>>>>     }
>>>> }
>>>> default-policy {
>>>>     permit-all;
>>>> }
>>>>
>>>> …but still not working :(
>>>>
>>>> On 2013-03-20 12:29 PM, "Aaron Dewell" <[email protected]> wrote:
>>>>
>>>>> You'll also need a policy which allows traffic from trust to trust, i.e.:
>>>>>
>>>>> set security policies from-zone trust to-zone trust match source-address any
>>>>> set security policies from-zone trust to-zone trust match destination-address any
>>>>> set security policies from-zone trust to-zone trust match protocol any
>>>>> set security policies from-zone trust to-zone trust then permit
>>>>>
>>>>> Cross-interface traffic is not allowed by default even within the same
>>>>> zone.
>>>>>
>>>>> On Mar 20, 2013, at 10:16 AM, Bill Sandiford wrote:
>>>>>> For the most part this J-series has always just acted as a router
>>>>>> without any tunnels per se. As such, I have always had all interfaces
>>>>>> in the trust zone, as follows
>>>>>>
>>>>>> zones {
>>>>>>     security-zone trust {
>>>>>>         tcp-rst;
>>>>>>         host-inbound-traffic {
>>>>>>             system-services {
>>>>>>                 any-service;
>>>>>>             }
>>>>>>             protocols {
>>>>>>                 all;
>>>>>>             }
>>>>>>         }
>>>>>>         interfaces {
>>>>>>             all;
>>>>>>         }
>>>>>>     }
>>>>>> }
>>>>>>
>>>>>> Will this accomplish what you are suggesting?
>>>>>>
>>>>>> On 2013-03-20 11:52 AM, "Patrick Dickey" <[email protected]> wrote:
>>>>>>
>>>>>>> I don't remember if the J series behaves exactly like the SRXs when
>>>>>>> it comes to IPSec, but if it does, make sure to put the st0.x
>>>>>>> interface into a security zone and have a security policy allowing
>>>>>>> the traffic.
>>>>>>>
>>>>>>> I believe that's only a requirement if you're running the enhanced
>>>>>>> services/security code on the J, but I think you have to be to get
>>>>>>> IPSec.
>>>>>>>
>>>>>>> HTH
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: [email protected]
>>>>>>> [mailto:[email protected]] On Behalf Of Bill Sandiford
>>>>>>> Sent: Wednesday, March 20, 2013 8:47 AM
>>>>>>> To: [email protected]
>>>>>>> Subject: [j-nsp] Help needed with IPSEC VPN on J-Series
>>>>>>>
>>>>>>> Hi All,
>>>>>>>
>>>>>>> I need some help with an IPSEC tunnel that I just can't seem to get
>>>>>>> working on a J-6350. I have been able to get the tunnels to come up,
>>>>>>> but can't seem to pass traffic over the tunnels.
>>>>>>>
>>>>>>> I've done the usual things. I've created an st0.0 interface and
>>>>>>> bound it to the tunnel using the bind-interface command. I've created
>>>>>>> a static route and pointed it at the st0.0 interface. I just can't
>>>>>>> seem to get traffic to pass over the tunnel.
>>>>>>>
>>>>>>> Any help or suggestions would be appreciated. I'm also willing to
>>>>>>> put a $$$ bounty on this for anyone that is willing to help me get it
>>>>>>> working via teamviewer.
>>>>>>>
>>>>>>> Regards,
>>>>>>> Bill
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> juniper-nsp mailing list [email protected]
>>>>>>> https://puck.nether.net/mailman/listinfo/juniper-nsp
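Added example, not part of the original thread: a small Python check over a configuration in `display set` form that tests the three things the replies above ask about for each bound st0 unit (zone membership, a permitting policy in both directions, a static route via the tunnel). The function name, the `lan_zone` parameter and the sample configuration are constructed for illustration; a clean result only rules out these gaps, and the configuration quoted in the thread would pass all three.

```python
import re

# Constructed sample in `display set` form; VPN name, zones and prefix are illustrative.
SAMPLE = """\
set interfaces st0 unit 0 family inet
set security ipsec vpn site-b bind-interface st0.0
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone vpn interfaces st0.0
set security policies from-zone trust to-zone vpn policy out match source-address any
set security policies from-zone trust to-zone vpn policy out match destination-address any
set security policies from-zone trust to-zone vpn policy out match application any
set security policies from-zone trust to-zone vpn policy out then permit
set routing-options static route 10.20.0.0/16 next-hop st0.0
"""

def check_tunnel_path(config, lan_zone="trust"):
    """Return findings for every st0 unit bound to an IPsec VPN (hypothetical helper)."""
    bound = re.findall(
        r"^set security ipsec vpn (\S+) bind-interface (st0\.\d+)$", config, re.M)
    # interface name (or the keyword "all") -> security zone
    zones = {ifc: zone for zone, ifc in re.findall(
        r"^set security zones security-zone (\S+) interfaces (\S+)", config, re.M)}
    permits = set(re.findall(
        r"^set security policies from-zone (\S+) to-zone (\S+) policy \S+ then permit",
        config, re.M))
    # A permit-all default policy covers every zone pair without an explicit policy.
    permit_all = bool(re.search(
        r"^set security policies default-policy permit-all$", config, re.M))
    routed = set(re.findall(
        r"^set routing-options static route \S+ next-hop (st0\.\d+)", config, re.M))

    findings = []
    for vpn, ifc in bound:
        zone = zones.get(ifc) or zones.get("all")
        if zone is None:
            findings.append(f"{vpn}: {ifc} is not in any security zone")
            continue
        # Traffic needs a permit in each direction between the LAN zone and the tunnel zone.
        for src, dst in dict.fromkeys([(lan_zone, zone), (zone, lan_zone)]):
            if not permit_all and (src, dst) not in permits:
                findings.append(f"{vpn}: no permit policy from-zone {src} to-zone {dst}")
        if ifc not in routed:
            findings.append(f"{vpn}: no static route with next-hop {ifc}")
    return findings

if __name__ == "__main__":
    for finding in check_tunnel_path(SAMPLE):
        print(finding)
```
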

