Bill, maybe I missed it, but I haven't seen your full IPsec VPN config; would you mind sending it through?
Our company is switching from NetScreen SSGs to Junos SRXs, so I'm going to apologize that these are generic and in the full set command syntax, but this is what I sent to my colleagues as a guideline.

set interfaces fe-0/0/0 description Outside
set interfaces fe-0/0/0 unit 0 family inet address X.X.X.X/XX
set interfaces fe-0/0/1 description Inside
set interfaces fe-0/0/1 vlan-tagging
set interfaces fe-0/0/1 unit 215 description VLAN-Name_215
set interfaces fe-0/0/1 unit 215 vlan-id 215
set interfaces fe-0/0/1 unit 215 family inet address 172.31.215.5/24
set interfaces fe-0/0/1 unit 219 description VLAN-Name_219
set interfaces fe-0/0/1 unit 219 vlan-id 219
set interfaces fe-0/0/1 unit 219 family inet address 172.31.219.5/24
set interfaces st0 unit 0
set interfaces st0 unit 1
set routing-options static route 0/0 next-hop X.X.X.X
set routing-options static route 172.31.215.0/24 next-hop 172.31.215.1
set routing-options static route 172.31.219.0/24 next-hop 172.31.219.1
set routing-options static route 10.8.0.0/16 next-hop st0.0
set routing-options static route 10.25.0.0/16 next-hop st0.1
set security ike proposal ike-phase1-proposal authentication-method pre-shared-keys
set security ike proposal ike-phase1-proposal dh-group group5
set security ike proposal ike-phase1-proposal authentication-algorithm sha1
set security ike proposal ike-phase1-proposal encryption-algorithm 3des-cbc
set security ike policy ike-phase1-policy mode main
set security ike policy ike-phase1-policy proposals ike-phase1-proposal
set security ike policy ike-phase1-policy pre-shared-key ascii-text some_psk_text_here
set security ike gateway DSG_Wloo ike-policy ike-phase1-policy
set security ike gateway DSG_Wloo address X.X.X.X
set security ike gateway DSG_Wloo external-interface fe-0/0/0
set security ike gateway DSG_Q9 ike-policy ike-phase1-policy
set security ike gateway DSG_Q9 address X.X.X.X
set security ike gateway DSG_Q9 external-interface fe-0/0/0
set security ipsec proposal ipsec-phase2-proposal protocol esp
set security ipsec proposal ipsec-phase2-proposal authentication-algorithm hmac-md5-96
set security ipsec proposal ipsec-phase2-proposal encryption-algorithm 3des-cbc
set security ipsec proposal ipsec-phase2-proposal lifetime-seconds 3600
set security ipsec proposal ipsec-phase2-proposal lifetime-kilobytes 2147483647
set security ipsec policy ipsec-phase2-policy perfect-forward-secrecy keys group5
set security ipsec policy ipsec-phase2-policy proposals ipsec-phase2-proposal
set security ipsec vpn DSG_Wloo_P2-0 bind-interface st0.0
set security ipsec vpn DSG_Wloo_P2-0 ike gateway DSG_Wloo
set security ipsec vpn DSG_Wloo_P2-0 ike proxy-identity local 172.31.0.0/16
set security ipsec vpn DSG_Wloo_P2-0 ike proxy-identity remote 10.8.0.0/16
set security ipsec vpn DSG_Wloo_P2-0 ike ipsec-policy ipsec-phase2-policy
set security ipsec vpn DSG_Q9_P2-0 bind-interface st0.1
set security ipsec vpn DSG_Q9_P2-0 ike gateway DSG_Q9
set security ipsec vpn DSG_Q9_P2-0 ike proxy-identity local 172.31.0.0/16
set security ipsec vpn DSG_Q9_P2-0 ike proxy-identity remote 10.25.0.0/16
set security ipsec vpn DSG_Q9_P2-0 ike ipsec-policy ipsec-phase2-policy
set security zones security-zone outside host-inbound-traffic system-services ike
set security zones security-zone outside host-inbound-traffic system-services ping
set security zones security-zone outside interfaces fe-0/0/0.0
set security zones security-zone ipsec-dsg-wloo address-book address DSG_WLOO-01 10.8.0.0/16
set security zones security-zone ipsec-dsg-wloo address-book address-set DSG_WLOO_Net address DSG_WLOO-01
set security zones security-zone ipsec-dsg-wloo interfaces st0.0
set security zones security-zone ipsec-dsg-q9 address-book address DSG_Q9-01 10.25.0.0/16
set security zones security-zone ipsec-dsg-q9 address-book address-set DSG_Q9_Net address DSG_Q9-01
set security zones security-zone ipsec-dsg-q9 interfaces st0.1
set security zones security-zone inside address-book address Office-Name-01 172.31.215.0/24
set security zones security-zone inside address-book address Office-Name-02 172.31.219.0/24
set security zones security-zone inside address-book address-set Office_Net address Office-Name-01
set security zones security-zone inside address-book address-set Office_Net address Office-Name-02
set security zones security-zone inside interfaces fe-0/0/1.215
set security zones security-zone inside interfaces fe-0/0/1.219
set security zones security-zone inside host-inbound-traffic system-services all
set security policies from-zone inside to-zone ipsec-dsg-wloo policy inside-dsg_wloo match source-address Office_Net
set security policies from-zone inside to-zone ipsec-dsg-wloo policy inside-dsg_wloo match destination-address DSG_WLOO_Net
set security policies from-zone inside to-zone ipsec-dsg-wloo policy inside-dsg_wloo match application any
set security policies from-zone inside to-zone ipsec-dsg-wloo policy inside-dsg_wloo match application junos-icmp-all
set security policies from-zone inside to-zone ipsec-dsg-wloo policy inside-dsg_wloo then permit
set security policies from-zone ipsec-dsg-wloo to-zone inside policy dsg_wloo-inside match source-address DSG_WLOO_Net
set security policies from-zone ipsec-dsg-wloo to-zone inside policy dsg_wloo-inside match destination-address Office_Net
set security policies from-zone ipsec-dsg-wloo to-zone inside policy dsg_wloo-inside match application any
set security policies from-zone ipsec-dsg-wloo to-zone inside policy dsg_wloo-inside match application junos-icmp-all
set security policies from-zone ipsec-dsg-wloo to-zone inside policy dsg_wloo-inside then permit
set security policies from-zone inside to-zone ipsec-dsg-q9 policy inside-dsg_q9 match source-address Office_Net
set security policies from-zone inside to-zone ipsec-dsg-q9 policy inside-dsg_q9 match destination-address DSG_Q9_Net
set security policies from-zone inside to-zone ipsec-dsg-q9 policy inside-dsg_q9 match application any
set security policies from-zone inside to-zone ipsec-dsg-q9 policy inside-dsg_q9 match application junos-icmp-all
set security policies from-zone inside to-zone ipsec-dsg-q9 policy inside-dsg_q9 then permit
set security policies from-zone ipsec-dsg-q9 to-zone inside policy dsg_q9-inside match source-address DSG_Q9_Net
set security policies from-zone ipsec-dsg-q9 to-zone inside policy dsg_q9-inside match destination-address Office_Net
set security policies from-zone ipsec-dsg-q9 to-zone inside policy dsg_q9-inside match application any
set security policies from-zone ipsec-dsg-q9 to-zone inside policy dsg_q9-inside match application junos-icmp-all
set security policies from-zone ipsec-dsg-q9 to-zone inside policy dsg_q9-inside then permit

On Thu, Mar 21, 2013 at 2:34 AM, ashish verma <[email protected]> wrote:
> Commit full?
>
> Also do you have a static route for the peer gateway IP?
> I tried the deactivate, commit, reactivate, commit method… no such luck :(
>
> On 2013-03-20 2:12 PM, "Gabriel Blanchard" <[email protected]> wrote:
>
> >Same thing here, that or I had to
> >
> >deactivate security vpn <name>
> >commit
> >and reactivate.
> >commit
> >
> >On 13-03-20 02:03 PM, Bjørn Tore wrote:
> >> As I mentioned offline - I once had to reboot an SRX 240 after changing IPSEC config, to make things come up. Might not be the case here, but with the code quality these days - who knows..
> >>
> >> Bjørn Tore @ mobile
> >>
> >> On 20 March 2013 at 18:57, Patrick Dickey <[email protected]> wrote:
> >>
> >>> I'd start to suspect the other side of the tunnel. What is your peer device?
> >>>
> >>> On Mar 20, 2013, at 11:55 AM, Bill Sandiford <[email protected]> wrote:
> >>>
> >>>> So I added the following configuration in. The syntax was a little different than what you sent, but basically the same thing (I think).
> >>>>
> >>>>> show configuration security policies
> >>>> from-zone trust to-zone trust {
> >>>>     policy policy1 {
> >>>>         match {
> >>>>             source-address any;
> >>>>             destination-address any;
> >>>>             application any;
> >>>>         }
> >>>>         then {
> >>>>             permit;
> >>>>         }
> >>>>     }
> >>>> }
> >>>> default-policy {
> >>>>     permit-all;
> >>>> }
> >>>>
> >>>> …but still not working :(
> >>>>
> >>>> On 2013-03-20 12:29 PM, "Aaron Dewell" <[email protected]> wrote:
> >>>>
> >>>>> You'll also need a policy which allows traffic from trust to trust, i.e.:
> >>>>>
> >>>>> set security policies from-zone trust to-zone trust policy policy1 match source-address any
> >>>>> set security policies from-zone trust to-zone trust policy policy1 match destination-address any
> >>>>> set security policies from-zone trust to-zone trust policy policy1 match application any
> >>>>> set security policies from-zone trust to-zone trust policy policy1 then permit
> >>>>>
> >>>>> Cross-interface traffic is not allowed by default even within the same zone.
> >>>>>
> >>>>> On Mar 20, 2013, at 10:16 AM, Bill Sandiford wrote:
> >>>>>> For the most part this J-series has always just acted as a router without any tunnels per se. As such, I have always had all interfaces in the trust zone, as follows
> >>>>>>
> >>>>>> zones {
> >>>>>>     security-zone trust {
> >>>>>>         tcp-rst;
> >>>>>>         host-inbound-traffic {
> >>>>>>             system-services {
> >>>>>>                 any-service;
> >>>>>>             }
> >>>>>>             protocols {
> >>>>>>                 all;
> >>>>>>             }
> >>>>>>         }
> >>>>>>         interfaces {
> >>>>>>             all;
> >>>>>>         }
> >>>>>>     }
> >>>>>> }
> >>>>>>
> >>>>>> Will this accomplish what you are suggesting?
> >>>>>>
> >>>>>> On 2013-03-20 11:52 AM, "Patrick Dickey" <[email protected]> wrote:
> >>>>>>
> >>>>>>> I don't remember if the J series behaves exactly like the SRXs when it comes to IPSec, but if it is make sure to put the st0.x interface into a security zone and have a security policy allowing the traffic.
> >>>>>>>
> >>>>>>> I believe that's only a requirement if you're running the enhanced services/security code on the J, but I think you have to be to get IPSec.
> >>>>>>>
> >>>>>>> HTH
> >>>>>>>
> >>>>>>> -----Original Message-----
> >>>>>>> From: [email protected] [mailto:[email protected]] On Behalf Of Bill Sandiford
> >>>>>>> Sent: Wednesday, March 20, 2013 8:47 AM
> >>>>>>> To: [email protected]
> >>>>>>> Subject: [j-nsp] Help needed with IPSEC VPN on J-Series
> >>>>>>>
> >>>>>>> Hi All,
> >>>>>>>
> >>>>>>> I need some help with an IPSEC tunnel that I just can't seem to get working on a J-6350. I have been able to get the tunnels to come up, but can't seem to pass traffic over the tunnels.
> >>>>>>>
> >>>>>>> I've done the usual things. I've created an st0.0 interface and bound it to the tunnel using the bind-interface command. I've created a static route and pointed it at the st0.0 interface. I just can't seem to get traffic to pass over the tunnel.
> >>>>>>>
> >>>>>>> Any help or suggestions would be appreciated. I'm also willing to put a $$$ bounty on this for anyone that is willing to help me get it working via teamviewer.
> >>>>>>>
> >>>>>>> Regards,
> >>>>>>> Bill
> >>>>>>>
> >>>>>>> _______________________________________________
> >>>>>>> juniper-nsp mailing list [email protected]
> >>>>>>> https://puck.nether.net/mailman/listinfo/juniper-nsp
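As an added example that is not code from the thread or from Juniper, here is a small Python lint over Junos set-format config that mechanically checks the points the replies raise: the st0.x interface is in a security zone, a permit policy exists for that zone (including an explicit trust-to-trust policy when everything sits in one zone), a static route points at st0.x, and the IKE gateway's external interface is in a zone that accepts IKE. The configs it runs on are constructed, with illustrative names vpn1, peer and policy1.

```python
# Added example (not from the thread): lint Junos 'set' config for the VPN checks the replies raise.
def lint_vpn(config: str) -> list[str]:
    """Return one finding per failed check; an empty list means all checks passed."""
    zone_of, ike_zones, next_hops = {}, set(), set()      # interface -> zone, zones accepting IKE, route next-hops
    bound, vpn_gw, gw_ext, permits = {}, {}, {}, set()    # vpn -> st0.x, vpn -> gateway, gateway -> ext if, (from, to)
    for t in (l.split() for l in config.splitlines() if l.startswith("set ")):
        if t[1:4] == ["security", "zones", "security-zone"] and len(t) > 6:
            if t[5] == "interfaces":                      # 'interfaces all' is stored under the literal key "all"
                zone_of[t[6]] = t[4]
            elif t[5:7] == ["host-inbound-traffic", "system-services"] and len(t) > 7 and t[7] in ("ike", "any-service", "all"):
                ike_zones.add(t[4])
        elif t[1:4] == ["routing-options", "static", "route"] and "next-hop" in t[:-1]:
            next_hops.add(t[t.index("next-hop") + 1])
        elif t[1:4] == ["security", "ipsec", "vpn"] and t[5:6] == ["bind-interface"]:
            bound[t[4]] = t[6]
        elif t[1:4] == ["security", "ipsec", "vpn"] and t[5:7] == ["ike", "gateway"]:
            vpn_gw[t[4]] = t[7]
        elif t[1:4] == ["security", "ike", "gateway"] and t[5:6] == ["external-interface"]:
            gw_ext[t[4]] = t[6]
        elif t[1:3] == ["security", "policies"] and t[-2:] == ["then", "permit"]:
            permits.add((t[4], t[6]))                     # (from-zone, to-zone) pairs with a permit
    def zone(ifname):   # physical names match their unit 0; 'interfaces all' covers everything else
        return zone_of.get(ifname) or zone_of.get(ifname + ".0") or zone_of.get("all")
    findings = []
    for vpn, st in bound.items():
        z = zone(st)
        if z is None:
            findings.append(f"{vpn}: {st} is not in any security zone")
        else:   # traffic between interfaces of one zone still needs a policy (trust -> trust)
            if not any(to == z for _, to in permits):
                findings.append(f"{vpn}: no policy permits traffic into zone {z}")
            if not any(frm == z for frm, _ in permits):
                findings.append(f"{vpn}: no policy permits traffic out of zone {z}")
        if st not in next_hops:
            findings.append(f"{vpn}: no static route points at {st}")
        ext = gw_ext.get(vpn_gw.get(vpn, ""), "")
        if zone(ext) not in ike_zones:
            findings.append(f"{vpn}: external interface {ext!r} is in no zone that accepts IKE")
    return findings

# Constructed config in the shape of Bill's: everything in 'trust', no policy yet.
TRUST_ALL = """set routing-options static route 10.8.0.0/16 next-hop st0.0
set security ike gateway peer external-interface fe-0/0/0
set security ipsec vpn vpn1 bind-interface st0.0
set security ipsec vpn vpn1 ike gateway peer
set security zones security-zone trust host-inbound-traffic system-services any-service
set security zones security-zone trust interfaces all
"""
# Aaron's fix: an explicit trust-to-trust permit policy (policy name is illustrative).
INTRA_ZONE_POLICY = "set security policies from-zone trust to-zone trust policy policy1 then permit"
```

Running lint_vpn(TRUST_ALL) reports the missing intra-zone policy in both directions, and appending INTRA_ZONE_POLICY clears every finding.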

