Hi,
I'm currently trying to configure my SRX cluster to allow an IPsec
tunnel to be established between Cisco devices.
Both devices are in the same zone, but connected to different interfaces.
I followed the KB entry
http://kb.juniper.net/InfoCenter/index?page=content&id=KB22178.
Does anyone know if the config works if both interfaces are in the same
zone?
admin@FW-DC-1> show security alg ike-esp-nat
node0:
--------------------------------------------------------------------------
Initiator cookie: b6a9d1aab6b3661c
Responder cookie: ce1511a243884dd3
Session-ID: 131109
node1:
--------------------------------------------------------------------------
Initiator cookie: b6a9d1aab6b3661c
Responder cookie: ce1511a243884dd3
Session-ID: 404275
{primary:node0}
ad@fw> show security flow session session-identifier 131109
Session ID: 131109, Status: Normal, State: Active
Flag: 0x8000002
Policy name: vpn-qosguard/28
Source NAT pool: publicip, Application: junos-ike/81
Dynamic application: junos:UNKNOWN,
Maximum timeout: 60, Current timeout: 46
Session State: Valid
Start time: 2068268, Duration: 4883
In: lan_ip_localgw/500 --> wan_ip_remotegw/500;udp,
Interface: reth2.122,
Session token: 0x600b, Flag: 0x2621
Route: 0x70c3c2, Gateway: x.x.x.x, Tunnel: 0
Port sequence: 0, FIN sequence: 0,
FIN state: 0,
Pkts: 247, Bytes: 72164
Out: wan_ip_remotegw/500 --> nat_ip_localgw/500;udp,
Interface: reth0.130,
Session token: 0x600b, Flag: 0x2620
Route: 0x5453c4, Gateway: y.y.y.y, Tunnel: 0
Port sequence: 0, FIN sequence: 0,
FIN state: 0,
Pkts: 164, Bytes: 20992
Total sessions: 1
I was expecting the application to show "54" instead of 81, as described
in the KB.
I'll try to set up a dedicated zone and see if it works better.
Thanks.
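As an added example (not part of the post and not Juniper's code), the following parses the `show security flow session` output quoted above and pulls out the fields the poster is reasoning about: the application name/number stamped on the session, the ingress and egress interfaces of the two wings, and whether source NAT was applied to the IKE flow. The sample text is copied from the post; the expected application id (54) is taken from the poster's reading of the KB and is passed in as a parameter rather than asserted to mean anything on its own. The field layout the parser expects is the one shown in the post and is assumed to be stable.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: the session output quoted in the post above.
SAMPLE_OUTPUT = """\
Session ID: 131109, Status: Normal, State: Active
Flag: 0x8000002
Policy name: vpn-qosguard/28
Source NAT pool: publicip, Application: junos-ike/81
Dynamic application: junos:UNKNOWN,
Maximum timeout: 60, Current timeout: 46
Session State: Valid
Start time: 2068268, Duration: 4883
In: lan_ip_localgw/500 --> wan_ip_remotegw/500;udp,
Interface: reth2.122,
Session token: 0x600b, Flag: 0x2621
Route: 0x70c3c2, Gateway: x.x.x.x, Tunnel: 0
Pkts: 247, Bytes: 72164
Out: wan_ip_remotegw/500 --> nat_ip_localgw/500;udp,
Interface: reth0.130,
Session token: 0x600b, Flag: 0x2620
Route: 0x5453c4, Gateway: y.y.y.y, Tunnel: 0
Pkts: 164, Bytes: 20992
Total sessions: 1
"""

# "In: src/port --> dst/port;proto," introduces a wing (one direction of the session).
WING_RE = re.compile(r"^(In|Out):\s+(\S+)\s+-->\s+(\S+);(\w+),?$")


@dataclass
class Wing:
    direction: str  # "In" = forward wing, "Out" = reverse wing
    src: str
    src_port: int
    dst: str
    dst_port: int
    proto: str
    interface: str = ""
    pkts: int = 0
    bytes: int = 0


@dataclass
class FlowSession:
    session_id: int
    status: str
    state: str
    policy: str = ""
    app_name: str = ""
    app_id: int = -1
    source_nat_pool: str = ""
    wings: List[Wing] = field(default_factory=list)


def _kv(line: str) -> dict:
    """Split 'Key: value, Key2: value2,' into a dict; values may contain ':' (junos:UNKNOWN)."""
    out = {}
    for part in line.rstrip(",").split(", "):
        if ": " in part:
            k, v = part.split(": ", 1)
            out[k.strip()] = v.strip()
    return out


def _endpoint(token: str) -> Tuple[str, int]:
    host, _, port = token.rpartition("/")
    return host, int(port)


def parse_flow_session(text: str) -> Optional[FlowSession]:
    session, wing = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = WING_RE.match(line)
        if m and session is not None:
            src, sport = _endpoint(m.group(2))
            dst, dport = _endpoint(m.group(3))
            wing = Wing(m.group(1), src, sport, dst, dport, m.group(4))
            session.wings.append(wing)
            continue
        kv = _kv(line)
        if "Session ID" in kv:
            session = FlowSession(int(kv["Session ID"]), kv.get("Status", ""), kv.get("State", ""))
            wing = None
            continue
        if session is None:
            continue
        if wing is None:  # session-level lines come before the first wing
            if "Policy name" in kv:
                session.policy = kv["Policy name"]
            if "Source NAT pool" in kv:
                session.source_nat_pool = kv["Source NAT pool"]
            if "Application" in kv:  # e.g. "junos-ike/81" -> name "junos-ike", id 81
                name, _, num = kv["Application"].rpartition("/")
                session.app_name, session.app_id = name, int(num)
        else:  # wing-level lines
            if "Interface" in kv:
                wing.interface = kv["Interface"]
            if "Pkts" in kv:
                wing.pkts = int(kv["Pkts"])
            if "Bytes" in kv:
                wing.bytes = int(kv["Bytes"])
    return session


def wing(session: FlowSession, direction: str) -> Optional[Wing]:
    return next((w for w in session.wings if w.direction == direction), None)


def interfaces(session: FlowSession) -> Tuple[str, str]:
    """(ingress interface of the forward wing, ingress interface of the reverse wing)."""
    return wing(session, "In").interface, wing(session, "Out").interface


def source_nat_applied(session: FlowSession) -> bool:
    """Source NAT is in effect when the reverse wing returns traffic to an address
    other than the forward wing's original source."""
    fwd, rev = wing(session, "In"), wing(session, "Out")
    return fwd is not None and rev is not None and rev.dst != fwd.src


def is_ike(session: FlowSession) -> bool:
    fwd = wing(session, "In")
    return fwd is not None and fwd.proto == "udp" and fwd.dst_port == 500


def alg_matches(session: FlowSession, expected_app_id: int) -> bool:
    """True when the session carries the application id the caller expects the ALG to stamp."""
    return session.app_id == expected_app_id


if __name__ == "__main__":
    s = parse_flow_session(SAMPLE_OUTPUT)
    print(f"session {s.session_id} policy={s.policy} app={s.app_name}/{s.app_id}")
    print(f"interfaces in/out={interfaces(s)} ike={is_ike(s)} snat={source_nat_applied(s)}")
    print(f"application id matches expected 54: {alg_matches(s, 54)}")
```

Run over the poster's output it reports the flow as IKE over UDP/500 with source NAT applied (`nat_ip_localgw` differs from `lan_ip_localgw`), crossing from `reth2.122` to `reth0.130`, and that the application id 81 is not the 54 the poster expected; whether 54 is the right value to expect is a question for the KB, which is why the id is a parameter here.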
_______________________________________________
juniper-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp