Visitor
trondvh
Posts: 4
Registered: 02-23-2011
0

SRX connecting over IPSEC to NSM

I got two sites with one SRX in each, connected over an IPSEC tunnel.


I've installed our NSM(xpress) in site1, but the SRX in site 2 can't access the NSM in site1 over IPSEC. Anyone know how to do this?

Recognized Expert
aweck
Posts: 255
Registered: 07-24-2009
0

Re: SRX connecting over IPSEC to NSM

With NetScreens there used to be an option to specify the 'src-interface' to a tunnel interface. SRXs seem a bit more flexible as to how self-generated traffic is routed out the device. Are you using a route-based VPN on the SRXs? If so, do you have a route for the NSM server pointing over the st interface?

Juniper Elite Partner
JNCIE-ENT #63, JNCIE-SP #705, JNCIE-SEC #17, JNCIS-FWV, JNCIS-SSL
Contributor
schnee
Posts: 10
Registered: 09-09-2010
0

Re: SRX connecting over IPSEC to NSM

I was facing the same problem (routing set, else I would not even be able to remotely connect to the SRX).

In short: I had to change the primary IP of the managed SRX.


I actually had this configuration:


Remote Site:

vlan0

- Subnet1 (LAN)

- Subnet2 (Secondary LAN)


Management Site:

- Subnet3 (NSM)


IPsec SA was Subnet2/Subnet3.


I connected the NSM to the SRX at the secondary IP. But the device did not report back.


With a packet dump I could see that the device tried to connect to the remote site with the wrong IP address: subnet1.

When I saw this, I changed vlan0 to have the second subnet as primary; then the device connected just fine.
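The two fixes described in this thread (aweck's route for the NSM server over the st interface, and schnee's change of the primary address on vlan0 so the device-originated session is sourced from the subnet covered by the IPsec SA) can be shown side by side as Junos set-style configuration. This is an added example, not configuration from any poster or from Juniper; every address, interface unit, VPN name and outbound-ssh client name below is constructed (RFC 5737 documentation ranges), and the `##` lines are reader annotations, not part of what you would paste into the CLI. The NSM transport is assumed to be the device-initiated outbound-ssh connection to the NSM server on port 7804.

```junos
## Constructed layout (assumption): Subnet1 = 192.0.2.0/24 (LAN),
## Subnet2 = 198.51.100.0/24 (secondary LAN), Subnet3 = 203.0.113.0/24 (NSM),
## NSM server = 203.0.113.10. Tunnel interface st0.0, VPN name "to-mgmt".

## --- Before (schnee's broken state): two addresses on vlan.0, the first one
## implicitly primary. Self-generated traffic, including the outbound-ssh
## session to NSM, is sourced from 192.0.2.1, which lies outside the
## Subnet2/Subnet3 SA, so it never enters the tunnel.
set interfaces vlan unit 0 family inet address 192.0.2.1/24
set interfaces vlan unit 0 family inet address 198.51.100.1/24

## --- After: mark the Subnet2 address as primary so device-originated
## packets are sourced from 198.51.100.1 and match the SA.
set interfaces vlan unit 0 family inet address 192.0.2.1/24
set interfaces vlan unit 0 family inet address 198.51.100.1/24 primary

## Route-based VPN (aweck's point): the NSM subnet must route over st0.0,
## and the proxy-IDs must cover Subnet2 <-> Subnet3.
set interfaces st0 unit 0 family inet
set security zones security-zone vpn interfaces st0.0
set routing-options static route 203.0.113.0/24 next-hop st0.0
set security ipsec vpn to-mgmt bind-interface st0.0
set security ipsec vpn to-mgmt ike proxy-identity local 198.51.100.0/24
set security ipsec vpn to-mgmt ike proxy-identity remote 203.0.113.0/24

## Device-initiated management session to NSM (outbound-ssh). The secret is
## a placeholder; use the one NSM generated for this device.
set system services outbound-ssh client nsm-mgmt device-id remote-srx
set system services outbound-ssh client nsm-mgmt secret "<device-secret>"
set system services outbound-ssh client nsm-mgmt services netconf
set system services outbound-ssh client nsm-mgmt 203.0.113.10 port 7804
```

To confirm the fix, `show route 203.0.113.10` should resolve via st0.0, and `monitor traffic interface st0.0` should show the session leaving with source 198.51.100.1 rather than 192.0.2.1, which is the symptom schnee saw in the packet dump. The security policy from the vpn zone (and the zone's host-inbound traffic settings, if NSM also needs to reach the device) still has to permit the traffic; that part is omitted above.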

Super Contributor
cryptochrome
Posts: 496
Registered: 03-29-2008
0

Re: SRX connecting over IPSEC to NSM


trondvh wrote:

I got two sites with one SRX in each, connected over an IPSEC tunnel.

 

I've installed our NSM(xpress) in site1, but the SRX in site 2 can't access the NSM in site1 over IPSEC. Anyone know how to do this?


Really hard to help you with this little information. Can you give us some more details?

Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860