SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Configure VPLS over GRE with IPSec - SRX100B

    Posted 07-24-2013 00:28

    Hi,

     

    I purchased two SRX100B as I was told I could follow the article at VPLS over GRE with IPSec to add a remote office to a Win9x network running NetBEUI.  This way I didn't need to reconfigure the network and deal with LMHost files/etc.  However, it doesn't seem to work.  While I was able to enter most commands (changing ge items to fe of course), the various set security idp idp-policy and set security idp active-policy would not be accepted.  I don't know if this has to do with the version of Junos on the units (11.2R4.3) or something else (I was told nothing extra was needed for purchase).  I couldn't update the software because the website won't let me download the 11.4R7.5 update.

     

    I have it set up now on a test configuration with two routers emulating cable/DSL modems with a local network of 192.168.1.x (the SRXs were moved to 192.168.21.x and 192.168.22.x) and the WAN ports at 111.111.111.1 and 111.111.111.2 which route to each other.  I can ping both WAN ports from DHCP clients of the SRX devices.  I've attached the current configuration (hash hidden) of each router and also the commands used to set up that config (left the existing default config in place, and had to remove dhcp from port 0 and ethernet-switching from port 1).  Could someone check and see if anything is wrong or if it's related to those commands it wouldn't take?

     

    The question I had was on the port 1 with the setup using CCC, does that mean I can't use the port for client computers?  What I want is that they could work as a DHCP server for the clients attached to the SRX (in case any added that support TCP/IP) but currently can't go out to the Internet, but all the NetBEUI traffic is handled appropriately and efficiently.




  • 2.  RE: Configure VPLS over GRE with IPSec - SRX100B

    Posted 07-24-2013 02:17

    you need IDP license to set up IDPs...

     

    root> show system license

     

    you should have one with idp-sig

     

    check here for more about idp and how to get it going:

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB16489



  • 3.  RE: Configure VPLS over GRE with IPSec - SRX100B

    Posted 07-24-2013 07:23

    freakns,

     

    thanks for the reply - however Juniper assured me that a license wasn't needed:

     

    "A license for IDP is not required since we aren’t leveraging any of the IDP signatures, just the IDP engine for reassembly.  The referenced configuration will work without an IDP license installed."

     

    I have a feeling it's JunOS version?



  • 4.  RE: Configure VPLS over GRE with IPSec - SRX100B
    Best Answer

    Posted 07-24-2013 09:06

    Hello,

     


    @dfatj wrote:

     

    I have a feeling it's JunOS version?



    No it is not. SRX100B does not support IDP because it does not have enough memory enabled.

    This used to be explicitly spelled out in old branch SRX datasheet, but no longer.

    Only when You unlock extra memory by applying an SRX100B->SRX100H upgrade license (not IDP license!), it will allow You to configure IDP policy for GRE reassembly.

    You can use VPLS on SRX100 without GRE reassembly, in this case the IPSEC/ESP reassembly (enabled by default, does not require license) does the job.

    HTH

    Thanks

    Alex 

     



  • 5.  RE: Configure VPLS over GRE with IPSec - SRX100B

    Posted 07-24-2013 09:23

    aarseniev,

     

    ah, so you're saying I can do what I need using the SRX100B as it is now?  I'm working on the H upgrade now since the SE said the B would work fine.   It doesn't matter to me, just that it will work and carry the NetBEUI traffic efficiently.

     

    Would you mind looking at my configs and telling me what I need to do to get it to work?  Clearly you're an expert.  Also still wondering if I won't be able to use port 1 on the device for client computers (want clients to use the srx100b as dhcp server if they use tcp/ip).

     

    Thank you!!!

     

     



  • 6.  RE: Configure VPLS over GRE with IPSec - SRX100B

    Posted 07-24-2013 09:38

    Hello there,

     


    @dfatj wrote:

    aarseniev,

     

    ah, so you're saying I can do what I need using the SRX100B as it is now? 

     

     


    Yes it will. There may be a decrease in throughput explained by GRE reassembly vs ESP reassembly performance.


    @dfatj wrote:

    aarseniev,

     

    I'm working on the H upgrade now since the SE said the B would work fine.   

     

     


    Your SE is correct.

     


    @dfatj wrote:

     

    Would you mind looking at my configs and telling me what I need to do to get it to work?  Clearly you're an expert.  Also still wondering if I won't be able to use port 1 on the device for client computers (want clients to use the srx100b as dhcp server if they use tcp/ip).

     

    Thank you!!!

     

     


    I am flattered but please contact your Juniper account team to get Juniper Professional Services involved since clearly You have quite a few requirements to fulfill.

    Many thanks

    Alex



  • 7.  RE: Configure VPLS over GRE with IPSec - SRX100B

    Posted 07-24-2013 19:40

    Well, it's now an H model.  I purchased the support, but it may take a day or two I don't have ... 

     

    I can enter those commands now, I redid all commands/commit on both sides, but still not coming up.  No tunnel (0 tunnels when using "show security ipsec security-associations" is done). I see that it is set up so you plug your switch in to the port 1 ... I just want to take the existing old L2 switch (I have no L3 switches) and plug in port 1 and everything work ... for testing will that work if I plug in single computer in port 1 on each side (the two computers will see each other using NetBEUI?).  On the main side I see the lt 0/0/0.0 interface is down, all others up (except fe ports with nothing in them), on the remote side everything says up.  Could this thing be done step by step - first set up ipsec, then the next thing, etc?

     

    Does that article actually work as it is?

     

     



  • 8.  RE: Configure VPLS over GRE with IPSec - SRX100B

    Posted 07-24-2013 23:48

    Hey - I got it working - I basically took out the two routers that were emulating the DSL/cable modem firewall routers (hook to dmz). I saw something in the log about sa_cfg port 500 with nat detected.  So I just hooked the two SRX devices together and changed their IP to the 111.111.111.1 and 111.111.111.2 address and it worked ... so I'll open another question on how to get VPN to work across DSL/cable modem firewall router (connected to dmz port).