SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

Is it mandatory to allow system-services ike ( security zone) for site to site ipsec tunnel

  • 1.  Is it mandatory to allow system-services ike ( security zone) for site to site ipsec tunnel

    Posted 11-13-2015 04:06

     

    Is it mandatory to allow IKE (security zone untrust int ge-0/0/1 host-inbound-traffic system-services ike)? I am trying to configure a cluster with two new SRX 240H2. The old/current SRX 240h does not have configuration for IKE on the interface, but we still have an IPsec tunnel established, so I want to double-check whether it is needed, and if it is needed, how the present configuration is working.

    ** The present configuration does not have IKE on the interface g 0/0/3 (untrust, connecting to ISP), nor is there a configuration for security zone untrust host-inbound-traffic system-services ike.

     



  • 2.  RE: Is it mandatory to allow system-services ike ( security zone) for site to site ipsec tunnel
    Best Answer

    Posted 11-13-2015 04:48

    Hello,

    The IKE initiator does not have to have "host-INBOUND-traffic ... ike".

    If it is always an IKE initiator (has "establish-tunnels-immediately") and the peer is always a responder, then you can leave it as is.

    HTH

    Thx

    Alex
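
    The check discussed in this thread can be run against an exported configuration. The following is an added example, not part of either post: a small Python audit over Junos `set`-format lines that reports, per IKE gateway, whether IKE is permitted inbound on its external interface and whether every VPN using it has `establish-tunnels immediately`. The gateway, VPN and zone names in the sample are constructed, and the script assumes that interface-level `host-inbound-traffic system-services` replaces the zone-level list for that interface.

```python
import re

# Constructed sample in Junos "set" format (not taken from the thread).
SAMPLE = """\
set security ike gateway gw-a external-interface ge-0/0/3.0
set security ike gateway gw-b external-interface ge-0/0/1.0
set security ipsec vpn vpn-a ike gateway gw-a
set security ipsec vpn vpn-a establish-tunnels immediately
set security ipsec vpn vpn-b ike gateway gw-b
set security zones security-zone untrust interfaces ge-0/0/3.0
set security zones security-zone dmz interfaces ge-0/0/1.0 host-inbound-traffic system-services ike
"""

def audit_ike_inbound(config):
    """Map each IKE gateway to its zone, inbound-IKE status and initiator flag."""
    gw_if, vpn_gw, immediate = {}, {}, set()
    if_zone, zone_ok, if_ok, if_hit = {}, set(), set(), set()
    for line in config.splitlines():
        if m := re.match(r"set security ike gateway (\S+) external-interface (\S+)", line):
            gw_if[m[1]] = m[2]
        elif m := re.match(r"set security ipsec vpn (\S+) ike gateway (\S+)", line):
            vpn_gw[m[1]] = m[2]
        elif m := re.match(r"set security ipsec vpn (\S+) establish-tunnels immediately", line):
            immediate.add(m[1])
        elif m := re.match(r"set security zones security-zone (\S+)(?: interfaces (\S+))?(.*)", line):
            zone, ifc, rest = m.groups()
            if ifc:
                if_zone[ifc] = zone
            svc = re.match(r" host-inbound-traffic system-services (\S+)$", rest)
            if svc:
                if ifc:
                    if_hit.add(ifc)  # interface has its own service list
                if svc[1] in ("ike", "all"):
                    (if_ok if ifc else zone_ok).add(ifc or zone)
    report = {}
    for gw, ifc in gw_if.items():
        zone = if_zone.get(ifc)
        # Assumption: an interface-level list overrides the zone-level one.
        allowed = ifc in if_ok if ifc in if_hit else zone in zone_ok
        vpns = [v for v, g in vpn_gw.items() if g == gw]
        report[gw] = {"zone": zone, "ike_inbound": allowed,
                      "immediate": bool(vpns) and all(v in immediate for v in vpns)}
    return report

if __name__ == "__main__":
    for gw, r in audit_ike_inbound(SAMPLE).items():
        role = "can respond" if r["ike_inbound"] else "initiator only"
        print(f"{gw}: zone={r['zone']} {role} immediate={r['immediate']}")
```

    A gateway reported with `ike_inbound` false and `immediate` false is the combination to review, since by the answer above such a device is not set up to always initiate.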