SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Problem with ipsec tunnel between SRX3600 to SRX100

    Posted 05-06-2013 07:14

    Hi all,

    I have configured an IPsec tunnel between an SRX3600 and an SRX100, but show interfaces terse shows:

    root# run show interfaces terse | match st0.100
    st0.100 up down inet 172.31.50.2/30

    This is the configuration on the SRX100 (the same configuration is on the SRX3600 with the appropriate IPs):

    set security ike proposal AES_SHA authentication-method pre-shared-keys
    set security ike proposal AES_SHA dh-group group2
    set security ike proposal AES_SHA authentication-algorithm sha1
    set security ike proposal AES_SHA encryption-algorithm aes-256-cbc

    set security ipsec proposal ESP_AES256_HMAC_SHA protocol esp
    set security ipsec proposal ESP_AES256_HMAC_SHA authentication-algorithm hmac-sha1-96
    set security ipsec proposal ESP_AES256_HMAC_SHA encryption-algorithm aes-256-cbc

    set security ike policy AES_SHA_TO_TEST_SRX_GNC mode main
    set security ike policy AES_SHA_TO_TEST_SRX_GNC proposals AES_SHA
    set security ike policy AES_SHA_TO_TEST_SRX_GNC pre-shared-key ascii-text XXX

    set security ike gateway AES_SHA_TO_TEST_SRX_GNC ike-policy AES_SHA_TO_TEST_SRX_GNC
    set security ike gateway AES_SHA_TO_TEST_SRX_GNC address 172.16.200.100
    set security ike gateway AES_SHA_TO_TEST_SRX_GNC external-interface fe-0/0/1.0

    set security ipsec vpn VPN_TO_TEST_SRX_GNC bind-interface st0.100
    set security ipsec vpn VPN_TO_TEST_SRX_GNC ike gateway AES_SHA_TO_TEST_SRX_GNC
    set security ipsec vpn VPN_TO_TEST_SRX_GNC ike ipsec-policy ESP_AES256_HMAC_SHA
    set security ipsec vpn VPN_TO_TEST_SRX_GNC establish-tunnels immediately

    set security ipsec proposal ESP_AES256_HMAC_SHA
    set security ipsec policy ESP_AES256_HMAC_SHA

    set protocols ospf area 0.0.0.0 interface st0.100 interface-type p2p
    set protocols ospf area 0.0.0.0 interface st0.100 metric 1

    set interfaces st0 unit 100 description TO-->TEST_SRX_GNC
    set interfaces st0 unit 100 point-to-point
    set interfaces st0 unit 100 family inet mtu 1400
    set interfaces st0 unit 100 family inet address 172.31.50.2/30

    set security zones security-zone trust interfaces fe-0/0/1.0

    set security zones security-zone trust interfaces st0.100

    set security zones security-zone trust interfaces st0.100 host-inbound-traffic system-services all
    set security zones security-zone trust interfaces st0.100 host-inbound-traffic protocols all

    So what is misconfigured or wrong in this config?

    Thanks



  • 2.  RE: Problem with ipsec tunnel between SRX3600 to SRX100

    Posted 05-06-2013 07:25

    My guess is

    set security zones security-zone trust interfaces fe-0/0/1.0 host-inbound-traffic system-services ike


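    A small check for the misconfiguration smicker points at, added here as an example and not code from the thread: it parses Junos set commands, maps each IKE gateway's external-interface to its security zone, and reports when neither the zone nor the interface permits host-inbound-traffic system-services ike (or all). The config excerpt is constructed from the posted SRX100 configuration; the function and constant names are my own.

```python
import re
from typing import Dict, List, Set

# Constructed excerpt of the SRX100 configuration posted above: only the lines
# the check needs. Note that host-inbound-traffic is set on st0.100, not on the
# fe-0/0/1.0 interface that the IKE gateway actually uses.
POSTED_CONFIG = """\
set security ike gateway AES_SHA_TO_TEST_SRX_GNC external-interface fe-0/0/1.0
set security zones security-zone trust interfaces fe-0/0/1.0
set security zones security-zone trust interfaces st0.100
set security zones security-zone trust interfaces st0.100 host-inbound-traffic system-services all
set security zones security-zone trust interfaces st0.100 host-inbound-traffic protocols all
"""
# The line suggested in the reply above.
FIX_LINE = "set security zones security-zone trust interfaces fe-0/0/1.0 host-inbound-traffic system-services ike\n"

GATEWAY_RE = re.compile(r"^set security ike gateway (\S+) external-interface (\S+)$")
ZONE_SVC_RE = re.compile(r"^set security zones security-zone (\S+) host-inbound-traffic system-services (\S+)$")
ZONE_IF_RE = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)(?: (.*))?$")
IF_SVC_RE = re.compile(r"^host-inbound-traffic system-services (\S+)$")


def ike_exposure_findings(config: str) -> List[str]:
    """One finding per IKE gateway whose external interface cannot receive IKE."""
    gateways: Dict[str, str] = {}            # gateway name -> external interface
    zone_of: Dict[str, str] = {}             # interface -> zone
    zone_services: Dict[str, Set[str]] = {}  # zone -> zone-level system-services
    if_services: Dict[str, Set[str]] = {}    # interface -> interface-level system-services
    for raw in config.splitlines():
        line = raw.strip()
        if m := GATEWAY_RE.match(line):
            gateways[m.group(1)] = m.group(2)
        elif m := ZONE_SVC_RE.match(line):
            zone_services.setdefault(m.group(1), set()).add(m.group(2))
        elif m := ZONE_IF_RE.match(line):
            zone, ifname, rest = m.group(1), m.group(2), m.group(3) or ""
            zone_of[ifname] = zone
            if s := IF_SVC_RE.match(rest):
                if_services.setdefault(ifname, set()).add(s.group(1))
    findings: List[str] = []
    for gw, ifname in gateways.items():
        zone = zone_of.get(ifname)
        if zone is None:
            findings.append(f"{gw}: external-interface {ifname} is not in any security zone")
            continue
        # Interface-level host-inbound-traffic, when present, overrides the zone-level list.
        allowed = if_services.get(ifname, zone_services.get(zone, set()))
        if not allowed & {"ike", "all"}:
            findings.append(f"{gw}: zone {zone} does not allow IKE on {ifname}")
    return findings
```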
  • 3.  RE: Problem with ipsec tunnel between SRX3600 to SRX100
    Best Answer

    Posted 05-06-2013 11:04

    I agree with smicker. I would rather put the VPNs in a different security zone than in the trust zone.



  • 4.  RE: Problem with ipsec tunnel between SRX3600 to SRX100

    Posted 05-06-2013 23:28

    Thanks smicker and MarcTB,

    I put the tunnel interface into a different zone and created a policy between the zones. After that the tunnel changed state to up-up.