SRX

  • 1.  SRX Site to Site VPN Address book error

    Posted 10-11-2015 11:25


    Hi 

    I am configuring a site-to-site VPN based on the Juniper doc, and all looks fine, but I can't commit.

    It shows "destination address not found", but when I do "show security address-book", it is configured.


    http://www.juniper.net/techpubs/en_US/junos12.1x44/topics/example/ipsec-route-based-vpn-configuring.html


    root@FW_SUNNYVALE# commit check
    [edit security policies from-zone trust to-zone vpn-chicago]
      'policy vpn-tr-chi'
        Destination address or address_set (chicago) not found.
    error: configuration check-out failed

    [edit]

    root@FW_SUNNYVALE# show security address-book
    book1 {
        address sunnyvale 10.10.10.0/24;
        attach {
            zone trust;
        }
    }
    book2 {
        address chicago 20.20.20.0/24;
        attach {
            zone untrust;
        }
    }


    And this is what I configured:

    set interfaces lo0 unit 0 family inet address 10.10.10.1/24
    set interfaces fe-0/0/3 unit 0 family inet address 1.1.1.2/24
    set interfaces st0 unit 0 family inet address 10.11.11.10/24
    set routing-options static route 0.0.0.0/0 next-hop 1.1.1.1
    set routing-options static route 20.20.20.0/24 next-hop st0.0
    set security zones security-zone untrust interfaces fe-0/0/3.0
    set security zones security-zone untrust host-inbound-traffic system-services ike
    set security zones security-zone trust interfaces lo0
    set security zones security-zone trust host-inbound-traffic system-services all
    set security zones security-zone vpn-chicago interfaces st0.0
    set security address-book book1 address sunnyvale 10.10.10.0/24
    set security address-book book1 attach zone trust
    set security address-book book2 address chicago 20.20.20.0/24
    set security address-book book2 attach zone untrust


    Thanks




  • 2.  RE: SRX Site to Site VPN Address book error
    Best Answer

    Posted 10-11-2015 12:51

    Hi, 


    book2 is attached to the untrust zone, but your policy is to-zone vpn-chicago. Attach book2 to this zone.



  • 3.  RE: SRX Site to Site VPN Address book error

    Posted 10-11-2015 15:03

    Thank you, MMcD.


    I simply followed Juniper's sample config, and Juniper's website is not 100% correct :)

    Here is the link that I followed anyway.

    http://www.juniper.net/techpubs/en_US/junos12.1x44/topics/example/ipsec-route-based-vpn-configuring.html



  • 4.  RE: SRX Site to Site VPN Address book error

    Posted 10-12-2015 01:17

    Hi there,


    That article indeed looks incorrect, as the static route for st0.0 routes traffic to the vpn-chicago zone.


    Have a look at the global address book also; defining entries there means they can be associated with any policy. It can also be copied to all SRXs in your extended network, and you won't have to worry about associating the entries with a specific zone on each device.


    You can define these entries under:


    user@srx# edit security address-book global
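As an added example (not from this thread or from Juniper), a small Python checker that applies the rule both replies above describe: an address name used by a policy must come from a book attached to the zone that side of the policy refers to (source-address against from-zone, destination-address against to-zone), or from the global book. The `match source-address`/`destination-address` lines for vpn-tr-chi are constructed here to reproduce the commit error, since the original post never shows them; the handling of the `any`, `any-ipv4` and `any-ipv6` keywords is my assumption about what the checker should skip.

```python
import re
from collections import defaultdict

# Constructed sample in Junos "set" syntax: the thread's address books plus
# hypothetical policy match lines that reference them.
SAMPLE_CONFIG = """
set security address-book book1 address sunnyvale 10.10.10.0/24
set security address-book book1 attach zone trust
set security address-book book2 address chicago 20.20.20.0/24
set security address-book book2 attach zone untrust
set security policies from-zone trust to-zone vpn-chicago policy vpn-tr-chi match source-address sunnyvale
set security policies from-zone trust to-zone vpn-chicago policy vpn-tr-chi match destination-address chicago
"""

BOOK_ADDR = re.compile(r"^set security address-book (\S+) (?:address|address-set) (\S+)")
BOOK_ATTACH = re.compile(r"^set security address-book (\S+) attach zone (\S+)$")
POLICY_MATCH = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
    r"match (source-address|destination-address) (\S+)$")

def parse(config):
    books = defaultdict(set)     # book name -> address / address-set names defined in it
    attached = defaultdict(set)  # zone name -> books attached to that zone
    refs = []                    # (from_zone, to_zone, policy, field, name) per match line
    for line in config.strip().splitlines():
        if m := BOOK_ADDR.match(line):
            books[m[1]].add(m[2])
        elif m := BOOK_ATTACH.match(line):
            attached[m[2]].add(m[1])
        elif m := POLICY_MATCH.match(line):
            refs.append(m.groups())
    return books, attached, refs

def check(config):
    """Return commit-check style errors for names a policy cannot resolve.
    A name resolves if it is a built-in keyword, is defined in the global
    book, or is defined in a book attached to the zone that side refers to."""
    books, attached, refs = parse(config)
    errors = []
    for from_zone, to_zone, policy, field, name in refs:
        if name in ("any", "any-ipv4", "any-ipv6"):
            continue
        zone = from_zone if field == "source-address" else to_zone
        visible = set(books.get("global", ())).union(*(books[b] for b in attached[zone]))
        if name not in visible:
            errors.append(f"[edit security policies from-zone {from_zone} to-zone {to_zone}] "
                          f"'policy {policy}': {field} ({name}) not visible in zone {zone}")
    return errors

if __name__ == "__main__":
    for err in check(SAMPLE_CONFIG) or ["commit check: ok"]:
        print(err)
```

Re-attaching book2 to vpn-chicago (reply 2) or defining chicago under the global book (reply 4) both make `check()` return no errors.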