Hi,
I'm used to ScreenOS and new to SRX. Today I tried to set up a VPN between an SSG firewall and an SRX firewall, and for some reason traffic is only being passed in one direction.
I used these instructions to set up a VPN on the SRX:
http://kb.juniper.net/resources/sites/CUSTOMERSERVICE/content/live/TECHNOTES/0/TN266/en_US/jweb_config_example_policy_based_vpn.pdf
I see the VPN coming up, but it only works in one direction. I already checked the policy order, but that seems to be fine.
Is there anyone that is willing to help me out?
Configuration of my SRX can be found here:
## Last changed: 2014-10-27 09:48:57 GMT+1
version 12.1X44-D35.5;
/* System stanza: hostname, management services, DHCP server for the LAN, logging, licensing and NTP. */
system {
    host-name gw;
    time-zone GMT+1;
    root-authentication {
        /* $1$ is an MD5-crypt hash; like the other ## SECRET-DATA values, it was shared when this config was posted and should be regenerated. */
        encrypted-password "$1$4AeYxVrQ$FAePNlrAgC9tQI67BmyUq0"; ## SECRET-DATA
    }
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    name-resolution {
        no-resolve-on-input;
    }
    services {
        /* ssh and telnet are not restricted to an interface here; which zones may reach them is decided by host-inbound-traffic under security zones. telnet is cleartext and ssh is already enabled. */
        ssh;
        telnet;
        /* J-Web is bound to vlan.1 only, i.e. reachable from the LAN side. */
        web-management {
            http {
                interface vlan.1;
            }
            https {
                system-generated-certificate;
                interface vlan.1;
            }
            session {
                idle-timeout 60;
            }
        }
        /* DHCP server for the 172.16.1.0/24 LAN; the default gateway handed out is vlan.1's own address. */
        dhcp {
            pool 172.16.1.0/24 {
                address-range low 172.16.1.50 high 172.16.1.254;
                domain-name lindebaan73.local;
                name-server {
                    8.8.8.8;
                }
                router {
                    172.16.1.1;
                }
            }
            propagate-settings ge-0/0/0;
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        /* Only critical and above goes to 'messages'; IKE/IPsec negotiation messages logged at lower severities are not retained, which limits VPN troubleshooting from this file. */
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp {
        server 0.nl.pool.ntp.org;
    }
}
/* Interfaces: ge-0/0/0 is the uplink placed in the Internet zone and used as the IKE external-interface; every other port is a switch port in vlan1, routed via vlan.1. */
interfaces {
    /* Uplink address comes from DHCP, so the local IKE endpoint address is whatever the provider assigns; presumably the SSG's gateway definition allows for that — the SSG side is not shown. */
    ge-0/0/0 {
        unit 0 {
            family inet {
                dhcp;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan1;
                }
            }
        }
    }
    fe-0/0/2 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan1;
                }
            }
        }
    }
    fe-0/0/3 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan1;
                }
            }
        }
    }
    fe-0/0/4 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan1;
                }
            }
        }
    }
    fe-0/0/5 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan1;
                }
            }
        }
    }
    fe-0/0/6 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan1;
                }
            }
        }
    }
    fe-0/0/7 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan1;
                }
            }
        }
    }
    /* Layer-3 interface for vlan1: the LAN gateway, and the interface J-Web and the Internal zone are bound to. */
    vlan {
        unit 1 {
            family inet {
                address 172.16.1.1/24;
            }
        }
    }
}
/* Spanning tree on the switch ports only; no routing protocols are configured, so the default route presumably comes from the DHCP lease on ge-0/0/0 (not visible here). */
protocols {
    stp;
}
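/* Security: policy-based IPsec VPN to the SSG peer, address book, screens, source NAT, policies and zones. */
security {
    ike {
        /* Phase 1. 3DES/SHA-1/DH group 2 are legacy algorithms; if the SSG supports it, aes-256-cbc with a larger DH group is the better choice — both ends must agree. */
        proposal 3des-sha1 {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm 3des-cbc;
        }
        policy p1pol {
            mode main;
            proposals 3des-sha1;
            /* $9$ is reversible obfuscation, not a one-way hash: a config posted with this value discloses the key, so it should be changed on both peers. */
            pre-shared-key ascii-text "$9$3ckln/Ap0BSrv36pBEhvM8XxN-V"; ## SECRET-DATA
        }
        /* Remote peer. ge-0/0/0.0 is the local IKE endpoint, so its zone must accept ike as a host-inbound system-service (see zones below). */
        gateway Rivium {
            ike-policy p1pol;
            address 1.1.1.1;
            external-interface ge-0/0/0.0;
        }
    }
    ipsec {
        /* Phase 2: ESP with 3DES and HMAC-SHA1-96, matching the Phase 1 choice. */
        proposal 3des-sha1 {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm 3des-cbc;
        }
        policy p2pol {
            proposals 3des-sha1;
        }
        /* Policy-based VPN: the tunnel is referenced from the two pair policies below; for this mode the proxy-IDs are normally derived from those policies' addresses — confirm they mirror the SSG's tunnel policy. */
        vpn Rivium {
            ike {
                gateway Rivium;
                ipsec-policy p2pol;
            }
            establish-tunnels on-traffic;
        }
    }
    address-book {
        /* Remote LAN behind the SSG; attached to the Internet zone because that is where the tunnel terminates. */
        Rivium_beheer {
            address RiviumBeheer 192.168.2.0/24;
            attach {
                zone Internet;
            }
        }
        /* Local LAN on vlan.1. */
        LAN {
            address LAN 172.16.1.0/24;
            attach {
                zone Internal;
            }
        }
    }
    alg {
        sip disable;
        /* NOTE(review): IKE/ESP pass-through ALG is presumably for IPsec clients on the LAN; it is not required for the device's own tunnel — confirm it is still wanted. */
        ike-esp-nat {
            enable;
        }
    }
    screen {
        /* Screen profile applied to the Internet zone. */
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            /* Interface source NAT for Internal -> Internet. Source NAT is applied before the policy's tunnel action encapsulates a packet, so LAN traffic bound for the remote LAN must be exempted; otherwise it reaches the SSG with this box's uplink address as source and does not match the SSG's tunnel policy — the likely cause of the tunnel passing traffic in only one direction (remote -> LAN is never NATed). Rules are evaluated in order, so the exemption is listed first. */
            rule-set nsw_srcnat {
                from zone Internal;
                to zone Internet;
                rule nsw-vpn-nonat {
                    match {
                        source-address 172.16.1.0/24;
                        destination-address 192.168.2.0/24;
                    }
                    then {
                        source-nat {
                            off;
                        }
                    }
                }
                rule nsw-src-interface {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone Internal to-zone Internet {
            /* Tunnel policy; must precede the catch-all below, and does. session-init/session-close logging plus count make tunnel hits visible per policy. */
            policy LAN_RivBeheer {
                match {
                    source-address LAN;
                    destination-address RiviumBeheer;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn Rivium;
                            pair-policy RivBeheer_LAN;
                        }
                    }
                    log {
                        session-init;
                        session-close;
                    }
                    count;
                }
            }
            /* Catch-all for Internet access from the LAN. */
            policy All_Internal_Internet {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                    count;
                }
            }
        }
        from-zone Internet to-zone Internal {
            /* Inbound half of the tunnel pair: only decrypted traffic from the remote LAN to the local LAN is permitted; nothing else from Internet reaches Internal. */
            policy RivBeheer_LAN {
                match {
                    source-address RiviumBeheer;
                    destination-address LAN;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn Rivium;
                            pair-policy LAN_RivBeheer;
                        }
                    }
                    log {
                        session-init;
                        session-close;
                    }
                    count;
                }
            }
        }
    }
    zones {
        security-zone Internal {
            interfaces {
                vlan.1 {
                    host-inbound-traffic {
                        /* 'all' already covers http, https, ssh and telnet; the explicit entries are redundant. */
                        system-services {
                            all;
                            http;
                            https;
                            ssh;
                            telnet;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone Internet {
            screen untrust-screen;
            /* Zone level admits only ike. The interface-level list on ge-0/0/0.0 below takes precedence for that interface: dhcp is needed for the DHCP client, ike for the tunnel; tftp is the factory-default entry and is not needed for the VPN. */
            host-inbound-traffic {
                system-services {
                    ike;
                }
            }
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            tftp;
                            dhcp;
                            ike;
                        }
                    }
                }
            }
        }
    }
}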
/* vlan1 (802.1Q ID 3) is the LAN VLAN for the switch ports; it is routed through vlan.1 (172.16.1.1/24). */
vlans {
    vlan1 {
        vlan-id 3;
        l3-interface vlan.1;
    }
}