  • 1.  SRX210---NS5GT Policy Based VPN

    Posted 12-08-2015 06:46

    Hi

    I am setting up a policy-based VPN between an SRX210 and an NS5GT.

     

    NS5GT → SRX210: ping works

    SRX210 → NS5GT: ping does not work

     

    Why does it only work in one direction?

     

    I apologize, my English is very limited.

     

    http://i.hizliresim.com/j1NP9L.jpg

    http://i.hizliresim.com/ZQzg8V.jpg

    http://i.hizliresim.com/o8NPb9.jpg

    http://i.hizliresim.com/VXz5kv.jpg

    http://i.hizliresim.com/nmNVXM.jpg

     



  • 2.  RE: SRX210---NS5GT Policy Based VPN

    Posted 12-08-2015 12:09
    Hi,

    In order to troubleshoot this issue we will need more information, such as:
    show route <NS5GT LAN>
    the security policies on both sides.


  • 3.  RE: SRX210---NS5GT Policy Based VPN

    Posted 12-08-2015 23:45

    SRX210 configuration (partial paste; some enclosing blocks are cut off)

     

    ## Last changed: 2015-12-09 09:21:15 GMT

    }
    }
    interfaces {
    ge-0/0/0 {
    unit 0 {
    family inet {
    address 192.168.111.1/24;
    }
    }
    }
    ge-0/0/1 {
    unit 0 {
    family inet {
    address 192.168.110.1/24;
    }
    }
    }
    fe-0/0/2 {
    fastether-options {
    no-auto-negotiation;
    }
    unit 0 {
    family ethernet-switching {
    port-mode trunk;
    vlan {
    members VLAN20;
    }
    native-vlan-id default;
    }
    }
    }
    fe-0/0/6 {
    unit 0 {
    family inet {
    address 212.154.102.29/29;
    }
    }
    }
    fe-0/0/7 {
    unit 0 {
    family inet {
    address 212.154.102.26/29;
    }
    }
    }
    vlan {
    unit 1 {
    family inet {
    address 192.168.100.1/24;
    }
    }
    unit 20 {
    family inet {
    address 192.168.120.1/24;
    }
    }
    }
    }
    routing-options {
    static {
    route 0.0.0.0/0 next-hop 212.154.102.25;
    }
    }
    protocols {
    stp;
    }
    security {
    ike {

    policy Petrolyag_IKE {
    mode main;
    proposal-set standard;
    pre-shared-key ascii-text "$9$gM4UH.PQFnC24.5Q3tpevWL7VY2aUi.evJGUjq.p0OIylWLxVs2vMUj";
    }

    gateway Petrolyag_GW {
    ike-policy Petrolyag_IKE;
    address 85.99.109.181;
    no-nat-traversal;
    external-interface fe-0/0/6.0;

    }
    policy Petrolyag_IPSEC {
    perfect-forward-secrecy {
    keys group2;
    }
    proposal-set standard;


    }
    vpn Petrolyag_VPN {
    vpn-monitor {
    optimized;
    }
    ike {
    gateway Petrolyag_GW;
    ipsec-policy Petrolyag_IPSEC;
    }
    }


    }
    }
    screen {
    ids-option untrust-screen {
    icmp {
    ping-death;
    }
    ip {
    source-route-option;
    tear-drop;
    }
    tcp {
    syn-flood {
    alarm-threshold 1024;
    attack-threshold 200;
    source-threshold 1024;
    destination-threshold 2048;
    timeout 20;
    }
    land;
    }
    }
    }
    nat {
    source {
    rule-set Nete_Cikis {
    from zone [ Hart Trust ];
    to zone Untrust;
    rule Source_Nat {
    match {
    source-address 0.0.0.0/0;
    destination-address 0.0.0.0/0;
    }
    then {
    source-nat {
    interface;
    }
    }
    }
    }
    rule-set Camera_Petrolyag {
    from zone Camera;
    to zone PetVpnZone;
    rule Source_Nat1 {
    match {
    source-address 0.0.0.0/0;
    destination-address 0.0.0.0/0;
    }
    then {
    source-nat {
    interface;
    }
    }
    }
    }
    }
    destination {
    pool ExchangeHTTPS {
    address 192.168.110.212/32 port 443;
    }
    pool TermDMS {
    routing-instance {
    default;
    }
    address 192.168.110.210/32 port 4406;
    }

    }
    static {
    rule-set Exchange {
    from zone Untrust;
    rule r1 {
    match {
    source-address [ 216.104.0.0/19 216.99.128.0/20 150.26.0.0/9 54.219.191.0/25 54.86.63.64/26 150.70.0.0/16 ];
    destination-address 212.154.102.26/32;
    }
    then {
    static-nat {
    prefix {
    192.168.110.212/32;
    }
    }
    }
    }
    }
    }
    }
    policies {



    }
    from-zone Camera to-zone PetVpnZone {
    policy CamtoPet {
    match {
    source-address Camera_IP;
    destination-address any;
    application any;
    }
    then {
    permit;
    }
    }
    policy CamtoPetVPN {
    match {
    source-address Camera_IP;
    destination-address Petrolyag_LAN;
    application any;
    }
    then {
    permit {
    tunnel {
    ipsec-vpn Petrolyag_VPN;
    }
    }
    log {
    session-init;
    session-close;
    }
    }
    }
    }
    default-policy {
    permit-all;
    }
    }
    zones {
    security-zone Camera {
    address-book {
    address Camera_IP 192.168.111.0/24;
    }
    interfaces {
    ge-0/0/0.0 {
    host-inbound-traffic {
    system-services {
    ping;
    http;
    https;
    ssh;
    }
    }
    }
    }
    }

    }
    }
    host-inbound-traffic {
    system-services {
    all;
    }
    }
    interfaces {
    ge-0/0/1.0 {
    host-inbound-traffic {
    system-services {
    ping;
    http;
    https;
    ssh;
    }
    }
    }
    }
    }
    security-zone Untrust {
    address-book {

    }

    }
    }
    screen untrust-screen;
    host-inbound-traffic {
    system-services {
    ike;
    }
    }
    interfaces {
    fe-0/0/7.0 {
    host-inbound-traffic {
    system-services {
    https;
    }
    }
    }
    }
    }
    security-zone Hart {
    address-book {
    address Hart_Ipler 192.168.100.0/24;
    }
    interfaces {
    vlan.1 {
    host-inbound-traffic {
    system-services {
    dhcp;
    }
    }
    }
    }
    }
    security-zone Ipad {
    address-book {
    address Ipad_Ipler 192.168.120.0/24;
    }
    interfaces {
    vlan.20 {
    host-inbound-traffic {
    system-services {
    dhcp;
    }
    }
    }
    }
    }
    security-zone PetVpnZone {
    address-book {
    address Petrolyag_LAN 192.168.1.0/24;
    }
    host-inbound-traffic {
    system-services {
    ike;
    }
    }
    interfaces {
    fe-0/0/6.0;
    }
    }
    }
    }
    applications {


    }
    application-set Terakki_Trust_Portlar {

    }
    }
    ethernet-switching-options {
    voip;
    }
    vlans {
    VLAN20 {
    vlan-id 20;
    l3-interface vlan.20;
    }
    default {
    vlan-id 1;
    l3-interface vlan.1;
    }
    }

     

    NS5GT configuration

    unset key protection enable
    set clock timezone 2
    set clock dst recurring start-weekday 2 0 3 02:00 end-weekday 1 0 11 02:00
    set vrouter trust-vr sharable
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset auto-route-export
    exit
    set alg appleichat enable
    unset alg appleichat re-assembly enable
    set alg sctp enable
    set auth-server "Local" id 0
    set auth-server "Local" server-name "Local"
    set auth-server "Local" timeout 0
    set auth default auth server "Local"
    set auth radius accounting port 1646
    set admin name "exortis"
    set admin password "nB+7N7rLBqBAcUqG5sbLaGFt+hK6Gn"
    set admin port 8888
    set admin auth web timeout 60
    set admin auth server "Local"
    set admin format dos
    set zone "Work" vrouter "trust-vr"
    set zone "Untrust" vrouter "trust-vr"
    set zone "Home" vrouter "trust-vr"
    set zone "VLAN" vrouter "trust-vr"
    set zone "Untrust-Tun" vrouter "trust-vr"
    unset zone "Work" tcp-rst
    set zone "Untrust" block
    unset zone "Untrust" tcp-rst
    set zone "MGT" block
    set zone "Home" tcp-rst
    unset zone "V1-Trust" tcp-rst
    unset zone "V1-Untrust" tcp-rst
    unset zone "VLAN" tcp-rst
    set zone "Untrust" screen alarm-without-drop
    set zone "Untrust" screen on-tunnel
    set zone "Untrust" screen icmp-flood
    set zone "Untrust" screen udp-flood
    set zone "Untrust" screen winnuke
    set zone "Untrust" screen port-scan
    set zone "Untrust" screen ip-sweep
    set zone "Untrust" screen tear-drop
    set zone "Untrust" screen syn-flood
    set zone "Untrust" screen ip-spoofing
    set zone "Untrust" screen ping-death
    set zone "Untrust" screen ip-filter-src
    set zone "Untrust" screen land
    set zone "Untrust" screen syn-frag
    set zone "Untrust" screen tcp-no-flag
    set zone "Untrust" screen unknown-protocol
    set zone "Untrust" screen ip-bad-option
    set zone "Untrust" screen ip-record-route
    set zone "Untrust" screen ip-timestamp-opt
    set zone "Untrust" screen ip-security-opt
    set zone "Untrust" screen ip-loose-src-route
    set zone "Untrust" screen ip-strict-src-route
    set zone "Untrust" screen ip-stream-opt
    set zone "Untrust" screen icmp-fragment
    set zone "Untrust" screen syn-fin
    set zone "Untrust" screen fin-no-ack
    set zone "Untrust" screen syn-ack-ack-proxy
    set zone "Untrust" screen icmp-id
    set zone "Untrust" screen tcp-sweep
    set zone "Untrust" screen udp-sweep
    set zone "V1-Untrust" screen tear-drop
    set zone "V1-Untrust" screen syn-flood
    set zone "V1-Untrust" screen ping-death
    set zone "V1-Untrust" screen ip-filter-src
    set zone "V1-Untrust" screen land
    set interface "ethernet1" zone "Work"
    set interface "ethernet2" zone "Home"
    set interface "ethernet3" zone "Untrust"
    set interface ethernet1 ip 192.168.1.1/24
    set interface ethernet1 nat
    set interface ethernet2 ip 172.16.16.1/24
    set interface ethernet2 nat
    set interface ethernet3 ip 85.99.109.175/32
    set interface ethernet3 route
    unset interface vlan1 ip
    unset interface vlan1 bypass-others-ipsec
    unset interface vlan1 bypass-non-ip
    set interface ethernet1 ip manageable
    set interface ethernet2 ip manageable
    set interface ethernet3 ip manageable
    set interface ethernet1 manage mtrace
    set interface ethernet3 manage ssl
    set interface ethernet3 manage web
    set interface ethernet2 dhcp server service
    set interface ethernet2 dhcp server enable
    set interface ethernet2 dhcp server option lease 2880
    set interface ethernet2 dhcp server option gateway 172.16.16.1
    set interface ethernet2 dhcp server option netmask 255.255.255.0
    set interface ethernet2 dhcp server option dns1 208.67.220.220
    set interface ethernet2 dhcp server option dns2 8.8.8.8
    set interface ethernet2 dhcp server option dns3 195.175.39.39
    set interface ethernet2 dhcp server ip 172.16.16.4 to 172.16.16.240
    unset interface ethernet2 dhcp server config next-server-ip
    set flow tcp-mss
    set flow all-tcp-mss 1304
    unset flow tcp-syn-check
    unset flow tcp-syn-bit-check
    set flow reverse-route clear-text prefer
    set flow reverse-route tunnel always
    set hostname Petrolyag
    set dbuf usb filesize 0
    set pki authority default scep mode "auto"
    set pki x509 default cert-path partial
    set dns host dns1 208.67.222.222
    set dns host dns2 208.67.220.220
    set dns host dns3 195.175.39.39

    set address "Work" "Petrolyag_Ipler" 192.168.1.1 255.255.255.0
    set address "Untrust" "Terakki_Test_Lan" 192.168.111.1 255.255.255.0
    set address "Home" "Wifi_Ipler" 172.16.16.0 255.255.255.0
    set crypto-policy
    exit
    set ike gateway "TerakkiGW" address 212.154.102.29 Main outgoing-interface "ethernet3" preshare "HbyMZcoUNVExIbs7vTCsF0RiQHnuO3N2T0GRI7Vu5+7Gu29EErELlyg=" sec-level standard
    set ike respond-bad-spi 1
    set ike ikev2 ike-sa-soft-lifetime 60
    unset ike ikeid-enumeration
    unset ike dos-protection
    unset ipsec access-session enable
    set ipsec access-session maximum 5000
    set ipsec access-session upper-threshold 0
    set ipsec access-session lower-threshold 0
    set ipsec access-session dead-p2-sa-timeout 0
    unset ipsec access-session log-error
    unset ipsec access-session info-exch-connected
    unset ipsec access-session use-error-log

    set vpn "Terakki_Test" gateway "TerakkiGW" no-replay tunnel idletime 0 sec-level standard
    set vpn "Terakki_Test" monitor optimized
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit
    set url protocol websense
    exit
    set policy id 13 name "Teat_Terakki" from "Work" to "Untrust" "Petrolyag_Ipler" "Terakki_Test_Lan" "Any" tunnel vpn "Terakki_Test" id 0x3 pair-policy 12 log
    set policy id 13
    set log session-init
    exit
    set policy id 5 name "Petrolyag_Nete_Cilik" from "Work" to "Untrust" "Petrolyag_Ipler" "Any" "ANY" permit log
    set policy id 5
    exit
    set policy id 1 from "Work" to "Untrust" "Any" "Any" "ANY" deny log
    set policy id 1
    exit
    set policy id 6 name "Wifi_Nete_Cikis" from "Home" to "Untrust" "Wifi_Ipler" "Any" "ANY" permit log
    set policy id 6
    exit
    set policy id 3 from "Home" to "Untrust" "Any" "Any" "ANY" deny log
    set policy id 3
    exit
    set policy id 4 from "Home" to "Work" "Any" "Any" "ANY" deny

    set policy id 12 name "Teat_Terakki" from "Untrust" to "Work" "Terakki_Test_Lan" "Petrolyag_Ipler" "Pet_Ter_Vpn_Port" tunnel vpn "Terakki_Test" id 0x3 pair-policy 13 log
    set policy id 12
    set log session-init
    exit
    set policy id 9 name "Natlanan" from "Untrust" to "Work" "Any" "VIP(ethernet3)" "Pet_Untrust_Portlar" permit log
    set policy id 9
    exit
    set policy id 10 name "Radmin_Nat" from "Untrust" to "Work" "Any" "VIP(ethernet3)" "Radmin_Serverlar" permit log
    set policy id 10 disable
    set policy id 10
    exit
    set policy id 11 name "Blocklar" from "Untrust" to "Work" "Any" "Any" "ANY" deny log
    set policy id 11
    exit
    set pppoe name "eth3"
    set pppoe name "eth3" username "petro" password "7X4w+BbkNt4CSrsLmBCH3dtWmLnJdyFGtQ=="
    set pppoe name "eth3" static-ip
    set pppoe name "eth3" interface ethernet3
    set syslog config "192.168.1.253"
    set syslog config "192.168.1.253" facilities local0 local0
    set syslog config "192.168.1.253" log traffic
    set syslog config "192.168.1.253" transport tcp
    set syslog src-interface ethernet2
    set syslog enable
    set nsmgmt bulkcli reboot-timeout 60
    set ssh version v2
    set config lock timeout 5
    unset license-key auto-update
    set modem speed 115200
    set modem retry 3
    set modem interval 10
    set modem idle-time 10
    set snmp port listen 161
    set snmp port trap 162
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset add-default-route
    exit
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit



  • 4.  RE: SRX210---NS5GT Policy Based VPN
    Best Answer

    Posted 12-09-2015 13:31

    Hi,

    Please enable ping, https, ike and ssh under the fe-0/0/7 host-inbound-traffic configuration.

    And in order to reach the LANs at both sites, you'll need to apply security policies.

    More than that, you haven't applied a static route on the SRX to the st interface, nor on the other site.

     

    I've attached the following link, which will help you configure the site-to-site VPN.

    http://forums.juniper.net/t5/Day-One-Tips/Site-to-Site-between-SRX210-and-SSG5/td-p/285211

     

    HTH



  • 5.  RE: SRX210---NS5GT Policy Based VPN

    Posted 12-10-2015 00:47

    I tried `host-inbound-traffic all` on fe-0/0/7.

    It did not work.



  • 6.  RE: SRX210---NS5GT Policy Based VPN

    Posted 12-10-2015 00:50

    Currently, a route-based VPN works.