SRX Services Gateway
Recognized Expert
JunOS_Fan
Posts: 241
Registered: 02-13-2012

Traceroute through Site-to-Site IPSec VPN for overlapping subnets

Hi,

In the attached setup (Site-to-Site IPSec VPN for overlapping subnets at one branch and the HO site), traffic is passing between the branches and HO without any issues. But when I do a traceroute, I don't see the IP addresses of the st0 units at these two sites; for these two hops I get "request timed out". The SRX flow trace shows that the SRX is sending the ICMP Type 11, Code 0 (TTL expiry) message, but it is not seen back at the initiating PC.

Between the non-overlapping branch site and HO, traceroute works fine. I have a similar configuration with respect to host-inbound-traffic and suspected a security policy issue (allowing the ICMP error message) at the intermediate SRXs; for testing purposes I enabled default-policy permit-all, but to no avail.

Any ideas? Thanks in advance.

Best regards
Pradeep (JNCIP-SEC,ENT,SP)
www.networker.co.in
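What the initiating PC actually does with the ICMP Type 11, Code 0 message mentioned above is worth seeing in code, because a reply that reaches the PC but fails the host's matching rules is indistinguishable from no reply at all. The following is an added example, not code from this thread or from Juniper: it builds a UDP traceroute probe, builds the Time Exceeded message a hop would send for it, and then applies the check every traceroute host applies (RFC 792): the reply must quote the original IP header plus the first 8 bytes of the probe, and the quoted source, destination and UDP ports must match an outstanding probe. Addresses 192.168.1.10 (the PC), 10.255.0.1 (a tunnel hop) and 172.16.1.10 are constructed for the example; 10.10.10.2 is the target venu mentions below.

```python
import struct
from ipaddress import IPv4Address

ICMP_PROTO, UDP_PROTO = 1, 17
ICMP_TIME_EXCEEDED, CODE_TTL_EXPIRED = 11, 0


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (returns 0 for a valid message)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, ttl: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                      ttl, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]


def build_udp_probe(src: str, dst: str, sport: int, dport: int, ttl: int) -> bytes:
    """A classic UDP traceroute probe: small datagram to a high port, low TTL."""
    payload = b"\x00" * 24
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload  # UDP checksum 0 = none
    return ipv4_header(src, dst, UDP_PROTO, ttl, len(udp)) + udp


def build_time_exceeded(router: str, probe: bytes) -> bytes:
    """What a hop sends when the probe's TTL expires: ICMP 11/0 quoting the
    original IP header plus the first 8 bytes of its payload (RFC 792)."""
    ihl = (probe[0] & 0x0F) * 4
    body = struct.pack("!BBHI", ICMP_TIME_EXCEEDED, CODE_TTL_EXPIRED, 0, 0) + probe[:ihl + 8]
    icmp = body[:2] + struct.pack("!H", _checksum(body)) + body[4:]
    original_sender = str(IPv4Address(probe[12:16]))
    return ipv4_header(router, original_sender, ICMP_PROTO, 64, len(icmp)) + icmp


def parse_time_exceeded(packet: bytes):
    """Return the hop address and the quoted probe fields, or None if this is
    not a well-formed ICMP Time Exceeded / TTL expired message."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != ICMP_PROTO:
        return None
    icmp = packet[(packet[0] & 0x0F) * 4:]
    if len(icmp) < 8 or icmp[0] != ICMP_TIME_EXCEEDED or icmp[1] != CODE_TTL_EXPIRED:
        return None
    if _checksum(icmp) != 0:          # damaged in transit: the host ignores it
        return None
    inner = icmp[8:]
    if len(inner) < 20 or inner[0] >> 4 != 4:
        return None
    inner_ihl = (inner[0] & 0x0F) * 4
    if len(inner) < inner_ihl + 8:    # RFC 792 requires 8 bytes of the original payload
        return None
    info = {
        "hop": str(IPv4Address(packet[12:16])),
        "orig_src": str(IPv4Address(inner[12:16])),
        "orig_dst": str(IPv4Address(inner[16:20])),
        "orig_proto": inner[9],
    }
    if inner[9] == UDP_PROTO:
        info["sport"], info["dport"] = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return info


def resolve_hop(probe: bytes, replies):
    """Mimic the traceroute host: a probe is answered only by a Time Exceeded
    whose quoted header and ports match it; otherwise the hop shows as '*'."""
    ihl = (probe[0] & 0x0F) * 4
    want_src, want_dst = str(IPv4Address(probe[12:16])), str(IPv4Address(probe[16:20]))
    sport, dport = struct.unpack("!HH", probe[ihl:ihl + 4])
    for reply in replies:
        info = parse_time_exceeded(reply)
        if (info and info["orig_src"] == want_src and info["orig_dst"] == want_dst
                and info.get("sport") == sport and info.get("dport") == dport):
            return info["hop"]
    return None  # reported as "request timed out" / "* * *"


if __name__ == "__main__":
    # Constructed addresses: 192.168.1.10 is the PC, 10.255.0.1 a tunnel hop;
    # 10.10.10.2 is the target mentioned in the thread.
    probe = build_udp_probe("192.168.1.10", "10.10.10.2", 33434, 33435, ttl=2)
    good = build_time_exceeded("10.255.0.1", probe)
    print("matching reply ->", resolve_hop(probe, [good]))
    # A reply whose quoted header carries a different source than the probe
    # (constructed 172.16.1.10) is discarded by the host, exactly like no reply.
    other = build_time_exceeded("10.255.0.1",
                                build_udp_probe("172.16.1.10", "10.10.10.2", 33434, 33435, ttl=2))
    print("non-matching reply ->", resolve_hop(probe, [other]))
```

When a flow trace shows the Type 11 message leaving the SRX but the PC still prints "request timed out", feeding a capture of that message taken on the PC side to parse_time_exceeded shows which of the three things is happening: the packet never arrives, it arrives damaged, or it arrives but its quoted source/destination/ports no longer match the probe the PC sent.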
Visitor
venu
Posts: 7
Registered: 01-24-2011

Re: Traceroute through Site-to-Site IPSec VPN for overlapping subnets

Hi, I don't see any issue while doing traceroute on overlapping subnets through the tunnel on my testbed. Can you try traceroute from Branch1 to 10.10.10.2 with the source set to the branch LAN-connected interface, which is in trust, and see?

Recognized Expert
JunOS_Fan
Posts: 241
Registered: 02-13-2012

Re: Traceroute through Site-to-Site IPSec VPN for overlapping subnets

Thank you Venu for testing this and replying. Actually, in my setup st0.0 on the HO site is in a virtual router. Is it the same in your case also?

I have attached my complete configuration (of all 3 sites: Branch 1, Branch 2 and HO). Could you please check?

Thanks once again.

Best regards
Pradeep (JNCIP-SEC,ENT,SP)
www.networker.co.in
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.