SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  VPN Stumped

    Posted 06-24-2011 18:47

    Used the VPN config wizard to set up a VPN between two SRX100s. The web interface indicates that phase one and two have come up, but I cannot ping between the locations from either side.

     

    Here is an excerpt from the kmd log:

     

    Jun 25 01:26:57 KMD_VPN_UP_ALARM_USER: VPN ipsec-vpn-cfgr from ***.***.***.*** is up.

    Jun 25 01:26:57 KMD_VPN_UP_ALARM_USER: VPN ipsec-vpn-cfgr from ***.***.***.*** is up.

    Jun 25 01:26:57 KMD_PM_SA_ESTABLISHED: Local gateway: 10.0.0.8, Remote gateway: ***.***.***.***, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: inbound, SPI: 7cedd4a1, AUX-SPI: 0, Mode: tunnel, Type: dynamic

    Jun 25 01:26:57 KMD_PM_SA_ESTABLISHED: Local gateway: 10.0.0.8, Remote gateway: ***.***.***.***, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: inbound, SPI: 7cedd4a1, AUX-SPI: 0, Mode: tunnel, Type: dynamic

    Jun 25 01:26:57 KMD_PM_SA_ESTABLISHED: Local gateway: 10.0.0.8, Remote gateway: ***.***.***.***, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: outbound, SPI: 3fa63b99, AUX-SPI: 0, Mode: tunnel, Type: dynamic

    Jun 25 01:26:57 KMD_PM_SA_ESTABLISHED: Local gateway: 10.0.0.8, Remote gateway: ***.***.***.***, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: outbound, SPI: 3fa63b99, AUX-SPI: 0, Mode: tunnel, Type: dynamic

    Jun 25 01:28:43 KMD_INTERNAL_ERROR: Peer entry not found for peer: 324c1ef9, port:500 while deleting peer entry

    Jun 25 01:28:43 KMD_INTERNAL_ERROR: Peer entry not found for peer: 324c1ef9, port:500 while deleting peer entry

    Jun 25 01:28:43 KMD_VPN_DOWN_ALARM_USER: VPN ipsec-vpn-cfgr from ***.***.***.*** is down.

    Jun 25 01:28:43 KMD_VPN_DOWN_ALARM_USER: VPN ipsec-vpn-cfgr from ***.***.***.*** is down.

    Jun 25 01:28:58 KMD_INTERNAL_ERROR: Not able to create eer entry for peer: 324c1ef9, port:500

    Jun 25 01:28:58 KMD_INTERNAL_ERROR: Not able to create eer entry for peer: 324c1ef9, port:500

    Jun 25 01:28:58 KMD_VPN_UP_ALARM_USER: VPN ipsec-vpn-cfgr from ***.***.***.*** is up.

    Jun 25 01:28:58 KMD_VPN_UP_ALARM_USER: VPN ipsec-vpn-cfgr from ***.***.***.*** is up.

    Jun 25 01:28:58 KMD_PM_SA_ESTABLISHED: Local gateway: 10.0.0.8, Remote gateway: ***.***.***.***, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: inbound, SPI: 775ce8e7, AUX-SPI: 0, Mode: tunnel, Type: dynamic

    Jun 25 01:28:58 KMD_PM_SA_ESTABLISHED: Local gateway: 10.0.0.8, Remote gateway: ***.***.***.***, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: inbound, SPI: 775ce8e7, AUX-SPI: 0, Mode: tunnel, Type: dynamic

    Jun 25 01:28:58 KMD_PM_SA_ESTABLISHED: Local gateway: 10.0.0.8, Remote gateway: ***.***.***.***, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: outbound, SPI: 57458cd9, AUX-SPI: 0, Mode: tunnel, Type: dynamic

    Jun 25 01:28:58 KMD_PM_SA_ESTABLISHED: Local gateway: 10.0.0.8, Remote gateway: ***.***.***.***, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: outbound, SPI: 57458cd9, AUX-SPI: 0, Mode: tunnel, Type: dynamic

     

    I'm not seeing what is "expected" from the KB articles I've read, but the web interface indicates the link is up. Any insights would be great.

     

    Luke



  • 2.  RE: VPN Stumped

    Posted 06-25-2011 15:55
    Please post your configuration and software version from both devices.

    Dustin


  • 3.  RE: VPN Stumped

    Posted 06-25-2011 16:45

    Attached is the config from the remote device. I will post the config from the main device on Monday.

     

    Attachment(s)

    txt
    config1.txt   6 KB 1 version


  • 4.  RE: VPN Stumped

    Posted 06-27-2011 04:25

    Here is the second config file

    Attachment(s)

    txt
    config2.txt   7 KB 1 version


  • 5.  RE: VPN Stumped

    Posted 06-27-2011 05:13

    When you say you can't ping between locations - are you trying to ping from the subnets behind the SRX, or from the SRXs themselves? 

     

    The security policy in your configuration will only allow traffic from the local subnets at each site to pass.



  • 6.  RE: VPN Stumped

    Posted 06-27-2011 07:18

    I was trying to ping a known machine on either end of the tunnel.

     

    i.e. 192.168.2.3 from 192.168.1.17 or the other way around.



  • 7.  RE: VPN Stumped

    Posted 06-28-2011 04:12

    While you're running the ping, show the output of "show security flow session" - that will give you a hint as to where the traffic is going.



  • 8.  RE: VPN Stumped
    Best Answer

    Posted 06-29-2011 06:09

    I was able to solve the issue and the VPN seems to be up and working perfectly.

     

    I had the offsite device behind another router and thought I had passed the static IP through, but apparently had not. Once I put the SRX on the outside and had it direct to the modem, it worked.

     

    Live and learn, I suppose. Thanks to everyone for their help.
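
An added example, not part of the original thread: a small Python check over kmd log lines that reports tunnels going down shortly after coming up, and flags SA entries whose `Local gateway` is an RFC 1918 address (as `10.0.0.8` is in the excerpt above, consistent with the device sitting behind another router). The sample lines are constructed from the excerpt with the masked remote gateway replaced by a documentation address; the function name, the 300-second window and the year argument are assumptions.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample modelled on the kmd excerpt in the first post.
SAMPLE_LOG = """\
Jun 25 01:26:57 KMD_VPN_UP_ALARM_USER: VPN ipsec-vpn-cfgr from 203.0.113.10 is up.
Jun 25 01:26:57 KMD_VPN_UP_ALARM_USER: VPN ipsec-vpn-cfgr from 203.0.113.10 is up.
Jun 25 01:26:57 KMD_PM_SA_ESTABLISHED: Local gateway: 10.0.0.8, Remote gateway: 203.0.113.10, Direction: inbound, SPI: 7cedd4a1, AUX-SPI: 0, Mode: tunnel, Type: dynamic
Jun 25 01:28:43 KMD_VPN_DOWN_ALARM_USER: VPN ipsec-vpn-cfgr from 203.0.113.10 is down.
Jun 25 01:28:43 KMD_VPN_DOWN_ALARM_USER: VPN ipsec-vpn-cfgr from 203.0.113.10 is down.
Jun 25 01:28:58 KMD_VPN_UP_ALARM_USER: VPN ipsec-vpn-cfgr from 203.0.113.10 is up.
Jun 25 01:28:58 KMD_PM_SA_ESTABLISHED: Local gateway: 10.0.0.8, Remote gateway: 203.0.113.10, Direction: outbound, SPI: 57458cd9, AUX-SPI: 0, Mode: tunnel, Type: dynamic
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (KMD_\w+): (.*)$")
ALARM_RE = re.compile(r"VPN (\S+) from (\S+) is (up|down)\.")
LOCAL_GW_RE = re.compile(r"Local gateway: ([0-9.]+),")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def analyze_kmd(log_text, year=2011, flap_window=300):
    """Return (flaps, private_local_gateways) for kmd log text.

    flaps: (vpn_name, seconds_up) for each tunnel that went down within
    flap_window seconds of coming up. Syslog lines carry no year, so the
    caller supplies one (assumption).
    """
    flaps, private_gws, last_up = [], set(), {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        event, body = m.group(2), m.group(3)
        if event == "KMD_PM_SA_ESTABLISHED":
            gw = LOCAL_GW_RE.search(body)
            if gw and any(ipaddress.ip_address(gw.group(1)) in n for n in RFC1918):
                private_gws.add(gw.group(1))
        alarm = ALARM_RE.search(body)
        if alarm:
            vpn, _peer, state = alarm.groups()
            if state == "up":
                last_up[vpn] = ts
            elif vpn in last_up:  # a repeated "down" line is ignored
                up_for = int((ts - last_up.pop(vpn)).total_seconds())
                if up_for <= flap_window:
                    flaps.append((vpn, up_for))
    return flaps, sorted(private_gws)
```

A private local gateway on an Internet-facing tunnel means an upstream device must forward IKE to the SRX, which is the condition the final post found was not met.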