SRX

Hello,

I am trying to setup a dynamic-vpn on a clustered srx240h-setup (JUNOS 11.4R4.4). Everytime I initiate the vpn with pulse, the SRX complains abt. "IKE Phase-2: Failed to match the peer proxy IDs [p2_remote_proxy_id=ipv4_subnet(any:0,[0..7]=10.100.0.0/16), p2_local_proxy_id=ipv4(any:0,[0..3]=10.0.8.15)] for local ip: 1.2.3.4, remote peer ip:5.6.7.8".

I used the wizard to setup the dynamic vpn and it did not configure proxy-ids, so the error message is correct. But I cannot just add the proxy-ids since p2_local_proxy_id is expected to be an address without netmask. Neither the commandline nor the webinterface accept this, so I'm kind of stuck.

The funny thing is, that a similiar config on a single srx240 with the same version of JUNOS works just fine. The only obvious difference in the config besides the IPs is that the public interface of the clustered setup is reth0.0 instead of ge-0/0/3.0 for the single SRX. Is there a known problem in 11.4R4.4?

best regards

Joachim

Hi

I'm not aware of the bug of this kind, but can you post your config? Especially, your security policies as proxy-id is taken from the policy that is doing VPN tunneling.

Hi Peter,

thank you for taking the time to consider my problem. I have reduced the config to the relevant parts and attached it below.

best regards

Joachim

Attachment(s)

config.txt   2 KB 1 version

Hi

Can you try to modify tour policy in the following way:

source-address any;
destination-address any;

In fact this is the way Juniper recommends to write dynamic VPN policy.

Hi Peter,

thank you very much, this really solved my problem. Without your hint, I would never have thought of trying this, since I come from a Netscreen background and always limited source and destination addresses.

best regards

Joachim