Hi SRX experts,
I have the following error but can't find out why I have this issue:
adm@srx# commit
error: Failed to build dop for policy 102
error: configuration check-out failed
The same configuration used to work in 11.4R4.4 but is not valid in 12.1X44-D25.5.
If I change the application to (let's say) junos-ping or any, the commit succeeds (but this is not an option, I need to use the self-defined application).
Here is the complete configuration:
set security zones security-zone trust address-book address LAN_A 192.168.1.0/24
set security zones security-zone untrust address-book address LAN_B 192.168.2.0/24
set interfaces ae1 unit 4001 vlan-id 4001
set interfaces ae1 unit 4001 family inet address 172.16.0.1/30
set security zones security-zone untrust interface ae1.4001
set security ipsec proposal IPSec_Proposal1 protocol esp
set security ipsec proposal IPSec_Proposal1 authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSec_Proposal1 encryption-algorithm aes-256-cbc
set security ipsec proposal IPSec_Proposal1 lifetime-seconds 3600
set applications application APP_TCP5800 protocol tcp
set applications application APP_TCP5800 destination-port 5008
set security ipsec policy IPSec_PolicyA perfect-forward-secrecy keys group5
set security ipsec policy IPSec_PolicyA proposals IPSec_Proposal1
set security ipsec vpn IPSec_VPN_A ike gateway IKE_GwCust1
set security ipsec vpn IPSec_VPN_A ike ipsec-policy IPSec_PolicyA
set security ipsec vpn IPSec_VPN_A establish-tunnels immediately
set security ike gateway IKE_GwCust1 ike-policy IKE_PolicyA
set security ike gateway IKE_GwCust1 address 172.16.0.1
set security ike gateway IKE_GwCust1 local-identity inet 172.16.0.2
set security ike gateway IKE_GwCust1 external-interface ae1.4001
set security ike policy IKE_PolicyA mode main
set security ike policy IKE_PolicyA proposals pre-g5-aes256-sha
set security ike policy IKE_PolicyA pre-shared-key ascii-text MyPSK
set security ike proposal pre-g5-aes256-sha authentication-method pre-shared-keys
set security ike proposal pre-g5-aes256-sha dh-group group5
set security ike proposal pre-g5-aes256-sha authentication-algorithm sha-256
set security ike proposal pre-g5-aes256-sha encryption-algorithm aes-256-cbc
set security ike proposal pre-g5-aes256-sha lifetime-seconds 28800
set security policies from-zone trust to-zone untrust policy 102 match source-address LAN_A
set security policies from-zone trust to-zone untrust policy 102 match destination-address LAN_B
set security policies from-zone trust to-zone untrust policy 102 match application APP_TCP5800
set security policies from-zone trust to-zone untrust policy 102 then permit tunnel ipsec-vpn IPSec_VPN_A
set security policies from-zone trust to-zone untrust policy 102 then permit tunnel pair-policy 201
set security policies from-zone untrust to-zone trust policy 201 match source-address LAN_B
set security policies from-zone untrust to-zone trust policy 201 match destination-address LAN_A
set security policies from-zone untrust to-zone trust policy 201 match application APP_TCP5800
set security policies from-zone untrust to-zone trust policy 201 then permit tunnel ipsec-vpn IPSec_VPN_A
set security policies from-zone untrust to-zone trust policy 201 then permit tunnel pair-policy 102
Any idea?