SRX

  • 1.  ipsec VPN is up, but not passing data

    Posted 11-17-2016 03:09

    Hello!

    IPsec VPN is up, but not passing data. Tried KB 10093 but no luck.

    IPsec SAs listed on both devices:

    no:

    run show security ipsec security-associations 
      Total active tunnels: 2
      ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway   
      <131073 ESP:3des/sha1 4b8ee27d 3527/ unlim   U   root 500   217.12.253.226  
      >131073 ESP:3des/sha1 9973f3e1 3527/ unlim   U   root 500   217.12.253.226

    tco:

    show security ipsec security-associations  
     Total active tunnels: 3 
     ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway        
     <131074 ESP:3des/sha1 2f9a9ed  3587/ unlim   U   root 500   83.234.107.110   
     >131074 ESP:3des/sha1 26c5a0c0 3587/ unlim   U   root 500   83.234.107.110

    Routes configured:

    no:

    show route 172.17.20.28                                                             
    
    inet.0: 9 destinations, 9 routes (9 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    172.17.20.0/24     *[Static/5] 00:01:44
                        > via st0.0

    tco: 

    show route 192.168.18.33                                                                  
    
    inet.0: 100 destinations, 101 routes (100 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    192.168.18.0/24    *[Static/5] 00:00:31
                        > via st0.1
    
    rt-cifra1-all.inet.0: 21 destinations, 22 routes (21 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    0.0.0.0/0          *[Static/100] 3w3d 04:39:54
                        > to 213.167.60.117 via fe-0/0/1.0

    Tunnel interfaces are in the "trust" zone and traffic is permitted on both devices.

    no:

    LAN {
        address TCO-admin-net 172.17.20.0/24;
        address NO-LAN 192.168.18.0/24;
        address PBX 172.17.22.0/24;
        address-set LAN-set {
            address TCO-admin-net;
            address PBX;
        }
        attach {
            zone trust;
        }
    }
    

    and policy:

    show security policies from-zone trust to-zone trust 
    policy from-NO {
        match {
            source-address NO-LAN;
            destination-address LAN-set;
            application any;
        }
        then {
            permit;
        }
    }
    policy to-NO {
        match {
            source-address LAN-set;
            destination-address NO-LAN;
            application any;
        }
        then {
            permit;
        }
    }
    

    The tco device is pretty much the same, but has a firewall rule for policy-based routing:

    filter FILTER1 {
        term pod-allow {
            from {
                destination-address {
                    192.168.0.0/16;
                }
            }
            then accept;
        }
        term mgmt-allow {
            from {
                destination-address {
                    172.16.0.0/12;
                }
            }
            then accept;
        }
        term TERM-test {
            from {
                source-address {
                    172.17.20.28/32;
                }
            }                               
            then {                          
                routing-instance rt-cifra1-test;
            }                               
        }                                   
        term default {                      
            then {                          
                routing-instance rt-cifra1-all;
            }                               
        }                                   
    }

    But it shouldn't affect VPN traffic.

    I am stuck 😞


    #IPSec
    #vpn


  • 2.  RE: ipsec VPN is up, but not passing data

    Posted 11-17-2016 21:10

    Hello,

    Your configuration seems to be correct. Can you try to configure flow traceoptions:

    https://kb.juniper.net/InfoCenter/index?page=content&id=kb16233

    and check where the packet is getting dropped. Try configuring it on one device (filter it based on source and destination) and let's see if there is any drop. Then we will check the other device.

    So if the source is near your TCO device, then configure it first on the TCO device to see if the traffic is taking the tunnel route. If so, then we will configure a trace on the NO device to see if the packet is getting decrypted on that device.


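    As an added illustration of the flow traceoptions approach suggested in the reply above (this is my own example, not part of the original reply or of KB16233), here is a minimal configuration for the tco device. The packet-filter names pf-to-NO and pf-from-NO and the file name flow-trace are my own choices; the two host addresses come from the first post (172.17.20.28 on the tco LAN, 192.168.18.33 on the NO LAN). Filtering on a single host pair keeps the trace small enough to read and avoids logging every flow on the box.

    ```junos
    security {
        flow {
            traceoptions {
                /* keep the log bounded: 1 MB per file, 3 rotated files */
                file flow-trace size 1m files 3;
                /* basic-datapath is enough to see route lookup, policy lookup and drops */
                flag basic-datapath;
                /* only trace the test host pair, in both directions */
                packet-filter pf-to-NO {
                    source-prefix 172.17.20.28/32;
                    destination-prefix 192.168.18.33/32;
                }
                packet-filter pf-from-NO {
                    source-prefix 192.168.18.33/32;
                    destination-prefix 172.17.20.28/32;
                }
            }
        }
    }
    ```

    After committing, generate traffic from 172.17.20.28 and read the result with `show log flow-trace`; a packet that is being discarded shows up as a "packet dropped" line together with the reason (no route, policy deny, or no session), and the preceding lines tell you which routing instance and zone the lookup was done in. `show security flow session source-prefix 172.17.20.28` confirms whether a session was ever created at all. Because the trace costs CPU on the data plane, `deactivate security flow traceoptions` and commit again once you have what you need.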

  • 3.  RE: ipsec VPN is up, but not passing data

    Posted 11-17-2016 23:24

    On the tco site, are the external interface and st0 in different routing instances?

    If so, you may need to add a route for 192.168.18.0/24 in the routing instance pointing to the inet table.

    Note: If the external interface is in a custom routing instance at only one site and the traffic is initiated from the other site, we need to make use of rib-groups to make the internal network available in the custom routing instance. Otherwise, the default route in the custom routing instance will match the traffic and the incoming interface itself will be chosen as the outgoing interface. The security policy lookup will be done within the same zone context and the packets will be dropped.

    If both sites' external interfaces are in custom routing instances, then we need to apply rib-groups at both sites when we need bidirectional communication (traffic initiation from either site). If we need traffic to be initiated from only one site, then the rib-group should be applied at the other site.


    Ref: https://kb.juniper.net/InfoCenter/index?page=content&id=KB21487&actp=search
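    To make the rib-group idea from the reply above concrete, here is an added example (mine, not the poster's configuration and not copied from KB21487) for the tco device, where the first post shows the 192.168.18.0/24 route via st0.1 living in inet.0 while the default route via fe-0/0/1.0 lives in rt-cifra1-all.inet.0. The rib-group name inet0-to-cifra is my own; the table names and the static route are the ones visible in the thread. The group copies both the interface (direct) routes and the static routes of inet.0 into the custom instance, so a lookup done in rt-cifra1-all no longer falls through to the 0.0.0.0/0 route.

    ```junos
    routing-options {
        rib-groups {
            /* the first import-rib entry must be the table the routes come from (inet.0);
               every table listed after it receives a copy */
            inet0-to-cifra {
                import-rib [ inet.0 rt-cifra1-all.inet.0 ];
            }
        }
        /* copy direct routes, including the st0.1 tunnel interface, into the custom instance */
        interface-routes {
            rib-group {
                inet inet0-to-cifra;
            }
        }
        /* copy static routes too; this is the existing 192.168.18.0/24 via st0.1 from the post */
        static {
            rib-group inet0-to-cifra;
            route 192.168.18.0/24 next-hop st0.1;
        }
    }
    ```

    Verify with `show route table rt-cifra1-all.inet.0 192.168.18.33`: the expected result is the /24 via st0.1 instead of the 0.0.0.0/0 route via fe-0/0/1.0. If the NO site's external interface were also in a custom instance, the same construction would be needed there, as the reply notes.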




  • 4.  RE: ipsec VPN is up, but not passing data

    Posted 11-18-2016 03:29

    Thank you for your replies.

    It started to work by itself somehow.

    Maybe the ISP blocked some traffic? Dunno.



  • 5.  RE: ipsec VPN is up, but not passing data
    Best Answer

    Posted 11-21-2016 16:47

    always use: 

    > restart ipsec-key-management


    solves most issues, just note all tunnels on the box will bounce lol

    I have found that ISPs are really bad about blocking ESP traffic sometimes; the tunnels come up but no traffic can pass... very annoying

    Usually a reboot of the cable/DSL router fixes it




  • 6.  RE: ipsec VPN is up, but not passing data

    Posted 11-21-2016 21:08

    Hi.

    >>always use: 

    >>> restart ipsec-key-management

    That's the first thing I've done, plus cleared the SAs.

    Seems it was the ISP blocking ESP traffic. Thank you for your reply.
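    Since the thread settles on "the SAs are up but ESP is being dropped upstream", here is an added way to confirm that diagnosis from the SRX itself before bouncing anything (my own procedure, not from the posters). It uses only the SA indexes shown in the first post (131074 on tco, 131073 on NO); the prompts and the counter values in the sample output are constructed for illustration. The key observation is that IKE (UDP 500) and ESP (IP protocol 50) travel separately, so a filter that drops only protocol 50 leaves `show security ipsec security-associations` looking healthy while the ESP counters tell the real story.

    ```junos
    /* 1. Confirm phase 1 and phase 2 are both up on the tco side (they were in the post) */
    user@tco> show security ike security-associations
    user@tco> show security ipsec security-associations

    /* 2. Zero the counters, send a ping from 172.17.20.28 to 192.168.18.33, then read them */
    user@tco> clear security ipsec statistics
    user@tco> show security ipsec statistics index 131074

    /* constructed sample output for the "ESP blocked upstream" case */
    ESP Statistics:
      Encrypted bytes:            12000
      Decrypted bytes:                0
      Encrypted packets:            100
      Decrypted packets:              0

    /* 3. Repeat on the NO side with its own SA index while the ping is still running */
    user@no> clear security ipsec statistics
    user@no> show security ipsec statistics index 131073
    ```

    Reading the two results together: tco encrypting 100 packets and decrypting 0 only says that nothing came back. If NO also shows 0 decrypted packets, the ESP that tco sent never arrived, so the drop is between the two external addresses rather than on either firewall; if NO shows 100 decrypted and 100 encrypted, the reply left NO and was lost on the way back. Either way, the flow trace and rib-group checks earlier in the thread would come up clean, because the inner packets are handled correctly. Non-zero values under the Errors section (ESP authentication or decryption failures, replay errors) point instead at a mismatch or a rewriting middlebox, which is worth knowing before reaching for `restart ipsec-key-management`, since that command, as noted above, bounces every tunnel on the box.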