Hello!
IPsec VPN is up, but it is not passing data. Followed KB 10093, but no luck.
IPsec SAs are listed on both devices:
no:
run show security ipsec security-associations
Total active tunnels: 2
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<131073 ESP:3des/sha1 4b8ee27d 3527/ unlim U root 500 217.12.253.226
>131073 ESP:3des/sha1 9973f3e1 3527/ unlim U root 500 217.12.253.226
tco:
show security ipsec security-associations
Total active tunnels: 3
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<131074 ESP:3des/sha1 2f9a9ed 3587/ unlim U root 500 83.234.107.110
>131074 ESP:3des/sha1 26c5a0c0 3587/ unlim U root 500 83.234.107.110
Routes configured:
no:
show route 172.17.20.28
inet.0: 9 destinations, 9 routes (9 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
172.17.20.0/24 *[Static/5] 00:01:44
> via st0.0
tco:
show route 192.168.18.33
inet.0: 100 destinations, 101 routes (100 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
192.168.18.0/24 *[Static/5] 00:00:31
> via st0.1
rt-cifra1-all.inet.0: 21 destinations, 22 routes (21 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0 *[Static/100] 3w3d 04:39:54
> to 213.167.60.117 via fe-0/0/1.0
Tunnel interfaces are in the "trust" zone and traffic is permitted on both devices.
no:
LAN {
    address TCO-admin-net 172.17.20.0/24;
    address NO-LAN 192.168.18.0/24;
    address PBX 172.17.22.0/24;
    address-set LAN-set {
        address TCO-admin-net;
        address PBX;
    }
    attach {
        zone trust;
    }
}
and policy:
show security policies from-zone trust to-zone trust
policy from-NO {
    match {
        source-address NO-LAN;
        destination-address LAN-set;
        application any;
    }
    then {
        permit;
    }
}
policy to-NO {
    match {
        source-address LAN-set;
        destination-address NO-LAN;
        application any;
    }
    then {
        permit;
    }
}
The tco device is pretty much the same, but has a firewall rule for policy-based routing:
filter FILTER1 {
    term pod-allow {
        from {
            destination-address {
                192.168.0.0/16;
            }
        }
        then accept;
    }
    term mgmt-allow {
        from {
            destination-address {
                172.16.0.0/12;
            }
        }
        then accept;
    }
    term TERM-test {
        from {
            source-address {
                172.17.20.28/32;
            }
        }
        then {
            routing-instance rt-cifra1-test;
        }
    }
    term default {
        then {
            routing-instance rt-cifra1-all;
        }
    }
}
But it shouldn't affect VPN traffic.
I am stuck 😞
#IPSec #vpn
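As an added example (not the original poster's configuration and not Juniper code), here is a small Python model of the two steps a filter-based routing setup like the one above goes through on a Junos box: the firewall filter is evaluated first-match, and the route lookup then happens in whichever routing instance the matching term selected (a term with no `from` clause matches everything; `accept` leaves the packet in the default instance, inet.0). The filter terms and routing tables are transcribed from the tco outputs posted above, with two labelled assumptions: the contents of rt-cifra1-test are not shown in the post and are treated as an unknown table, and the filter is assumed to sit on the LAN-side ingress interface, so source and destination are as seen from the tco LAN. Only the routes the post shows are modelled, so a flow that matches nothing in the posted tables reports no next hop.

```python
import ipaddress

# Routing tables as posted for the tco device (transcribed from the post).
# rt-cifra1-test is not shown in the post, so it is deliberately absent here.
ROUTING_TABLES = {
    "inet.0": [("192.168.18.0/24", "st0.1")],
    "rt-cifra1-all": [("0.0.0.0/0", "fe-0/0/1.0 to 213.167.60.117")],
}

# FILTER1 as posted, in term order. None means "no match condition on this field".
FILTER1 = [
    {"name": "pod-allow",  "src": None, "dst": "192.168.0.0/16", "instance": None},
    {"name": "mgmt-allow", "src": None, "dst": "172.16.0.0/12",  "instance": None},
    {"name": "TERM-test",  "src": "172.17.20.28/32", "dst": None, "instance": "rt-cifra1-test"},
    {"name": "default",    "src": None, "dst": None, "instance": "rt-cifra1-all"},
]


def first_match(terms, src, dst):
    """Return the first term whose from-conditions all match, or None (implicit discard)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for term in terms:
        if term["src"] is not None and s not in ipaddress.ip_network(term["src"]):
            continue
        if term["dst"] is not None and d not in ipaddress.ip_network(term["dst"]):
            continue
        return term
    return None


def lookup(table_name, dst):
    """Longest-prefix match in the named table; None if the table or a route is missing."""
    d = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in ROUTING_TABLES.get(table_name, []):
        net = ipaddress.ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def trace_flow(src, dst, terms=FILTER1):
    """Filter evaluation followed by the route lookup in the selected instance.

    Assumption: the filter is applied on the LAN-side ingress interface, so the
    lookup for an 'accept' term happens in inet.0 and a 'routing-instance' term
    redirects the lookup into that instance.
    """
    term = first_match(terms, src, dst)
    if term is None:
        return {"term": None, "instance": None, "prefix": None, "next_hop": None}
    instance = term["instance"] or "inet.0"
    route = lookup(instance, dst)
    return {
        "term": term["name"],
        "instance": instance,
        "prefix": str(route[0]) if route else None,
        "next_hop": route[1] if route else None,
    }


if __name__ == "__main__":
    # The flow from the post, a LAN host reaching out to the internet, and the
    # single host that TERM-test diverts (sample addresses are constructed).
    for src, dst in [("172.17.20.28", "192.168.18.33"),
                     ("172.17.22.5", "8.8.8.8"),
                     ("172.17.20.28", "10.1.1.1")]:
        print(f"{src} -> {dst}: {trace_flow(src, dst)}")
```

Run as shown, the posted flow 172.17.20.28 to 192.168.18.33 hits pod-allow before TERM-test, stays in inet.0 and resolves to st0.1, which is consistent with the statement that the filter should not touch VPN traffic. The other two traces show what a diverted flow looks like: anything that falls through to the default term is looked up in rt-cifra1-all, where the posted table only has 0.0.0.0/0 via fe-0/0/1.0 and no st0 route, so such a flow would leave in the clear rather than through the tunnel. Checking `show interfaces <ifname> | match filter` on the box confirms where FILTER1 is actually applied, which this model only assumes.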