SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  st0.0 Interface won't come up - ipsec VPN issue

    Posted 07-26-2014 01:44

    Hi,

     

    Trying to set up a very simple, route-based ipsec VPN between two SRX, which are separated by 'internet'. Lab environment... No NAT is configured at all.

    The traffic between vr201 and vr202 should be the interesting traffic (that goes via tunnel). I should say, I can ping and telnet between these two vr's but it's like the traffic is not going through the tunnel.

     

    SRXA=========INTERNET==========SRX2

     

    So, after re-checking my ike and ipsec config on both sides, I still am not able to bring the tunnel Up.

     

    > show interfaces st0.0 terse

     

    admin@srxA-1> show interfaces st0.0 terse
    Interface               Admin Link Proto    Local                 Remote
    st0.0                   up    down inet     192.168.100.1       --> 0/0
    

     > show security ike security-associations

    admin@srxA-1> show security ike security-associations
    

     > show security ipsec security-associations

    admin@srxA-1> show security ipsec security-associations
      Total active tunnels: 0

     

    Find attached the topology and config I have for both SRX. What could I be missing?

    Attachment(s): srxA-2 Config.txt (8 KB), vr-Device Config.txt (5 KB), srxA-1 Config.txt (11 KB)


  • 2.  RE: st0.0 Interface won't come up - ipsec VPN issue
    Best Answer

     
    Posted 07-26-2014 01:53

    Hello wendow

     

    In srxA-1 under ike configuration, you have below:

     

    external-interface ge-0/0/3.0;

     


    However, under zone configuration of untrust, you have:

     

     

    interfaces {
                    fe-0/0/3.0;

     

    Regards,

    Raveen
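
The mismatch found in this answer (the IKE gateway's external-interface is not the interface bound to the untrust zone) can be checked mechanically. The following Python is an added example, not part of the original post or any Juniper tool; the sample config and the gateway name `gw-srx2` are constructed, and `walk` and `check_ike_interfaces` are hypothetical helper names.

```python
import re
# Constructed sample in Junos curly-brace format; gw-srx2 is a made-up name.
SAMPLE = """
security {
    ike {
        gateway gw-srx2 {
            external-interface ge-0/0/3.0;
        }
    }
    zones {
        security-zone untrust {
            interfaces {
                fe-0/0/3.0;
                st0.0;
            }
        }
    }
}
"""

def walk(text):
    """Yield (path, statement) for each block header and leaf statement."""
    path = []
    for raw in text.splitlines():
        line = re.sub(r"\s*##.*", "", raw).strip()  # drop '## ...' annotations
        if line.endswith("{"):
            yield tuple(path), line[:-1].strip()
            path.append(line[:-1].strip())
        elif line == "}" and path:
            path.pop()
        elif line.endswith(";"):
            yield tuple(path), line[:-1].strip()

def check_ike_interfaces(text):
    """Return (gateway, external-interface, near-misses) for gateways whose interface is in no zone."""
    gateways, zoned = {}, {}
    for path, stmt in walk(text):
        words = stmt.split()
        in_gw = len(path) == 3 and path[:2] == ("security", "ike") and path[2].startswith("gateway ")
        in_zone_ifs = len(path) == 4 and path[:2] == ("security", "zones") and path[3] == "interfaces"
        if in_gw and words[:1] == ["external-interface"]:
            gateways[path[2].split()[1]] = words[1]
        elif in_zone_ifs and words:
            zoned[words[0]] = path[2].split()[-1]
    port = lambda name: name.split("-", 1)[-1]  # "ge-0/0/3.0" -> "0/0/3.0"
    return [(gw, ifc, [z for z in zoned if port(z) == port(ifc)])
            for gw, ifc in sorted(gateways.items()) if ifc not in zoned]
```

A non-empty result lists each gateway whose external-interface has no zone binding, together with any zone interface that has the same slot/port but a different media prefix, which is the ge/fe slip in this thread.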



  • 3.  RE: st0.0 Interface won't come up - ipsec VPN issue

    Posted 07-26-2014 02:51

    Hi Raveen and mhariry,

     

    Thanks for pointing out that interface naming issue. I spent three hours and couldn't see it at all. Wonder how you guys pick such stuff. Many thanks. The tunnel is now up.

     

    @mhariry,

     

    I actually tried the st0 interface with both /32 and /30... both worked. Quite shocking. These st0.0 interfaces must be /30? Both /30 and /32 worked for me... but I have left it at /30.



  • 4.  RE: st0.0 Interface won't come up - ipsec VPN issue

     
    Posted 07-26-2014 02:54

    The tunnel interface IP is not really used unless you run NAT/routing protocols on top of the st0 interface.

    Hence /30 or /32 did not make any difference for you.

     

    Regards,

    Raveen



  • 5.  RE: st0.0 Interface won't come up - ipsec VPN issue

    Posted 07-26-2014 05:59

    Thanks Raveen,

     

    Why is the counter for Input Packets on the st0.0 interface still 0? Looks like some packets are being dropped. 

     

    admin@srxA-1> show interfaces st0.0 statistics
      Logical interface st0.0 (Index 69) (SNMP ifIndex 535)
        Flags: Point-To-Point SNMP-Traps Encapsulation: Secure-Tunnel
        Input packets : 0
        Output packets: 11
        Security: Zone: untrust
        Allowed host-inbound traffic : ike
        Protocol inet, MTU: 9192
          Flags: Sendbcast-pkt-to-re
          Addresses, Flags: Is-Preferred Is-Primary
            Destination: 192.168.100.0/30, Local: 192.168.100.1
    

     

     

     



  • 6.  RE: st0.0 Interface won't come up - ipsec VPN issue

    Posted 07-26-2014 02:05

    Hi,

     

    The st0 interface IP address is /32. If you modify it to /30 it will come up. Also, the external interface is ge-0/0/3; however, you have fe-0/0/3.