I have asked this before, but since I completely rebuilt the configuration, this represents a new question.
I think this should be easy to solve, but I can't seem to get it.
The Route-based tunnel is between an SRX100 and an SSG20.
Hosts behind the SRX100 CAN ping hosts behind the SSG20, but not vice versa.
On the SSG20, the event log shows:
2014-01-02 14:28:37 system info 00536 IKE 195.3.164.122 Phase 2 msg ID 48cbcdf8: Completed negotiations with SPI 7d0636c9, tunnel ID 1, and lifetime 3600 seconds/0 KB.
2014-01-02 14:28:37 system info 00536 IKE 195.3.164.122 phase 2:The symmetric crypto key has been generated successfully.
2014-01-02 14:28:37 system info 00536 IKE 195.3.164.122: Received a notification message for DOI 1 40001 NOTIFY_NS_NHTB_INFORM.
2014-01-02 14:28:37 system info 00536 IKE 195.3.164.122 Phase 2 msg ID 48cbcdf8: Responded to the peer's first message.
Both sides show the tunnel as up. When I send traffic through the tunnel from the SRX side, the security ipsec statistics increment correctly.
The host behind the SSG20 can ping the gateway of 10.10.11.1, and the tunnel interfaces show in both routing tables for the desired subnets.
I thought this was a policy issue, but my policies seem good.
The routing table