Screen OS

  • 1.  Site-to-Site VPN ScreenOS SSG20 to Junos SRX100

    Posted 01-02-2014 12:13

    I have asked this before, but since I completely rebuilt the configuration, this represents a new question.

    I think this should be easy to solve, but I can't seem to get it.

     

    The Route-based tunnel is between an SRX100 and an SSG20.

     

    Hosts behind the SRX100 CAN ping the host behind the SSG20, but not vice versa.

     

    On the SSG20, the event log shows:

     

    2014-01-02 14:28:37 system info  00536 IKE 195.3.164.122 Phase 2 msg ID
                                           48cbcdf8: Completed negotiations with
                                           SPI 7d0636c9, tunnel ID 1, and
                                           lifetime 3600 seconds/0 KB.
    2014-01-02 14:28:37 system info  00536 IKE 195.3.164.122 phase 2:The
                                           symmetric crypto key has been
                                           generated successfully.
    2014-01-02 14:28:37 system info  00536 IKE 195.3.164.122: Received a
                                           notification message for DOI 1 40001
                                           NOTIFY_NS_NHTB_INFORM.
    2014-01-02 14:28:37 system info  00536 IKE 195.3.164.122 Phase 2 msg ID
                                           48cbcdf8: Responded to the peer's
                                           first message.

     

    Both sides show the tunnel as up. When I send traffic through the tunnel from the SRX side, the security ipsec statistics increment correctly.

     

    The host behind the SSG20 can ping the gateway of 10.10.11.1, and the tunnel interfaces show in both routing tables for the desired subnets.

     

    I thought this was a policy issue, but my policies seem good.

     

    policy.jpg

     

     

    The routing table

    route.PNG



  • 2.  RE: Site-to-Site VPN ScreenOS SSG20 to Junos SRX100
    Best Answer

    Posted 01-03-2014 06:22

    Check your routes. You're mixing static and OSPF routes, which may give you unintended results.

     

    Also, post full configs please (sanitised if necessary). Help us to help you.



  • 3.  RE: Site-to-Site VPN ScreenOS SSG20 to Junos SRX100

    Posted 01-03-2014 06:52

    Attached is the config of the ssg20.

     

    There are only two static routes, one that points traffic to the tunnel, and the other that sends a route to the host plugged into eth0/1:

     

    set route 10.10.11.10/24 gateway 10.10.11.1
    set route 192.168.0.10/24 interface tunnel.1
    exit
    set interface ethernet0/0 protocol ospf area 0.0.0.0
    set interface ethernet0/0 protocol ospf enable
    set interface ethernet0/1 protocol ospf area 0.0.0.0
    set interface ethernet0/1 protocol ospf enable

    (The first route, 10.10.11.10/24 gateway 10.10.11.1, is now deleted as of this post, with no change.)

     

     

    My host PC can ping its gateway 10.10.11.1, but not the interface eth0/0 that goes out to the internet. Since I deleted the static route, I now cannot ping the loopbacks of other devices past the gateway, nor the loopback of the SSG20 gateway device. Also, other devices can ping the host at 10.10.11.10, but not when sourced from their loopbacks.

     

    Not sure where to go on this, now.

    Attachment(s): netscreen.txt (6 KB)


  • 4.  RE: Site-to-Site VPN ScreenOS SSG20 to Junos SRX100

     
    Posted 01-04-2014 09:30

    Hi,

     

    Did you check the policies of the SRX100? Is the traffic coming from the VPN permitted to your host?

     

    Can you post the policies of the SRX?

     

    Did you enable traceoptions under [security flow] to check what happens to the ICMP packets coming from the SSG20 site?

     

    Regards



  • 5.  RE: Site-to-Site VPN ScreenOS SSG20 to Junos SRX100

    Posted 01-07-2014 05:25

    Here are the policies on the SRX100 dealing with the VPN:

     

        policy vpn-tunnel {
            match {
                source-address local-lan;
                destination-address remote-lan;
                application any;
            }
            then {
                permit;
            }
        }
    }
        policy vpn-tunnel-return {
            match {
                source-address remote-lan;
                destination-address local-lan;
                application any;
            }
            then {
                permit;
            }
        }
    }


    That seems to cover everything for those two hosts, since remote-lan and local-lan are the only two hosts in question.

    I did try some basic traceoptions, and the odd thing is that when I launched the ping from both sides, then it worked! Once I did that for the first time, pinging worked in both directions from then on.

     

     



  • 6.  RE: Site-to-Site VPN ScreenOS SSG20 to Junos SRX100

     
    Posted 01-07-2014 05:48

    You mean your problem is resolved now? If so, did you change anything?

     

    Regards

    Red1



  • 7.  RE: Site-to-Site VPN ScreenOS SSG20 to Junos SRX100

    Posted 01-07-2014 05:56

    I see. I had created an additional static route, 10.10.11.10/24 gateway 10.10.11.1. I think that was it. I deleted that in my current config, and it all works.

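As an added illustration of the kind of route that bit the poster (this is example code written for this page, not code from the thread, from Juniper or from ScreenOS itself): a small Python checker that parses `set interface ... ip` and `set route` lines from a ScreenOS config and flags four suspicious patterns: a route prefix with host bits set (10.10.11.10/24 rather than 10.10.11.0/24), a route whose gateway is one of the firewall's own interface addresses, a static route that duplicates a directly connected network, and a gateway that no connected network can reach. The sample config is constructed from the two routes quoted in the thread; the `set interface ethernet0/1 ip 10.10.11.1/24` line is an assumption based on the post saying 10.10.11.1 is the host's gateway on eth0/1, and the masking of host bits to the network address is how the checker models what a router installs, not a documented ScreenOS behaviour.

```python
"""Sanity-check ScreenOS static routes against the box's own interface addresses.

Example code for this page; the ScreenOS syntax handled is just the two
'set interface ... ip' and 'set route' forms that appear in the thread.
"""
import ipaddress
import re

# Constructed sample config. The two 'set route' lines are the ones quoted in
# the thread; the ethernet0/1 address is an ASSUMPTION (the post only says
# 10.10.11.1 is the host's gateway on eth0/1). tunnel.1 is left unnumbered.
SAMPLE_CONFIG = """
set interface ethernet0/1 ip 10.10.11.1/24
set interface tunnel.1 ip unnumbered interface ethernet0/0
set route 10.10.11.10/24 gateway 10.10.11.1
set route 192.168.0.10/24 interface tunnel.1
"""

IFACE_RE = re.compile(r"^set interface (\S+) ip (\d+\.\d+\.\d+\.\d+/\d+)$")
ROUTE_RE = re.compile(
    r"^set route (\d+\.\d+\.\d+\.\d+/\d+)"
    r"(?: interface (\S+))?"
    r"(?: gateway (\d+\.\d+\.\d+\.\d+))?"
)


def parse_config(text):
    """Return ({iface_name: IPv4Interface}, [(prefix, iface_or_None, gw_or_None)])."""
    ifaces = {}
    routes = []
    for raw in text.splitlines():
        line = raw.strip()
        m = IFACE_RE.match(line)
        if m:
            ifaces[m.group(1)] = ipaddress.ip_interface(m.group(2))
            continue
        m = ROUTE_RE.match(line)
        if m:
            routes.append((m.group(1), m.group(2), m.group(3)))
    return ifaces, routes


def check_routes(ifaces, routes):
    """Return a list of (prefix, code, detail) findings for suspicious routes."""
    findings = []
    for prefix, _iface, gw in routes:
        # Mask host bits the way a router would when installing the route.
        net = ipaddress.ip_network(prefix, strict=False)
        if ipaddress.ip_interface(prefix).ip != net.network_address:
            findings.append((prefix, "host-bits", f"prefix has host bits set; effective route is {net}"))
        if gw is None:
            continue  # interface-only routes (e.g. via tunnel.1) have no next hop to check
        gw_ip = ipaddress.ip_address(gw)
        for name, addr in ifaces.items():
            if gw_ip == addr.ip:
                findings.append((prefix, "self-gateway", f"gateway {gw} is this firewall's own {name} address"))
            if net == addr.network:
                findings.append((prefix, "shadows-connected", f"{net} is already directly connected on {name}"))
        if not any(gw_ip in addr.network for addr in ifaces.values()):
            findings.append((prefix, "gateway-unreachable", f"no connected network contains {gw}"))
    return findings


def audit(text):
    """Parse a config and return its findings in one call."""
    ifaces, routes = parse_config(text)
    return check_routes(ifaces, routes)


if __name__ == "__main__":
    for prefix, code, detail in audit(SAMPLE_CONFIG):
        print(f"{prefix:<18} {code:<20} {detail}")
```

Run against the sample, the checker reports the 10.10.11.10/24 route three times (host bits, gateway is the box's own eth0/1 address, duplicates the connected network) and the tunnel route once for its host bits; a plain default route via a gateway on a connected subnet produces no findings.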


  • 8.  RE: Site-to-Site VPN ScreenOS SSG20 to Junos SRX100

     
    Posted 01-07-2014 06:12

    Happy to hear that, good luck.