ScreenOS Firewalls (NOT SRX)
ray-b
Registered: ‎01-26-2010

VPN Tunnel comes up but I can't seem to route through it

I've configured an SSG140 to form a VPN tunnel to a Cisco ASA.  It appears as if the tunnel comes up:

IKE 1.1.1.1 Phase 2 msg ID 47974d9c: Completed negotiations with SPI 4e088288, tunnel ID 2, and lifetime 3600 seconds/4608000 KB.

I cannot ping through the tunnel to hosts on the other side in either direction. It looks like I have all the routing and policies in place to support this. The ASA on the remote side sees the pings in both directions and is passing them through as expected.

I've attached the config file.  Any advice would be appreciated.

Ray

spuluka
Registered: ‎03-30-2009

Re: VPN Tunnel comes up but I can't seem to route through it

From the configuration I'm guessing you are setting up a policy-based VPN.

In that case, when you create the policy you need to select "tunnel" as the action and then the Phase 2 name to attach the policy to. Then you check the box to have matching policies so they are a valid pair. This binds the policy to your VPN connection.

The config would look like this:

set policy id 1 name "FromUs" from "Trust" to "Untrust"  "Trust_LAN" "TheirLAN" "ANY" tunnel vpn "Connection" id 0x20 pair-policy 2
set policy id 1
exit
set policy id 2 name "FromThem" from "Untrust" to "Trust"  "TheirLAN" "Trust_LAN" "ANY" tunnel vpn "Connection" id 0x21 pair-policy 1
set policy id 2
exit
Steve Puluka BSEET
Juniper Ambassador
Senior Network Engineer - UPMC Pittsburgh, PA
JNCIA-ER JNCIA-EX JNCIS-SEC JNCIP-SEC
JNCIS-FWV JNCIS-SSL
MCP - Managing Server 2003 MCP - Windows XP Professional
MCTS Windows 7
http://puluka.com/home
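The symptom in this thread (Phase 2 completes, nothing passes) is almost always a policy that is not bound to the VPN, or a pair that is not mirrored. The script below is an added example and is not part of the thread or of ScreenOS itself: it parses the `set policy` and `set vpn` lines of a saved ScreenOS config and reports the binding mistakes a practitioner should rule out before touching routing. The three config fragments are constructed for the example (the names `Trust_LAN`, `TheirLAN`, `Connection` and `ASA-GW` are assumptions); the keyword ScreenOS writes for the binding is `pair-policy`, and the spelling `policy-pair` used in the post is accepted as well so the checker works on either.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# One-line form ScreenOS writes for a policy, e.g.
#   set policy id 1 name "X" from "Trust" to "Untrust"  "A" "B" "ANY" tunnel vpn "V" id 0x20 pair-policy 2
# Two spaces after the destination zone are normal in saved configs, hence \s+.
POLICY_RE = re.compile(
    r'^set policy id (\d+)(?: name "[^"]*")? from "([^"]+)" to "([^"]+)"\s+'
    r'"([^"]+)" "([^"]+)" "([^"]+)" (permit|deny|tunnel)(?: vpn "([^"]+)")?'
    r'(?: id 0x[0-9a-fA-F]+)?(?: (?:pair-policy|policy-pair) (\d+))?'
)
# AutoKey (Phase 2) definition; only the name matters for binding checks.
VPN_RE = re.compile(r'^set vpn "([^"]+)" gateway "([^"]+)"')


@dataclass
class Policy:
    pid: int
    src_zone: str
    dst_zone: str
    src_addr: str
    dst_addr: str
    service: str
    action: str                 # permit, deny or tunnel
    vpn: Optional[str] = None   # Phase 2 name bound with "tunnel vpn"
    pair: Optional[int] = None  # id of the reverse-direction tunnel policy


def parse(config: str) -> Tuple[Dict[int, Policy], Set[str]]:
    """Collect policies and the VPN names a tunnel policy may bind to."""
    policies: Dict[int, Policy] = {}
    vpns: Set[str] = set()
    for raw in config.splitlines():
        line = raw.strip()
        m = POLICY_RE.match(line)
        if m:
            pid = int(m.group(1))
            policies[pid] = Policy(
                pid, m.group(2), m.group(3), m.group(4), m.group(5), m.group(6),
                m.group(7), m.group(8), int(m.group(9)) if m.group(9) else None,
            )
            continue
        m = VPN_RE.match(line)
        if m:
            vpns.add(m.group(1))
    return policies, vpns


def check(config: str) -> List[str]:
    """Return binding problems; an empty list means every tunnel policy is a consistent pair."""
    policies, vpns = parse(config)
    problems: List[str] = []
    used: Set[str] = set()
    for p in policies.values():
        if p.action != "tunnel":
            continue
        if not p.vpn:
            problems.append(f"policy {p.pid}: action tunnel but no vpn name bound")
            continue
        used.add(p.vpn)
        if p.vpn not in vpns:
            problems.append(f"policy {p.pid}: bound to unknown vpn {p.vpn!r}")
        if p.pair is None:
            problems.append(f"policy {p.pid}: no pair-policy, so return traffic has no tunnel policy")
            continue
        q = policies.get(p.pair)
        if q is None:
            problems.append(f"policy {p.pid}: pair-policy {p.pair} does not exist")
            continue
        if q.pair != p.pid:
            problems.append(f"policy {p.pid}: pair-policy {q.pid} does not pair back to {p.pid}")
        if q.vpn != p.vpn:
            problems.append(f"policy {p.pid}: paired policy {q.pid} is bound to {q.vpn!r}, not {p.vpn!r}")
        # The reverse policy must swap zones and addresses exactly.
        if (q.src_zone, q.dst_zone, q.src_addr, q.dst_addr) != (p.dst_zone, p.src_zone, p.dst_addr, p.src_addr):
            problems.append(f"policy {p.pid}: paired policy {q.pid} does not mirror its zones and addresses")
    for name in sorted(vpns - used):
        problems.append(f"vpn {name!r} is defined but no tunnel policy is bound to it; "
                        "matching traffic is forwarded by the route table instead of the tunnel")
    return problems


# Constructed sample configs (not from the thread).
GOOD_CONFIG = '''
set address "Trust" "Trust_LAN" 10.1.1.0 255.255.255.0
set address "Untrust" "TheirLAN" 10.2.2.0 255.255.255.0
set vpn "Connection" gateway "ASA-GW" no-replay tunnel idletime 0 sec-level standard
set policy id 1 name "FromUs" from "Trust" to "Untrust"  "Trust_LAN" "TheirLAN" "ANY" tunnel vpn "Connection" id 0x20 pair-policy 2
set policy id 1
exit
set policy id 2 name "FromThem" from "Untrust" to "Trust"  "TheirLAN" "Trust_LAN" "ANY" tunnel vpn "Connection" id 0x20 pair-policy 1
set policy id 2
exit
'''
# Tunnel is up, but the only policy permits in the clear: the classic cause of the symptom.
UNBOUND_CONFIG = '''
set vpn "Connection" gateway "ASA-GW" no-replay tunnel idletime 0 sec-level standard
set policy id 1 name "FromUs" from "Trust" to "Untrust"  "Trust_LAN" "TheirLAN" "ANY" permit
set policy id 1
exit
'''
# Both directions tunnel, but to different Phase 2 names and without a valid pair.
MISPAIRED_CONFIG = '''
set vpn "Connection" gateway "ASA-GW" no-replay tunnel idletime 0 sec-level standard
set vpn "Connection-old" gateway "ASA-GW" no-replay tunnel idletime 0 sec-level standard
set policy id 1 name "FromUs" from "Trust" to "Untrust"  "Trust_LAN" "TheirLAN" "ANY" tunnel vpn "Connection" id 0x20 pair-policy 2
set policy id 1
exit
set policy id 2 name "FromThem" from "Untrust" to "Trust"  "TheirLAN" "Trust_LAN" "ANY" tunnel vpn "Connection-old" id 0x21
set policy id 2
exit
'''

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("unbound", UNBOUND_CONFIG), ("mispaired", MISPAIRED_CONFIG)):
        print(label, check(cfg) or "ok")
```

Run it against the output of `get config` saved to a file (`check(open("ssg140.cfg").read())`); an empty result means the policies are bound and paired, and the problem is elsewhere (proxy-ID mismatch, routing, or the far side). It only inspects bindings, not whether the address objects match the proxy-IDs the ASA expects.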