SRX Services Gateway

SRX Site to Site VPN Query

04-17-2014 01:06 AM

Hi,

Apologies if this has been asked and answered earlier.

I am configuring a site-to-site route-based VPN on an SRX240H2 with Junos 12.1X44D20.3.

We have a public IP /24 range available for our network and another public IP assigned by the ISP for routing the Internet traffic.

So the configuration is:

ge-0/0/2.0 - A.B.C.D - public IP provided by the ISP

ge-0/0/4.0 - E.F.G.1 - public IP from the /24 range we own

E.F.G.1 is the default gateway for all machines in that range.

A.B.C.D is the default next-hop route from this SRX.

When setting up the VPN tunnel, I am binding it to ge-0/0/4.0. Though the tunnel does get set up, no traffic flows through. I could see the encrypted packet count increasing on my side, but the counters on the other side remain 0.

When we changed the tunnel binding to ge-0/0/2.0, traffic started flowing through the tunnel.

My question is: is what I was trying in the first place (using E.F.G.1 as the tunnel endpoint) a valid scenario? And how do I debug where the packets are going when the encrypted count is increasing? I tried turning traceoptions on for IPsec but am not sure which file contains the log. The kmd file is blank.

I would like to avoid using A.B.C.D as the tunnel endpoint due to the dependency on the ISP.

Let me know if I can provide any further information to help address this query.

Regards

Samir

Solution
Accepted by topic author bbureau
08-26-2015 01:27 AM

Re: SRX Site to Site VPN Query

04-18-2014 07:26 PM

Hi,

The issue you must be facing is due to the interface specified for the VPN and the outgoing interface belonging to separate zones.

Please review the following KB, which describes a topology similar to the one you are working on:

http://kb.juniper.net/KB22129

Regards

Sarab

------------------------------------------------------------------------------------

[If it helped please mark it as "Accepted Solution". Kudos will be appreciated too.]
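As an added illustration of the point in the accepted answer (this is a constructed example, not configuration from the thread or from the linked KB), the Junos set commands below put the IKE external-interface (ge-0/0/4.0, the owned /24) and the interface that actually forwards the encrypted packets toward the peer (ge-0/0/2.0, the ISP link) into the same security zone, and bind the tunnel to st0.0. Zone, gateway, proposal and policy names, the RFC 5737 documentation addresses standing in for A.B.C.D / E.F.G.x, the peer address 192.0.2.10 and the remote prefix 10.20.0.0/16 are all assumptions; trust-to-vpn security policies are omitted.

```text
# Constructed example: RFC 5737 addresses stand in for the thread's
# A.B.C.D (ISP-assigned) and E.F.G.1 (first address of the owned /24).
set interfaces ge-0/0/2 unit 0 family inet address 203.0.113.2/30
set interfaces ge-0/0/4 unit 0 family inet address 198.51.100.1/24
set interfaces st0 unit 0 family inet
set routing-options static route 0.0.0.0/0 next-hop 203.0.113.1
# Remote protected network (assumed) is reached through the tunnel interface
set routing-options static route 10.20.0.0/16 next-hop st0.0

# Point of the accepted answer: the IKE external-interface and the egress
# interface toward the peer live in the SAME zone, and that zone admits IKE.
set security zones security-zone untrust interfaces ge-0/0/2.0
set security zones security-zone untrust interfaces ge-0/0/4.0
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone vpn interfaces st0.0

# IKE phase 1 (names, peer address and secret are placeholders)
set security ike proposal p1-prop authentication-method pre-shared-keys
set security ike proposal p1-prop dh-group group14
set security ike proposal p1-prop authentication-algorithm sha-256
set security ike proposal p1-prop encryption-algorithm aes-256-cbc
set security ike policy p1-pol mode main
set security ike policy p1-pol proposals p1-prop
set security ike policy p1-pol pre-shared-key ascii-text "REPLACE-WITH-STRONG-SECRET"
set security ike gateway gw-remote ike-policy p1-pol
set security ike gateway gw-remote address 192.0.2.10
set security ike gateway gw-remote external-interface ge-0/0/4.0

# IPsec phase 2, route-based: the VPN is bound to st0.0
set security ipsec proposal p2-prop protocol esp
set security ipsec proposal p2-prop authentication-algorithm hmac-sha-256-128
set security ipsec proposal p2-prop encryption-algorithm aes-256-cbc
set security ipsec policy p2-pol proposals p2-prop
set security ipsec vpn vpn-remote bind-interface st0.0
set security ipsec vpn vpn-remote ike gateway gw-remote
set security ipsec vpn vpn-remote ike ipsec-policy p2-pol
set security ipsec vpn vpn-remote establish-tunnels immediately

# Operational-mode checks for the "encrypted count rises, peer sees 0"
# symptom: phase 1/2 state, per-VPN counters, and the flow session that
# shows which egress interface the traffic is actually taking.
show security ike security-associations
show security ipsec security-associations
show security ipsec statistics
show security flow session destination-prefix 10.20.0.0/16
```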


Re: SRX Site to Site VPN Query

04-23-2014 03:59 PM

Hi Sarab,

Many thanks for the suggestion.

I have just one more follow-up query. Can I assign an IP from our public IP range to a loopback interface to set up the VPN tunnel, or do I have to have it on a physical interface?

Also, can I assign that IP to unit 1 on another physical interface and then put that into the same security zone as the external interface?

Regards

Samir


Re: SRX Site to Site VPN Query

05-03-2014 05:30 AM

You can assign an IP to a loopback and configure a VPN.

However, I did not understand the other question.

Do you want to assign an IP from the same subnet to another physical IP?

Regards,
Sarab