SRX

  • 1.  SRX Site to Site VPN Query

    Posted 04-17-2014 01:07

    Hi,

    Apologies if this has been asked and answered earlier.

    I am configuring a site-to-site route-based VPN on an SRX240H2 with Junos 12.1X44-D20.3.

    We have a public IP /24 range available for our network and another public IP assigned by the ISP for routing the internet traffic.

    So the configuration is

    ge-0/0/2.0 - A.B.C.D - public IP provided by ISP

    ge-0/0/4.0 - E.F.G.1 - public IP from the /24 range we own

    E.F.G.1 is the default gateway for all machines in that range.

    A.B.C.D is the default next-hop route from this SRX.

    When setting up the VPN tunnel, I am binding it to ge-0/0/4.0. Though the tunnel does get set up, no traffic flows through. I can see the encrypted packet count increasing on my side, but the counters on the other side remain 0.

    When we changed the tunnel binding to ge-0/0/2.0, traffic started flowing through the tunnel.

    My question is: is what I was trying in the first place (using E.F.G.1 as the tunnel endpoint) a valid scenario? And how do I debug where the packets are going when the encrypted count is increasing? I tried turning traceoptions on for ipsec but am not sure which file contains the log. The kmd file is blank.

    I would like to avoid using A.B.C.D as the tunnel endpoint due to the dependency on the ISP.

    Let me know if I can provide any further information to help address this query.

    Regards

    Samir




  • 2.  RE: SRX Site to Site VPN Query
    Best Answer

     
    Posted 04-18-2014 19:27

    Hi,

    The issue you must be facing is due to the interface specified for the VPN and the outgoing interface belonging to separate zones.

    Please review the following KB, which describes a topology similar to the one you are working on:

    http://kb.juniper.net/KB22129

    Regards

    Sarab

    ------------------------------------------------------------------------------------

    [If it helped please mark it as "Accepted Solution". Kudos will be appreciated too.]



  • 3.  RE: SRX Site to Site VPN Query

    Posted 04-23-2014 15:59

    Hi Sarab,

    Many thanks for the suggestion.

    I have just one more follow-up query. From the can I assign an IP, from our public IP range, to a loopback interface to set up the VPN tunnel, or do I have to have it on a physical interface?

    Also, can I assign that IP to unit 1 on another physical interface and then put that into the same security zone as the external interface?

    Regards

    Samir



  • 4.  RE: SRX Site to Site VPN Query

    Posted 05-03-2014 05:30
    You can assign an IP to loopback and configure a VPN.

    However, I did not understand the other question.

    Do you want to assign an IP from the same subnet to another physical IP?

    Regards,
    Sarab
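    The two points raised in this thread (the IKE external-interface and the egress interface must share a security zone, and a loopback address from the owned range can serve as the tunnel endpoint) put together as one worked Junos configuration with the checks the original poster asked about. This is an added example, not configuration from the thread or from KB22129. It keeps the interface names and the A.B.C.D / E.F.G.x placeholders from the first post; the lo0.0 address (E.F.G.254, assumed unused elsewhere), the peer address W.X.Y.Z, the remote subnet 10.2.0.0/24, and the gateway, policy, proposal and zone names are all assumptions, and the crypto parameters are illustrative choices, not values from the page.

```junos
## Added example (not from the thread or KB22129). Placeholders:
##   A.B.C.D     ISP-assigned address on ge-0/0/2.0 (from the post)
##   E.F.G.0/24  range the organisation owns, E.F.G.1 on ge-0/0/4.0 (from the post)
##   E.F.G.254   assumed free address from that range, used on lo0.0
##   W.X.Y.Z     assumed remote VPN peer, 10.2.0.0/24 assumed remote subnet

## Tunnel endpoint on the owned range (loopback), independent of the ISP address.
set interfaces lo0 unit 0 family inet address E.F.G.254/32
set interfaces st0 unit 0 family inet

## Cause of the original symptom: the IKE external-interface (here lo0.0) and the
## interface that actually forwards IKE/ESP to the Internet (ge-0/0/2.0) must be
## in the SAME security zone. Binding to ge-0/0/4.0 in the trust zone while the
## packets left via ge-0/0/2.0 in untrust is what broke the tunnel.
set security zones security-zone untrust interfaces ge-0/0/2.0
set security zones security-zone untrust interfaces lo0.0 host-inbound-traffic system-services ike
set security zones security-zone trust interfaces ge-0/0/4.0
set security zones security-zone vpn interfaces st0.0

## Phase 1 (names and algorithms are illustrative choices).
set security ike proposal ike-prop-b authentication-method pre-shared-keys
set security ike proposal ike-prop-b dh-group group14
set security ike proposal ike-prop-b authentication-algorithm sha-256
set security ike proposal ike-prop-b encryption-algorithm aes-256-cbc
set security ike policy ike-pol-b mode main
set security ike policy ike-pol-b proposals ike-prop-b
set security ike policy ike-pol-b pre-shared-key ascii-text "REPLACE-WITH-STRONG-PSK"
set security ike gateway gw-site-b ike-policy ike-pol-b
set security ike gateway gw-site-b address W.X.Y.Z
## The loopback, not a LAN-facing interface, is the IKE source.
set security ike gateway gw-site-b external-interface lo0.0

## Phase 2, bound to st0.0 so the tunnel is route based.
set security ipsec proposal ipsec-prop-b protocol esp
set security ipsec proposal ipsec-prop-b authentication-algorithm hmac-sha-256-128
set security ipsec proposal ipsec-prop-b encryption-algorithm aes-256-cbc
set security ipsec policy ipsec-pol-b perfect-forward-secrecy keys group14
set security ipsec policy ipsec-pol-b proposals ipsec-prop-b
set security ipsec vpn vpn-site-b bind-interface st0.0
set security ipsec vpn vpn-site-b ike gateway gw-site-b
set security ipsec vpn vpn-site-b ike ipsec-policy ipsec-pol-b
set security ipsec vpn vpn-site-b establish-tunnels immediately

## Route the remote subnet into the tunnel and permit it by policy.
set routing-options static route 10.2.0.0/24 next-hop st0.0
set security policies from-zone trust to-zone vpn policy lan-to-site-b match source-address any
set security policies from-zone trust to-zone vpn policy lan-to-site-b match destination-address any
set security policies from-zone trust to-zone vpn policy lan-to-site-b match application any
set security policies from-zone trust to-zone vpn policy lan-to-site-b then permit

## IKE daemon log: with a file named here, "show log ike-trace" is where to look
## (the kmd file in the post stayed empty because no file/flag was configured).
set security ike traceoptions file ike-trace size 1m files 3
set security ike traceoptions flag all

## Flow trace for the "where do the encrypted packets go" question, filtered to
## the peer so the log stays small; read it with "show log flow-trace".
set security flow traceoptions file flow-trace size 1m files 3
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter pf-peer destination-prefix W.X.Y.Z/32

## Operational-mode checks after commit (run from the CLI, not in configure mode):
##   show security zones                        # lo0.0 and ge-0/0/2.0 listed under untrust
##   show route W.X.Y.Z                         # peer reached via ge-0/0/2.0, next hop A.B.C.D
##   show security ike security-associations    # phase 1 UP from E.F.G.254
##   show security ipsec security-associations  # phase 2 SAs present
##   show security ipsec statistics             # encrypted AND decrypted counters moving
##   show security flow session destination-prefix W.X.Y.Z
##   show log ike-trace
##   show log flow-trace
```

    The decisive check for the symptom in the first post is "show security ipsec statistics" read together with "show route W.X.Y.Z": if encrypted packets rise but the route to the peer leaves through an interface in a different zone from the external-interface, the ESP traffic is dropped before it reaches the wire, which matches the remote counters staying at zero. The remote peer must be able to reach E.F.G.254, which holds because the ISP routes the whole owned /24 to this SRX.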