SRX Services Gateway
SRX Services Gateway

SRX300 won't do Site-to-Site Dynamic IPSec VPN (but worked on SRX210)

‎09-22-2016 02:08 AM

I had a working IPSec tunnel where both ends are NATted and one end is a Dynamic IP. This was built with an SRX210 at the static IP end and an SRX100 with a dynamic IP at the other end. Now I have tried to upgrade the SRX210 (12.1X46-D30.2) to an SRX300 (15.1X49-D60.7) and the tunnel no longer comes up.

 

Before I attempt to gather and post config and IKE logs etc, does anyone know if this should work?

 

I realise "Dynamic VPN" has been reinstated on 15.1X49-D60.7 but maybe this is only for those using a client like Pulse Secure rather than an SRX-to-SRX dynamic VPN.

 

[Aside: My old IPSec tunnel only ever worked with IKE v1. Not sure why v2-only wouldn't work. I notice also there's now a "re-auth" function in Junos 15.1X49-D60.7 VPN config. Hopefully this feature isn't mandatory because it only works with IKE v2.]

 

 

 

 

3 REPLIES 3
SRX Services Gateway

Re: SRX300 won't do Site-to-Site Dynamic IPSec VPN (but worked on SRX210)

‎09-22-2016 09:29 AM

There is an issue if you are trying to terminate the VPN on IRB interfaces.  Can you provide the config and ike logs?

SRX Services Gateway

Re: SRX300 won't do Site-to-Site Dynamic IPSec VPN (but worked on SRX210)

‎09-22-2016 08:17 PM

Thanks for offering to help. I'm trying to get the IKE log. I just cleared it to generate some clean log but now nothing is being generated which is odd. Anyway, three configs attached:

 

1. SRX210 working config (static end. The box is in front of me)

2. SRX100 working config (dynamic end. The box is 7000 miles away)

3. SRX300 failed VPN config (meant to replace the SRX210)

 

IKE log to follow when I can get one. Cheers

 

P.S. I'm afraid I am a Junos novice if that's not already obvious Smiley Sad

Attachments

Highlighted
SRX Services Gateway
Solution
Accepted by topic author Kancheong
‎09-22-2016 08:29 PM

Re: SRX300 won't do Site-to-Site Dynamic IPSec VPN (but worked on SRX210)

[ Edited ]
‎09-22-2016 08:29 PM

Fixed!

 

Apologies if I've wasted some time here. I've just found a problem with the SP gateway northbound of the SRX300. A reboot and the VPN tunnel is now up.

 

What's the appropriate action for a JNET thread that resolves itself like this? Do I somehow delete it to avoid irrelevant content?