SRX Services Gateway

VPN Traffic selector issue multiple subnets

‎01-15-2018 08:05 AM

Hi,


I had a VPN up between 2 sites all working fine, I now need for another subnet on each of my SRXs to communicate via the VPN. I have added traffic selectors for all options but when I apply, only the original networks communicate.

Site A: 192.168.30.0/24, 192.168.13.0/24
Site B: 192.168.20.0/24, 192.168.12.0/24

As example 192.168.30.10 can communicate with 192.168.20.10 without issue.
But 192.168.30.10 fails to communicate with 192.168.12.10.

Any combination site to site involving 192.168.13.0/24 and 192.168.12.0/24 does not work.


Below is an example of the config from one of the sites; the other side is identical but with the IPs reversed.


vpn site-to-site {
    bind-interface st0.1;
    ike {
        gateway site_to_site;
        ipsec-policy site_to_site;
    }
    traffic-selector t1 {
        local-ip 192.168.30.0/24;
        remote-ip 192.168.20.0/24;
    }
    traffic-selector t2 {
        local-ip 192.168.30.0/24;
        remote-ip 192.168.12.0/24;
    }
    traffic-selector t3 {
        local-ip 192.168.13.0/24;
        remote-ip 192.168.20.0/24;
    }
    traffic-selector t4 {
        local-ip 192.168.13.0/24;
        remote-ip 192.168.12.0/24;
    }
}



Re: VPN Traffic selector issue multiple subnets

‎01-16-2018 03:01 AM

Did you add the static route for 192.168.12.0/24  pointing to the st0.1 interface?


Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: VPN Traffic selector issue multiple subnets

‎01-16-2018 03:36 AM

No, I didn't add any static routes due to "auto route insertion".


Re: VPN Traffic selector issue multiple subnets

‎01-16-2018 08:47 AM

In that case, I would recommend running flow traceoptions on both sides for problematic IP address pairs.


VPNs with traffic selectors do not allow traffic outside the traffic selectors, so if flow is dropping this traffic for any such reason, we should see it in there.

regards,
Avd
JNCIE-SEC #320

Please Mark My Solution Accepted if you think it helped!

Re: VPN Traffic selector issue multiple subnets

‎01-17-2018 03:12 AM

Is this a policy or route based VPN?


These will be the steps to verify the VPN is up and all the policies and routes are in place for the traffic to pass.

Let us know which step fails and what data you get from these collections.


https://kb.juniper.net/InfoCenter/index?page=content&id=KB10093


Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
Solution
Accepted by topic author VOIPBunny
‎01-17-2018 03:13 AM

Re: VPN Traffic selector issue multiple subnets

‎01-17-2018 03:12 AM

Thanks all, but I found the issue now: my VPN policy did not have the correct to-zone and source-address! Corrected and all works as expected.
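As an added example (not the poster's own configuration), this is what a security policy scoped to all four traffic-selector pairs looks like, so that the new 192.168.13.0/24 and 192.168.12.0/24 subnets are matched as source and destination in both directions. It assumes the LAN subnets sit in a zone named trust and that st0.1 is placed in a zone named vpn; the zone names, address names and policy names are assumptions. Listing the exact subnets rather than any keeps the tunnel policy to least privilege.

```junos
/* Example added here; zone, address and policy names are assumed, not from the thread */
security {
    zones {
        security-zone trust {
            address-book {
                address net-30 192.168.30.0/24;
                address net-13 192.168.13.0/24;
            }
        }
        security-zone vpn {
            address-book {
                address net-20 192.168.20.0/24;
                address net-12 192.168.12.0/24;
            }
            /* The to-zone of the outbound policy must be the zone holding st0.1 */
            interfaces {
                st0.1;
            }
        }
    }
    policies {
        from-zone trust to-zone vpn {
            policy to-siteB {
                match {
                    /* Both local subnets, matching traffic selectors t1-t4 */
                    source-address [ net-30 net-13 ];
                    destination-address [ net-20 net-12 ];
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone vpn to-zone trust {
            policy from-siteB {
                match {
                    source-address [ net-20 net-12 ];
                    destination-address [ net-30 net-13 ];
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
```

The mirror configuration on the other site swaps the address-book entries between the two zones, just as the traffic selectors are reversed there.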