I work for University Campus Suffolk and we have got a fairly geographically large campus with route-based IPSec VPNs between end site SSG20s and the head end SSG520. All devices are running ScreenOS 6.2.0r6.0. We are migrating the head end VPN from the current 520M to a pair of SSG550 firewalls as part of a consolidation and I am testing the VPN configuration on a test SSG20.
The VPN is up on both devices but for whatever reason traffic is not routing correctly over the tunnel.
The VPNs are pretty much set up as in the KB with preshared keys, the same P1/P2 proposals, Proxy-ID with local and remote subnets.
The only difference that I can make out is that the LAN side of the SSG550 is not the standard Trust zone (this is applied to a DMZ for some reason - don't ask!). I wouldn't have thought this would make much difference? On the policies that I have set up I can see traffic hitting the policy but I never see it on the remote SSG20 firewall policy.
I haven't dealt with Juniper firewalls before this job so am not exactly a pro, but I have set up some of the current remote sites to the SSG520 so am not a complete beginner.
I have intentionally not included the config, though I would be more than happy to include this if required.
Any help would be appreciated.
Paul Woolnough - CCNP, CCDP
ICT Infrastructure Engineer - Networks
University Campus Suffolk
Tel 01473 338380
Mob 07540 672841