Screen OS

  • 1.  Tunnel ID question

    Posted 05-26-2009 07:45

    Should the tunnel ID match the tunnel interface?  I am seeing this statement in my logs:

    "IKE x.x.x.x Phase 2 msg ID 6c447826: Completed negotiations with SPI 8a7c6333, tunnel ID 7, and lifetime 3600 seconds/0 KB."

    However, this does not match the defined tunnel interface for this particular VPN configuration.  For the other IPSec VPNs I have defined, the VPN tunnel ID matches the tunnel interface.

  • 2.  RE: Tunnel ID question
    Best Answer

    Posted 05-26-2009 10:10

    Yes, it should match (meaning that the tunnel ID seen in the "get sa" should be the same as what is seen in the conf). BUT you need to check: it's the tunnel ID, not the tunnel interface number.

    See the tunnel ID in the SA:

    Test-> get sa id 0x02 | i tun
    auto key. tunnel if binding node, tunnel mode, policy id in:<-1> out:<-1> vpngrp:<-1>. sa_list_nxt:<-1>.
    tunnel id 2, peer id 0, NSRP Local.     site-to-site. Local interface is ethernetY <X.X.X.X>.

    Corresponding config:

    set vpn "VPN" id 0x2 bind interface tunnel.1

    See the above: the tunnel ID is 2, but the actual tunnel interface is tun.1.

    The tunnel ID is automatically set by the firewall or NSM and does not always match the tunnel interface number.

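    An added example (not from this thread or from Juniper) of the check the answer describes: it resolves the decimal tunnel ID in an IKE Phase 2 log line against the hex `id 0x..` in the `set vpn` config and the `tunnel id` field of `get sa`, and reports whether the ID happens to equal the tunnel interface number as information only, since the answer says that need not match. All device output, names and addresses below are constructed.

```python
import re

# Constructed sample data modelled on the thread; not real device output.
IKE_LOG = ("IKE 198.51.100.7 Phase 2 msg ID 6c447826: Completed negotiations "
           "with SPI 8a7c6333, tunnel ID 7, and lifetime 3600 seconds/0 KB.")
# The config writes the VPN id in hex; the log and 'get sa' print it in decimal.
CONFIG = """
set vpn "VPN-A" id 0x2 bind interface tunnel.1
set vpn "VPN-B" id 0x7 bind interface tunnel.3
"""
GET_SA = """
tunnel id 2, peer id 0, NSRP Local.     site-to-site. Local interface is ethernet0/1 <198.51.100.2>.
tunnel id 7, peer id 0, NSRP Local.     site-to-site. Local interface is ethernet0/1 <198.51.100.2>.
"""

VPN_RE = re.compile(r'set vpn "([^"]+)" id 0x([0-9a-fA-F]+) bind interface (tunnel\.\d+)')
SA_RE = re.compile(r"^\s*tunnel id (\d+),", re.MULTILINE)
LOG_RE = re.compile(r"tunnel ID (\d+)")

def parse_vpn_config(text):
    """Map decimal tunnel ID -> (VPN name, bound tunnel interface)."""
    return {int(m.group(2), 16): (m.group(1), m.group(3)) for m in VPN_RE.finditer(text)}

def parse_get_sa(text):
    """Set of tunnel IDs present in 'get sa' output."""
    return {int(m.group(1)) for m in SA_RE.finditer(text)}

def correlate(log_line, config_text, sa_text):
    """Resolve the tunnel ID in an IKE Phase 2 log line to its VPN and interface.
    Returns None if the line has no tunnel ID. The interface-number comparison
    is informational only: a mismatch is normal, not a fault."""
    m = LOG_RE.search(log_line)
    if not m:
        return None
    tid = int(m.group(1))
    cfg = parse_vpn_config(config_text)
    name, iface = cfg.get(tid, (None, None))
    return {
        "tunnel_id": tid,
        "vpn": name,
        "interface": iface,
        "in_config": tid in cfg,
        "in_sa_table": tid in parse_get_sa(sa_text),
        "id_equals_interface_number": iface is not None and int(iface.split(".")[1]) == tid,
    }
```

    A tunnel ID that is absent from both the config and the SA table is the case worth investigating; an ID that simply differs from the interface number is not.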


  • 3.  RE: Tunnel ID question

    Posted 05-26-2009 10:40

    Thanks

    That answered it.  I guess I was lucky with a couple of VPNs that had matching tunnel IDs and tunnel interface numbers.