vSRX

vsrx Junos 15.1X49-D130.6 - Unable to use traffic selectors.

06-12-2018 01:15 PM

Hi there,


I have setup a dynamic VPN and everything works fine when I use proxy-id. When I try to use a traffic-selector, everything looks fine until I go to commit the config, then I get:

p2mp bind interface is not supported with traffic-selector


Looking at other configs the following should work:


davew@vsrxtest-1# show security ike
traceoptions {
    file ikedebug;
    flag all;
}
proposal g14-aes256-sha256 {
    authentication-method rsa-signatures;
    dh-group group14;
    authentication-algorithm sha-256;
    encryption-algorithm aes-256-cbc;
    lifetime-seconds 28800;
}
policy ike_pol_vpn {
    mode aggressive;
    proposals g14-aes256-sha256;
    certificate {
        local-certificate juno;
        peer-certificate-type x509-signature;
    }
}
gateway gw_vpn {
    ike-policy ike_pol_vpn;
    dynamic {
        hostname .example.net;
        ike-user-type group-ike-id;
    }
    local-identity hostname vpn.example.net;
    external-interface ge-0/0/1.0;
    aaa {
        access-profile docker-aaa;
    }
    version v2-only;
}

davew@vsrxtest-1# show security ipsec
traceoptions {
    flag all;
}
proposal ipsec-phase2-proposal {
    protocol esp;
    authentication-algorithm hmac-sha-256-128;
    encryption-algorithm aes-256-cbc;
    lifetime-seconds 28800;
}
proposal 3des-md5 {
    authentication-algorithm hmac-md5-96;
    encryption-algorithm 3des-cbc;
}
policy ipsec_pol_vpn {
    proposals [ 3des-md5 ipsec-phase2-proposal ];
}
vpn test_vpn {
    bind-interface st0.1;
    ike {
        gateway gw_vpn;
        ipsec-policy ipsec_pol_vpn;
    }
    traffic-selector vpn_ts {
        local-ip 192.168.1.0/24;
        remote-ip 0.0.0.0/0;
    }
    establish-tunnels on-traffic;
}

Is there any way to fix this?


Re: vsrx Junos 15.1X49-D130.6 - Unable to use traffic selectors.

06-12-2018 03:32 PM

Hi,


Dynamic VPN is based on policy-based VPN which doesn't utilize st0.x interfaces and traffic-selectors. These are used with route-based site2site VPNs. Therefore you are getting commit errors.


What I think you are trying to accomplish is defining which internal subnet(s) are being routed via the VPN. That is handled under the dynamic-vpn part of the configuration. Example from https://www.juniper.net/documentation/en_US/junos/topics/example/vpn-security-dynamic-example-config... below where only 10/8 is routed via the VPN.


set security dynamic-vpn access-profile dyn-vpn-access-profile
set security dynamic-vpn clients all remote-protected-resources 10.0.0.0/8
set security dynamic-vpn clients all remote-exceptions 0.0.0.0/0
set security dynamic-vpn clients all ipsec-vpn dyn-vpn
set security dynamic-vpn clients all user client1
set security dynamic-vpn clients all user client2

To get this working you should remove the bind-interface + traffic-selectors from the ipsec vpn stanza and try to replicate configuration from the provided example.


--
Best regards,

Jonas Hauge Klingenberg
Systems Engineer, SEC DATACOM A/S (Denmark)
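A pre-commit sanity check for the combination this thread diagnoses, added here as an example and not code from the post or from Juniper: it walks a `show security | display set` dump and reports any ipsec vpn whose traffic-selector hangs off an IKE gateway that has a `dynamic` stanza. The gw_site/site_vpn entries and the address 203.0.113.10 are constructed to show a route-based vpn that must pass.

```python
from typing import List, Tuple

# Constructed sample in "show security | display set" form: the dynamic
# gateway and traffic-selector vpn from the post, plus an ordinary
# site-to-site vpn (gw_site, site_vpn and 203.0.113.10 are assumptions)
# that the check must leave alone.
SAMPLE_SET_LINES = """
set security ike gateway gw_vpn dynamic hostname .example.net
set security ike gateway gw_vpn dynamic ike-user-type group-ike-id
set security ike gateway gw_vpn external-interface ge-0/0/1.0
set security ike gateway gw_site address 203.0.113.10
set security ipsec vpn test_vpn bind-interface st0.1
set security ipsec vpn test_vpn ike gateway gw_vpn
set security ipsec vpn test_vpn traffic-selector vpn_ts local-ip 192.168.1.0/24
set security ipsec vpn test_vpn traffic-selector vpn_ts remote-ip 0.0.0.0/0
set security ipsec vpn site_vpn bind-interface st0.2
set security ipsec vpn site_vpn ike gateway gw_site
set security ipsec vpn site_vpn traffic-selector ts1 local-ip 192.168.1.0/24
set security ipsec vpn site_vpn traffic-selector ts1 remote-ip 10.0.0.0/8
""".strip().splitlines()


def find_dynamic_gateway_selectors(set_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (vpn, gateway, reason) for each ipsec vpn that puts a
    traffic-selector on a gateway that has a 'dynamic' stanza."""
    dynamic_gateways = set()      # ike gateways configured as dynamic (p2mp)
    vpn_gateway = {}              # ipsec vpn name -> ike gateway name
    vpn_with_selector = set()     # ipsec vpns that define a traffic-selector
    for line in set_lines:
        w = line.split()
        if w[:4] == ["set", "security", "ike", "gateway"] and len(w) > 5 and w[5] == "dynamic":
            dynamic_gateways.add(w[4])
        elif w[:4] == ["set", "security", "ipsec", "vpn"] and len(w) > 5:
            if w[5:7] == ["ike", "gateway"] and len(w) > 7:
                vpn_gateway[w[4]] = w[7]
            elif w[5] == "traffic-selector":
                vpn_with_selector.add(w[4])
    findings = []
    for name in sorted(vpn_with_selector):
        gw = vpn_gateway.get(name)
        if gw in dynamic_gateways:
            findings.append((name, gw, "traffic-selector on a dynamic (p2mp) gateway is "
                             "rejected at commit; use proxy-id or dynamic-vpn "
                             "remote-protected-resources instead"))
    return findings
```

Run it over a dump taken before `commit check` to catch the stanza the commit would reject; on the sample it flags only test_vpn via gw_vpn.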