vsrx Junos 15.1X49-D130.6 - Unable to use traffic selectors.

06-12-2018 01:15 PM

Hi there,

I have set up a dynamic VPN and everything works fine when I use proxy-id. When I try to use a traffic-selector, everything looks fine until I go to commit the config, then I get

p2mp bind interface is not supported with traffic-selector

Looking at other configs the following should work:

davew@vsrxtest-1# show security ike
traceoptions {
    file ikedebug;
    flag all;
}
proposal g14-aes256-sha256 {
    authentication-method rsa-signatures;
    dh-group group14;
    authentication-algorithm sha-256;
    encryption-algorithm aes-256-cbc;
    lifetime-seconds 28800;
}
policy ike_pol_vpn {
    mode aggressive;
    proposals g14-aes256-sha256;
    certificate {
        local-certificate juno;
        peer-certificate-type x509-signature;
    }
}
gateway gw_vpn {
    ike-policy ike_pol_vpn;
    dynamic {
        hostname .example.net;
        ike-user-type group-ike-id;
    }
    local-identity hostname vpn.example.net;
    external-interface ge-0/0/1.0;
    aaa {
        access-profile docker-aaa;
    }
    version v2-only;
}

davew@vsrxtest-1# show security ipsec
traceoptions {
    flag all;
}
proposal ipsec-phase2-proposal {
    protocol esp;
    authentication-algorithm hmac-sha-256-128;
    encryption-algorithm aes-256-cbc;
    lifetime-seconds 28800;
}
proposal 3des-md5 {
    authentication-algorithm hmac-md5-96;
    encryption-algorithm 3des-cbc;
}
policy ipsec_pol_vpn {
    proposals [ 3des-md5 ipsec-phase2-proposal ];
}
vpn test_vpn {
    bind-interface st0.1;
    ike {
        gateway gw_vpn;
        ipsec-policy ipsec_pol_vpn;
    }
    traffic-selector vpn_ts {
    }
    establish-tunnels on-traffic;
}

Is there any way to fix this?

Re: vsrx Junos 15.1X49-D130.6 - Unable to use traffic selectors.

06-12-2018 03:32 PM

Dynamic VPN is based on policy-based VPN, which doesn't utilize st0.x interfaces and traffic-selectors. These are used with route-based site-to-site VPNs. Therefore you are getting commit errors.


What I think you are trying to accomplish is defining which internal subnet(s) are being routed via the VPN. That is handled under the dynamic-vpn part of the configuration. Example from https://www.juniper.net/documentation/en_US/junos/topics/example/vpn-security-dynamic-example-config... below where only 10/8 is routed via the VPN.
set security dynamic-vpn access-profile dyn-vpn-access-profile
set security dynamic-vpn clients all remote-protected-resources
set security dynamic-vpn clients all remote-exceptions
set security dynamic-vpn clients all ipsec-vpn dyn-vpn
set security dynamic-vpn clients all user client1
set security dynamic-vpn clients all user client2

To get this working you should remove the bind-interface + traffic-selectors from the ipsec vpn stanza and try to replicate configuration from the provided example.

Best regards,

Jonas Hauge Klingenberg
Juniper Ambassador & Technology Architect, SEC DATACOM A/S (Denmark)
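As an added example (not code from this thread, from Junos, or from Juniper), the following Python lint catches the mismatch described in the answer before it reaches a commit: a VPN that points at a dynamic (remote-access) gateway but also carries route-based attributes (bind-interface, traffic-selector). It works on a "set"-style rendering of the configuration; the sample lines are constructed from the questioner's stanzas and invent no addresses. The heuristic for "dynamic VPN gateway" (a gateway with a dynamic stanza plus an aaa access-profile, the shape of gw_vpn above) is this example's own assumption, not a Junos rule.

```python
from collections import defaultdict

# Constructed sample: the questioner's gateway and VPN stanzas rendered as
# "set" commands (names as posted; the traffic-selector addresses were not in
# the post, so none are assumed here).
SAMPLE_CONFIG = """
set security ike gateway gw_vpn ike-policy ike_pol_vpn
set security ike gateway gw_vpn dynamic hostname .example.net
set security ike gateway gw_vpn dynamic ike-user-type group-ike-id
set security ike gateway gw_vpn local-identity hostname vpn.example.net
set security ike gateway gw_vpn external-interface ge-0/0/1.0
set security ike gateway gw_vpn aaa access-profile docker-aaa
set security ike gateway gw_vpn version v2-only
set security ipsec vpn test_vpn bind-interface st0.1
set security ipsec vpn test_vpn ike gateway gw_vpn
set security ipsec vpn test_vpn ike ipsec-policy ipsec_pol_vpn
set security ipsec vpn test_vpn traffic-selector vpn_ts
set security ipsec vpn test_vpn establish-tunnels on-traffic
"""


def parse_set_config(text):
    """Collect IKE gateway attributes and IPsec VPN attributes from set-style lines.

    gateways: name -> set of attribute paths (everything after the gateway name)
    vpns:     name -> {"gateway", "bind_interface", "traffic_selectors"}
    Lines outside these two hierarchies, or too short to carry an attribute,
    are ignored rather than treated as errors.
    """
    gateways = defaultdict(set)
    vpns = defaultdict(lambda: {"gateway": None, "bind_interface": None, "traffic_selectors": set()})
    for raw in text.splitlines():
        tokens = raw.split()
        if len(tokens) < 6 or tokens[:2] != ["set", "security"]:
            continue
        name, rest = tokens[4], tokens[5:]
        if tokens[2:4] == ["ike", "gateway"]:
            gateways[name].add(" ".join(rest))
        elif tokens[2:4] == ["ipsec", "vpn"]:
            vpn = vpns[name]
            if rest[0] == "bind-interface" and len(rest) > 1:
                vpn["bind_interface"] = rest[1]
            elif rest[0] == "traffic-selector" and len(rest) > 1:
                vpn["traffic_selectors"].add(rest[1])
            elif rest[:2] == ["ike", "gateway"] and len(rest) > 2:
                vpn["gateway"] = rest[2]
    return gateways, vpns


def is_remote_access_gateway(gateways, name):
    """Heuristic used by this example (an assumption, not a Junos rule): a
    gateway with a 'dynamic' stanza and an 'aaa access-profile' is treated as a
    dynamic (remote-access) VPN gateway, which is the shape of gw_vpn in the post."""
    attrs = gateways.get(name, set())
    has_dynamic = any(a.startswith("dynamic ") for a in attrs)
    has_aaa = any(a.startswith("aaa access-profile") for a in attrs)
    return has_dynamic and has_aaa


def lint(text):
    """Return one finding per route-based attribute attached to a dynamic VPN."""
    gateways, vpns = parse_set_config(text)
    findings = []
    for name, vpn in vpns.items():
        gw = vpn["gateway"]
        if not gw or not is_remote_access_gateway(gateways, gw):
            continue
        if vpn["traffic_selectors"]:
            findings.append(
                f"vpn {name}: traffic-selector {sorted(vpn['traffic_selectors'])} "
                f"is not supported with dynamic gateway {gw}; "
                f"scope client routes under 'security dynamic-vpn clients' instead"
            )
        if vpn["bind_interface"]:
            findings.append(
                f"vpn {name}: bind-interface {vpn['bind_interface']} has no effect "
                f"for policy-based dynamic VPN via gateway {gw}; remove it"
            )
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the sample it reports two findings, one for the traffic-selector and one for the bind-interface; with those two lines removed, as the answer suggests, it reports none. Feeding it the output of "show configuration | display set" from a lab box is the intended use.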