Solved

Juniper SRX Site to Site VPN not working

Posted on 2014-11-11
Last Modified: 2014-11-12
Hi Experts

I have never configured a site-to-site VPN on a Juniper srx240h2, and I have a customer who wants me to set up a site-to-site VPN. Since I'm not familiar with the CLI for this Juniper SRX, I followed this link http://www.petenetlive.com/KB/Article/0000710.htm (only the Juniper part, as both firewalls are the same Juniper SRX).
I did not do "Step 3 - Additional Steps required (for Cisco ASA)" as I assume it is only required if one site is an ASA.

After finishing, when I check Interface - port - S0.1, I can see it is showing UP.
And in the Monitor tab - IPsec VPN - Phase 1, it is also showing as UP.

But I cannot ping from one site to the other site's internal IP.
I can see that the policies allowing local subnet to remote subnet and remote subnet to local subnet were added automatically.

Software versions are as follows:
1. JUNOS Software Release [12.1X44-D15.5]
2. JUNOS Software Release [12.1X44-D10.4]
Any suggestion why they cannot connect to each other? What else can I check to troubleshoot?

Thanks
Question by:bominthu
14 Comments
 
LVL 12

Accepted Solution

by:
Faruk Onder Yerli earned 2000 total points
ID: 40435065
You can find below a policy-based and a route-based IPsec example.

http://kb.juniper.net/InfoCenter/index?page=content&id=TN108

The link below can guide you through troubleshooting the SRX.

http://kb.juniper.net/InfoCenter/index?page=content&id=KB10093
 
LVL 4

Author Comment

by:bominthu
ID: 40435077
I already found that on Google, but it is CLI.
Do you have any reference/guide to configure this in the GUI for two SRXs?

For the second link, when I type
show security ipsec security-associations
show: Command not found.
 
LVL 12

Expert Comment

by:Faruk Onder Yerli
ID: 40435106
The SRX GUI is not good enough for complicated configuration. The CLI is easier than the web UI. While analyzing the configuration you can use the | display set statement too; the configuration will be more readable for beginners.

#show | display set
#show security | display set
#show interface | display set

etc.

You have to use this command outside of configuration mode. If you need to use it in configuration mode, you need to use the run statement.

>show security ipsec security-associations
or
#run show security ipsec security-associations
 
LVL 4

Author Comment

by:bominthu
ID: 40435139
Something is wrong.

If I type it as you mentioned, below is the result.

% show | display set
show: Command not found.
display: Command not found.
 
LVL 12

Assisted Solution

by:Faruk Onder Yerli
Faruk Onder Yerli earned 2000 total points
ID: 40435148
If you have the % prompt, this means that you entered the console and didn't start the CLI yet. Please enter

% cli
then the > prompt will come.
 
LVL 12

Assisted Solution

by:Faruk Onder Yerli
Faruk Onder Yerli earned 2000 total points
ID: 40435155
> configure
will bring the # prompt.
 
LVL 4

Author Comment

by:bominthu
ID: 40435167
OK, thanks. You are right. Sorry, I'm new to the Juniper CLI.

Now it shows like this.

Juniper# show security ipsec security-associations
                                       ^
syntax error.


If I type ?
So which one is to see the tunnel status?

[edit]
root@JSML_Juniper# show security ipsec ?
Possible completions:
  <[Enter]>            Execute this command
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> policy               Define an IPSec policy
> proposal             Define an IPSec proposal
> traceoptions         Trace options for IPSec data-plane debug
> vpn                  Define an IPSec VPN
> vpn-monitor-options  Global options for VPN liveliness monitoring
  |                    Pipe through a command
[edit]
root@JSML_Juniper# show security ipsec
 
LVL 12

Expert Comment

by:Faruk Onder Yerli
ID: 40435214
Please use run at the # prompt.
 
LVL 4

Author Comment

by:bominthu
ID: 40435239
Thanks Faruk.

Now it shows:

root@JSML_Juniper# run show security ipsec security-associations
  Total active tunnels: 2
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
 <131076 ESP:3des/sha1 1eb70b56 2849/ unlim   U   root 500   1.1.1.1
  >131076 ESP:3des/sha1 88257420 2849/ unlim   U   root 500   1.1.1.1

  <131075 ESP:3des/sha1 5cd06e01 3581/  1022   U   root 500   2.2.2.2
  >131075 ESP:3des/sha1 a52709fb 3581/  1022   U   root 500   2.2.2.2

From the above, the one I highlighted is the one I set up. Assume 1.1.1.1 is the remote public IP.
The second one was set up by someone else from the beginning. Not sure who. Please ignore the 2.2.2.2 tunnel.

The above means the tunnel is UP, right?
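A small parser for the output shown above, added here as an example and not part of the thread: it reads the table printed by "run show security ipsec security-associations" (the sample is constructed to mirror that layout, with the thread's values) and reports, per peer gateway, whether both the inbound (<) and outbound (>) SAs are present, which is what "phase 2 is up" means, plus advisory notes on remaining lifetime and the negotiated algorithm. The 120-second lifetime threshold is an assumed value, not a Junos default.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of "run show security ipsec security-associations"
# on Junos 12.1X44 (values mirror the thread; the SPIs are not from a real capture).
SAMPLE = """\
  Total active tunnels: 2
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131076 ESP:3des/sha1 1eb70b56 2849/ unlim   U   root 500   1.1.1.1
  >131076 ESP:3des/sha1 88257420 2849/ unlim   U   root 500   1.1.1.1
  <131075 ESP:3des/sha1 5cd06e01 3581/  1022   U   root 500   2.2.2.2
  >131075 ESP:3des/sha1 a52709fb 3581/  1022   U   root 500   2.2.2.2
"""
# Direction marker, SA id, algorithm, SPI, "sec/ kb" lifetime, monitor, lsys, port, gateway.
SA_RE = re.compile(
    r"^\s*(?P<dir>[<>])(?P<id>\d+)\s+(?P<alg>\S+)\s+(?P<spi>[0-9a-fA-F]+)\s+"
    r"(?P<sec>\d+)/\s*(?P<kb>\S+)\s+(?P<mon>\S+)\s+(?P<lsys>\S+)\s+"
    r"(?P<port>\d+)\s+(?P<gw>\S+)\s*$"
)

def parse_sas(text):
    """One dict per SA line; the totals line, header and blank lines are skipped."""
    return [{**m.groupdict(), "sec": int(m["sec"])}
            for m in map(SA_RE.match, text.splitlines()) if m]

def tunnels_by_peer(sas):
    """Group SAs by peer gateway: '<' is the inbound SA, '>' the outbound one."""
    peers = defaultdict(lambda: {"inbound": False, "outbound": False,
                                 "min_life_sec": None, "alg": None})
    for sa in sas:
        t = peers[sa["gw"]]
        t["inbound" if sa["dir"] == "<" else "outbound"] = True
        t["alg"] = sa["alg"]
        if t["min_life_sec"] is None or sa["sec"] < t["min_life_sec"]:
            t["min_life_sec"] = sa["sec"]
    return dict(peers)

def check_peer(peers, gateway, min_life=120):
    """Phase 2 is up for a peer only when both directions exist; notes carry
    advisory findings. min_life is an assumed threshold, not a Junos default."""
    t = peers.get(gateway)
    if t is None:
        return False, ["no IPsec SA for %s: phase 2 not established" % gateway]
    notes = []
    if t["min_life_sec"] < min_life:
        notes.append("SA lifetime %ds is below %ds" % (t["min_life_sec"], min_life))
    if "3des" in t["alg"] or "md5" in t["alg"]:
        notes.append("legacy algorithm %s negotiated" % t["alg"])
    return t["inbound"] and t["outbound"], notes
```

A peer that shows only one direction, or no SA at all, is the case to investigate first; a peer that is up but still cannot pass traffic points at zones, policies or routing rather than at IPsec.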
 
LVL 4

Author Comment

by:bominthu
ID: 40435268
show routing-options also includes the remote network subnet:

route 192.168.2.0/24 next-hop st0.3;

st0.3 is the tunnel interface I created.
 
LVL 12

Assisted Solution

by:Faruk Onder Yerli
Faruk Onder Yerli earned 2000 total points
ID: 40435351
It looks like phase 2 is working. You need to check the zone and policy configuration.

Also please read the link below. It will help you understand the types of IPsec.
http://kb.juniper.net/InfoCenter/index?page=content&id=kb10105
 
LVL 4

Author Comment

by:bominthu
ID: 40435521
I checked; both Phase 1 and Phase 2 are UP.
But I still cannot ping the remote local network.

By the way, FYI, I'm test pinging from the firewall console.
Does normal behavior allow pinging remote network hosts from the firewall SSH console?
 
LVL 12

Expert Comment

by:Faruk Onder Yerli
ID: 40435886
You can try to ping the remote st interface. But anyway you need to check the security policies.
 
LVL 4

Author Comment

by:bominthu
ID: 40436807
Which one are you referring to as "remote st"?

Anyway, I have found how to ping. I needed to ping with "run ping host interface g-x.x.x".

Once I set the local interface g-x.x.x, I can in fact ping the remote host's internal network IP.
If I "run ping x.x.x.x" it doesn't ping. Not sure why.

That means the VPN was already UP and running from the beginning.

Thanks for your guidance in troubleshooting in the CLI.
