bominthu
asked on
Juniper SRX Site to Site VPN not working
Hi Experts
I have never configured Site to Site VPN for a Juniper srx240h2 and I have a customer that wants me to set up Site to Site VPN. Since I'm not familiar with the CLI for this Juniper SRX, I followed this link http://www.petenetlive.com/KB/Article/0000710.htm (only for Juniper, as both firewalls are the same Juniper SRX).
I did not set "Step 3 - Additional Steps required (for Cisco ASA)" as I assume it is only required if one site is an ASA.
After I was done, when I check Interface - port - S0.1, I can see it is showing UP.
And in the Monitor tab - IPsecVPN - Phase 1, it is also showing as UP.
But I cannot ping from one site to the other site's internal IP.
I can see the policy to allow from local subnet to remote subnet, and remote subnet to local subnet is automatically added.
Software versions are as follows:
1. JUNOS Software Release [12.1X44-D15.5]
2. JUNOS Software Release [12.1X44-D10.4]
Any suggestion why they cannot connect to each other? What else can I check to troubleshoot?
Thanks
ASKER CERTIFIED SOLUTION
The SRX GUI is not good enough to use for complicated configuration. The CLI is easier than the web interface. While analyzing the configuration you can use the | display set statement too; the configuration will be more readable for beginners.
#show | display set
#show security | display set
#show interface | display set
etc.
You have to use this command outside configuration mode. If you need to use it in configuration mode, you need to use the run statement.
>show security ipsec security-associations
or
#run show security ipsec security-associations
ASKER
Something is wrong.
If I type as you mentioned, below is the result.
% show | display set
show: Command not found.
display: Command not found.
ASKER
Ok, thanks. You are right. Sorry, I'm new to the Juniper CLI.
Now it shows like this.
Juniper# show security ipsec security-associations
^
syntax error.
If I type ?
So which one is to see the tunnel status?
[edit]
root@JSML_Juniper# show security ipsec ?
Possible completions:
<[Enter]> Execute this command
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
> policy Define an IPSec policy
> proposal Define an IPSec proposal
> traceoptions Trace options for IPSec data-plane debug
> vpn Define an IPSec VPN
> vpn-monitor-options Global options for VPN liveliness monitoring
| Pipe through a command
[edit]
root@JSML_Juniper# show security ipsec
Please use run at the # prompt.
ASKER
Thanks Frunk.
Now it shows:
root@JSML_Juniper# run show security ipsec security-associations
Total active tunnels: 2
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<131076 ESP:3des/sha1 1eb70b56 2849/ unlim U root 500 1.1.1.1
>131076 ESP:3des/sha1 88257420 2849/ unlim U root 500 1.1.1.1
<131075 ESP:3des/sha1 5cd06e01 3581/ 1022 U root 500 2.2.2.2
>131075 ESP:3des/sha1 a52709fb 3581/ 1022 U root 500 2.2.2.2
From above, the one I highlighted is the one I set up. Assume 1.1.1.1 is the remote public IP.
The second one is something someone else set up from the beginning. Not sure who. Please ignore the 2.2.2.2 tunnel.
The above means the tunnel is UP, right?
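To answer the "is the tunnel UP?" question from the SA table systematically, here is an added Python 3 example (not from the thread or from Juniper) that parses output in the shape of the run show security ipsec security-associations listing quoted above. A Phase 2 tunnel is only usable when both the inbound (<) and outbound (>) SA are present, and the example also flags the 3des/sha1 algorithm as weak, which a defender would want to replace; the sample text is constructed from the values posted above.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the same shape as the SRX output quoted in the thread.
SAMPLE_OUTPUT = """\
Total active tunnels: 2
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131076 ESP:3des/sha1 1eb70b56 2849/ unlim  U   root 500   1.1.1.1
  >131076 ESP:3des/sha1 88257420 2849/ unlim  U   root 500   1.1.1.1
  <131075 ESP:3des/sha1 5cd06e01 3581/ 1022   U   root 500   2.2.2.2
  >131075 ESP:3des/sha1 a52709fb 3581/ 1022   U   root 500   2.2.2.2
"""

# One line per SA direction; Junos prints "/ unlim" with a space after the slash.
SA_LINE = re.compile(
    r"^\s*(?P<dir>[<>])(?P<id>\d+)\s+(?P<alg>\S+)\s+(?P<spi>[0-9a-f]+)\s+"
    r"(?P<sec>\d+)/\s*(?P<kb>unlim|\d+)\s+(?P<mon>\S+)\s+(?P<lsys>\S+)\s+"
    r"(?P<port>\d+)\s+(?P<gw>\S+)\s*$"
)

# Algorithms a defender should flag for replacement (3DES, DES, MD5).
WEAK_ALGS = ("3des", "des", "md5")

@dataclass
class Tunnel:
    gateway: str
    algorithm: str
    directions: set = field(default_factory=set)
    min_life_sec: int = 10**9

def parse_sas(text):
    """Group SA lines by tunnel ID, recording directions seen and the lowest lifetime."""
    tunnels = {}
    for line in text.splitlines():
        m = SA_LINE.match(line)
        if not m:
            continue
        t = tunnels.setdefault(m["id"], Tunnel(m["gw"], m["alg"]))
        t.directions.add(m["dir"])
        t.min_life_sec = min(t.min_life_sec, int(m["sec"]))
    return tunnels

def tunnel_report(text):
    """Per tunnel: gateway, whether both SA directions exist, weak-crypto flag, lifetime."""
    return {
        sa_id: {
            "gateway": t.gateway,
            "up": t.directions == {"<", ">"},
            "weak_crypto": any(w in t.algorithm.lower() for w in WEAK_ALGS),
            "min_life_sec": t.min_life_sec,
        }
        for sa_id, t in parse_sas(text).items()
    }
```

An "up" tunnel in this report only says Phase 2 negotiated; whether traffic flows still depends on the st0 route and the zone security policies discussed later in the thread.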
ASKER
Show routing-options also includes the remote network subnet:
route 192.168.2.0/24 next-hop st0.3;
st0.3 is the tunnel interface I created.
ASKER
I checked; both Phase 1 and Phase 2 are UP.
But I still cannot ping the remote local network.
By the way, FYI, I'm test pinging from the firewall console.
Does normal behavior allow pinging remote network hosts from the firewall SSH console?
You can try to ping the remote st interface. But anyway you need to check the security policies.
ASKER
Which one are you referring to as "remote st"?
Anyway, I have found how to ping. I needed to ping with "run ping host interface g-x.x.x".
Once I set the local interface g-x.x.x, I can in fact ping the remote host's internal network IP.
If I "run ping x.x.x.x" it doesn't ping. Not sure why.
That means the VPN was already UP and running from the beginning.
Thanks for your guidance in troubleshooting in the CLI.
ASKER
Do you have any reference/guide to configure this in the GUI for two SRXs?
For the second link, when I type
show security ipsec security-associations
show: Command not found.