Solved

Juniper SRX Site to Site VPN not working

Posted on 2014-11-11
Last Modified: 2014-11-12
Hi Experts

I have never configured a Site to Site VPN on a Juniper SRX240H2, and I have a customer who wants me to set up a Site to Site VPN. Since I'm not familiar with the CLI for this Juniper SRX, I followed this link http://www.petenetlive.com/KB/Article/0000710.htm (only the Juniper part, as both firewalls are the same Juniper SRX).
I did not do "Step 3 - Additional Steps required (for Cisco ASA)" as I assume it is only required if one site is an ASA.

After that was done, when I check Interfaces - Ports - S0.1, I can see it is showing UP.
And in the Monitor tab - IPsec VPN - Phase 1, it is also showing as UP.

But I cannot ping from one site to the other site's internal IP.
I can see that policies to allow from the local subnet to the remote subnet, and from the remote subnet to the local subnet, are automatically added.

Software versions are as follows:
1. JUNOS Software Release [12.1X44-D15.5]
2. JUNOS Software Release [12.1X44-D10.4]
Any suggestion why they cannot connect to each other? What else can I check to troubleshoot?

Thanks
Question by:bominthu
14 Comments
LVL 12

Accepted Solution

by:
Faruk Onder Yerli earned 500 total points
ID: 40435065
You can find below a policy-based and a route-based IPsec example.

http://kb.juniper.net/InfoCenter/index?page=content&id=TN108

The link below can guide you on troubleshooting the SRX.

http://kb.juniper.net/InfoCenter/index?page=content&id=KB10093
LVL 4

Author Comment

by:bominthu
ID: 40435077
I already found that on Google but it is CLI.
Do you have any reference/guide to configure this in the GUI for two SRX?

For the second link, when I type
show security ipsec security-associations
show: Command not found.
LVL 12

Expert Comment

by:Faruk Onder Yerli
ID: 40435106
The SRX GUI is not good enough for complicated configuration. The CLI is easier than the web UI. While analyzing the configuration you can use the | display set statement too; the configuration will be more readable for beginners.

#show | display set
#show security | display set
#show interface | display set

etc.

You have to use these commands outside configuration mode. If you need to use them in configuration mode, you need to use the run statement.

>show security ipsec security-associations
or
#run show security ipsec security-associations
LVL 4

Author Comment

by:bominthu
ID: 40435139
Something is wrong.

If I type as you mentioned, below is the result.

% show | display set
show: Command not found.
display: Command not found.
LVL 12

Assisted Solution

by:Faruk Onder Yerli
Faruk Onder Yerli earned 500 total points
ID: 40435148
If you have the % prompt, this means that you are on the console shell and didn't start the CLI yet. Please enter

% cli
then the > prompt will come.
LVL 12

Assisted Solution

by:Faruk Onder Yerli
Faruk Onder Yerli earned 500 total points
ID: 40435155
> configure
will bring the # prompt.
LVL 4

Author Comment

by:bominthu
ID: 40435167
OK, thanks. You are right. Sorry, I'm new to the Juniper CLI.

Now it shows like this.

Juniper# show security ipsec security-associations
                                       ^
syntax error.


If I type ? the following appears.
So which one is to see the tunnel status?

[edit]
root@JSML_Juniper# show security ipsec ?
Possible completions:
  <[Enter]>            Execute this command
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> policy               Define an IPSec policy
> proposal             Define an IPSec proposal
> traceoptions         Trace options for IPSec data-plane debug
> vpn                  Define an IPSec VPN
> vpn-monitor-options  Global options for VPN liveliness monitoring
  |                    Pipe through a command
[edit]
root@JSML_Juniper# show security ipsec
LVL 12

Expert Comment

by:Faruk Onder Yerli
ID: 40435214
Please use run at the # prompt.
LVL 4

Author Comment

by:bominthu
ID: 40435239
Thanks Faruk.

Now it shows:

root@JSML_Juniper# run show security ipsec security-associations
  Total active tunnels: 2
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
 <131076 ESP:3des/sha1 1eb70b56 2849/ unlim   U   root 500   1.1.1.1
  >131076 ESP:3des/sha1 88257420 2849/ unlim   U   root 500   1.1.1.1

  <131075 ESP:3des/sha1 5cd06e01 3581/  1022   U   root 500   2.2.2.2
  >131075 ESP:3des/sha1 a52709fb 3581/  1022   U   root 500   2.2.2.2

From the above, the one I highlighted is the one I set up. Assume 1.1.1.1 is the remote public IP.
The second one was set up by someone else from the beginning. Not sure who. Please ignore the 2.2.2.2 tunnel.

Does the above mean the tunnel is UP?
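The SA listing in the post above is the natural place to check for a half-open tunnel (only one direction present), for a vpn-monitor "down" flag, and for tunnels nobody claims, such as the 2.2.2.2 one. The following is an added example (not from this thread or from Juniper) that parses that output format and audits it against an inventory of expected gateways; the column layout in the regex is assumed from the lines quoted above, and the sample text is a constructed copy of them.

```python
"""Audit `show security ipsec security-associations` output from a Junos SRX."""
import re
from collections import defaultdict

# Constructed sample, modelled on the output quoted in the thread above.
SA_OUTPUT = """\
  Total active tunnels: 2
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
 <131076 ESP:3des/sha1 1eb70b56 2849/ unlim   U   root 500   1.1.1.1
  >131076 ESP:3des/sha1 88257420 2849/ unlim   U   root 500   1.1.1.1

  <131075 ESP:3des/sha1 5cd06e01 3581/  1022   U   root 500   2.2.2.2
  >131075 ESP:3des/sha1 a52709fb 3581/  1022   U   root 500   2.2.2.2
"""

# One SA line: direction marker, tunnel ID, algorithm, SPI, lifetime, Mon, lsys, port, gateway.
SA_LINE = re.compile(
    r"^\s*(?P<dir>[<>])(?P<id>\d+)\s+(?P<alg>\S+)\s+(?P<spi>[0-9a-f]+)\s+"
    r"(?P<life_sec>\d+)/\s*(?P<life_kb>\S+)\s+(?P<mon>\S+)\s+(?P<lsys>\S+)\s+"
    r"(?P<port>\d+)\s+(?P<gw>\S+)\s*$"
)


def parse_sas(text):
    """Group SA lines by tunnel ID: gateway, which directions exist, algorithms, Mon flag."""
    tunnels = defaultdict(lambda: {"gateway": None, "dirs": set(), "algs": set(), "mon": None})
    for line in text.splitlines():
        m = SA_LINE.match(line)
        if not m:
            continue  # header, totals and blank lines carry no SA
        t = tunnels[int(m["id"])]
        t["gateway"] = m["gw"]
        t["dirs"].add("in" if m["dir"] == "<" else "out")
        t["algs"].add(m["alg"])
        t["mon"] = m["mon"]
    return dict(tunnels)


def audit(tunnels, expected_gateways):
    """Return findings: half-open SAs, monitor down, unknown peers, legacy 3DES."""
    findings = []
    for tid, t in sorted(tunnels.items()):
        if t["dirs"] != {"in", "out"}:
            findings.append(f"tunnel {tid}: only {sorted(t['dirs'])} SA present")
        if t["mon"] == "D":  # vpn-monitor reports the peer unreachable
            findings.append(f"tunnel {tid}: vpn-monitor reports down")
        if t["gateway"] not in expected_gateways:
            findings.append(f"tunnel {tid}: gateway {t['gateway']} not in inventory")
        if any("3des" in a.lower() for a in t["algs"]):
            findings.append(f"tunnel {tid}: legacy 3DES in use ({', '.join(sorted(t['algs']))})")
    return findings
```

Running `audit(parse_sas(SA_OUTPUT), {"1.1.1.1"})` flags the unclaimed 2.2.2.2 peer and the 3DES proposal on both tunnels; feeding it the real command output lets you spot a tunnel that is only half negotiated before chasing zone and policy problems.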
LVL 4

Author Comment

by:bominthu
ID: 40435268
Show routing-options also includes the remote network subnet:

route 192.168.2.0/24 next-hop st0.3;

st0.3 is the tunnel interface I created.
LVL 12

Assisted Solution

by:Faruk Onder Yerli
Faruk Onder Yerli earned 500 total points
ID: 40435351
It looks like phase 2 is working. You need to check the zone and policy configuration.

Also please read the link below. It will help you understand the types of IPsec.
http://kb.juniper.net/InfoCenter/index?page=content&id=kb10105
LVL 4

Author Comment

by:bominthu
ID: 40435521
I checked; both Phase 1 and Phase 2 are UP.
But I still cannot ping the remote local network.

By the way, FYI, I'm test pinging from the firewall console.
Does normal behavior allow pinging remote network hosts from the firewall SSH console?
LVL 12

Expert Comment

by:Faruk Onder Yerli
ID: 40435886
You can try to ping the remote st interface. But anyway you need to check the security policies.
LVL 4

Author Comment

by:bominthu
ID: 40436807
Which one are you referring to as "remote st"?

Anyway, I have found how to ping. I needed to ping with "run ping host interface g-x.x.x".

Once I set the local interface g-x.x.x, I can in fact ping the remote host's internal network IP.
If I "run ping x.x.x.x" it doesn't ping. Not sure why.

That means the VPN was already UP and running from the beginning.

Thanks for your guidance in troubleshooting in the CLI.