Juniper SRX Site to Site VPN not working

1,831 Views
Last Modified: 2014-11-12
Hi Experts

I have never configured a Site to Site VPN on a Juniper srx240h2, and I have a customer that wants me to set up a Site to Site VPN. Since I'm not familiar with the CLI for this Juniper SRX, I followed this link http://www.petenetlive.com/KB/Article/0000710.htm (only the Juniper part, as both firewalls are the same Juniper SRX).
I did not do "Step 3 - Additional Steps required (for Cisco ASA)" as I assume it is only required if one site is an ASA.

After that was done, when I check Interface - port - S0.1 I can see it is showing UP.
And in the Monitor tab - IPsec VPN - Phase 1, it is also showing as UP.

But I cannot ping from one site to the other site's internal IP.
I can see that policies to allow Local subnet to remote subnet and remote subnet to local subnet were automatically added.

Software versions are as follows:
1. JUNOS Software Release [12.1X44-D15.5]
2. JUNOS Software Release [12.1X44-D10.4]
Any suggestion why they cannot reach each other? What else can I check to troubleshoot?

Thanks
CERTIFIED EXPERT
Commented:

Author

Commented:
I already found that on Google but it is CLI.
Do you have any reference/guide for configuring two SRXs in the GUI?

For the second link, when I type
show security ipsec security-associations
show: Command not found.
CERTIFIED EXPERT

Commented:
The SRX GUI is not good enough to use for complicated configuration. The CLI is easier than the web UI. While analyzing the configuration you can use the | display set statement too; the configuration will be more readable for beginners.

#show | display set
#show security | display set
#show interface | display set

etc.

You have to use this command outside configuration mode. If you need to use it in configuration mode you need to use the run statement.

>show security ipsec security-associations
or
#run show security ipsec security-associations

Author

Commented:
Something is wrong.

If I type it as you mentioned, below is the result.

% show | display set
show: Command not found.
display: Command not found.
CERTIFIED EXPERT
Commented:

CERTIFIED EXPERT
Commented:

Author

Commented:
Ok, thanks. You are right. Sorry, I'm new to the Juniper CLI.

Now it shows like this.

Juniper# show security ipsec security-associations
                                       ^
syntax error.


If I type ?, which one is for seeing the tunnel status?

[edit]
root@JSML_Juniper# show security ipsec ?
Possible completions:
  <[Enter]>            Execute this command
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> policy               Define an IPSec policy
> proposal             Define an IPSec proposal
> traceoptions         Trace options for IPSec data-plane debug
> vpn                  Define an IPSec VPN
> vpn-monitor-options  Global options for VPN liveliness monitoring
  |                    Pipe through a command
[edit]
root@JSML_Juniper# show security ipsec
CERTIFIED EXPERT

Commented:
Please use run at the # prompt.

Author

Commented:
Thanks Frunk.

Now it shows:

root@JSML_Juniper# run show security ipsec security-associations
  Total active tunnels: 2
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
 <131076 ESP:3des/sha1 1eb70b56 2849/ unlim   U   root 500   1.1.1.1
  >131076 ESP:3des/sha1 88257420 2849/ unlim   U   root 500   1.1.1.1

  <131075 ESP:3des/sha1 5cd06e01 3581/  1022   U   root 500   2.2.2.2
  >131075 ESP:3des/sha1 a52709fb 3581/  1022   U   root 500   2.2.2.2

From the above, the one I highlighted is the one I set up. Assume 1.1.1.1 is the remote public IP.
The second one was set up by someone else from the beginning. Not sure who. Please ignore the 2.2.2.2 tunnel.

Does the above mean the tunnel is UP?

Author

Commented:
show routing-options also includes the remote network subnet:

route 192.168.2.0/24 next-hop st0.3;

st0.3 is the tunnel interface I created.
CERTIFIED EXPERT
Commented:

Author

Commented:
I checked: both Phase 1 and Phase 2 are UP.
But I still cannot ping the remote local network.

By the way, FYI, I'm test pinging from the firewall console.
Does normal behavior allow pinging remote network hosts from the firewall SSH console?
CERTIFIED EXPERT

Commented:
You can try to ping the remote st interface. But anyway you need to check the security policies.

Author

Commented:
Which one are you referring to as "remote st"?

Anyway, I have found how to ping. I needed to ping with "run ping host interface g-x.x.x".

Once I set the local interface g-x.x.x, I can in fact ping the remote host's internal network IP.
If I "run ping x.x.x.x" it doesn't ping. Not sure why.

That means the VPN was already UP and running from the beginning.

Thanks for your guidance in troubleshooting in the CLI.
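Reading the SA table the way the thread does (is the tunnel really up, what did it negotiate, is the second tunnel someone else's) is something a script can do for every tunnel on a box. The following is an added example, not code from the thread or from Juniper: a Python parser for the output format of "show security ipsec security-associations" as shown above, fed the thread's own table as sample input (1.1.1.1 and 2.2.2.2 are the poster's placeholders). The function names, the weak-algorithm list and the "half-open" rule are this example's own choices.

```python
"""Parse and sanity-check 'show security ipsec security-associations' output.

Added example, not code from the thread or from Juniper. It assumes the
tabular format shown in the thread (SRX, Junos 12.1X44): one '<' (inbound)
and one '>' (outbound) row per tunnel ID, with the Life column printed as
"sec/ kb". Function names and the weak-algorithm list are this example's own.
"""
import re
from collections import defaultdict

# One SA row; the Life column appears as "2849/ unlim" or "3581/  1022".
SA_ROW = re.compile(
    r"^\s*(?P<dir>[<>])(?P<id>\d+)\s+"
    r"(?P<proto>[A-Za-z]+):(?P<enc>[^/\s]+)/(?P<auth>\S+)\s+"
    r"(?P<spi>[0-9a-fA-F]+)\s+"
    r"(?P<sec>\d+|unlim)/\s*(?P<kb>\d+|unlim)\s+"
    r"(?P<mon>\S+)\s+(?P<lsys>\S+)\s+(?P<port>\d+)\s+(?P<gateway>\S+)\s*$"
)
TOTAL_LINE = re.compile(r"Total active tunnels:\s*(\d+)")

# Algorithms worth flagging in a review: DES/3DES (deprecated) and MD5.
WEAK_ALGS = {"des", "3des", "md5"}

# Sample input: the SA table quoted in the thread (1.1.1.1 / 2.2.2.2 are
# the poster's placeholder gateway addresses).
SAMPLE = """\
  Total active tunnels: 2
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131076 ESP:3des/sha1 1eb70b56 2849/ unlim   U   root 500   1.1.1.1
  >131076 ESP:3des/sha1 88257420 2849/ unlim   U   root 500   1.1.1.1

  <131075 ESP:3des/sha1 5cd06e01 3581/  1022   U   root 500   2.2.2.2
  >131075 ESP:3des/sha1 a52709fb 3581/  1022   U   root 500   2.2.2.2
"""


def _life(token):
    """'unlim' -> None, otherwise the remaining seconds or kilobytes."""
    return None if token == "unlim" else int(token)


def parse_sa_table(text):
    """Return one dict per SA row; header, blank and summary lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = SA_ROW.match(line)
        if not m:
            continue
        rows.append({
            "direction": "inbound" if m["dir"] == "<" else "outbound",
            "id": int(m["id"]),
            "proto": m["proto"],
            "enc": m["enc"].lower(),
            "auth": m["auth"].lower(),
            "spi": m["spi"],
            "life_sec": _life(m["sec"]),
            "life_kb": _life(m["kb"]),
            "monitor": m["mon"],      # U = vpn-monitor up, D = down, - = not configured
            "port": int(m["port"]),   # 4500 means the peer negotiated NAT-T
            "gateway": m["gateway"],
        })
    return rows


def assess_tunnels(text):
    """Group SAs by tunnel ID and report, per tunnel, what a reviewer checks.

    'up' is True only when both an inbound and an outbound SA exist: a single
    direction means Phase 2 is half-built (or a rekey went wrong), not usable.
    """
    by_id = defaultdict(list)
    for row in parse_sa_table(text):
        by_id[row["id"]].append(row)

    report = {}
    for tid, sas in by_id.items():
        directions = {s["direction"] for s in sas}
        weak = sorted({a for s in sas for a in (s["enc"], s["auth"]) if a in WEAK_ALGS})
        lives = [s["life_sec"] for s in sas if s["life_sec"] is not None]
        report[tid] = {
            "gateway": sas[0]["gateway"],
            "up": directions == {"inbound", "outbound"},
            "monitor_up": all(s["monitor"] == "U" for s in sas),
            "nat_t": any(s["port"] == 4500 for s in sas),
            "weak_algorithms": weak,
            "min_life_sec": min(lives) if lives else None,
        }
    return report


def check_total(text):
    """Compare the 'Total active tunnels' summary with the tunnels actually listed."""
    m = TOTAL_LINE.search(text)
    declared = int(m.group(1)) if m else None
    return declared, len(assess_tunnels(text))


if __name__ == "__main__":
    for tid, info in sorted(assess_tunnels(SAMPLE).items()):
        state = "UP" if info["up"] else "HALF-OPEN"
        flags = ", ".join(info["weak_algorithms"]) or "none"
        print(f"tunnel {tid} to {info['gateway']}: {state}, "
              f"monitor_up={info['monitor_up']}, weak algorithms: {flags}")
    print("declared/counted tunnels:", check_total(SAMPLE))
```

Run against the thread's table it reports both tunnels as UP (an inbound and an outbound SA each), vpn-monitor up, no NAT-T, and flags 3des on both, which is what a reviewer of a 2014 box would want to see called out even though the tunnel works. Note that an SA table alone says nothing about whether traffic is allowed through: the route to st0.3 and the security policies between the trust zone and the zone holding st0.3 are separate checks, which is why the poster's SAs were up while the ping failed. A plain ping from the SRX is also sourced from the egress interface address, which is rarely an address the remote side's policy and routing cover; "ping <host> interface <trust-side interface>" tests the path a LAN host would actually take.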
