On Tue, Nov 30, 2010 at 3:58 AM, Jonathan Lassoff <j...@thejof.com> wrote:
> On Mon, Nov 29, 2010 at 6:49 PM, Adam Leff <a...@leff.co> wrote:
> > Also, for what it's worth, I do have multiple logical interfaces under st0
> > (i.e. st0.0 and st0.1) and it is working without requiring NHTB.
>
> Without NHTB? So the "security ipsec vpn XXX" hierarchy has a
> "bind-interface" statement, but the iff hierarchy under st0 *doesn't*
> have a "next-hop-tunnel" statement?
>

Yes. We run either BGP or OSPF over the tunnel links, so no next-hop-tunnel statements are required.

Are you binding "st0" or the full "st0.1" interface to your VPN?

Here's a snippet of our config. Feel free to contact me off-list with your config and I'm happy to give it a glance.

in [edit security]:

ike {
    policy phx1 {
        mode main;
        proposal-set compatible;
        pre-shared-key ascii-text "<redacted>";
    }
    gateway phx1 {
        ike-policy phx1;
        address <redacted>;
        external-interface ge-4/0/0.0;
    }
}
ipsec {
    vpn phx1 {
        bind-interface st0.1;
        vpn-monitor;
        ike {
            gateway phx1;
            ipsec-policy compatible;
        }
        establish-tunnels immediately;
    }
}

in [edit interfaces]:

st0 {
    unit 1 {
        description "VPN to PHX1";
        family inet {
            address 10.10.11.8/31;
        }
    }
}

> > Do you have all the pre-requisites set up? i.e. st0.1 in the proper
> > security zone, a route pointed down st0.1 for the traffic to be tunneled,
> > etc.?
>
> I'm pretty sure everything looks right (but just to me, so it's
> certainly possible that there's a bug or two in my config). st0.1 is
> in a security zone that has policies to permit vpn-monitor ICMP
> traffic, and I'm not even routing over the st0.1 interface yet, just
> pinging the remote end.
>
> Cheers,
> jof
>

_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
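As an added illustration (not from either poster's config), here is the remaining piece that the "pre-requisites" question refers to: the st0.1 unit placed in its own security zone with host-inbound-traffic limited to what the tunnel actually needs (ping for the peer's vpn-monitor probes, OSPF only if that is what runs over the link), a narrow trust-to-vpn policy, and a route pointing the remote prefix down st0.1. The zone names trust and vpn, the prefixes 10.10.0.0/16 and 10.20.0.0/16, and the policy and address names are all assumptions.

```junos
/* [edit security zones] -- added example; zone and address names are assumed */
security-zone trust {
    address-book {
        address local-lan 10.10.0.0/16;
    }
}
security-zone vpn {
    address-book {
        address phx1-lan 10.20.0.0/16;
    }
    interfaces {
        st0.1 {
            host-inbound-traffic {
                /* only the services the tunnel needs terminate on this end */
                system-services {
                    /* lets the peer's vpn-monitor ICMP echo reach this st0.1 address */
                    ping;
                }
                protocols {
                    /* needed only when OSPF (not BGP) is run over the tunnel */
                    ospf;
                }
            }
        }
    }
}
/* [edit security policies] -- one direction shown; vpn-to-trust needs its own policy */
from-zone trust to-zone vpn {
    policy trust-to-phx1 {
        match {
            source-address local-lan;
            destination-address phx1-lan;
            application any;
        }
        then {
            permit;
            log {
                session-close;
            }
        }
    }
}
/* [edit routing-options] -- static route instead of the BGP/OSPF used in the post */
static {
    route 10.20.0.0/16 next-hop st0.1;
}
```

Without a matching from-zone vpn to-zone trust policy, sessions initiated from the remote side are dropped by the implicit default deny, so check both directions when a tunnel comes up but traffic flows only one way.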