Commit full? Also do you have a static route for the peer gateway IP?

I tried the deactivate, commit, reactivate, commit method…no such luck :(
On 2013-03-20 2:12 PM, "Gabriel Blanchard" <g...@teksavvy.ca> wrote:

> Same thing here, that or I had to
>
> deactivate security vpn <name>
> commit
> and reactivate.
> commit
>
> On 13-03-20 02:03 PM, Bjørn Tore wrote:
>> As I mentioned offline - I once had to reboot an SRX 240 after changing
>> IPSEC config, to make things come up. Might not be the case here, but
>> with the code quality these days - who knows..
>>
>> Bjørn Tore @ mobile
>>
>> On 20 March 2013 at 18:57, Patrick Dickey <dickeypj...@yahoo.com> wrote:
>>
>>> I'd start to suspect the other side of the tunnel. What is your peer
>>> device?
>>>
>>> On Mar 20, 2013, at 11:55 AM, Bill Sandiford
>>> <b...@telnetcommunications.com> wrote:
>>>
>>>> So I added the following configuration in. The syntax was a little
>>>> different than what you sent, but basically the same thing (I think).
>>>>
>>>> > show configuration security policies
>>>> from-zone trust to-zone trust {
>>>>     policy policy1 {
>>>>         match {
>>>>             source-address any;
>>>>             destination-address any;
>>>>             application any;
>>>>         }
>>>>         then {
>>>>             permit;
>>>>         }
>>>>     }
>>>> }
>>>> default-policy {
>>>>     permit-all;
>>>> }
>>>>
>>>> …but still not working :(
>>>>
>>>> On 2013-03-20 12:29 PM, "Aaron Dewell" <aaron.dew...@gmail.com> wrote:
>>>>
>>>>> You'll also need a policy which allows traffic from trust to trust, i.e.:
>>>>>
>>>>> set security policies from-zone trust to-zone trust match source-address any
>>>>> set security policies from-zone trust to-zone trust match destination-address any
>>>>> set security policies from-zone trust to-zone trust match protocol any
>>>>> set security policies from-zone trust to-zone trust then permit
>>>>>
>>>>> Cross-interface traffic is not allowed by default even within the same
>>>>> zone.
>>>>>
>>>>> On Mar 20, 2013, at 10:16 AM, Bill Sandiford wrote:
>>>>>> For the most part this J-series has always just acted as a router
>>>>>> without any tunnels per se. As such, I have always had all interfaces
>>>>>> in the trust zone, as follows
>>>>>>
>>>>>> zones {
>>>>>>     security-zone trust {
>>>>>>         tcp-rst;
>>>>>>         host-inbound-traffic {
>>>>>>             system-services {
>>>>>>                 any-service;
>>>>>>             }
>>>>>>             protocols {
>>>>>>                 all;
>>>>>>             }
>>>>>>         }
>>>>>>         interfaces {
>>>>>>             all;
>>>>>>         }
>>>>>>     }
>>>>>> }
>>>>>>
>>>>>> Will this accomplish what you are suggesting?
>>>>>>
>>>>>> On 2013-03-20 11:52 AM, "Patrick Dickey" <dickeypj...@yahoo.com> wrote:
>>>>>>
>>>>>>> I don't remember if the J series behaves exactly like the SRXs when
>>>>>>> it comes to IPSec, but if it does make sure to put the st0.x
>>>>>>> interface into a security zone and have a security policy allowing
>>>>>>> the traffic.
>>>>>>>
>>>>>>> I believe that's only a requirement if you're running the enhanced
>>>>>>> services/security code on the J, but I think you have to be to get
>>>>>>> IPSec.
>>>>>>>
>>>>>>> HTH
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: juniper-nsp-boun...@puck.nether.net
>>>>>>> [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Bill Sandiford
>>>>>>> Sent: Wednesday, March 20, 2013 8:47 AM
>>>>>>> To: juniper-nsp@puck.nether.net
>>>>>>> Subject: [j-nsp] Help needed with IPSEC VPN on J-Series
>>>>>>>
>>>>>>> Hi All,
>>>>>>>
>>>>>>> I need some help with an IPSEC tunnel that I just can't seem to get
>>>>>>> working on a J-6350. I have been able to get the tunnels to come up,
>>>>>>> but can't seem to pass traffic over the tunnels.
>>>>>>>
>>>>>>> I've done the usual things. I've created an st0.0 interface and bound
>>>>>>> it to the tunnel using the bind-interface command. I've created a
>>>>>>> static route and pointed it at the st0.0 interface. I just can't seem
>>>>>>> to get traffic to pass over the tunnel.
>>>>>>>
>>>>>>> Any help or suggestions would be appreciated. I'm also willing to put
>>>>>>> a $$$ bounty on this for anyone that is willing to help me get it
>>>>>>> working via teamviewer.
>>>>>>>
>>>>>>> Regards,
>>>>>>> Bill
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> juniper-nsp mailing list juniper-nsp@puck.nether.net
>>>>>>> https://puck.nether.net/mailman/listinfo/juniper-nsp
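
The checks the replies in this thread walk through (tunnel unit bound to the VPN, a static route pointing at it, the st0 unit in a security zone, a permit policy for that zone), expressed as a small audit over set-format configuration. This is an added example, not code from any poster; the VPN name, the prefix and the zone name `vpn` in the sample configs are constructed.

```python
import re

def audit_route_based_vpn(set_config):
    """Return findings for every st0 unit bound to an IPsec VPN."""
    bound, zone_of, routed, permits = {}, {}, set(), set()
    default_permit = False
    for line in (l.strip() for l in set_config.splitlines()):
        if m := re.match(r"set security ipsec vpn (\S+) bind-interface (st0\.\d+)$", line):
            bound[m[2]] = m[1]                      # tunnel unit -> VPN name
        elif m := re.match(r"set security zones security-zone (\S+) interfaces (\S+)", line):
            zone_of[m[2]] = m[1]                    # interface (or "all") -> zone
        elif m := re.match(r"set routing-options static route \S+ next-hop (st0\.\d+)$", line):
            routed.add(m[1])
        elif m := re.match(r"set security policies from-zone \S+ to-zone (\S+) policy \S+ then permit", line):
            permits.add(m[1])                       # zones some policy permits traffic into
        elif line == "set security policies default-policy permit-all":
            default_permit = True                   # unmatched traffic is permitted
    findings = []
    for unit, vpn in sorted(bound.items()):
        zone = zone_of.get(unit) or zone_of.get("all")
        if zone is None:
            findings.append(f"{unit} ({vpn}): not in any security zone")
        elif zone not in permits and not default_permit:
            findings.append(f"{unit} ({vpn}): no permit policy into zone {zone}")
        if unit not in routed:
            findings.append(f"{unit} ({vpn}): no static route uses it as next-hop")
    return findings

# Constructed sample configs (not taken from the thread).
COMPLETE = """
set security ipsec vpn vpn-to-peer bind-interface st0.0
set security zones security-zone trust interfaces all
set routing-options static route 192.0.2.0/24 next-hop st0.0
set security policies from-zone trust to-zone trust policy policy1 match application any
set security policies from-zone trust to-zone trust policy policy1 then permit
"""
UNZONED = """
set security ipsec vpn vpn-to-peer bind-interface st0.0
set security zones security-zone trust interfaces ge-0/0/0.0
set routing-options static route 192.0.2.0/24 next-hop st0.0
"""
NO_POLICY_NO_ROUTE = """
set security ipsec vpn vpn-to-peer bind-interface st0.0
set security zones security-zone vpn interfaces st0.0
"""

if __name__ == "__main__":
    for name in ("COMPLETE", "UNZONED", "NO_POLICY_NO_ROUTE"):
        print(name, audit_route_based_vpn(globals()[name]))
```

An empty result only means the configuration-side items from the thread are present; it says nothing about the peer device, which one reply suggests checking next.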