I think Mike was hinting at the hidden property ’local-address’ to help select source address from an interface that has more than one address configured.
You won’t see it in the help, but if you enter this:

    set security ike gateway GATE local-address x.y.z.w

it will work. This way you can use several addresses with one interface. (Extremely helpful if you migrate IPsec VPNs to an existing setup.)

/Per

On 6 May 2014 at 14:56, Mattias Gyllenvarg <matt...@gyllenvarg.se> wrote:

> A little vague question but I will try.
>
> The Hub is dynamic (PKI + Distinguished names).
> Spokes connect to the external IF of the HUB.
>
> Jeff, regarding Loopbacks. Would you configure an IP from the external
> scope (have a /29) as Loopback to run the VPN via?
>
> Never thought of having a loopback in the untrusted side. :)
>
> //Mattias
>
> On Tue, May 6, 2014 at 2:35 PM, Mike Devlin <mikecdev...@gmail.com> wrote:
>
>> are you using local-address config line under edit security ike gateway blah?
>>
>> On Tue, May 6, 2014 at 8:24 AM, Mattias Gyllenvarg
>> <matt...@gyllenvarg.se> wrote:
>>
>>> Turns out the HUB node cannot use a "secondary" IP as the Gateway
>>> IP for the IPsec termination.
>>> This works on SRX240 in a very similar installation. But not on the
>>> SRX210HE2 in this installation.
>>>
>>> //Mattias Gyllenvarg
>>>
>>> On Fri, May 2, 2014 at 5:07 PM, Mike Devlin <mikecdev...@gmail.com> wrote:
>>>
>>>> config please
>>>>
>>>> On Fri, May 2, 2014 at 9:33 AM, Mattias Gyllenvarg
>>>> <matt...@gyllenvarg.se> wrote:
>>>>
>>>>> Hi All
>>>>>
>>>>> I have been cracking my skull on this one for a while now and I am not
>>>>> getting anywhere I want to go. So, here is a nut for anyone proficient
>>>>> in Site-To-Site VPN with PKI and Distinguished names on SRX.
>>>>>
>>>>> TLDR; New installation of a setup I already have working on a global
>>>>> scale.
>>>>> Only difference in HW is a SRX210HE2 as HUB compared to a 240 in the
>>>>> working installation.
>>>>> Error is NO proposal chosen. I get this even if I try it with static IPs
>>>>> and PSK.
>>>>> Junos is [12.1X44-D20.3]
>>>>> Waiting to try [12.1X44-D30.4] but I don't have it yet.
>>>>>
>>>>> So, I have double checked the proposals (they come from a template) many
>>>>> times.
>>>>> Removed and reapplied all security config. Reloaded and so on.
>>>>> st0.0 is in trusted and all policies are in place.
>>>>>
>>>>> Can't find a known bug or deeper troubleshooting help than check your
>>>>> proposals, for this error.
>>>>>
>>>>> --
>>>>> *Best Regards*
>>>>> *Mattias Gyllenvarg*
>>>>> _______________________________________________
>>>>> juniper-nsp mailing list juniper-nsp@puck.nether.net
>>>>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>>
>>> --
>>> *With Kind Regards / Best Regards*
>>> *Mattias Gyllenvarg*
>
> --
> *With Kind Regards / Best Regards*
> *Mattias Gyllenvarg*