Well I will be sure to set that up in the LAB next time around! Thank you.
//Mattias

On Tue, May 6, 2014 at 3:23 PM, Mike Devlin <mikecdev...@gmail.com> wrote:

> also extremely helpful in high traffic profile tunnels on higher end srx's
> with multiple SPCs
>
> combined with the shell command "kmd -T source_add:dest_add" you can load
> balance your ipsec traffic against lower usage SPCs and improve overall
> performance and throughput :)
>
>
> On Tue, May 6, 2014 at 9:10 AM, Per Westerlund <p...@westerlund.se> wrote:
>
>> I think Mike was hinting at the hidden property 'local-address' to help
>> select source address from an interface that has more than one address
>> configured.
>>
>> You won't see it in the help, but if you enter this:
>>
>> set security ike gateway GATE local-address x.y.z.w
>>
>> it will work.
>>
>> This way you can use several addresses with one interface. (Extremely
>> helpful if you migrate IPsec VPNs to an existing setup.)
>>
>> /Per
>>
>> On 6 May 2014 at 14:56, Mattias Gyllenvarg <matt...@gyllenvarg.se> wrote:
>>
>> A little vague question but I will try.
>>
>> The Hub is dynamic (PKI + Distinguished names).
>> Spokes connect to the external IF of the HUB.
>>
>> Jeff, regarding Loopbacks. Would you configure an IP from the external
>> scope (have a /29) as Loopback to run the VPN via?
>>
>> Never thought of having a loopback in the untrusted side. :)
>>
>> //Mattias
>>
>>
>> On Tue, May 6, 2014 at 2:35 PM, Mike Devlin <mikecdev...@gmail.com>
>> wrote:
>>
>> are you using local-address config line under edit security ike gateway blah?
>>
>>
>> On Tue, May 6, 2014 at 8:24 AM, Mattias Gyllenvarg <matt...@gyllenvarg.se>
>> wrote:
>>
>> Turns out the HUB node cannot use a "secondary" IP as the Gateway
>> IP for the IPsec termination.
>> This works on SRX240 in a very similar installation. But not on the
>> SRX210HE2 in this installation.
>>
>> //Mattias Gyllenvarg
>>
>>
>> On Fri, May 2, 2014 at 5:07 PM, Mike Devlin <mikecdev...@gmail.com> wrote:
>>
>> config please
>>
>>
>> On Fri, May 2, 2014 at 9:33 AM, Mattias Gyllenvarg
>> <matt...@gyllenvarg.se> wrote:
>>
>> Hi All
>>
>> I have been cracking my skull on this one for a while now and I am not
>> getting anywhere I want to go. So, here is a nut for anyone proficient
>> in Site-To-Site VPN with PKI and Distinguished names on SRX.
>>
>> TLDR; New installation of a setup I already have working on a global
>> scale.
>> Only difference in HW is a SRX210HE2 as HUB compared to a 240 in the
>> working installation.
>> Error is NO proposal chosen. I get this even if I try it with static IPs
>> and PSK.
>> Junos is [12.1X44-D20.3]
>> Waiting to try [12.1X44-D30.4] but I don't have it yet.
>>
>> So, I have double checked the proposals (they come from a template) many
>> times.
>> Removed and reapplied all security config. Reloaded and so on.
>> st0.0 is in trusted and all policies are in place.
>>
>> Can't find a known bug or deeper troubleshooting help than check your
>> proposals, for this error.
>>
>> --
>> *Best Regards*
>> *Mattias Gyllenvarg*
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp@puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp

--
*Med Vänliga Hälsningar / Best Regards*
*Mattias Gyllenvarg*