90% sure it's nested tunnels (GRE over IPSec).  You cannot do them in a cluster.

If you can get the Cisco side to remove the GRE layer and route directly over 
the secure tunnel (have not tried it so I don't know if they can or not), then 
it will work (using st0 on the SRX).  If you can't, your only workaround is to 
terminate that tunnel on something else (standalone SRX separate from the 
cluster, or something).

http://www.juniper.net/techpubs/en_US/junos12.1/information-products/topic-collections/release-notes/12.1/topic-64979.html

Buried in there (search for nested) is what you're looking for.

On May 8, 2014, at 10:53 PM, Morgan McLean wrote:
> Do you have an external zone to external zone allow rule? Obviously ike
> allowed for host inbound services as well for external.
> 
> Thanks,
> Morgan
> 
> 
> On Thu, May 8, 2014 at 1:04 PM, Levi Pederson <
> levipeder...@mankatonetworks.net> wrote:
> 
>> Greetings,
>> 
>> I've created several VPNs with little or no trouble in the past.  Between
>> both Cisco and Juniper devices.  But I am a little stumped as to why I cannot
>> connect a simple (Static IP) IPSec Tunnel between an SRX240 Cluster and a
>> single srx210.  I've checked the policies and the proposals and they are
>> spot on identical.  I've put the external interface on the cluster (lo0.0)
>> on the right external zone.  I'm also running OS 12.1.X44.D30 which
>> supports.  I've been reading several diatribes on how to place the loopback
>> into the redundancy and I have done that as well.  I'm still gathering the
>> configurations for perusal as they need to be secured.  First question
>> would be, does anything instantly pop out to anyone?  I'll have the configs
>> loaded as soon as I can.
>> 
>> Thank you,
>> *Levi Pederson*
>> Mankato Networks LLC
>> cell | 612.481.0769
>> work | 612.787.7392
>> levipeder...@mankatonetworks.net
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp@puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>> 

