I'm trying to build a site-to-site IPSec tunnel with two J-4350's, but I'm running into a strange issue.
The tunnel appears to be up, the two routers see each other as neighbors in OSPF, I can even ping between the two routers. In addition, a host on one side can ping a host on the other side. The problem comes when I try to put "real" traffic over the link. Connecting to port 80 on a remote machine doesn't work. Packet captures show no traffic coming back from the remote side. I'm sure I'm missing something simple - but I'm at a loss as to what it is. If anyone has any suggestions, they'd be much appreciated.

-- matt

Here's my partial config:

root> show ospf neighbor
Address          Interface      State    ID                Pri  Dead
10.206.32.1      sp-0/0/0.11    Full     218.81.216.253    128   37

root> show route protocol ospf

inet.0: 11 destinations, 12 routes (11 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.206.32.0/24     *[OSPF/10] 00:42:47, metric 2
                    > via sp-0/0/0.11
10.206.32.1/32     *[OSPF/10] 04:24:03, metric 1
                    > via sp-0/0/0.11
10.206.34.0/24     *[OSPF/10] 00:42:47, metric 2
                    > via sp-0/0/0.11
10.206.35.0/24     *[OSPF/10] 00:42:47, metric 2
                    > via sp-0/0/0.11
192.168.1.1/32      [OSPF/10] 05:05:46, metric 2
                    > via sp-0/0/0.11
218.81.216.0/24    *[OSPF/10] 00:42:47, metric 2
                    > via sp-0/0/0.11
224.0.0.5/32       *[OSPF/10] 1w0d 01:42:30, metric 1
                      MultiRecv

__juniper_private1__.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)

protocols {
    ospf {
        area 0.0.0.0 {
            interface sp-0/0/0.11;
            interface ge-0/0/0.0 {
                passive;
            }
        }
    }
}
services {
    service-set ipsec {
        next-hop-service {
            inside-service-interface sp-0/0/0.11;
            outside-service-interface sp-0/0/0.10;
        }
        ipsec-vpn-options {
            local-gateway 1.1.1.1;
        }
        ipsec-vpn-rules ipsec-out;
    }
    ipsec-vpn {
        rule ipsec-out {
            term 1 {
                then {
                    remote-gateway 2.2.2.2;
                    dynamic {
                        ike-policy ike-policy-hq;
                        ipsec-policy ipsec-policy-hq;
                    }
                    clear-dont-fragment-bit;
                    tunnel-mtu 1440;
                }
            }
            match-direction input;
        }
        ipsec {
            proposal ipsec-proposal-hq {
                protocol esp;
                authentication-algorithm hmac-sha1-96;
                encryption-algorithm aes-192-cbc;
                lifetime-seconds 3600;
            }
            policy ipsec-policy-hq {
                proposals ipsec-proposal-hq;
            }
        }
        ike {
            proposal site-to-site {
                authentication-method pre-shared-keys;
                dh-group group2;
                authentication-algorithm sha1;
                encryption-algorithm aes-192-cbc;
                lifetime-seconds 86400;
            }
            policy ike-policy-hq {
                mode main;
                proposals site-to-site;
                pre-shared-key ascii-text "XXX"; ## SECRET-DATA
            }
        }
        establish-tunnels immediately;
    }
}

_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
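An added worked example, not code from the post above, of the ESP tunnel-mode overhead that the proposal in this config (esp, aes-192-cbc, hmac-sha1-96) adds to each packet, and of the fragment sizes a full-size inner packet would produce under clear-dont-fragment-bit with tunnel-mtu 1440. It assumes an outer IPv4 header of 20 bytes, an ESP header of 8 bytes, a 16-byte IV and block for AES-CBC, a 12-byte ICV for SHA1-96, and that tunnel-mtu bounds the inner packet before encapsulation; that last point is an assumption about Junos behaviour, not something the post states. Small pings and full-size TCP segments land in different rows of this table, which is why a sweep of packet sizes is a reasonable first check when ICMP passes but TCP does not.

```python
"""ESP tunnel-mode sizing for aes-192-cbc + hmac-sha1-96 (added example)."""
import math

OUTER_IP, ESP_HDR, TRAILER = 20, 8, 2  # outer IPv4, SPI+seq, pad-length+next-header
IP_HDR = 20                            # inner IPv4 header without options (assumed)


def esp_tunnel_size(inner_len, block=16, iv_len=16, icv_len=12):
    """Bytes on the wire for one inner IPv4 packet of inner_len bytes in ESP tunnel mode."""
    if inner_len <= IP_HDR:
        raise ValueError("inner packet must carry an IPv4 header and some payload")
    padded = math.ceil((inner_len + TRAILER) / block) * block  # ESP pads to the cipher block
    return OUTER_IP + ESP_HDR + iv_len + padded + icv_len


def max_inner_for_link(link_mtu, **kw):
    """Largest inner packet whose encapsulation still fits link_mtu unfragmented."""
    for n in range(link_mtu, IP_HDR, -1):
        if esp_tunnel_size(n, **kw) <= link_mtu:
            return n
    return 0


def fragment_inner(inner_len, tunnel_mtu):
    """IPv4 fragment sizes for an inner packet that exceeds tunnel_mtu and whose DF bit
    has been cleared. All fragment payloads except the last are multiples of 8 bytes,
    as the IPv4 fragment-offset field requires."""
    if inner_len <= tunnel_mtu:
        return [inner_len]
    chunk = (tunnel_mtu - IP_HDR) // 8 * 8
    payload = inner_len - IP_HDR
    frags = []
    while payload > 0:
        take = min(chunk, payload)
        frags.append(IP_HDR + take)
        payload -= take
    return frags


def wire_sizes(inner_len, tunnel_mtu=1440, **kw):
    """Encapsulated size of every ESP packet produced for one inner packet."""
    return [esp_tunnel_size(f, **kw) for f in fragment_inner(inner_len, tunnel_mtu)]


if __name__ == "__main__":
    # 64-byte-payload ping, largest single packet that fits a 1500-byte link, full TCP segment
    for inner in (84, 1438, 1500):
        print(f"inner {inner:4d} -> on the wire {wire_sizes(inner)}")
    print("max unfragmented inner packet on a 1500-byte link:", max_inner_for_link(1500))
```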