Re: [j-nsp] Policy Based Routing

2015-11-30 Thread Mattias Gyllenvarg
Not sure about Juniper but on Cisco PBR does not apply to CPU punted packets. So, in most PBR environments you will not be able to reach interfaces routed in via PBR. PBR is often counter-intuitive to troubleshoot because it (locally) breaks most ICMP features. This may be the expected behavior

[j-nsp] SRX loosing certificates

2014-11-02 Thread Mattias Gyllenvarg
Dear All I have an issue where a remote site will lose its certificates (key-pair and ca) for no apparent reason. Cert still had more than a year to go! What is up? Could not find anything via Google. -- *Med Vänliga Hälsningar / Best Regards* *Mattias Gyllenvarg

Re: [j-nsp] rpm / ip-monitoring

2014-08-29 Thread Mattias Gyllenvarg
, Mattias Gyllenvarg wrote: > Ben, > > The BGP selects native over IPsec via local-pref (just a note in this > context). > > That may work. I will try to describe your idea in my own words. > > Add a lurking static default to the MPLS-VPN, put it on steroids when > ip-monitor

Re: [j-nsp] rpm / ip-monitoring

2014-08-29 Thread Mattias Gyllenvarg
unless I'm missing > something else? > > Ben > > > On 29 Aug 2014, at 7:42 pm, Mattias Gyllenvarg > wrote: > > Ben > > Close but no cigar. > > The IPsec also receives a default via BGP so that works like a charm. No > need for interface routing.

Re: [j-nsp] rpm / ip-monitoring

2014-08-29 Thread Mattias Gyllenvarg
d 21:51:10, localpref 100 > AS path: 65500 I, validation-state: unverified > > to 172.30.3.2 via ge-0/0/3.0 > > >Cheers, > > Ben > > On 29 Aug 2014, at 3:30 am, Mattias Gyllenvarg > wrote: > > Even is the default

Re: [j-nsp] rpm / ip-monitoring

2014-08-28 Thread Mattias Gyllenvarg
> to mainline Junos will be a glorious one... > > Cheers, > > Ben > > On 28 Aug 2014, at 9:00 pm, Mattias Gyllenvarg > wrote: > > > I have looked over these and they are the basis of the configuration I am > > using. > > > > The setup is advanced in

Re: [j-nsp] rpm / ip-monitoring

2014-08-28 Thread Mattias Gyllenvarg
ndrew Jones > wrote: > > > > > > > Surely the test will never recover without intervention, as the > interface > > > > it uses gets disabled? > > > > > > > > > > > > On 28.08.2014 02:28, Tyler Christiansen wrote: > > > >

[j-nsp] rpm / ip-monitoring

2014-08-27 Thread Mattias Gyllenvarg
{ interface fe-0/0/3 { disable; } } } } } * -- *Med Vänliga Hälsningar / Best Regards* *Mattias Gyllenvarg* ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https

Re: [j-nsp] Site to Site VPN issues with Cluster

2014-05-09 Thread Mattias Gyllenvarg
Pederson* > Mankato Networks LLC > cell | 612.481.0769 > work | 612.787.7392 > levipeder...@mankatonetworks.net > ___ > juniper-nsp mailing list juniper-nsp@puck.nether.net > https://puck.nether.net/mailman/listinfo/juniper-nsp > -- *Med Vänliga Hä

Re: [j-nsp] Site-To-Site VPN woes again

2014-05-06 Thread Mattias Gyllenvarg
>> This way you can use several addresses with one interface. (Extremely >> helpful if you migrate IPsec VPNs to an existing setup.) >> >> /Per >> >> 6 maj 2014 kl. 14:56 skrev Mattias Gyllenvarg : >> >> A little vague question but I will try. >>

Re: [j-nsp] Site-To-Site VPN woes again

2014-05-06 Thread Mattias Gyllenvarg
the untrusted side. :) //Mattias On Tue, May 6, 2014 at 2:35 PM, Mike Devlin wrote: > are using local-address config line under edit security ike gateway blah? > > > On Tue, May 6, 2014 at 8:24 AM, Mattias Gyllenvarg > wrote: > >> Turns out the HUB node can not be on

Re: [j-nsp] Site-To-Site VPN woes again

2014-05-06 Thread Mattias Gyllenvarg
Turns out the HUB node can not be on use a "secondary" IP as the Gateway IP for the IPsec termination. This works on SRX240 in a very similar installation. But not on the SRX210HE2 in this installation. //Mattias Gyllenvarg On Fri, May 2, 2014 at 5:07 PM, Mike Devlin wrote: >

[j-nsp] Site-To-Site VPN woes again

2014-05-02 Thread Mattias Gyllenvarg
a template) many times. Removed and reapplied all security config. Reloaded and so on. st0.0 is in trusted and all policies are in place. Can't find a known bug or deeper troubleshooting help than check your proposals, for this error. -- *Best Regards* *Mattias Gylle

Re: [j-nsp] Advanced Address book statements

2014-01-22 Thread Mattias Gyllenvarg
For the archives... address-book { VPN-Management { address Management { wildcard-address 10.0.255.0/255.0.255.255; } } } On Wed, Jan 22, 2014 at 2:55 PM, Mattias Gyllenvarg wrote: > Dear All > > I am looking at keeping a neat config in a VPN-hub de

[j-nsp] Advanced Address book statements

2014-01-22 Thread Mattias Gyllenvarg
documentation for address books. Hints? -- *Med Vänliga Hälsningar* *Mattias Gyllenvarg* ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp

Re: [j-nsp] Tunnel failing at "No propsal chosen" but works when target is another device

2013-11-26 Thread Mattias Gyllenvarg
Hi Mr Ackroyd Actually it was not, it was before but I removed it when I removed the st interface to reapply it. I have since then fixed the original issue and now got through IKE and have it working. Thank you. Mattias Gyllenvarg On Mon, Nov 25, 2013 at 2:32 PM, Nicholas Ackroyd wrote

[j-nsp] Tunnel failing at "No propsal chosen" but works when target is another device

2013-11-25 Thread Mattias Gyllenvarg
Ev1 iked_pm_ike_spd_select_ike_sa failed. rc 1, error_code: No proposal chosen ikev2_fb_spd_select_sa_cb: IKEv2 SA select failed with error No proposal chosen (neg de5800) ike_isakmp_sa_reply: Start -- *Best Regards* *Mattias Gyllenvarg* ___ jun