Cannot pass ping through Site-to-Site Route-based VPN between Two SRX's

Moderator: mike

Jotaro
Posts: 13
Joined: Tue May 02, 2017 6:42 am

Cannot pass ping through Site-to-Site Route-based VPN between Two SRX's

Post by Jotaro » Tue Dec 12, 2017 7:02 pm

I configured a route-based site-to-site VPN between two vSRXs on EVE.
Although IKE Phase 1 and Phase 2 are both up, ping doesn't pass through the VPN.
I attached my lab here. Could someone check and see if you can ping from R9 to R10?
I changed R7 and R8 to SRX (R7-J and R8-J).
Although the original R7 and R8 are still in the lab, their e0/1 interfaces are shut down and they can be ignored.

Topology:
INE's CCIE R&S v5 Advanced Technology Labs - IPSec VPN

Modifications from the original INE lab:
- Changed R7 and R8 to SRX
- Changed routing from EIGRP to OSPF
- Changed routing from OSPF to static

INE Lab I'm trying to reproduce by using Juniper for R7 and R8:
CCIE R&S v5 Advanced Technology Labs
- IPSec VPN / IPsec VPNs with Crypto Maps

SRX root password:
"Juniper" (without the double quotation marks)

My Investigation Results:
(1) Ping from R9 Lo0 to R10 Lo0 fails
R9#ping 150.1.10.10 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.10.10, timeout is 2 seconds:
Packet sent with a source address of 150.1.9.9
.....
Success rate is 0 percent (0/5)
R9#

(2) When I ping from R9 Lo0 to R10 Lo0, the traffic log on R7 shows the following:
Dec 12 18:49:43 R7-J RT_FLOW: RT_FLOW_SESSION_CREATE: session created 150.1.9.9/4->150.1.10.10/0 0x0 icmp 150.1.9.9/4->150.1.10.10/0 0x0 N/A N/A N/A N/A 1 TRUST_TO_VPN trust VPN 11 N/A(N/A) ge-0/0/1.79 UNKNOWN UNKNOWN UNKNOWN

root@R7-J> show security flow session source-prefix 150.1.10.10 destination-prefix 150.1.9.9
Session ID: 50, Policy name: TRUST_TO_VPN/8, Timeout: 26, Valid
In: 150.1.9.9/0 --> 150.1.10.10/2;icmp, Conn Tag: 0x0, If: ge-0/0/1.79, Pkts: 1, Bytes: 100,
Out: 150.1.10.10/2 --> 150.1.9.9/0;icmp, Conn Tag: 0x0, If: st0.0, Pkts: 0, Bytes: 0,

Session ID: 51, Policy name: TRUST_TO_VPN/8, Timeout: 28, Valid
In: 150.1.9.9/1 --> 150.1.10.10/2;icmp, Conn Tag: 0x0, If: ge-0/0/1.79, Pkts: 1, Bytes: 100,
Out: 150.1.10.10/2 --> 150.1.9.9/1;icmp, Conn Tag: 0x0, If: st0.0, Pkts: 0, Bytes: 0,

Session ID: 52, Policy name: TRUST_TO_VPN/8, Timeout: 30, Valid
In: 150.1.9.9/2 --> 150.1.10.10/2;icmp, Conn Tag: 0x0, If: ge-0/0/1.79, Pkts: 1, Bytes: 100,
Out: 150.1.10.10/2 --> 150.1.9.9/2;icmp, Conn Tag: 0x0, If: st0.0, Pkts: 0, Bytes: 0,

Session ID: 53, Policy name: TRUST_TO_VPN/8, Timeout: 32, Valid
In: 150.1.9.9/3 --> 150.1.10.10/2;icmp, Conn Tag: 0x0, If: ge-0/0/1.79, Pkts: 1, Bytes: 100,
Out: 150.1.10.10/2 --> 150.1.9.9/3;icmp, Conn Tag: 0x0, If: st0.0, Pkts: 0, Bytes: 0,

Session ID: 54, Policy name: TRUST_TO_VPN/8, Timeout: 34, Valid
In: 150.1.9.9/4 --> 150.1.10.10/2;icmp, Conn Tag: 0x0, If: ge-0/0/1.79, Pkts: 1, Bytes: 100,
Out: 150.1.10.10/2 --> 150.1.9.9/4;icmp, Conn Tag: 0x0, If: st0.0, Pkts: 0, Bytes: 0,
Total sessions: 5

root@R7-J>

(3) When I ping from R9 Lo0 to R10 Lo0, no traffic log is generated on R8.
root@R8-J> show log ALLOWED_TRAFFIC >> no output
root@R8-J> show log DENIED_TRAFFIC >> no output

root@R8-J> show security flow session source-prefix 150.1.9.9 destination-prefix 150.1.10.10
Total sessions: 0

root@R8-J>
Last edited by Jotaro on Thu Dec 14, 2017 5:00 am, edited 2 times in total.
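Added example, not part of Jotaro's post and not a Juniper tool: a small Python parser for the `show security flow session` output quoted above, with a triage rule for the pattern it shows (In wing on ge-0/0/1.79 with Pkts 1, Out wing on st0.0 with Pkts 0). The sample input is constructed: one session copied from the R7-J output plus a made-up healthy session for contrast.

```python
"""Triage helper for "tunnel up, traffic not passing" on an SRX.

Added example for this thread, not code from the post or from Juniper. It
parses the text of 'show security flow session' in the layout shown in the
thread and reports, per session, whether the reverse wing on the st0 tunnel
interface has ever carried a packet.
"""
import re

# Constructed sample: session 50 is copied from the R7-J output in the thread,
# session 77 is a made-up healthy session for contrast.
SAMPLE = """\
Session ID: 50, Policy name: TRUST_TO_VPN/8, Timeout: 26, Valid
In: 150.1.9.9/0 --> 150.1.10.10/2;icmp, Conn Tag: 0x0, If: ge-0/0/1.79, Pkts: 1, Bytes: 100,
Out: 150.1.10.10/2 --> 150.1.9.9/0;icmp, Conn Tag: 0x0, If: st0.0, Pkts: 0, Bytes: 0,

Session ID: 77, Policy name: TRUST_TO_VPN/8, Timeout: 58, Valid
In: 150.1.9.9/5 --> 150.1.10.10/2;icmp, Conn Tag: 0x0, If: ge-0/0/1.79, Pkts: 1, Bytes: 100,
Out: 150.1.10.10/2 --> 150.1.9.9/5;icmp, Conn Tag: 0x0, If: st0.0, Pkts: 1, Bytes: 100,
Total sessions: 2
"""

HDR = re.compile(r"Session ID: (\d+), Policy name: ([^,]+), Timeout: (\d+), (\w+)")
WING = re.compile(r"^(In|Out): (\S+) --> (\S+);(\w+), Conn Tag: \S+, If: (\S+), "
                  r"Pkts: (\d+), Bytes: (\d+)")


def parse_sessions(text):
    """Return a list of dicts: header fields plus the 'in' and 'out' wings."""
    sessions, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HDR.match(line)
        if m:
            cur = {"id": int(m[1]), "policy": m[2], "timeout": int(m[3]), "state": m[4]}
            sessions.append(cur)
            continue
        m = WING.match(line)
        if m and cur is not None:
            cur[m[1].lower()] = {"src": m[2], "dst": m[3], "proto": m[4],
                                 "if": m[5], "pkts": int(m[6]), "bytes": int(m[7])}
    return sessions


def triage(sessions, tunnel_prefix="st0"):
    """Map session id -> verdict.

    The 'Out' wing counts packets in the reverse direction. A session whose
    'Out' wing sits on st0.x with Pkts 0 while 'In' has Pkts > 0 was created
    with the tunnel as egress, so route lookup and policy on this box
    succeeded; the loss is later (encapsulation, transit, the peer's
    decryption or policy, or the return path), so the peer is where to look.
    """
    verdicts = {}
    for s in sessions:
        i, o = s.get("in"), s.get("out")
        if not (i and o):
            verdicts[s["id"]] = "incomplete session record"
        elif o["if"].startswith(tunnel_prefix) and i["pkts"] > 0 and o["pkts"] == 0:
            verdicts[s["id"]] = (f"forwarded toward {o['if']} by policy {s['policy']}, "
                                 f"no reply seen: check the peer and the return path")
        elif i["if"].startswith(tunnel_prefix) and o["pkts"] == 0:
            verdicts[s["id"]] = (f"arrived from {i['if']}, no reply from the inside host: "
                                 f"check LAN-side routing and the host")
        else:
            verdicts[s["id"]] = "bidirectional traffic"
    return verdicts


if __name__ == "__main__":
    for sid, verdict in triage(parse_sessions(SAMPLE)).items():
        print(f"session {sid}: {verdict}")
```

A session that exists at all means the first packet passed route lookup and security policy on that box, so it is already past the point where a DENIED_TRAFFIC entry would be written; Pkts 0 on the st0.0 wing only says that no reply came back. The next thing to compare is the IPsec counters on both ends (`show security ipsec statistics`): encrypted packets rising on the sender while decrypted packets do not rise on the receiver puts the loss in the transit path or the receiver's SA; decrypted packets rising on a receiver whose session table stays empty means the cleartext is dropped before a session is created, which is where the session table and the syslog files stop helping and `security flow traceoptions` with a `packet-filter` on the two loopback addresses is the next step.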

Chris929
Posts: 83
Joined: Tue Jun 27, 2017 8:51 am

Re: Cannot pass ping through Site-to-Site Route-based VPN between Two SRX's

Post by Chris929 » Wed Dec 13, 2017 10:34 am

Do you have the appropriate policies in place, attached st0 to a zone and allowed inter- and intra-zone traffic?
Can you send me your configs from both devices?
What version do you use? vSRX-D100, D110 or D120?

Jotaro
Posts: 13
Joined: Tue May 02, 2017 6:42 am

Re: Cannot pass ping through Site-to-Site Route-based VPN between Two SRX's

Post by Jotaro » Thu Dec 14, 2017 1:38 am

I attached st0 to zone "VPN" and allowed anything from the local subnet (lo0.0 on R7) to the remote subnet (lo0.0 on R8) and vice versa.
I use vSRX (15.1X49-D80.4). I'm not sure if it's vSRX-D100, D110 or D120.
These are the configs of R7 and R8.

### R7 Config ###
root@R7-SRX> show configuration | display set
set version 15.1X49-D80.4
set system host-name R7-SRX
set system root-authentication encrypted-password "$5$KPt9eyUB$9uiWFq9VE27gDdEVksTpIpl0.RIusLMMkCngxkAl799"
set system services ssh
set system services web-management http interface fxp0.0
set system syslog user * any emergency
set system syslog file messages any any
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system syslog file kmd-logs daemon info
set system syslog file kmd-logs match KMD
set system syslog file DENIED_TRAFFIC any any
set system syslog file DENIED_TRAFFIC match RT_FLOW_SESSION_DENY
set system syslog file ALLOWED_TRAFFIC any any
set system syslog file ALLOWED_TRAFFIC match RT_FLOW_SESSION
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set security ike proposal IKE_PROPOSAL authentication-method pre-shared-keys
set security ike proposal IKE_PROPOSAL dh-group group2
set security ike proposal IKE_PROPOSAL authentication-algorithm sha-256
set security ike proposal IKE_PROPOSAL encryption-algorithm aes-256-cbc
set security ike proposal IKE_PROPOSAL lifetime-seconds 86400
set security ike policy IKE_POLICY mode main
set security ike policy IKE_POLICY proposals IKE_PROPOSAL
set security ike policy IKE_POLICY pre-shared-key ascii-text "$9$KbV8LN4oGiqfX7Gi"
set security ike gateway IKE_GW ike-policy IKE_POLICY
set security ike gateway IKE_GW address 155.1.58.8
set security ike gateway IKE_GW external-interface lo0
set security ipsec proposal IPSEC_PROPOSAL protocol esp
set security ipsec proposal IPSEC_PROPOSAL authentication-algorithm hmac-md5-96
set security ipsec proposal IPSEC_PROPOSAL encryption-algorithm 3des-cbc
set security ipsec proposal IPSEC_PROPOSAL lifetime-seconds 3600
set security ipsec policy IPSEC_POLICY proposals IPSEC_PROPOSAL
set security ipsec vpn IPSEC_VPN_R7-R8 bind-interface st0.0
set security ipsec vpn IPSEC_VPN_R7-R8 ike gateway IKE_GW
set security ipsec vpn IPSEC_VPN_R7-R8 ike ipsec-policy IPSEC_POLICY
set security ipsec vpn IPSEC_VPN_R7-R8 traffic-selector TRAFFIC_SELECTOR_1 local-ip 150.1.9.9/32
set security ipsec vpn IPSEC_VPN_R7-R8 traffic-selector TRAFFIC_SELECTOR_1 remote-ip 150.1.10.10/32
set security ipsec vpn IPSEC_VPN_R7-R8 establish-tunnels immediately
set security address-book ADDR_BOOK_TRUST address 150.1.7.7/32 150.1.7.7/32
set security address-book ADDR_BOOK_TRUST address 155.1.7.0/24 155.1.7.0/24
set security address-book ADDR_BOOK_TRUST address 155.1.79.0/24 155.1.79.0/24
set security address-book ADDR_BOOK_TRUST address 150.1.9.9/32 150.1.9.9/32
set security address-book ADDR_BOOK_TRUST address-set LOCAL_INT_TRUST address 155.1.7.0/24
set security address-book ADDR_BOOK_TRUST address-set LOCAL_INT_TRUST address 155.1.79.0/24
set security address-book ADDR_BOOK_TRUST address-set LOCAL_INT_TRUST address 150.1.7.7/32
set security address-book ADDR_BOOK_TRUST address-set LOCAL_LAN address 150.1.9.9/32
set security address-book ADDR_BOOK_TRUST attach zone trust
set security address-book ADDR_BOOK_UNTRUST address 155.1.37.0/24 155.1.37.0/24
set security address-book ADDR_BOOK_UNTRUST address 155.1.67.0/24 155.1.67.0/24
set security address-book ADDR_BOOK_UNTRUST address-set LOCAL_INT_UNTRUST address 155.1.37.0/24
set security address-book ADDR_BOOK_UNTRUST address-set LOCAL_INT_UNTRUST address 155.1.67.0/24
set security address-book ADDR_BOOK_UNTRUST attach zone untrust
set security address-book ADDR_BOOK_VPN address 150.1.10.10/32 150.1.10.10/32
set security address-book ADDR_BOOK_VPN address-set REMOTE_LAN address 150.1.10.10/32
set security address-book ADDR_BOOK_VPN attach zone VPN
set security flow tcp-mss ipsec-vpn mss 1350
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood queue-size 2000
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies from-zone untrust to-zone trust policy UNTRUST_TO_TRUST match source-address any
set security policies from-zone untrust to-zone trust policy UNTRUST_TO_TRUST match destination-address LOCAL_INT_TRUST
set security policies from-zone untrust to-zone trust policy UNTRUST_TO_TRUST match application junos-icmp-all
set security policies from-zone untrust to-zone trust policy UNTRUST_TO_TRUST match application udp_trace
set security policies from-zone untrust to-zone trust policy UNTRUST_TO_TRUST then permit
set security policies from-zone untrust to-zone trust policy UNTRUST_TO_TRUST_EXPLICIT_DENY match source-address any
set security policies from-zone untrust to-zone trust policy UNTRUST_TO_TRUST_EXPLICIT_DENY match destination-address any
set security policies from-zone untrust to-zone trust policy UNTRUST_TO_TRUST_EXPLICIT_DENY match application any
set security policies from-zone untrust to-zone trust policy UNTRUST_TO_TRUST_EXPLICIT_DENY then deny
set security policies from-zone untrust to-zone trust policy UNTRUST_TO_TRUST_EXPLICIT_DENY then log session-init
set security policies from-zone trust to-zone VPN policy TRUST_TO_VPN match source-address LOCAL_LAN
set security policies from-zone trust to-zone VPN policy TRUST_TO_VPN match destination-address REMOTE_LAN
set security policies from-zone trust to-zone VPN policy TRUST_TO_VPN match application any
set security policies from-zone trust to-zone VPN policy TRUST_TO_VPN then permit
set security policies from-zone trust to-zone VPN policy TRUST_TO_VPN then log session-init
set security policies from-zone trust to-zone VPN policy TRUST_TO_VPN_EXPLICIT_DENY match source-address any
set security policies from-zone trust to-zone VPN policy TRUST_TO_VPN_EXPLICIT_DENY match destination-address any
set security policies from-zone trust to-zone VPN policy TRUST_TO_VPN_EXPLICIT_DENY match application any
set security policies from-zone trust to-zone VPN policy TRUST_TO_VPN_EXPLICIT_DENY then deny
set security policies from-zone trust to-zone VPN policy TRUST_TO_VPN_EXPLICIT_DENY then log session-init
set security policies from-zone VPN to-zone trust policy VPN_TO_TRUST match source-address REMOTE_LAN
set security policies from-zone VPN to-zone trust policy VPN_TO_TRUST match destination-address LOCAL_LAN
set security policies from-zone VPN to-zone trust policy VPN_TO_TRUST match application any
set security policies from-zone VPN to-zone trust policy VPN_TO_TRUST then permit
set security policies from-zone VPN to-zone trust policy VPN_TO_TRUST_EXPLICIT_DENY match source-address any
set security policies from-zone VPN to-zone trust policy VPN_TO_TRUST_EXPLICIT_DENY match destination-address any
set security policies from-zone VPN to-zone trust policy VPN_TO_TRUST_EXPLICIT_DENY match application any
set security policies from-zone VPN to-zone trust policy VPN_TO_TRUST_EXPLICIT_DENY then deny
set security policies from-zone VPN to-zone trust policy VPN_TO_TRUST_EXPLICIT_DENY then log session-init
set security zones security-zone trust tcp-rst
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust interfaces lo0.0
set security zones security-zone trust interfaces ge-0/0/1.7
set security zones security-zone trust interfaces ge-0/0/1.79
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic protocols ospf
set security zones security-zone untrust interfaces ge-0/0/1.37
set security zones security-zone VPN interfaces st0.0
set interfaces ge-0/0/1 vlan-tagging
set interfaces ge-0/0/1 unit 7 vlan-id 7
set interfaces ge-0/0/1 unit 7 family inet address 155.1.7.7/24
set interfaces ge-0/0/1 unit 37 vlan-id 37
set interfaces ge-0/0/1 unit 37 family inet address 155.1.37.7/24
set interfaces ge-0/0/1 unit 79 vlan-id 79
set interfaces ge-0/0/1 unit 79 family inet address 155.1.79.7/24
set interfaces fxp0 unit 0
set interfaces lo0 unit 0 family inet address 150.1.7.7/32
set interfaces st0 unit 0 family inet
set routing-options static route 0.0.0.0/0 next-hop 155.1.37.3
set routing-options static route 155.1.9.0/24 next-hop 155.1.79.9
set routing-options static route 150.1.9.9/32 next-hop 155.1.79.9
set protocols ospf area 0.0.0.0 interface lo0.0
set protocols ospf area 0.0.0.0 interface ge-0/0/1.7
set protocols ospf area 0.0.0.0 interface ge-0/0/1.37
set applications application udp_trace protocol udp
set applications application udp_trace destination-port 33434-33534

root@R7-SRX>

### R8 Config ###
root@R8-SRX> show configuration | display set
set version 15.1X49-D80.4
set system host-name R8-SRX
set system root-authentication encrypted-password "$5$By3hRjh3$vRh/4xzIaYTGLPXAMKRkUQbGM4Vwje2I14c6.JrWru9"
set system services ssh
set system services web-management http interface fxp0.0
set system syslog user * any emergency
set system syslog file messages any any
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system syslog file kmd-logs daemon info
set system syslog file kmd-logs match KMD
set system syslog file DENIED_TRAFFIC any any
set system syslog file DENIED_TRAFFIC match RT_FLOW_SESSION_DENY
set system syslog file ALLOWED_TRAFFIC any any
set system syslog file ALLOWED_TRAFFIC match RT_FLOW_SESSION
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set security ike proposal IKE_PROPOSAL authentication-method pre-shared-keys
set security ike proposal IKE_PROPOSAL dh-group group2
set security ike proposal IKE_PROPOSAL authentication-algorithm sha-256
set security ike proposal IKE_PROPOSAL encryption-algorithm aes-256-cbc
set security ike proposal IKE_PROPOSAL lifetime-seconds 86400
set security ike policy IKE_POLICY mode main
set security ike policy IKE_POLICY proposals IKE_PROPOSAL
set security ike policy IKE_POLICY pre-shared-key ascii-text "$9$VnY2aq.5F6Ago5F"
set security ike gateway IKE_GW ike-policy IKE_POLICY
set security ike gateway IKE_GW address 150.1.7.7
set security ike gateway IKE_GW external-interface ge-0/0/1.58
set security ipsec proposal IPSEC_PROPOSAL protocol esp
set security ipsec proposal IPSEC_PROPOSAL authentication-algorithm hmac-md5-96
set security ipsec proposal IPSEC_PROPOSAL encryption-algorithm 3des-cbc
set security ipsec proposal IPSEC_PROPOSAL lifetime-seconds 3600
set security ipsec policy IPSEC_POLICY proposals IPSEC_PROPOSAL
set security ipsec vpn IPSEC_VPN_R7-R8 bind-interface st0.0
set security ipsec vpn IPSEC_VPN_R7-R8 ike gateway IKE_GW
set security ipsec vpn IPSEC_VPN_R7-R8 ike ipsec-policy IPSEC_POLICY
set security ipsec vpn IPSEC_VPN_R7-R8 traffic-selector TRAFFIC_SELECTOR_1 local-ip 150.1.10.10/32
set security ipsec vpn IPSEC_VPN_R7-R8 traffic-selector TRAFFIC_SELECTOR_1 remote-ip 150.1.9.9/32
set security ipsec vpn IPSEC_VPN_R7-R8 establish-tunnels immediately
set security address-book ADDR_BOOK_TRUST address 150.1.8.8/32 150.1.8.8/32
set security address-book ADDR_BOOK_TRUST address 155.1.108.0/24 155.1.108.0/24
set security address-book ADDR_BOOK_TRUST address 155.1.8.0/24 155.1.8.0/24
set security address-book ADDR_BOOK_TRUST address 150.1.10.10/32 150.1.10.10/32
set security address-book ADDR_BOOK_TRUST address-set LOCAL_INT_TRUST address 155.1.8.0/24
set security address-book ADDR_BOOK_TRUST address-set LOCAL_INT_TRUST address 155.1.108.0/24
set security address-book ADDR_BOOK_TRUST address-set LOCAL_INT_TRUST address 150.1.8.8/32
set security address-book ADDR_BOOK_TRUST address-set LOCAL_LAN address 150.1.10.10/32
set security address-book ADDR_BOOK_TRUST attach zone trust
set security address-book ADDR_BOOK_UNTRUST address 155.1.58.0/24 155.1.58.0/24
set security address-book ADDR_BOOK_UNTRUST address-set LOCAL_INT_UNTRUST address 155.1.58.0/24
set security address-book ADDR_BOOK_UNTRUST attach zone untrust
set security address-book ADDR_BOOK_VPN address 150.1.9.9/32 150.1.9.9/32
set security address-book ADDR_BOOK_VPN address-set REMOTE_LAN address 150.1.9.9/32
set security address-book ADDR_BOOK_VPN attach zone VPN
set security flow tcp-mss ipsec-vpn mss 1350
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood queue-size 2000
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies from-zone untrust to-zone trust policy UNTRUST_TO_TRUST match source-address any
set security policies from-zone untrust to-zone trust policy UNTRUST_TO_TRUST match destination-address LOCAL_INT_TRUST
set security policies from-zone untrust to-zone trust policy UNTRUST_TO_TRUST match application junos-icmp-all
set security policies from-zone untrust to-zone trust policy UNTRUST_TO_TRUST match application udp_trace
set security policies from-zone untrust to-zone trust policy UNTRUST_TO_TRUST then permit
set security policies from-zone untrust to-zone trust policy UNTRUST_TO_TRUST_EXPLICIT_DENY match source-address any
set security policies from-zone untrust to-zone trust policy UNTRUST_TO_TRUST_EXPLICIT_DENY match destination-address any
set security policies from-zone untrust to-zone trust policy UNTRUST_TO_TRUST_EXPLICIT_DENY match application any
set security policies from-zone untrust to-zone trust policy UNTRUST_TO_TRUST_EXPLICIT_DENY then deny
set security policies from-zone untrust to-zone trust policy UNTRUST_TO_TRUST_EXPLICIT_DENY then log session-init
set security policies from-zone trust to-zone VPN policy TRUST_TO_VPN match source-address LOCAL_LAN
set security policies from-zone trust to-zone VPN policy TRUST_TO_VPN match destination-address REMOTE_LAN
set security policies from-zone trust to-zone VPN policy TRUST_TO_VPN match application any
set security policies from-zone trust to-zone VPN policy TRUST_TO_VPN then permit
set security policies from-zone trust to-zone VPN policy TRUST_TO_VPN then log session-init
set security policies from-zone trust to-zone VPN policy TRUST_TO_VPN_EXPLICIT_DENY match source-address any
set security policies from-zone trust to-zone VPN policy TRUST_TO_VPN_EXPLICIT_DENY match destination-address any
set security policies from-zone trust to-zone VPN policy TRUST_TO_VPN_EXPLICIT_DENY match application any
set security policies from-zone trust to-zone VPN policy TRUST_TO_VPN_EXPLICIT_DENY then deny
set security policies from-zone trust to-zone VPN policy TRUST_TO_VPN_EXPLICIT_DENY then log session-init
set security policies from-zone VPN to-zone trust policy VPN_TO_TRUST match source-address REMOTE_LAN
set security policies from-zone VPN to-zone trust policy VPN_TO_TRUST match destination-address LOCAL_LAN
set security policies from-zone VPN to-zone trust policy VPN_TO_TRUST match application any
set security policies from-zone VPN to-zone trust policy VPN_TO_TRUST then permit
set security policies from-zone VPN to-zone trust policy VPN_TO_TRUST then log session-init
set security policies from-zone VPN to-zone trust policy VPN_TO_TRUST_EXPLICIT_DENY match source-address any
set security policies from-zone VPN to-zone trust policy VPN_TO_TRUST_EXPLICIT_DENY match destination-address any
set security policies from-zone VPN to-zone trust policy VPN_TO_TRUST_EXPLICIT_DENY match application any
set security policies from-zone VPN to-zone trust policy VPN_TO_TRUST_EXPLICIT_DENY then deny
set security policies from-zone VPN to-zone trust policy VPN_TO_TRUST_EXPLICIT_DENY then log session-init
set security zones security-zone trust tcp-rst
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust interfaces lo0.0
set security zones security-zone trust interfaces ge-0/0/1.8
set security zones security-zone trust interfaces ge-0/0/1.108
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic protocols ospf
set security zones security-zone untrust interfaces ge-0/0/1.58
set security zones security-zone VPN interfaces st0.0
set interfaces ge-0/0/1 vlan-tagging
set interfaces ge-0/0/1 unit 8 vlan-id 8
set interfaces ge-0/0/1 unit 8 family inet address 155.1.8.8/24
set interfaces ge-0/0/1 unit 58 vlan-id 58
set interfaces ge-0/0/1 unit 58 family inet address 155.1.58.8/24
set interfaces ge-0/0/1 unit 108 vlan-id 108
set interfaces ge-0/0/1 unit 108 family inet address 155.1.108.8/24
set interfaces fxp0 unit 0
set interfaces lo0 unit 0 family inet address 150.1.8.8/32
set interfaces st0 unit 0 family inet
set routing-options static route 0.0.0.0/0 next-hop 155.1.58.5
set routing-options static route 155.1.10.0/24 next-hop 155.1.108.10
set routing-options static route 150.1.10.10/32 next-hop 155.1.108.10
set protocols ospf area 0.0.0.0 interface lo0.0
set protocols ospf area 0.0.0.0 interface ge-0/0/1.58
set protocols ospf area 0.0.0.0 interface ge-0/0/1.8
set applications application udp_trace protocol udp
set applications application udp_trace destination-port 33434-33534

root@R8-SRX>
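Added example, not from the post and not a Juniper tool: a Python linter that reads the two `display set` configs above (trimmed to the statements it checks, as a constructed sample) and verifies the mirror-image facts a route-based VPN needs once IKE is up: each gateway address is the peer's external-interface address, the zone holding the external interface accepts host-inbound IKE, st0.0 is in a zone that has a permit policy to and from the LAN zone in both directions, and the traffic selectors are exact mirrors. The LAN zone name, one VPN per box, and reading a bare `lo0` as `lo0.0` are assumptions of the example; two constructed broken variants show what a finding looks like.

```python
"""Mirror-image linter for a pair of SRX route-based VPN configs (display set).
Added example for this thread, not code from the post or from Juniper.
Assumes one VPN per box, a caller-supplied LAN zone name, and that a bare
'lo0' given as external-interface means lo0.0."""

# Constructed input: the two configs posted in the thread, cut down to the
# statements the checks read.
R7_CONF = """
set security ike gateway IKE_GW address 155.1.58.8
set security ike gateway IKE_GW external-interface lo0
set security ipsec vpn IPSEC_VPN_R7-R8 bind-interface st0.0
set security ipsec vpn IPSEC_VPN_R7-R8 ike gateway IKE_GW
set security ipsec vpn IPSEC_VPN_R7-R8 traffic-selector TRAFFIC_SELECTOR_1 local-ip 150.1.9.9/32
set security ipsec vpn IPSEC_VPN_R7-R8 traffic-selector TRAFFIC_SELECTOR_1 remote-ip 150.1.10.10/32
set security policies from-zone trust to-zone VPN policy TRUST_TO_VPN then permit
set security policies from-zone VPN to-zone trust policy VPN_TO_TRUST then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust interfaces lo0.0
set security zones security-zone VPN interfaces st0.0
set interfaces lo0 unit 0 family inet address 150.1.7.7/32
"""
R8_CONF = """
set security ike gateway IKE_GW address 150.1.7.7
set security ike gateway IKE_GW external-interface ge-0/0/1.58
set security ipsec vpn IPSEC_VPN_R7-R8 bind-interface st0.0
set security ipsec vpn IPSEC_VPN_R7-R8 ike gateway IKE_GW
set security ipsec vpn IPSEC_VPN_R7-R8 traffic-selector TRAFFIC_SELECTOR_1 local-ip 150.1.10.10/32
set security ipsec vpn IPSEC_VPN_R7-R8 traffic-selector TRAFFIC_SELECTOR_1 remote-ip 150.1.9.9/32
set security policies from-zone trust to-zone VPN policy TRUST_TO_VPN then permit
set security policies from-zone VPN to-zone trust policy VPN_TO_TRUST then permit
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/1.58
set security zones security-zone VPN interfaces st0.0
set interfaces ge-0/0/1 unit 58 family inet address 155.1.58.8/24
"""
# Constructed broken variants, to show what a finding looks like.
R8_BAD_TS = R8_CONF.replace("remote-ip 150.1.9.9/32", "remote-ip 150.1.9.0/24")
R7_NO_ZONE = R7_CONF.replace("set security zones security-zone VPN interfaces st0.0\n", "")


def model(conf):
    """Reduce 'set' lines to the facts the checks need."""
    m = {"gw": {}, "vpn": {}, "addr": {}, "zone_of": {}, "hib": {}, "permit": set()}
    for line in conf.splitlines():
        t = line.split()[1:] if line.startswith("set ") else None
        if not t:
            continue
        if t[:3] == ["security", "ike", "gateway"] and t[4] in ("address", "external-interface"):
            val = t[5] if "." in t[5] or t[4] == "address" else t[5] + ".0"   # bare lo0 -> lo0.0
            m["gw"].setdefault(t[3], {})[t[4]] = val
        elif t[:3] == ["security", "ipsec", "vpn"]:
            v = m["vpn"].setdefault(t[3], {"ts": {}})
            if t[4] == "bind-interface":
                v["bind"] = t[5]
            elif t[4:6] == ["ike", "gateway"]:
                v["gw"] = t[6]
            elif t[4] == "traffic-selector":
                v["ts"].setdefault(t[5], {})[t[6]] = t[7]          # local-ip / remote-ip
        elif t[:1] == ["interfaces"] and t[2:3] == ["unit"] and "address" in t:
            m["addr"][f"{t[1]}.{t[3]}"] = t[t.index("address") + 1].split("/")[0]
        elif t[:3] == ["security", "zones", "security-zone"] and t[4] == "interfaces":
            m["zone_of"][t[5]] = t[3]
        elif t[:3] == ["security", "zones", "security-zone"] and t[4:6] == ["host-inbound-traffic", "system-services"]:
            m["hib"].setdefault(t[3], set()).add(t[6])
        elif t[:2] == ["security", "policies"] and t[-2:] == ["then", "permit"]:
            m["permit"].add((t[3], t[5]))                            # (from-zone, to-zone)
    return m


def check_side(local, peer, lan_zone):
    """Findings for one box against its peer; an empty list means consistent."""
    vname, v = next(iter(local["vpn"].items()))
    pv = next(iter(peer["vpn"].values()))
    gw, pgw = local["gw"].get(v.get("gw"), {}), peer["gw"].get(pv.get("gw"), {})
    ext, bind = gw.get("external-interface"), v.get("bind")
    out = []
    if ext not in local["addr"]:
        out.append(f"external-interface {ext} has no inet address")
    if gw.get("address") != peer["addr"].get(pgw.get("external-interface")):
        out.append(f"gateway address {gw.get('address')} is not the peer's external-interface address")
    if not {"ike", "all"} & local["hib"].get(local["zone_of"].get(ext), set()):
        out.append(f"zone holding {ext} does not allow host-inbound ike")
    st_zone = local["zone_of"].get(bind)
    if st_zone is None:
        out.append(f"{bind} is not a member of any security zone")
    else:
        for pair in ((lan_zone, st_zone), (st_zone, lan_zone)):
            if pair not in local["permit"]:
                out.append(f"no permit policy from-zone {pair[0]} to-zone {pair[1]}")
    mine = {(ts.get("local-ip"), ts.get("remote-ip")) for ts in v["ts"].values()}
    theirs = {(ts.get("remote-ip"), ts.get("local-ip")) for ts in pv["ts"].values()}
    if mine != theirs:
        out.append(f"traffic selectors {sorted(mine)} do not mirror the peer's {sorted(theirs)}")
    return [f"{vname}: {f}" for f in out]


def lint_pair(conf_a, conf_b, lan_zone="trust"):
    a, b = model(conf_a), model(conf_b)
    return {"A": check_side(a, b, lan_zone), "B": check_side(b, a, lan_zone)}
```

On the configs as posted it returns no findings on either side, which matches the thread: the static picture is consistent, so the loss has to be located in the data path rather than in a typo. The checks are deliberately textual; they do not resolve address books, so a policy whose address-set does not actually contain the selector prefixes is outside what they catch, and they do not look at routing for the remote prefix at all.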

kaydubbed
Posts: 2
Joined: Tue Dec 19, 2017 10:41 pm

Re: Cannot pass ping through Site-to-Site Route-based VPN between Two SRX's

Post by kaydubbed » Tue Dec 19, 2017 11:44 pm

Do a traceroute and see if it even hits the tunnel. Are you sure the traffic is originating from Lo0.0? You can also capture on each network segment. In the real world, this issue [tunnel up, traffic not passing] is the result of a routing issue [traffic not marked as interesting and encapsulated into the tunnel, or return traffic having the same problem] or an ACL on one of the routers denying ICMP [or the tunnel not allowing ICMP through].

I don't use this device, but I manage L2L tunnels every day for work and thought I could give some input.
