When the ICMP replies stops i can no longer see the following:Ģ68173313 ESP:3des/sha1 XXXXXXX 3531/ unlim U root 500 95.192.214.166Īnd i get the following messages from the log config you sent: I can confirm that the configs are the same on the devices and it's phase 2 thats going down. Protocol inet, MTU: 9192, Generation: 159, Route table: 0Īddresses, Flags: Is-Preferred Is-Primaryĭestination: 192.168.1.32/30, Local: 192.168.1.33, Broadcast: Unspecified, Generation: 158 Logical interface st0.11 (Index 80) (SNMP ifIndex 538) (Generation 145)įlags: Point-To-Point SNMP-Traps Encapsulation: Secure-TunnelĪllowed host-inbound traffic : bootp dns dhcp finger ftp tftp ident-reset http https ike netconf ping reverse-telnet reverse-ssh rlogin rpm rsh snmp snmp-trap ssh telnet traceroute xnm-clear-text xnm-ssl lsping ntp sip r2cpįlow error statistics (Packets dropped due to): Set routing-options static route 192.168.253.0/24 next-hop st0.11 show interfaces st0.11 detail Set security zones security-zone trust address-book address NETLARM 192.168.253.0/24 Set security policies from-zone trust to-zone trust policy policy_in_STHLARM then permit Set security policies from-zone trust to-zone trust policy policy_in_STHLARM match application any Set security policies from-zone trust to-zone trust policy policy_in_STHLARM match destination-address any Set security policies from-zone trust to-zone trust policy policy_in_STHLARM match source-address NETLARM Set security policies from-zone trust to-zone trust policy policy_out_STHLARM then permit Set security policies from-zone trust to-zone trust policy policy_out_STHLARM match application any Set security policies from-zone trust to-zone trust policy policy_out_STHLARM match destination-address NETLARM
Set security policies from-zone trust to-zone trust policy policy_out_STHLARM match source-address any Set security ipsec vpn STHLARM establish-tunnels immediately Set security ipsec vpn STHLARM ike ipsec-policy ipsec_pol_STHLARM Set security ipsec vpn STHLARM ike gateway gw_STHLARM Set security ipsec vpn STHLARM vpn-monitor Set security ipsec vpn STHLARM bind-interface st0.11 Set security ipsec policy ipsec_pol_STHLARM proposal-set standard Set security ipsec policy ipsec_pol_STHLARM perfect-forward-secrecy keys group2 Set security ike gateway gw_STHLARM version v2-only Set security ike gateway gw_STHLARM external-interface ge-0/0/1.0 Set security ike gateway gw_STHLARM dead-peer-detection Set security ike gateway gw_STHLARM dynamic hostname larm-branch Set security ike gateway gw_STHLARM ike-policy ike_pol_STHLARM
Set security ike policy ike_pol_STHLARM pre-shared-key ascii-text "$342fasfasd." Set security ike policy ike_pol_STHLARM proposal-set standard Set security ike policy ike_pol_STHLARM mode aggressive Pre-shared-key ascii-text "$u812u0." # SECRET-DATA There are 8 other VPN connections with static IP's and without aggresive mode that are fully functional. On the "other" side there is an dynamic IP so IKE is configured with FQDN 'larm-branch'. The tunnel is open, the IKE negotiations are done, a static route is configured to the IF but every 100 seconds the SRX drops the static route and a 'ping -t' stops, to then continue after 30 seconds when the route is active again.
We have 2 SRX100's that are configured with policy based VPN.
0 kommentar(er)
