AshivinO, I tried your suggestion, did not work.
Thanks
rsuraj wrote: Can you check if there is any other import policy? If yes, we need to make sure the last term on that policy states "next-policy" instead of "reject". You may use the command below to check if there are any other import policies:
> show configuration routing-instances Untrust-vr routing-options instance-import
Hi
Yes, there are other import policies configured.
root@CWFWGI01> show configuration routing-instances Untrust-vr routing-options instance-import
instance-import [ APN03_public SWu_Route SES_Ruta ];
They were configured previously. Some of them are applied on the Untrust VR, some are not. Some might not even be used, but they are there.
Here they are.
set policy-options policy-statement APN03_public term 1 from instance Trust-vr
set policy-options policy-statement APN03_public term 1 from protocol ospf
set policy-options policy-statement APN03_public term 1 from route-filter 201.225.230.0/24 exact
set policy-options policy-statement APN03_public term 1 then accept
set policy-options policy-statement SES_Ruta term 1 from instance Trust-vr
set policy-options policy-statement SES_Ruta term 1 from protocol direct
set policy-options policy-statement SES_Ruta term 1 from route-filter 192.168.27.64/28 exact
set policy-options policy-statement SES_Ruta term 1 then accept
set policy-options policy-statement SES_Ruta term 2 then reject
set policy-options policy-statement SWu_Route term 1 from instance Trust-vr
set policy-options policy-statement SWu_Route term 1 from protocol static
set policy-options policy-statement SWu_Route term 1 from route-filter 192.168.166.26/32 exact
set policy-options policy-statement SWu_Route term 1 then accept
set policy-options policy-statement SWu_Route term 2 then reject
set policy-options policy-statement bgp-network term 1 from protocol aggregate
set policy-options policy-statement bgp-network term 1 from route-filter 201.227.226.128/26 orlonger
set policy-options policy-statement bgp-network term 1 then accept
set policy-options policy-statement bgp-network_Balboa term 1 from protocol aggregate
set policy-options policy-statement bgp-network_Balboa term 1 from route-filter 201.227.226.144/29 exact
set policy-options policy-statement bgp-network_Balboa term 1 from route-filter 201.227.226.128/26 exact
set policy-options policy-statement bgp-network_Balboa term 1 then accept
set policy-options policy-statement bgp-network_JF term 1 from protocol aggregate
set policy-options policy-statement bgp-network_JF term 1 from route-filter 201.227.226.136/29 exact
set policy-options policy-statement bgp-network_JF term 1 from route-filter 201.227.226.128/26 exact
set policy-options policy-statement bgp-network_JF term 1 then accept
set policy-options policy-statement bgp-network_apn03 term 1 from route-filter 201.225.230.0/24 exact
set policy-options policy-statement bgp-network_apn03 term 1 then accept
set policy-options policy-statement exportstatic1 term exportstatic1 from protocol static
set policy-options policy-statement exportstatic1 term exportstatic1 then accept
set policy-options policy-statement ospf-default from protocol static
set policy-options policy-statement ospf-default from route-filter 0.0.0.0/0 exact
set policy-options policy-statement ospf-default then accept
Thanks for your quick answer.
I understand a 10G would not be officially supported, but can it work though?
Thanks
Hello,
I can see Your troubles start after this line:
Sep 19 14:52:24 [10.42.131.81 <-> 10.42.147.32] kmd_pm_ike_match_remote_id: Remote ID check failed, Received ID(type = dn (9), len = 82, value = 3050312d 302b0603 55040313 244b3931 34333131 36313434 2e6e6f6b 69617369 656d656e 736e6574 776f726b 732e636f 6d311f30 1d060355 040a1316 4e6f6b69 61205369 656d6
Sep 19 14:52:24 [10.42.131.81 <-> 10.42.147.32] kmd_pm_ike_match_remote_id: remote ID check failed
Sep 19 14:52:24 [10.42.131.81 <-> 10.42.147.32] IKE SA negotiation failed for remote-ip:10.42.147.32,do tunnel failover
You need to explicitly configure local-id and remote-id to be FQDN, since JUNOS responder tries to match IP addresses by default.
set services ipsec-vpn ike policy all-ca-level-l1 remote-id fqdn BLAH-BLAH
set services ipsec-vpn ike policy all-ca-level-l1 local-id fqdn BLAH-BLAH-BLAH
etc etc
HTH
Thx
Alex
No it won't work. A standard SFP port will only support 1G optics. You need an SFP+ port to be able to use 10G optics. This is a basic hardware standard, nothing to do with support for the config or not.
Yes, your policy chain has three policies.
APN03_public SWu_Route SES_Ruta
So the final chain looks like this:
set policy-options policy-statement APN03_public term 1 from instance Trust-vr
set policy-options policy-statement APN03_public term 1 from protocol ospf
set policy-options policy-statement APN03_public term 1 from route-filter 201.225.230.0/24 exact
set policy-options policy-statement APN03_public term 1 then accept
set policy-options policy-statement SWu_Route term 1 from instance Trust-vr
set policy-options policy-statement SWu_Route term 1 from protocol static
set policy-options policy-statement SWu_Route term 1 from route-filter 192.168.166.26/32 exact
set policy-options policy-statement SWu_Route term 1 then accept
set policy-options policy-statement SWu_Route term 2 then reject
set policy-options policy-statement SES_Ruta term 1 from instance Trust-vr
set policy-options policy-statement SES_Ruta term 1 from protocol direct
set policy-options policy-statement SES_Ruta term 1 from route-filter 192.168.27.64/28 exact
set policy-options policy-statement SES_Ruta term 1 then accept
set policy-options policy-statement SES_Ruta term 2 then reject
The bolded term in SWu_Route will need to be removed.
But you will need to look at all the other uses of this policy to see if you need a final reject term added.
The more universal policy chain would eliminate the final reject term from ALL policies, then create a "reject"-only policy that you add as the LAST policy in every chain.
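To see why the final reject term matters, here is an added example (my own Python, not Juniper's code or anything posted in the thread) that models first-match evaluation of an instance-import chain and runs the direct route 192.168.27.64/28 through the original chain, the chain with SWu_Route term 2 removed, and rsuraj's next-policy variant. The policy terms are transcribed from the posted configuration; route-filter is modelled only for exact and orlonger, and the sample route is constructed.

```python
import ipaddress

# Added example, not Juniper code: a first-match model of a Junos policy
# chain; route-filter is modelled for "exact" and "orlonger" only.

def prefix_matches(prefix, mode, route):
    net, r = ipaddress.ip_network(prefix), ipaddress.ip_network(route["prefix"])
    return r == net if mode == "exact" else r.subnet_of(net)

def term_matches(term, route):
    """Every 'from' condition must hold; a term with no 'from' matches all."""
    f = term.get("from", {})
    if any(k in f and route.get(k) != f[k] for k in ("instance", "protocol")):
        return False
    return "route_filter" not in f or prefix_matches(*f["route_filter"], route)

def evaluate_chain(chain, route, default="reject"):
    """Policies run in order; the first accept/reject wins, next-policy skips
    ahead. Returns (action, policy, term); default applies if nothing terminated."""
    for policy, terms in chain:
        for name, term in terms:
            if term_matches(term, route):
                if term["then"] in ("accept", "reject"):
                    return term["then"], policy, name
                if term["then"] == "next-policy":
                    break
    return default, None, None

def mk_term(then, **conditions):
    return {"from": conditions, "then": then}

# Policies transcribed from the posted configuration.
APN03_public = [("1", mk_term("accept", instance="Trust-vr", protocol="ospf",
                              route_filter=("201.225.230.0/24", "exact")))]
SWu_Route = [("1", mk_term("accept", instance="Trust-vr", protocol="static",
                           route_filter=("192.168.166.26/32", "exact"))),
             ("2", mk_term("reject"))]
SES_Ruta = [("1", mk_term("accept", instance="Trust-vr", protocol="direct",
                          route_filter=("192.168.27.64/28", "exact"))),
            ("2", mk_term("reject"))]
ORIGINAL = [("APN03_public", APN03_public), ("SWu_Route", SWu_Route),
            ("SES_Ruta", SES_Ruta)]
# The thread's fix: drop SWu_Route term 2 so evaluation falls through to SES_Ruta.
FIXED = [("APN03_public", APN03_public), ("SWu_Route", SWu_Route[:1]),
         ("SES_Ruta", SES_Ruta)]
# rsuraj's alternative: end SWu_Route with next-policy instead of reject.
SWu_NP = SWu_Route[:1] + [("2", mk_term("next-policy"))]
NEXT_POLICY = [("APN03_public", APN03_public), ("SWu_Route", SWu_NP), ("SES_Ruta", SES_Ruta)]
# Constructed route that SES_Ruta is meant to import.
DIRECT = {"instance": "Trust-vr", "protocol": "direct", "prefix": "192.168.27.64/28"}
```

evaluate_chain(ORIGINAL, DIRECT) stops at SWu_Route term 2 with a reject, while both FIXED and NEXT_POLICY let the route reach SES_Ruta term 1 and accept it.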
I'm not sure I follow the problem, but I think what you describe is the behavior of OSPF. The area will send the same routes to all the ABRs and you can't send different routes to different ones.
My apologies for not being clear.
I want to only send my aggregate routes to area 0.0.0.0.
I had assumed that the following would send ospf default route to all areas/interfaces but only send the aggregated routes to area 0.0.0.0 on ge-0/0/4.
I guess what I am saying is that I want to apply the send-aggregate policy to the 0.0.0.0 area only but the below only sends the default route and the routes from the send-aggregate policy do not appear in the ospf database. If I change the "set protocols ospf export send-default" to "set protocols ospf export send-aggregate" this sends the aggregate routes but since there is no area defined in the global ospf settings I assume this would send out all interfaces.
set protocols ospf enable
set protocols ospf export send-default
set protocols ospf area 0.0.0.0 network-summary-export send-aggregate
set protocols ospf area 0.0.0.0 interface ge-0/0/4.0
Hi,
Rebooting the SRX would take care of the message.
Regards,
Sahil Sharma
Hi aarseniev,
Where can I find the local-id and remote-id FQDN? Is there any command to verify that in the CLI on Juniper?
Hello,
You could decode the logs to get them:
3050312d 302b0603 55040313 244b3931 34333131 36313434 2e6e6f6b 69617369 656d656e 736e6574 776f726b 732e636f 6d311f30 1d060355 040a1316 4e6f6b69 61205369 656d6
decodes to:
0P1-0+U$K9143116144.nokiasiemensnetworks.com10UNokia Siem
http://www.rapidtables.com/convert/number/hex-to-ascii.htm
Does it ring a bell? DNs You used in the certificates, perhaps?
HTH
Thx
Alex
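The hex-to-ASCII conversion above shows the readable names but not the structure around them. As an added example (my own Python, not the poster's or Juniper's code), the following parses the logged hex as the DER-encoded X.501 Name it is, labels each attribute (CN, O) and flags that the log cut the value off mid-byte. The hex constant is transcribed from the log line quoted in the thread; the OID table is mine.

```python
import binascii

# Added example, not from the thread or Juniper: a minimal DER parser for
# the X.501 Name that the SRX prints as hex after "Received ID(type = dn".
# The hex below is transcribed from the log quoted in the thread; the log
# cuts the value off mid-byte, so the parser reports truncation.
LOG_HEX = ("3050312d 302b0603 55040313 244b3931 34333131 36313434 2e6e6f6b "
           "69617369 656d656e 736e6574 776f726b 732e636f 6d311f30 1d060355 "
           "040a1316 4e6f6b69 61205369 656d6")
# Attribute type OIDs under 2.5.4 that appear in typical certificate DNs.
OIDS = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU",
        b"\x55\x04\x06": "C", b"\x55\x04\x07": "L", b"\x55\x04\x08": "ST"}


def tlv(buf, pos):
    """Short-form DER TLV at pos -> (tag, value, next_pos). The value is
    shorter than its declared length when the buffer was cut off."""
    if pos + 2 > len(buf):
        raise ValueError("DER data ends before a tag/length pair")
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form lengths are not needed for a short DN")
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length


def decode_dn(log_hex):
    """Return ([(attr, value), ...], truncated) for the logged hex DN."""
    digits = "".join(log_hex.split())
    truncated = len(digits) % 2 == 1            # dangling nibble from the log
    der = binascii.unhexlify(digits[:len(digits) & ~1])
    tag, body, _ = tlv(der, 0)
    if tag != 0x30:
        raise ValueError("a Name must start with SEQUENCE (0x30)")
    truncated |= len(body) < der[1]
    rdns, pos = [], 0
    while pos < len(body):
        _, rdn, pos = tlv(body, pos)            # SET OF AttributeTypeAndValue
        _, atv, _ = tlv(rdn, 0)                 # SEQUENCE { type OID, value }
        _, oid, p = tlv(atv, 0)
        _, value, _ = tlv(atv, p)
        rdns.append((OIDS.get(oid, oid.hex()), value.decode("latin-1")))
    return rdns, truncated


def dn_string(rdns):
    """Render as CN=...,O=... in the order the certificate carries them."""
    return ",".join(f"{k}={v}" for k, v in rdns)
```

For the quoted log, decode_dn reports CN=K9143116144.nokiasiemensnetworks.com and a truncated O=Nokia Siem, so the full O value has to be read from the certificate itself rather than from the log.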
Hi,
You would probably need a combination of host-inbound services allowed and security policies permitting the traffic to junos-host zone:
https://kb.juniper.net/InfoCenter/index?page=content&id=KB24227&actp=search
Cheers,
Ashvin
Hi,
15.1X49-D60 was released a few hours ago with support for Remote access VPN client (dynamic vpn). No need for third party solutions anymore.
The CLI shows 2 licenses included with the box:
root@srx300> show system license
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  dynamic-vpn                           0            2           0    permanent
I expect the license scheme used on the SRX300 is the same as the legacy branch series (SRX-RAC-X-LTU where X is 5,10,25,50,100,150,250) but please check with your reseller/partner to avoid issues.
The SRX-RAC- licenses are still present in the latest pricelist from Juniper.
Hi,
Non-ospf routes are considered external routes [LSA Type 5] and have an inter-area flooding scope, hence policies are applied globally and external routes are exported to all areas under ospf.
set protocols ospf area 0.0.0.0 network-summary-export send-aggregate
The above command is for Network Summary LSAs [Type 3] which are generated by an ABR in a multi area OSPF topology. The export policy [send-aggregate] enables you to specify which network summary LSAs are flooded into an area. It is possible to summarize Type 3 LSAs using area-range.
I believe in your case the [static/aggregate] routes injected into ospf thus cannot be constrained to specific ospf interfaces.
Cheers,
Ashvin
Yes, you are right. This is the DN I used in the CA. So the remote fqdn would be "nokiasiemensnetworks.com" or "K9143116144.nokiasiemensnetworks.com"?
What about local fqdn ?
Just to confirm. Dynamic VPN on new software D60 is working and it is using the licenses installed on the box:
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  dynamic-vpn                           1            2           0    permanent
Instructions for configuring dynamic vpn with Pulse Secure client:
In free time I may check if now I can get Shrew to work to bypass the need to use dynamic-vpn licenses.
Hello,
Please start with configuring the "remote-id" exactly the same as the DN used in the certificate on the remote peer.
You don't need to configure "local-id" yet.
If IKE is again giving You probs, then You can try to configure anything You want as local-id/remote-id pair and re-try.
HTH
Thx
Alex