when using point-tpoint VPN is it a must that both st0 interface be in the same subnet ???
when using multi point VPN is it a must that all st0 interfaces be in the same subnet ???
↧
Route-based VPN
↧
Re: Route-based VPN
Yes, when doing the route based vpn you should think of the links between the tunnel interfaces as if they were connected physical interfaces.
So for the point-to-point links are in the same subnet.
And the the multi-point links all vpn interfaces are in the same broadcast domain and subnet.
This allows normal routing protocols like OSPF then to work for the segment you connect.
↧
↧
Re: Route-based VPN
Dear Steve,
thx for you r replay
please i have one more issue, is that when i was wtuding GRE over IPSEC configuration i found that they are using st0 (un-number) which was very confusing
https://kb.juniper.net/InfoCenter/index?page=content&id=KB19372&actp=METADATA
↧
Re: Route-based VPN
You only need to use GRE over IPSEC if you are connecting to another vendor that requires GRE encapsulation. Juniper and many other vendors support having broadcast traffic like OSPF directly over IPSEC without further tunneling.
That GRE over IPSEC is mainly used with older Cisco versions that required the double tunnel.
↧
Re: Transition vpn from SRX220 to SRX300
Thanks for the info. I'm on the latest junos version for the SRX300 (15.1X49-D80.4).
I'd go with an SSL VPN but is there a client that works on the iPhone/iPad? AFAIK an NCP client doesn't exist for iPhone/iPad yet.
My configuration had been a scaled back version based on this thread (http://forums.juniper.net/t5/Security/How-To-Apple-iPhone-iPad-VPN-to-Juniper-SRX/ta-p/290254) with no certs and using local users. I'm starting to get the feeling that the dynamic VPN support just isn't fully there yet in 15.1.
I'll keep playing around a bit, but maybe D85 or D90 will 'fix it'. I realize this isn't a valid gateway config, just wanted to show some of the config warnings / checkout issues I was receving.
##
## Warning: When dynamic ike-user-type is configured, IKEv2 with authentication-method pre-shared-key is not allowed
##
ike-policy ike-phase1-policy;
dynamic {
user-at-hostname "demarcop@thedemarcos.dyndns.org";
ike-user-type shared-ike-id;
}
local-identity inet 1.1.1.1;
external-interface ge-0/0/0.0;
aaa {
##
## Warning: DEP is not allowed with AAA access profile.
##
access-profile home_vpn;
}
xauth { ## Warning: 'xauth' is deprecated
access-profile home_vpn;
}
version v2-only;
↧
↧
Re: Setting up PPPoE with username and password
thanks for the link looks like thats what i need
its a little differnt using the j web but the cli should do
than ks for the help
regards FIleFinish180
↧
SRX Cluster to L3/L2 Switch
Hello guys,
Looking to implement intervlan routing, using an SRX 550 (cluster) and a cisco L3 switch, what is Junipers design recommendation SRX on a stick or RVI ?
Thank you
↧
Re: office365
I know this is an old topic, but the problem does not go away.
However people who are familiar with XML and Juos Automation have the tools to solve this problem.
Note -
- The list of Microsoft sites associated with Office 365, Azure, Exchange, OneDrive, Skype, (and quite a few others), is not only long it is dynamic and volatile.
- Microsoft operates a RSS feed that contains additions, updates and deletions to the list of valid IP address /domain names. Usually new information is released during the last three businerss days of each month.
- The underlying format for RSS is XML
- I don't know, because I know nothing about Junos Automation, but I surmise that it must be relatively trivial to take automate collecting the data from the RSS feed and converting it to a format that can be used to automate an address book for the SRX. This capability is alluded to on page 4 of Woodberg & Cameron's Juniper SRX Series - O'Reilly 2013.
- Being able to automate a task such as updating the Microsoft address book is just as important for small offices as it is for data centres and carriers. Few small offices have suitably qualified IT staff to make these updates, automation solves that problem.
- As far as Exchange is concerned, it is common for users to include calendars created by others that cover events outside the office environment, these also need updating.
Quite obviously a number of us who are new to Junos / SRX are in need of assistance in implementing such a process. If the task is automated, the size of the address list is not significant.
↧
Re: SRX Cluster to L3/L2 Switch
to shed more light on my previous post, the reth 0 is our LAN facing interface. For the implentation i hope to configure SVIs on the cisco 3850 and have the subnets advertised to the SRX which is the Edge device on the network through a static route and a physical connection from the routed interface on the 3850 with an IP address of 192.168.0.2 to the Reth interface of the SRX ip address 192.168.0.2. The issue is having the SRX talk to the 3850, am wondering if LACP is a viable option, and what the configuration on the Reth interface will look like.
↧
↧
Re: SRX Cluster to L3/L2 Switch
My apologies, IP address of the reth interfaces is 192.168.0.1
↧
Re: SRX Cluster to L3/L2 Switch
You should follow the first example design in this document begining on page 10,
1) Basic Active/Standby scenario
https://kb.juniper.net/library/CUSTOMERSERVICE/GLOBAL_JTAC/NT260/SRX_HA_Deployment_Guide.pdf
↧
Remote access VPN clients on RIs
According to the above diagram, RA VPN client A has to access his resources on 10.2.3/24 A location. Like wise B has to access his resources on 10.2.3/24 B location.
A and B are two different companies. We can achive our goal if we can bind RA VPN clients on seperate RIs based on the ike pre-shared key.
Kindle share expert knowledge to solve this problem.
↧
Betreff: please confirm if system storage is ok or it can hamper services
devfs 1.0K 1.0K 0B 100% /junos/dev/
procfs 4.0K 4.0K 0B 100% /proc
/dev/md0 522M 522M 0B 100% /junos
devfs 1.0K 1.0K 0B 100% /dev
devfs 1.0K 1.0K 0B 100% /jail/dev
what does above directories represent?
100% can cause any impact?
↧
↧
Re: HIGH SESSION UTILIZATION IN SRX 1400
Hello,
So if i need to install SPC in slot 2, then i need to do in low traffic hours.
I just need to put the card SPC in slot 2 and reboot the firewall?
Or are there any pre-requisite?
↧
Re: VPN Hub and Spoke with IP Dynamic tunnel up but can not ping
Thank you but it isn't work with my case. I tried with vpn-monitor, dead peer detection, SA life time aren't successful. Anyway, i can control with ping source and restart ipsec-key-management. Thank you very much.
↧
Re: SRX Cluster to L3/L2 Switch
Thank you so much....Will go through the doc right away.
↧
Betreff: please confirm if system storage is ok or it can hamper services
Hi,
Folders such as /dev those are a device files "dev=device" , and its ok to be at 100% usage .
Notice if you issue the request storage cleanup command those files will stay at 100% usage because this command mostly will affect the /var /tmp /log .. folders .
root> show system storage
fpc0:
--------------------------------------------------------------------------
Filesystem Size Used Avail Capacity Mounted on
/dev/da0s1a 183M 112M 57M 66% /
devfs 1.0K 1.0K 0B 100% /dev
/dev/md0 58M 58M 0B 100% /packages/mnt/jbase
/dev/md1 2.6M 2.6M 0B 100% /packages/mnt/fips-mode-arm-12.3R9.4
/dev/md2 11M 11M 0B 100% /packages/mnt/jcrypto-ex-12.3R9.4
/dev/md3 5.0M 5.0M 0B 100% /packages/mnt/jdocs-ex-12.3R9.4
/dev/md4 87M 87M 0B 100% /packages/mnt/jkernel-ex-2200-12.3R9.4
/dev/md5 18M 18M 0B 100% /packages/mnt/jpfe-ex22x-12.3R9.4
/dev/md6 31M 31M 0B 100% /packages/mnt/jroute-ex-12.3R9.4
/dev/md7 18M 18M 0B 100% /packages/mnt/jswitch-ex-12.3R9.4
/dev/md8 24M 24M 0B 100% /packages/mnt/jweb-ex-12.3R9.4
/dev/da0s3e 123M 1.3M 112M 1% /var
/dev/md9 126M 14K 116M 0% /tmp
/dev/da0s3d 369M 146K 339M 0% /var/tmp
/dev/da0s4d 62M 48K 57M 0% /config
/dev/md10 59M 19M 35M 35% /var/rundb
procfs 4.0K 4.0K 0B 100% /proc
/var/jail/etc 123M 1.3M 112M 1% /packages/mnt/jweb-ex-12.3R9.4/jail/var/etc
/var/jail/run 123M 1.3M 112M 1% /packages/mnt/jweb-ex-12.3R9.4/jail/var/run
/var/jail/tmp 123M 1.3M 112M 1% /packages/mnt/jweb-ex-12.3R9.4/jail/var/tmp
/var/tmp 369M 146K 339M 0% /packages/mnt/jweb-ex-12.3R9.4/jail/var/tmp/uploads
devfs 1.0K 1.0K 0B 100% /packages/mnt/jweb-ex-12.3R9.4/jail/dev
{master:0}
root> request system storage cleanup
Please check the list of files to be deleted using the dry-run option. i.e.
request system storage cleanup dry-run
Do you want to proceed ? [yes,no] (no) yes
fpc0:
--------------------------------------------------------------------------
List of files to delete:
Size Date Name
11B Feb 12 14:28 /var/jail/tmp/alarmd.ts
112B Feb 12 16:05 /var/log/default-log-messages.0.gz
5252B Feb 12 14:25 /var/log/dhcp_logfile.0.gz
9169B Feb 12 14:16 /var/log/dhcp_logfile.1.gz
5969B Feb 12 16:05 /var/log/interactive-commands.0.gz
21.0K Feb 12 16:05 /var/log/messages.0.gz
129B Feb 12 14:17 /var/log/wtmp.0.gz
130B Feb 12 14:08 /var/log/wtmp.1.gz
3898B Feb 12 14:11 /var/tmp/ex_autod_config
2998B Feb 12 14:11 /var/tmp/ex_autod_rollback_cfg
124.0K Feb 12 14:11 /var/tmp/gres-tp/env.dat
0B Feb 12 14:05 /var/tmp/gres-tp/lock
0B Feb 12 14:11 /var/tmp/rtsdb/if-rtsdb
{master:0}
root> show system storage
fpc0:
--------------------------------------------------------------------------
Filesystem Size Used Avail Capacity Mounted on
/dev/da0s1a 183M 112M 57M 66% /
devfs 1.0K 1.0K 0B 100% /dev/dev/md0 58M 58M 0B 100% /packages/mnt/jbase
/dev/md1 2.6M 2.6M 0B 100% /packages/mnt/fips-mode-arm-12.3R9.4
/dev/md2 11M 11M 0B 100% /packages/mnt/jcrypto-ex-12.3R9.4
/dev/md3 5.0M 5.0M 0B 100% /packages/mnt/jdocs-ex-12.3R9.4
/dev/md4 87M 87M 0B 100% /packages/mnt/jkernel-ex-2200-12.3R9.4
/dev/md5 18M 18M 0B 100% /packages/mnt/jpfe-ex22x-12.3R9.4
/dev/md6 31M 31M 0B 100% /packages/mnt/jroute-ex-12.3R9.4
/dev/md7 18M 18M 0B 100% /packages/mnt/jswitch-ex-12.3R9.4
/dev/md8 24M 24M 0B 100% /packages/mnt/jweb-ex-12.3R9.4
/dev/da0s3e 123M 1.1M 112M 1% /var
/dev/md9 126M 14K 116M 0% /tmp
/dev/da0s3d 369M 138K 339M 0% /var/tmp
/dev/da0s4d 62M 48K 57M 0% /config
/dev/md10 59M 19M 35M 35% /var/rundb
procfs 4.0K 4.0K 0B 100% /proc
/var/jail/etc 123M 1.1M 112M 1% /packages/mnt/jweb-ex-12.3R9.4/jail/var/etc
/var/jail/run 123M 1.1M 112M 1% /packages/mnt/jweb-ex-12.3R9.4/jail/var/run
/var/jail/tmp 123M 1.1M 112M 1% /packages/mnt/jweb-ex-12.3R9.4/jail/var/tmp
/var/tmp 369M 138K 339M 0% /packages/mnt/jweb-ex-12.3R9.4/jail/var/tmp/uploads
devfs 1.0K 1.0K 0B 100% /packages/mnt/jweb-ex-12.3R9.4/jail/dev
/proc/ directory contains a number of directories with numerical names.
These directories are called process directories, as they are named after a program's process ID and contain information specific to that process. So this kind of directory also you cannot manage its usage and it is not affected by the request storage cleanup command .
root@:RE:0% cd /proc/ root@:RE:0% ls 0 1214 1230 1242 1253 17 2208 304 4 50 1 1215 1231 1243 1265 18 2231 31 40 6 10 1216 1232 1244 13 180 23 32 41 7 100 1217 1233 1245 14 19 24 33 43 8 11 1223 1234 1246 140 2 25 34 44 80 12 1224 1235 1247 15 20 26 340 45 856 120 1225 1236 1248 16 200 27 35 46 9 1209 1226 1237 1249 160 21 28 36 47 949 1210 1227 1238 1250 1669 22 29 37 48 curproc 1211 1228 1239 1251 1687 220 3 38 49 1213 1229 1241 1252 1688 2207 30 39 5
More useful information to read about this folder can be found here
↧
↧
Re: IKEv1 main mode
any help please ?????
↧
Re: Setting up PPPoE with username and password
My functioning PPPoE settings are slightly different
services {
. . . .
dhcp {
. . . .
propagate-ppp-settings pp0.0;
}
}
. . .
interfaces {
ge-0/0/0 {
unit 0 {
encapsulation ppp-over-ether;
}
}
. . .
pp0 {
unit 0 {
apply-macro Startup_Connection;
ppp-options {
chap {
default-chap-secret "$9$AvB-u01cye";
local-name "bthomehub@btbroadband.com";
passive;
}
pap {
local-name "bthomehub@btbroadband.com";
local-password "$9$wl2gaDiq";
passive;
}
}
pppoe-options {
underlying-interface ge-0/0/0.0;
}
family inet {
negotiate-address;
}
}
}
}My SRX300 is connected to a (UK spec) Vigor 130 VDSL modem (no router functionality) in PPPoE Bridge mode (passes multicast for IP TV correctly).
I haven't found the documentation that explains what " apply-macro Startup_Connection;" does, but it just works.
↧
Re: SRX Cluster to L3/L2 Switch
Went through the document, port Agreggation accross a cluster wont be possible and since the Reth interface supports sub interfaces and vlan tagging, I would have to go with SRX on a stick as my only alternative for intervlan routing.
↧