Hello Again
And once again thank you for your response:
The article that you referenced did prompt me to make changes, but not to my configuration: to that of an existing WORKING VPN on the same box.
My first question: is there a restriction on having more than one active policy-based VPN on a Juniper SRX210H?
My second question relates to the behaviour of the box:
So after you posted your reply I ran the command run show security ipsec security-associations detail on the Juniper box and received output for the currently established active VPN and nothing for the VPN that I had configured:
Virtual-system: root
Local Gateway: 62.xx.xx.xx, Remote Gateway: 46.xx.xx.xx
Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
DF-bit: clear
Policy-name: HHCL-Replication
I made the configuration changes to that VPN recommended in the article you sent, hoping that the misconfiguration of the previous VPN may have been affecting my new configuration.
I then realised that the tunnel would need to be re-established for the new setting to take effect, so I ran:
show security ipsec security-associations
Total active tunnels: 1
ID Algorithm SPI Life:sec/kb Mon vsys Port Gateway
<2 ESP:aes-256/sha1 344bb2fc 28609/unlim - root 500 46.xx.xx.xx
>2 ESP:aes-256/sha1 5d506f41 28609/unlim - root 500 46.xx.xx.xx
show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
5046377 UP b293748beeff7552 e37efd8150826e6e Main 46.xx.xx.xx
I then cleared the security associations and restarted the key management service:
clear security ipsec security-associations index 5046377
clear security ike security-associations index 5046377
restart ipsec-key-management
I re-entered: show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
1368853 DOWN 26433d6e5d9046c4 0000000000000000 Main 46.xx.xx.xx
1368852 DOWN d8651df14dc70b8e 0000000000000000 Main 212.xx.xx.xx
I was delighted to see some reference to my VPN (212.xx.xx.xx).
I ran: show security ipsec security-associations
Total active tunnels: 1
ID Algorithm SPI Life:sec/kb Mon vsys Port Gateway
<2 ESP:aes-256/sha1 88559654 28786/unlim - root 500 46.xx.xx.xx
>2 ESP:aes-256/sha1 1729df6f 28786/unlim - root 500 46.xx.xx.xx
I once again ran: show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
1368853 UP 26433d6e5d9046c4 ae4039da226f8c44 Main 46.xx.xx.xx
Now my new VPN (212.xx.xx.xx) was once again missing, so I ran show security ike security-associations detail:
IKE peer 46.xx.xx.xx, Index 1368853,
Role: Initiator, State: UP
Initiator cookie: 26433d6e5d9046c4, Responder cookie: ae4039da226f8c44
Exchange type: Main, Authentication method: Pre-shared-keys
Local: 62.xx.xx.xx:500, Remote: 46.xx.xx.xx:500
Lifetime: Expires in 28648 seconds
Peer ike-id: 46.xx.xx.xx
Xauth assigned IP: 0.0.0.0
Algorithms:
Authentication : sha1
Encryption : aes-cbc (256 bits)
Pseudo random function: hmac-sha1
Traffic statistics:
Input bytes : 1360
Output bytes : 3052
Input packets: 8
Output packets: 10
Flags: Caller notification sent
IPSec security associations: 1 created, 0 deleted
Phase 2 negotiations in progress: 2
Negotiation type: Quick mode, Role: Responder, Message ID: 663842090
Local: 62.xx.xx.xx:500, Remote: 46.xx.xx.xx:500
Local identity: ipv4_subnet(any:0,[0..7]=172.16.1.0/24)
Remote identity: ipv4_subnet(any:0,[0..7]=172.17.203.0/24)
Flags: Caller notification sent, Waiting for done
Negotiation type: Quick mode, Role: Responder, Message ID: 578801844
Local: 62.xx.xx.xx:500, Remote: 46.xx.xx.xx:500
Local identity: ipv4_subnet(any:0,[0..7]=172.16.1.0/24)
Remote identity: ipv4_subnet(any:0,[0..7]=172.17.203.0/24)
I was very happy to see a reference to my new configuration: local_hhcl 172.16.1.0/24 & remote_hhcl 172.17.203.0/24.
However, once again when I run show security ipsec security-associations detail:
Virtual-system: root
Local Gateway: 62.xx.xx.xx, Remote Gateway: 46.xx.xx.xx
Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
DF-bit: clear
Policy-name: HHCL-Replication
There is no reference to either my new VPN or the new local and remote subnets that I defined.
Why did my VPN appear and then disappear? Why wouldn't it always show as down?
Can you assist?
Any help much appreciated
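An added check, not from the original post or from Juniper: a small script that parses the two listings shown in the thread (constructed samples in the same column layout, with placeholder addresses as in the post) and reports, for each expected gateway, whether phase 1 is missing, down, or up without a bidirectional phase 2 SA. EXPECTED_GATEWAYS and the function names are assumptions.

```python
"""Parse Junos 'show security ike/ipsec security-associations' output and
report which expected VPN gateways have no IKE SA, a non-UP IKE SA, or an
IKE SA without a matching pair of IPsec SAs. Added example, not the poster's
code; the sample outputs are constructed to match the thread's column layout."""

# Constructed sample in the layout of 'show security ike security-associations'.
IKE_SA_OUTPUT = """\
Index State Initiator cookie Responder cookie Mode Remote Address
1368853 UP 26433d6e5d9046c4 ae4039da226f8c44 Main 46.xx.xx.xx
"""

# Constructed sample in the layout of 'show security ipsec security-associations'.
IPSEC_SA_OUTPUT = """\
Total active tunnels: 1
ID Algorithm SPI Life:sec/kb Mon vsys Port Gateway
<2 ESP:aes-256/sha1 88559654 28786/unlim - root 500 46.xx.xx.xx
>2 ESP:aes-256/sha1 1729df6f 28786/unlim - root 500 46.xx.xx.xx
"""

# Assumed list of gateways the box should have tunnels to (placeholders).
EXPECTED_GATEWAYS = ["46.xx.xx.xx", "212.xx.xx.xx"]


def parse_ike_sas(text):
    """Return {remote_address: state} for each IKE SA data row."""
    sas = {}
    for line in text.splitlines():
        parts = line.split()
        # Data rows: index, state, initiator cookie, responder cookie, mode, remote.
        if len(parts) == 6 and parts[0].isdigit():
            sas[parts[5]] = parts[1]
    return sas


def parse_ipsec_sas(text):
    """Return {gateway: set of directions} where '<' is inbound, '>' outbound."""
    sas = {}
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0][0] in "<>" and parts[0][1:].isdigit():
            sas.setdefault(parts[-1], set()).add(parts[0][0])
    return sas


def tunnel_report(expected, ike_text, ipsec_text):
    """Diagnose each expected gateway from the two listings."""
    ike, ipsec = parse_ike_sas(ike_text), parse_ipsec_sas(ipsec_text)
    report = {}
    for gw in expected:
        if gw not in ike:
            report[gw] = "no IKE SA (phase 1 never negotiated or expired)"
        elif ike[gw] != "UP":
            report[gw] = f"IKE SA {ike[gw]} (phase 1 failing)"
        elif ipsec.get(gw) != {"<", ">"}:
            report[gw] = "IKE up but no bidirectional IPsec SA (phase 2 failing)"
        else:
            report[gw] = "OK"
    return report
```

Run it against real output by pasting the two listings into the sample strings; a gateway that alternates between "no IKE SA" and "IKE SA DOWN" across runs is negotiating phase 1 and being torn down, which is the pattern in the thread.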