Dial-up bi-directional VPN: packet dropped, no way(tunnel) out



  • Hello,

    I configured a VPN like described here:
    http://kb.juniper.net/InfoCenter/index?page=content&id=KB15272
    but with certificates instead of pre-shared keys.

    The tunnel works from the client to server but when I try to ping the client from the server side, it does not work.
    Here is the output from debug flow basic:
    ****** 4229818.0: <trust/ethernet0/0> packet received [84]******
      ipid = 0(0000), @05cba984
      packet passed sanity check.
      flow_decap_vector IPv4 process
      ethernet0/0:172.17.6.4/13->10.1.0.10/3431,1(8/0) <Root> no session found
      flow_first_sanity_check: in <ethernet0/0>, out <N/A> chose interface ethernet0/0 as incoming nat if.
      flow_first_routing: in <ethernet0/0>, out <N/A> search route to (ethernet0/0, 172.17.6.4->10.1.0.10) in vr trust-vr for vsd-0/flag-0/ifp-null
      [ Dest] 14.route 10.1.0.10->10.1.0.10, to tunnel.1
      routed (x_dst_ip 10.1.0.10) from ethernet0/0 (ethernet0/0 in 0) to tunnel.1
      policy search from zone 2-> zone 1
    policy_flow_search  policy search nat_crt from zone 2-> zone 1
      RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 10.1.0.10, port 35945, proto 1)
      No SW RPC rule match, search HW rule
    swrs_search_ip: policy matched id/idx/action = 10/8/0x9
      Permitted by policy 10
      No src xlate NHTB entry search not found: vpn none tif tunnel.1 nexthop 10.1.0.10
      packet dropped, no way(tunnel) out


    172.17.6.4 is a host behind the VPN that I try to ping from, and 10.1.0.10 is my VPN client IP (assigned by the Juniper).
    The relevant routing table:
    erasmus-ext-fw-> get route ip 10.1.0.10
    Dest for 10.1.0.10
    -------------------------------------------------------------------------------------
    trust-vr      : => 10.1.0.0/24 (id=14) via 0.0.0.0 (vr: trust-vr)
                        Interface tunnel.1 , metric 1

    potential routes in other vrouters:

    untrust-vr    : => 10.1.0.0/24 (id=2) via 0.0.0.0 (vr: trust-vr)
                        Interface tunnel.1 , metric 1

    I put the second route (untrust-vr) in myself, but with or without it there is no difference.

    Any hints would be very appreciated!
    nicolae
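As an added example (my own code, not from the post or from Juniper), a small parser for this `debug flow basic` output that pulls out the flow, the egress interface the route selected, the policy verdict and the drop reason, and separates an NHTB/tunnel-binding miss like the one above from a plain policy denial. The sample trace is constructed from the lines quoted above; `FlowTrace`, `parse_flow_trace` and `triage` are names of my own.

```python
import re
from dataclasses import dataclass
# Constructed sample: the key lines of the trace quoted in the post above,
# written in the <zone/interface> form ScreenOS prints.
SAMPLE = """\
  ethernet0/0:172.17.6.4/13->10.1.0.10/3431,1(8/0) <Root> no session found
  routed (x_dst_ip 10.1.0.10) from ethernet0/0 (ethernet0/0 in 0) to tunnel.1
  Permitted by policy 10
  No src xlate NHTB entry search not found: vpn none tif tunnel.1 nexthop 10.1.0.10
  packet dropped, no way(tunnel) out
"""

@dataclass
class FlowTrace:
    src: str = ""
    dst: str = ""
    proto: str = ""
    out_if: str = ""
    policy: int = -1
    nhtb_vpn: str = ""        # "none" = no VPN bound to the tunnel for that next hop
    verdict: str = "unknown"  # "permitted" or "dropped"
    reason: str = ""

FLOW = re.compile(r"^\s*[\w./-]+:(?P<src>[\d.]+)/\d+->(?P<dst>[\d.]+)/\d+,(?P<proto>\d+)\(")
ROUTE = re.compile(r"routed \(.*?\) from \S+ .* to (?P<outif>\S+)\s*$")
POLICY = re.compile(r"Permitted by policy (?P<pid>\d+)")
NHTB = re.compile(r"NHTB entry search not found: vpn (?P<vpn>\S+) tif \S+ nexthop \S+")
DROP = re.compile(r"packet dropped, (?P<why>.+?)\s*$")

def parse_flow_trace(text: str) -> FlowTrace:
    """Pull the flow, routing decision, policy and final verdict out of one trace."""
    t = FlowTrace()
    for line in text.splitlines():
        if m := FLOW.search(line):
            t.src, t.dst, t.proto = m["src"], m["dst"], m["proto"]
        elif m := ROUTE.search(line):
            t.out_if = m["outif"]
        elif m := POLICY.search(line):
            t.policy, t.verdict = int(m["pid"]), "permitted"
        elif m := NHTB.search(line):
            t.nhtb_vpn = m["vpn"]
        elif m := DROP.search(line):
            t.verdict, t.reason = "dropped", m["why"]
    return t

def triage(t: FlowTrace) -> str:
    # A permit followed by a drop with "vpn none" means the route chose a tunnel
    # interface that has no VPN bound for that next hop; it is not a policy problem.
    if t.verdict == "dropped" and t.out_if.startswith("tunnel.") and t.nhtb_vpn == "none":
        return (f"{t.src}->{t.dst}: policy {t.policy} permits it and the route selects "
                f"{t.out_if}, but no VPN is bound to that tunnel for the next hop (NHTB miss)")
    return f"{t.src}->{t.dst}: {t.verdict}" + (f" ({t.reason})" if t.reason else "")
```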



  • Btw, get sa prints the following:

    HEX ID    Gateway        Port Algorithm    SPI      Life:sec kb Sta  PID vsys
    00000001<        0.0.0.0  500 esp:a128/md5  00000000 expir unlim I/I    -1 0
    00000001>        0.0.0.0  500 esp:a128/md5  00000000 expir unlim I/I    -1 0
    0000803a<  a.b.c.d 4500 esp:a128/md5  f83880fe  1604 unlim A/-    -1 0
    0000803a>  a.b.c.d 4500 esp:a128/md5  00bce5a6  1604 unlim A/-    -1 0

    where a.b.c.d is the public IP of my VPN client.

