Dial-up bi-directional VPN: packet dropped, no way(tunnel) out

  • Hello,

    I configured a VPN as described here:
    but with certificates instead of pre-shared keys.

    The tunnel works from the client to server but when I try to ping the client from the server side, it does not work.
    Here is the output from debug flow basic:
    ****** 4229818.0: <trust/ethernet0/0>packet received [84]******
      ipid = 0(0000), @05cba984
      packet passed sanity check.
      flow_decap_vector IPv4 process
      ethernet0/0:>,1(8/0)<Root>no session found
      flow_first_sanity_check: in <ethernet0/0>, out <N/A>
      chose interface ethernet0/0 as incoming nat if.
      flow_first_routing: in <ethernet0/0>, out <N/A>
      search route to (ethernet0/0,> in vr trust-vr for vsd-0/flag-0/ifp-null
      [ Dest] 14.route>, to tunnel.1
      routed (x_dst_ip from ethernet0/0 (ethernet0/0 in 0) to tunnel.1
      policy search from zone 2-> zone 1
    policy_flow_search  policy search nat_crt from zone 2-> zone 1
      RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip, port 35945, proto 1)
      No SW RPC rule match, search HW rule
    swrs_search_ip: policy matched id/idx/action = 10/8/0x9
      Permitted by policy 10
      No src xlate NHTB entry search not found: vpn none tif tunnel.1 nexthop
      packet dropped, no way(tunnel) out

    is a host behind the VPN where I try to ping from and is my VPN client IP (assigned by the Juniper).
    The relevant routing table:
    erasmus-ext-fw-> get route ip
    Dest for
    trust-vr      : => (id=14) via (vr: trust-vr)
                        Interface tunnel.1 , metric 1

    potential routes in other vrouters:

    untrust-vr    : => (id=2) via (vr: trust-vr)
                        Interface tunnel.1 , metric 1

    I put the second route (untrust-vr) myself but with or without it does not make any difference.

    Any hints would be very appreciated!

  • Btw, get sa prints the following:

    HEX ID    Gateway        Port Algorithm    SPI      Life:sec kb Sta  PID vsys
    00000001<  500 esp:a128/md5  00000000 expir unlim I/I    -1 0
    00000001>  500 esp:a128/md5  00000000 expir unlim I/I    -1 0
    0000803a<  a.b.c.d 4500 esp:a128/md5  f83880fe  1604 unlim A/-    -1 0
    0000803a>  a.b.c.d 4500 esp:a128/md5  00bce5a6  1604 unlim A/-    -1 0

    where a.b.c.d is the public IP of my VPN client.
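Added example (not from the thread, and not Juniper code): a small Python parser for the two ScreenOS outputs quoted in the posts above, the `debug flow basic` trace from the first post and the `get sa` listing from the second. It pulls the decision points out of the trace (ingress, route lookup, policy verdict, next-hop tunnel binding, final drop), parses the SA rows into records, and then names the stage at which the packet was dropped while cross-checking it against which SAs are active. The two samples are constructed in the shape of the posts' output; documentation addresses (192.0.2.x, 198.51.100.x, 203.0.113.x) stand in for the addresses the posts lost, and the names `parse_debug_flow`, `parse_get_sa` and `diagnose` are mine.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of the thread's `debug flow basic` trace.
# 192.0.2.10 stands in for the host behind the firewall, 198.51.100.5 for
# the address assigned to the dial-up client (both documentation ranges).
DEBUG_FLOW_SAMPLE = """\
****** 4229818.0: <trust/ethernet0/0>packet received [84]******
  packet passed sanity check.
  ethernet0/0:192.0.2.10/35945->198.51.100.5/1,1(8/0)<Root>no session found
  flow_first_routing: in <ethernet0/0>, out <N/A>
  [ Dest] 14.route 198.51.100.5->198.51.100.5, to tunnel.1
  routed (x_dst_ip 198.51.100.5) from ethernet0/0 (ethernet0/0 in 0) to tunnel.1
  policy search from zone 2-> zone 1
swrs_search_ip: policy matched id/idx/action = 10/8/0x9
  Permitted by policy 10
  No src xlate
  NHTB entry search not found: vpn none tif tunnel.1 nexthop 198.51.100.5
  packet dropped, no way(tunnel) out
"""

# Constructed sample in the shape of the thread's `get sa` listing;
# 203.0.113.10 stands in for the client's public address (a.b.c.d in the post).
GET_SA_SAMPLE = """\
HEX ID    Gateway        Port Algorithm    SPI      Life:sec kb Sta  PID vsys
00000001< 0.0.0.0         500 esp:a128/md5  00000000 expir unlim I/I    -1 0
00000001> 0.0.0.0         500 esp:a128/md5  00000000 expir unlim I/I    -1 0
0000803a< 203.0.113.10   4500 esp:a128/md5  f83880fe  1604 unlim A/-    -1 0
0000803a> 203.0.113.10   4500 esp:a128/md5  00bce5a6  1604 unlim A/-    -1 0
"""

SA_ROW = re.compile(
    r"^(?P<hexid>[0-9a-f]{8})(?P<dir>[<>])\s+(?P<gateway>\S+)\s+(?P<port>\d+)\s+"
    r"(?P<algo>\S+)\s+(?P<spi>[0-9a-f]{8})\s+(?P<life_sec>\S+)\s+\S+\s+"
    r"(?P<sta>\S+)\s+-?\d+\s+\d+\s*$")


@dataclass
class SaEntry:
    hexid: str
    direction: str            # '<' or '>' exactly as ScreenOS prints it
    gateway: str
    port: int
    algo: str
    spi: str
    life_sec: Optional[int]   # None when the row shows 'expir'
    active: bool              # first Sta flag: A = active, I = inactive


def parse_get_sa(text: str) -> List[SaEntry]:
    """Parse the data rows of a `get sa` listing; the header line is skipped."""
    entries = []
    for line in text.splitlines():
        m = SA_ROW.match(line.strip())
        if not m:
            continue
        life = m["life_sec"]
        entries.append(SaEntry(m["hexid"], m["dir"], m["gateway"], int(m["port"]),
                               m["algo"], m["spi"], int(life) if life.isdigit() else None,
                               m["sta"].startswith("A")))
    return entries


@dataclass
class FlowTrace:
    ingress: Optional[str] = None
    session_found: bool = True
    egress: Optional[str] = None
    policy_id: Optional[int] = None
    permitted: Optional[bool] = None
    nhtb_tif: Optional[str] = None       # tunnel interface that had no NHTB entry
    nhtb_nexthop: Optional[str] = None
    drop_reason: Optional[str] = None


def parse_debug_flow(text: str) -> FlowTrace:
    """Extract the decision points of one `debug flow basic` packet trace."""
    t = FlowTrace()
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.search(r"<([^>]+)>\s*packet received", line):
            t.ingress = m.group(1)
        elif "no session found" in line:
            t.session_found = False
        elif m := re.match(r"routed \(x_dst_ip \S+\) from \S+ \(.*?\) to (\S+)", line):
            t.egress = m.group(1)
        elif m := re.match(r"(Permitted|Denied) by policy (\d+)", line):
            t.permitted, t.policy_id = m.group(1) == "Permitted", int(m.group(2))
        elif m := re.match(r"NHTB entry search not found: vpn \S+ tif (\S+) nexthop\s*(\S*)", line):
            t.nhtb_tif, t.nhtb_nexthop = m.group(1), m.group(2) or None
        elif m := re.match(r"packet dropped, (.+)$", line):
            t.drop_reason = m.group(1)
    return t


@dataclass
class Diagnosis:
    stage: str               # "forwarded", "policy", "tunnel-binding" or "other"
    active_sa_count: int
    detail: str


def diagnose(trace: FlowTrace, sas: List[SaEntry]) -> Diagnosis:
    """Name the stage at which the packet was dropped and relate it to the SA table."""
    active = [s for s in sas if s.active]
    gateways = ", ".join(sorted({s.gateway for s in active})) or "none"
    if trace.drop_reason is None:
        return Diagnosis("forwarded", len(active), f"routed out {trace.egress}, no drop recorded")
    if trace.permitted is False:
        return Diagnosis("policy", len(active), f"denied by policy {trace.policy_id}")
    if trace.nhtb_tif:
        return Diagnosis("tunnel-binding", len(active),
                         f"route to {trace.egress} and policy {trace.policy_id} both passed; the drop "
                         f"is at next-hop tunnel binding: {trace.nhtb_tif} has no NHTB entry for next hop "
                         f"{trace.nhtb_nexthop}, so no VPN is selected for the packet even though "
                         f"{len(active)} SA(s) are active (gateways: {gateways})")
    return Diagnosis("other", len(active), trace.drop_reason)


if __name__ == "__main__":
    d = diagnose(parse_debug_flow(DEBUG_FLOW_SAMPLE), parse_get_sa(GET_SA_SAMPLE))
    print(d.stage, "|", d.detail)
```

Run against the constructed samples it reports the stage `tunnel-binding`: route and policy both passed, and the SA table shows an active pair for the client's gateway, so the drop is isolated to the tunnel interface having no next-hop binding for the client address rather than to a missing route, a policy deny or a dead SA. Pasting a real trace and listing in place of the samples gives the same three-way split, which is usually the first thing to establish before touching the VPN configuration.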