SkipperNavy
Contributor

VPN with 3rd party

Hello community,

I have an issue with my configuration of an IPsec VPN with a 3rd party (Juniper); let me explain:

I created a VPN between my cluster (R80.40) and a remote Juniper gateway.

Traffic from the Juniper side to the network behind my CP cluster is OK.

Traffic from my network to the remote network is KO.

The configuration of my VPN domain: local 10.167.52.0/24 and remote 10.167.200.0/24.

The same proxy IDs are configured on the Juniper side.

Tunnel management: one VPN tunnel per subnet pair.

When investigating, I found that IKE P2 is KO (CP to Juniper).

On the Juniper: IPSec negotiation failed with error: Peer proposed traffic-selectors are not in configured range

On the CP: Child SA exchange: Received notification from peer: Traffic selectors unacceptable MyTSi: <10.167.0.0 - 10.167.255.255> MyTSr: <10.167.200.0 - 10.167.200.255>

This is due to supernetting, I assume. I made the changes described in another discussion:

GuiDBedit values to change to FALSE:

ike_enable_supernet

ike_p2_enable_supernet_from_R80.20

ike_use_largest_possible_subnets

But my CP gateway still sends /16 instead of /24.

Can someone help with this?

27 Replies
the_rock
Legend

Did you install policy after making those GuiDBedit changes?

Andy

SkipperNavy
Contributor

Yes, I saved, then installed the policy.

I also tried to force the /24 via user.def.fw1 but still KO.

So I rolled back the user.def.fw1.

the_rock
Legend

Is there any NATting inside the community?

SkipperNavy
Contributor

NAT-T is enabled. This is necessary on the Juniper side.

Chris_Atkinson
Employee

How are you clearing your VPN between attempts/changes?

Which Jumbo take is present on these systems?

Note R80.40 will be EOL next month.

the_rock
Legend

Makes sense, I heard that about Juniper before. Hey, is this enabled or not on the CP side inside the VPN community settings?

Andy

Screenshot_1.png
SkipperNavy
Contributor

image.jpg
the_rock
Legend

I would do a quick debug on the CP side to see what it shows. Get the iked and vpnd files from the $FWDIR/log dir and run vpn iked calculate peer_ip_address to see which iked files are relevant:

vpn debug trunc

vpn debug ikeon

- try to generate some traffic

vpn debug ikeoff

Best,

Andy

SkipperNavy
Contributor

Please, what do you mean by "run vpn iked calculate"?

the_rock
Legend

What I mean is this.

Andy

[Expert@cpazurecluster1:0]# vpn iked calculate 20.151.89.116

vpn: Address 20.151.89.116 is handled by IKED 0

[Expert@cpazurecluster1:0]#

And what the above means is that when you run the debug, you ONLY care about the iked0 files.
SkipperNavy
Contributor

I tried running the command in expert mode but it returns:

Unknown command « iked »
the_rock
Legend

Just type vpn from expert mode and see if iked shows up in the menu, as below:

[Expert@cpazurecluster1:0]# vpn
Usage:
vpn debug ... # print debug msgs to VPN log files
vpn iked # various 'iked' related commands
vpn cccd # various 'cccd' related commands
vpn crl_zap # erase all CRLs from cache
vpn drv ... # attach vpn driver to fw driver and more
vpn ver [-k] # display VPN version
vpn crlview ... # debugging tool for CRLs
vpn compstat # display compression/decompression statistics
vpn compreset # reset compression/decompression statistics
vpn macutil [user_name] # display generated MAC address by username or
# DN from arg or stdin (also: vpn mu)
vpn tunnelutil # launch TunnelUtil tool to control
# VPN Tunnels (also: vpn tu)
vpn nssm_topology ... # generate topology in NSSM format for
# Nokia clients
vpn rll dump fileName/sync # Route Lookup Layer: Dump DB
# Sync DB
vpn overlap_encdom ... # Display overlapping encryption domains
vpn dll dump fileName # DNS Lookup Layer: Dump DB
vpn dll resolve [hostname] # Request Resolve
vpn 3rd_party_mep #
vpn ipafile_check filename [level] # Verify candidate for ipassignment.conf
vpn set_slim_server ... # Starting/stopping the slim web server
vpn set_snx_encdom_groups ... # enabling/disabling the encryption domain
# per usergroup feature for snx
vpn mep_refresh # Initiate MEP re-decision in case of
# backup stickiness configuration
vpn rim_cleanup # Clean RIM routes
vpn shell ... # Command Line Interface
vpn set_trac disable/enable # Starting/Stopping trac server
vpn neo_proto [on/off] # switching neo client protocol
vpn show_tcpt # show visitor mode users
vpn check_ttm # Check if a ttm file is valid
vpn dump_psk # dump hash (SHA256) of peers pre-shared-keys
vpn snx_unban # Reset the failed login attempt history of a client IP address
[Expert@cpazurecluster1:0]#

SkipperNavy
Contributor

image.jpg

There is no iked option with the vpn command.

Thank you.
the_rock
Legend

Ok, no worries. Let's do a remote session if you are allowed; I think we can figure this out.

If yes, just DM me and I can send you zoom.

Andy

SkipperNavy
Contributor

Thank you, the_rock, but I can't use remote; company restriction.

If I disable NAT on the CP, is it necessary to do the same on the Juniper?
the_rock
Legend

Correct.

_Val_
Admin

Attention, quoting from Important security update - stay protected against VPN Information Disclosure (CVE-2024-24919):

In R81.10 we added a feature to improve VPN performance - named CCCD

This feature is disabled by default, and we know about a few advanced customers who are using it.

Customers who enable CCCD are still vulnerable to CVE-2024-24919 even after installing the Hotfix!

YOU MUST DISABLE CCCD TO BECOME PROTECTED!

Instructions below and also in SK182336:

Run the command: vpn cccd status
The expected output is: vpn: 'cccd' is disabled.

If the output differs, stop the CCCD process by running the vpn cccd disable command.

More info by the link above.

Timothy_Hall
Legend

Traffic selectors proposed to a Juniper must match precisely; it will not accept a subset. However, the Check Point will accept a subset if the Juniper proposes it, which is why the Juniper can bring the tunnel up, but if the Check Point is the initiator it cannot.

Make sure "disable NAT in VPN Community" is set as the_rock mentioned.

The GUIdbedit largest_possible_subnet and user.def hacks are no longer needed as you can now set precise VPN domains per VPN Community.  I'm pretty sure this capability was added in R80.40 which is the release you are using.  On the VPN Community screen shown below, override the VPN Domain "IP addresses based on object topology" setting for both community members like this:

vpn_domain_override.png

SkipperNavy
Contributor

Hello, I made all these changes but my CP gateway still sends /16 as MyTSi.

Can someone explain to me how the gateway obtains the /16?

Thank you in advance.
the_rock
Legend

Can you please send screenshots of the changes you made in GuiDBedit, as well as the community settings? Please blur out any sensitive info. Also, do the debug I mentioned last night.

vpn debug trunc

vpn debug ikeon

-try generate some traffic

vpn debug ikeoff

Look for iked and vpnd files in $FWDIR/log dir

Best,

Andy
SkipperNavy
Contributor

image.jpg

When I run the debug command I get this message. I have other VPNs that are working fine with the same configuration, no supernetting.

I can't figure out why the gateway still sends /16.
the_rock
Legend

I would work with TAC on this; something does not look right. A remote session would be the way to go.

SkipperNavy
Contributor

We will open a TAC case.

Thank you.
CaseyB
Advisor

Yes, Juniper is very picky. My notes from troubleshooting this back in December:

"This issue happens on IKEv2 and IKEv1.

The network team in charge of the Juniper did provide me with this error:

  • Dec  4 15:16:24  localpeer-eec-vsrx kmd[26736]: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch, vpn name: remote, Peer Proposed traffic-selector local-ip: ipv4(icmp,2.4.2.2),ipv4(2.4.2.2),  Peer Proposed traffic-selector remote-ip: ipv4(icmp,5.4.2.1),ipv4(5.4.2.1)

The above is the error message and for the traffic selector to work, the message should have looked something like this:

  • Dec  4 15:16:24  localpeer-eec-vsrx kmd[26736]: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch, vpn name: remote, Peer Proposed traffic-selector local-ip: ipv4(icmp,2.4.2.2),  Peer Proposed traffic-selector remote-ip: ipv4(icmp,5.4.2.1)

Essentially when Check Point sends over a single host it does it in a range type format that the Juniper does not like and rejects it."

I did get bi-directional communication working using the user defined encryption setting with the "one VPN tunnel per Gateway pair" tunnel sharing option. I hope this helps.
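The strict-versus-narrowing behaviour Timothy_Hall describes, and the two log lines quoted in this thread (the Check Point "Traffic selectors unacceptable" message and the Juniper KMD_VPN_TS_MISMATCH message CaseyB posted), modelled as an added example. This is not Check Point or Juniper code and is not from any post above: the "strict" responder (reject anything outside the configured range) and the "narrowing" responder (shrink to the overlap, as RFC 7296 section 2.9 permits) are simplifications of what the thread reports, the 10.167.0.0/16 effective Check Point domain is assumed from the MyTSi value in the original post, and the sample log lines are copied from the thread.

```python
"""Added example: IKEv2 CHILD_SA traffic-selector (TS) check, strict vs narrowing,
with parsers for the Check Point and Juniper log lines quoted in this thread.
Not vendor code; the responder behaviours are a simplification of the thread."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class TrafficSelector:
    """One TS_IPV4_ADDR_RANGE entry: inclusive address range plus IP protocol (0 = any)."""
    start: ipaddress.IPv4Address
    end: ipaddress.IPv4Address
    proto: int = 0

    @classmethod
    def from_cidr(cls, cidr: str, proto: int = 0) -> "TrafficSelector":
        net = ipaddress.ip_network(cidr, strict=False)
        return cls(net[0], net[-1], proto)

    def covers(self, other: "TrafficSelector") -> bool:
        """True when `other` lies entirely inside this selector."""
        proto_ok = self.proto == 0 or self.proto == other.proto
        return proto_ok and self.start <= other.start and other.end <= self.end

    def narrow(self, other: "TrafficSelector") -> Optional["TrafficSelector"]:
        """Overlap of the two selectors (RFC 7296 s2.9 responder narrowing), or None."""
        if self.proto and other.proto and self.proto != other.proto:
            return None
        lo, hi = max(self.start, other.start), min(self.end, other.end)
        if lo > hi:
            return None
        return TrafficSelector(lo, hi, self.proto or other.proto)

    def __str__(self) -> str:
        return f"<{self.start} - {self.end}>"


_CP_RANGE = r"<\s*([\d.]+)\s*-\s*([\d.]+)\s*>"


def parse_checkpoint_ts(line: str) -> Tuple[TrafficSelector, TrafficSelector]:
    """Extract MyTSi/MyTSr from Check Point's 'Traffic selectors unacceptable' message."""
    m = re.search(rf"MyTSi:\s*{_CP_RANGE}\s*MyTSr:\s*{_CP_RANGE}", line)
    if not m:
        raise ValueError("no MyTSi/MyTSr ranges found")
    a, b, c, d = (ipaddress.ip_address(x) for x in m.groups())
    return TrafficSelector(a, b), TrafficSelector(c, d)


_JUN_SIDE = re.compile(r"traffic-selector (local|remote)-ip:\s*((?:ipv4\([^)]*\),?\s*)+)")
_JUN_ENTRY = re.compile(r"ipv4\((?:(\w+),)?([\d.]+)\)")


def parse_juniper_ts(line: str) -> Dict[str, List[Tuple[str, str]]]:
    """Return {'local': [(proto, host), ...], 'remote': [...]} from a KMD_VPN_TS_MISMATCH line."""
    out: Dict[str, List[Tuple[str, str]]] = {}
    for side, blob in _JUN_SIDE.findall(line):
        out[side] = [(proto or "any", host) for proto, host in _JUN_ENTRY.findall(blob)]
    return out


def has_protocol_and_any_duplicate(entries: List[Tuple[str, str]]) -> bool:
    """Flag a host listed once with a protocol and again with 'any', the shape CaseyB's Juniper rejected."""
    hosts_with_proto = {h for p, h in entries if p != "any"}
    return any(p == "any" and h in hosts_with_proto for p, h in entries)


def responder_check(tsi, tsr, cfg_remote, cfg_local, strict):
    """Responder's TS decision. tsi is the initiator's own side (our configured remote),
    tsr is our side (our configured local). strict=True: each proposed range must sit
    inside the configured one (the Juniper error in the thread). strict=False: narrow
    to the overlap instead, which is why the Check Point accepted Juniper's /24s."""
    if strict:
        if cfg_remote.covers(tsi) and cfg_local.covers(tsr):
            return "OK", (tsi, tsr)
        return "TS_UNACCEPTABLE", None
    n_i, n_r = cfg_remote.narrow(tsi), cfg_local.narrow(tsr)
    if n_i is None or n_r is None:
        return "TS_UNACCEPTABLE", None
    return "OK", (n_i, n_r)


# Log line copied from the original post.
CP_LOG = ("Child SA exchange: Received notification from peer: Traffic selectors unacceptable "
          "MyTSi: <10.167.0.0 - 10.167.255.255> MyTSr: <10.167.200.0 - 10.167.200.255>")


def thread_scenario() -> Tuple[str, str, str]:
    """Replay three cases: CP initiates with the /16, Juniper initiates, CP initiates with the exact /24."""
    tsi_cp, tsr_cp = parse_checkpoint_ts(CP_LOG)
    jun_local = TrafficSelector.from_cidr("10.167.200.0/24")   # Juniper proxy-id, local side
    jun_remote = TrafficSelector.from_cidr("10.167.52.0/24")   # Juniper proxy-id, remote side
    cp_local_eff = TrafficSelector.from_cidr("10.167.0.0/16")  # supernetted CP domain (assumed)
    cp_remote = TrafficSelector.from_cidr("10.167.200.0/24")   # CP's configured remote domain
    cp_initiates = responder_check(tsi_cp, tsr_cp, jun_remote, jun_local, strict=True)
    jun_initiates = responder_check(jun_local, jun_remote, cp_remote, cp_local_eff, strict=False)
    cp_fixed = responder_check(TrafficSelector.from_cidr("10.167.52.0/24"), tsr_cp,
                               jun_remote, jun_local, strict=True)
    return cp_initiates[0], jun_initiates[0], cp_fixed[0]


if __name__ == "__main__":
    print(thread_scenario())  # ('TS_UNACCEPTABLE', 'OK', 'OK')
```

The first result is the failure in the thread (the supernetted /16 is not inside the Juniper's configured 10.167.52.0/24), the second is the working Juniper-initiated direction (the /24s fit inside the Check Point's wider domain, so it narrows and accepts), and the third is what an exact per-community /24 domain produces. parse_juniper_ts on CaseyB's line returns the host twice, once with icmp and once with no protocol; has_protocol_and_any_duplicate flags that shape so you can spot it in kmd logs.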

the_rock
Legend

That's certainly something to try.

SkipperNavy
Contributor

hello all,

Today I changed the VPN community from star to mesh, and I put a /16 on the proxy ID on the Juniper; the tunnel worked and I can get traffic to the Juniper gateway, but after another policy install on the CP, traffic is KO.

I begin to have messages like:

exchange timeout, preshared secret failed, ... while traffic from Juniper to CP is OK.
the_rock
Legend

Are you saying traffic now works one way? Did you try the option tunnel per gateway?

Andy
