Channel: SRX Services Gateway topics

Virtual Router, VPN IPSec routing problem?


Hello,

I have an SRX100 with, at first, an IPSec tunnel established and functional (LAN: 192.168.88.0/24 on fe-0/0/0.0; remote LAN: 10.200.0.0/16 using ISP1 on fe-0/0/6.0).

Now I'm adding a virtual router to get a separate network (with a dedicated ISP2 on fe-0/0/7.0) for the Wifi (network 192.168.33.0/24 on fe-0/0/1.0). As I wish to access the Wifi's AP from the LAN, I've added a shared rib group.

But now I'm unable to access anything on the other side of the IPSec tunnel.

The tunnel is still up and functional:

root@srx> ping interface st0.0 10.2.0.4
PING 10.200.0.4 (10.200.0.4): 56 data bytes
64 bytes from 10.200.0.4: icmp_seq=0 ttl=127 time=23.501 ms
64 bytes from 10.200.0.4: icmp_seq=1 ttl=127 time=23.051 ms
64 bytes from 10.200.0.4: icmp_seq=2 ttl=127 time=25.324 ms

Routes seem OK too:

root@srx> show route

inet.0: 1 destinations, 1 routes (0 active, 0 holddown, 1 hidden)

RouteLANInternet.inet.0: 13 destinations, 13 routes (13 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Access-internal/12] 2d 17:34:53
                    > to 88.184.1.254 via fe-0/0/6.0
10.2.0.0/21        *[Static/5] 2d 17:35:01> via st0.0
X.X.X.0/24         *[Direct/0] 2d 17:34:53> via fe-0/0/6.0
X.X.X.X/32         *[Local/0] 2d 17:34:53
                      Local via fe-0/0/6.0
192.168.11.0/24    *[Direct/0] 17:39:53> via fe-0/0/7.0
192.168.11.254/32  *[Local/0] 17:39:53
                      Local via fe-0/0/7.0
192.168.33.0/24    *[Direct/0] 17:39:53> via fe-0/0/1.0
192.168.33.10/32   *[Local/0] 17:39:53
                      Local via fe-0/0/1.0
192.168.88.0/24    *[Direct/0] 2d 17:35:02> via fe-0/0/0.0
192.168.88.8/32    *[Local/0] 2d 17:35:02
                      Local via fe-0/0/0.0

RouteWifiCameraInternetOrange.inet.0: 19 destinations, 19 routes (19 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 2d 17:35:01
                    > to 192.168.11.1 via fe-0/0/7.0
X.X.X.0/24         *[Direct/0] 17:39:53> via fe-0/0/6.0
X.X.X.X/32         *[Local/0] 17:39:53
                      Local via fe-0/0/6.0
192.168.11.0/24    *[Direct/0] 2d 17:35:02> via fe-0/0/7.0
192.168.11.254/32  *[Local/0] 2d 17:35:02
                      Local via fe-0/0/7.0
192.168.33.0/24    *[Direct/0] 2d 17:35:02> via fe-0/0/1.0
192.168.33.10/32   *[Local/0] 2d 17:35:02
                      Local via fe-0/0/1.0
192.168.33.101/32  *[Access-internal/12] 2d 17:29:28> to 192.168.33.10 via fe-0/0/1.0
192.168.33.118/32  *[Access-internal/12] 03:02:45> to 192.168.33.10 via fe-0/0/1.0
192.168.33.119/32  *[Access-internal/12] 03:02:42> to 192.168.33.10 via fe-0/0/1.0
192.168.33.120/32  *[Access-internal/12] 03:01:58> to 192.168.33.10 via fe-0/0/1.0
192.168.33.121/32  *[Access-internal/12] 03:01:45> to 192.168.33.10 via fe-0/0/1.0
192.168.33.122/32  *[Access-internal/12] 03:01:38> to 192.168.33.10 via fe-0/0/1.0
192.168.33.123/32  *[Access-internal/12] 02:57:17> to 192.168.33.10 via fe-0/0/1.0
192.168.33.125/32  *[Access-internal/12] 01:06:26> to 192.168.33.10 via fe-0/0/1.0
192.168.88.0/24    *[Direct/0] 17:39:53> via fe-0/0/0.0
192.168.88.8/32    *[Local/0] 17:39:53
                      Local via fe-0/0/0.0

Interfaces:

interfaces {
    # LAN
    fe-0/0/0 {
        unit 0 {
            description lan;
            family inet {
                address 192.168.88.8/24;
            }
        }
    }
    # Wifi
    fe-0/0/1 {
        unit 0 {
            description wifi;
            family inet {
                address 192.168.33.10/24;
            }
        }
    }
    # ISP1
    fe-0/0/6 {
        unit 0 {
            description ISP1;
            family inet {
                dhcp-client;
            }
        }
    }
    # ISP2 (wifi dedicated)
    fe-0/0/7 {
        unit 0 {
            description ISP2;
            family inet {
                address 192.168.11.254/24;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input loopback-fw-filter;
                }
                address 127.0.0.1/32;
            }
        }
    }
    # VPN
    st0 {
        unit 0 {
            family inet;
        }
    }
}

This is my virtual router config:

routing-instances {
    RouteLANInternet {
        instance-type virtual-router;
        interface fe-0/0/0.0;
        interface fe-0/0/6.0;
        interface st0.0;
        routing-options {
            interface-routes {
                rib-group inet LAN-External;
            }
            static {
                route 10.2.0.0/21 next-hop st0.0;
                route 0.0.0.0/0 next-hop 88.184.1.47;
            }
        }
    }
    RouteWifiCameraInternetOrange {
        instance-type virtual-router;
        interface fe-0/0/2.0;
        interface fe-0/0/7.0;
        routing-options {
            interface-routes {
                rib-group inet LAN-External;
            }
            static {
                route 0.0.0.0/0 next-hop 192.168.11.1;
            }
        }
    }
}

and the routing-options for the shared rib group:

routing-options {
    rib-groups {
        LAN-External {
            import-rib [ RouteWifiCameraInternetOrange.inet.0 RouteLANInternet.inet.0 ];
        }
    }
    forwarding-table {
        export load-balancing-policy;
    }
}

Source NAT to get internet access:

nat {
    source {
        # mapping LAN on dedicated ISP1
        rule-set snatRuleLAN-To-Internet {
            from zone LAN;
            to zone Internet;
            rule nat-LANToInternet {
                match {
                    source-address 0.0.0.0/0;
                }
                then {
                    source-nat {
                        interface;
                    }
                }
            }
        }
        # Mapping Wifi on dedicated ISP2
        rule-set snatRuleWifi-To-InternetWifi {
            from zone Wifi;
            to zone InternetWifi;
            rule nat-WifiToInternetWifi {
                match {
                    source-address 192.168.33.0/24;
                }
                then {
                    source-nat {
                        interface;
                    }
                }
            }
        }
    }
}

and zones:

zones {
    security-zone LAN {
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
        interfaces {
            fe-0/0/0.0;
        }
    }
    security-zone Wifi {
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
        interfaces {
            fe-0/0/1.0;
        }
    }
    security-zone Internet {
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
        interfaces {
            fe-0/0/6.0;
            st0.0;
        }
    }
    security-zone InternetWifi {
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
        interfaces {
            fe-0/0/7.0;
        }
    }
}

My main problem is that I don't know where to look to get debug info. Oh, and my policies are temporarily set to permit everything, just to be sure.

Thanks for your help!
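Added example, not part of the original post or of any Juniper tooling: a small Python reader for the `show route` output quoted above. It splits the output into per-instance RIBs, does a longest-prefix match among the active routes of each RIB, and reports where a given destination would be forwarded by each instance. Run against the tables in the post (embedded below as a shortened copy), it shows that only RouteLANInternet.inet.0 carries the 10.2.0.0/21 route toward st0.0, while RouteWifiCameraInternetOrange.inet.0 resolves the same address via its default route to 192.168.11.1 on fe-0/0/7.0, and inet.0 has no active route at all. The parser assumes the line layout shown in the post (next hop either on the route line or on an indented continuation line) and skips redacted prefixes such as X.X.X.0/24.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Copied from the `show route` output in the post; both instance tables are
# shortened to a few representative entries. Redacted prefixes (X.X.X.0/24)
# are kept on purpose to show how the parser skips them.
SHOW_ROUTE = """\
inet.0: 1 destinations, 1 routes (0 active, 0 holddown, 1 hidden)

RouteLANInternet.inet.0: 13 destinations, 13 routes (13 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Access-internal/12] 2d 17:34:53
                    > to 88.184.1.254 via fe-0/0/6.0
10.2.0.0/21        *[Static/5] 2d 17:35:01> via st0.0
X.X.X.0/24         *[Direct/0] 2d 17:34:53> via fe-0/0/6.0
X.X.X.X/32         *[Local/0] 2d 17:34:53
                      Local via fe-0/0/6.0
192.168.11.0/24    *[Direct/0] 17:39:53> via fe-0/0/7.0
192.168.33.0/24    *[Direct/0] 17:39:53> via fe-0/0/1.0
192.168.88.0/24    *[Direct/0] 2d 17:35:02> via fe-0/0/0.0
192.168.88.8/32    *[Local/0] 2d 17:35:02
                      Local via fe-0/0/0.0

RouteWifiCameraInternetOrange.inet.0: 19 destinations, 19 routes (19 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 2d 17:35:01
                    > to 192.168.11.1 via fe-0/0/7.0
192.168.11.0/24    *[Direct/0] 2d 17:35:02> via fe-0/0/7.0
192.168.33.0/24    *[Direct/0] 2d 17:35:02> via fe-0/0/1.0
192.168.33.118/32  *[Access-internal/12] 03:02:45> to 192.168.33.10 via fe-0/0/1.0
192.168.88.0/24    *[Direct/0] 17:39:53> via fe-0/0/0.0
"""

TABLE_RE = re.compile(r"^(\S+):\s+\d+ destinations")            # "RouteLANInternet.inet.0: 13 destinations, ..."
ROUTE_RE = re.compile(r"^(\S+/\d+)\s+(\*?)\[([\w-]+)/(\d+)\]\s*(.*)$")  # "10.2.0.0/21  *[Static/5] ..."
GATEWAY_RE = re.compile(r"\bto (\S+)")
INTERFACE_RE = re.compile(r"\bvia (\S+)")


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    protocol: str
    preference: int
    active: bool
    gateway: Optional[str] = None
    interface: Optional[str] = None

    def absorb(self, text: str) -> None:
        """Pick up next-hop details from the route line or an indented continuation line."""
        m = GATEWAY_RE.search(text)
        if m:
            self.gateway = m.group(1)
        m = INTERFACE_RE.search(text)
        if m:
            self.interface = m.group(1)


def parse_show_route(text: str) -> Dict[str, List[Route]]:
    """Split `show route` output into {rib name: [routes]}; hidden-only tables end up empty."""
    tables: Dict[str, List[Route]] = {}
    current: Optional[str] = None
    route: Optional[Route] = None
    for line in text.splitlines():
        m = TABLE_RE.match(line)
        if m:
            current, route = m.group(1), None
            tables.setdefault(current, [])
            continue
        m = ROUTE_RE.match(line)
        if m and current is not None:
            prefix_txt, star, proto, pref, rest = m.groups()
            try:
                prefix = ipaddress.ip_network(prefix_txt, strict=False)
            except ValueError:
                route = None          # redacted prefix: skip it and its continuation lines
                continue
            route = Route(prefix, proto, int(pref), star == "*")
            route.absorb(rest)
            tables[current].append(route)
        elif route is not None and line.startswith(" "):
            route.absorb(line)        # "> to ... via ..." or "Local via ..." on the next line
    return tables


def lookup(tables: Dict[str, List[Route]], rib: str, address: str) -> Optional[Route]:
    """Longest-prefix match of `address` among the active routes of `rib`; None if nothing matches."""
    addr = ipaddress.ip_address(address)
    best: Optional[Route] = None
    for r in tables.get(rib, []):
        if r.active and addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def reachability_report(tables: Dict[str, List[Route]], address: str) -> Dict[str, str]:
    """For every RIB, describe the path `address` would take, or 'no active route'."""
    report: Dict[str, str] = {}
    for rib in tables:
        r = lookup(tables, rib, address)
        if r is None:
            report[rib] = "no active route"
        else:
            hop = f"to {r.gateway} " if r.gateway else ""
            report[rib] = f"{r.prefix} [{r.protocol}/{r.preference}] {hop}via {r.interface}"
    return report


if __name__ == "__main__":
    ribs = parse_show_route(SHOW_ROUTE)
    for target in ("10.2.0.4", "192.168.33.118"):
        print(f"== {target}")
        for rib, path in reachability_report(ribs, target).items():
            print(f"  {rib:40} {path}")
```

Paste the full output of `show route` (or `show route <address>` per instance) into SHOW_ROUTE to check any other destination; the per-RIB view is the quickest way to see which routing instance a packet entering on a given interface will consult, since each interface belongs to exactly one instance and the rib group above only shares interface routes between the two tables.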

