I'm following the Juniper example here for VPLS/IPSEC over GRE tunnel. My remote office SRX220 brings up the tunnel but my local office SRX345 doesn't. For testing, I have the public statics on the WAN both on the same /24 (which Juniper's example does too). The remote office shows:
```
root@srx220> show security ipsec security-associations
  Total active tunnels: 1
  ID      Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:3des/sha1   973a7448 3506/ unlim  -   root 500   1.2.3.4
  >131073 ESP:3des/sha1   fb08d49a 3506/ unlim  -   root 500   1.2.3.4
  <131073 ESP:3des/sha1   fa796c85 3567/ unlim  -   root 500   1.2.3.4
  >131073 ESP:3des/sha1   5dfae167 3567/ unlim  -   root 500   1.2.3.4

root@srx220> show security ipsec statistics
ESP Statistics:
  Encrypted bytes:           425808
  Decrypted bytes:                0
  Encrypted packets:           2957
  Decrypted packets:              0
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0
```
And I can ping 10.1.1.2, but not 10.1.1.1 (local office). On the local office SRX345 it shows:
```
root@srx345> show security ipsec security-associations
  Total active tunnels: 0
```
I can ping both WAN interfaces from both units and both units connect to the internet. My config for the non-working local SRX345 looks like:
```
root@srx345> show configuration | display set
set version 15.1X49-D45
set groups test security policies from-zone trust-flow to-zone vpn policy all match source-address any
set groups test security policies from-zone trust-flow to-zone vpn policy all match destination-address any
set groups test security policies from-zone trust-flow to-zone vpn policy all match application junos-gre
set groups test security policies from-zone trust-flow to-zone vpn policy all then permit tcp-options syn-check-required
set groups test security policies from-zone trust-flow to-zone vpn policy all then permit tcp-options sequence-check-required
set system host-name srx345
set system root-authentication encrypted-password "$"
set security idp idp-policy gre-reassembly rulebase-ips rule match-gre match application junos-gre
set security idp idp-policy gre-reassembly rulebase-ips rule match-gre then action ignore-connection
set security idp active-policy gre-reassembly
set security ike policy SRX mode main
set security ike policy SRX proposal-set standard
set security ike policy SRX pre-shared-key ascii-text "$"
set security ike gateway SRX220 ike-policy SRX
set security ike gateway SRX220 address 1.2.3.5
set security ike gateway SRX220 external-interface ge-0/0/0.0
set security ipsec policy SRX proposal-set standard
set security ipsec vpn SRX220 bind-interface st0.0
set security ipsec vpn SRX220 ike gateway SRX220
set security ipsec vpn SRX220 ike ipsec-policy SRX
set security ipsec vpn SRX220 establish-tunnels immediately
set security flow tcp-session no-syn-check
set security flow tcp-session no-sequence-check
set security policies apply-groups test
set security policies from-zone trust-flow to-zone vpn policy gre match source-address any
set security policies from-zone trust-flow to-zone vpn policy gre match destination-address any
set security policies from-zone trust-flow to-zone vpn policy gre match application junos-gre
set security policies from-zone trust-flow to-zone vpn policy gre then permit application-services idp
set security policies from-zone vpn to-zone trust-flow policy gre match source-address any
set security policies from-zone vpn to-zone trust-flow policy gre match destination-address any
set security policies from-zone vpn to-zone trust-flow policy gre match application junos-gre
set security policies from-zone vpn to-zone trust-flow policy gre then permit application-services idp
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces lo0.0
set security zones security-zone untrust interfaces lt-0/0/0.2001
set security zones security-zone untrust interfaces gr-0/0/0.0
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone vpn host-inbound-traffic system-services all
set security zones security-zone vpn host-inbound-traffic protocols all
set security zones security-zone vpn interfaces st0.0
set security zones security-zone trust-flow host-inbound-traffic system-services all
set security zones security-zone trust-flow host-inbound-traffic protocols all
set security zones security-zone trust-flow interfaces lt-0/0/0.2000
set interfaces ge-0/0/0 unit 0 family inet address 1.2.3.4/24
set interfaces gr-0/0/0 unit 0 clear-dont-fragment-bit
set interfaces gr-0/0/0 unit 0 tunnel source 10.1.1.1
set interfaces gr-0/0/0 unit 0 tunnel destination 10.1.1.2
set interfaces gr-0/0/0 unit 0 tunnel allow-fragmentation
set interfaces gr-0/0/0 unit 0 family inet mtu 1500
set interfaces gr-0/0/0 unit 0 family inet filter input inet-packet-mode
set interfaces gr-0/0/0 unit 0 family mpls mtu 1462
set interfaces gr-0/0/0 unit 0 family mpls filter input mpls-packet-mode
set interfaces lt-0/0/0 unit 0 description "VPLS hub port - Interconnect for CCC to SRX220"
set interfaces lt-0/0/0 unit 0 encapsulation ethernet-vpls
set interfaces lt-0/0/0 unit 0 peer-unit 1000
set interfaces lt-0/0/0 unit 1000 description "Stitch to VPLS for CCC to SRX220"
set interfaces lt-0/0/0 unit 1000 encapsulation ethernet-ccc
set interfaces lt-0/0/0 unit 1000 peer-unit 0
set interfaces lt-0/0/0 unit 1000 family ccc filter input ccc-packet-mode
set interfaces lt-0/0/0 unit 2000 encapsulation frame-relay
set interfaces lt-0/0/0 unit 2000 dlci 1
set interfaces lt-0/0/0 unit 2000 peer-unit 2001
set interfaces lt-0/0/0 unit 2000 family inet
set interfaces lt-0/0/0 unit 2001 encapsulation frame-relay
set interfaces lt-0/0/0 unit 2001 dlci 1
set interfaces lt-0/0/0 unit 2001 peer-unit 2000
set interfaces lt-0/0/0 unit 2001 family inet filter input inet-packet-mode
set interfaces lt-0/0/0 unit 2001 family inet address 10.1.1.1/32
set interfaces ge-0/0/1 encapsulation ethernet-vpls
set interfaces ge-0/0/1 unit 0
set interfaces lo0 unit 0 family inet address 10.2.1.1/32
set interfaces st0 unit 0 multipoint
set routing-options static route 10.1.1.2/32 next-hop lt-0/0/0.2001
set routing-options static route 10.2.1.2/32 next-hop gr-0/0/0.0
set routing-options static route 0.0.0.0/0 next-hop 1.2.3.1
set protocols mpls interface gr-0/0/0.0
set protocols ldp interface gr-0/0/0.0
set protocols ldp interface lo0.0
set protocols l2circuit neighbor 10.2.1.2 interface lt-0/0/0.1000 virtual-circuit-id 1
set firewall family inet filter inet-packet-mode term control-traffic from protocol tcp
set firewall family inet filter inet-packet-mode term control-traffic from port 22
set firewall family inet filter inet-packet-mode term control-traffic from port 80
set firewall family inet filter inet-packet-mode term control-traffic from port 8080
set firewall family inet filter inet-packet-mode term control-traffic then accept
set firewall family inet filter inet-packet-mode term packet-mode then packet-mode
set firewall family inet filter inet-packet-mode term packet-mode then accept
set firewall family mpls filter mpls-packet-mode term packet-mode then packet-mode
set firewall family mpls filter mpls-packet-mode term packet-mode then accept
set firewall family ccc filter ccc-packet-mode term all then packet-mode
set firewall family ccc filter ccc-packet-mode term all then accept
set routing-instances flow-vr instance-type virtual-router
set routing-instances flow-vr interface lt-0/0/0.2000
set routing-instances flow-vr interface st0.0
set routing-instances flow-vr routing-options static route 10.1.1.1/32 next-hop lt-0/0/0.2000
set routing-instances flow-vr routing-options static route 10.1.1.2/32 next-hop st0.0
set routing-instances vpls-hub instance-type vpls
set routing-instances vpls-hub interface lt-0/0/0.0
set routing-instances vpls-hub interface ge-0/0/1.0
```
What am I missing?
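Added example, not part of the question above or of Juniper's example: a small checker over a `display set` style SRX configuration that verifies the two zone prerequisites a route-based IPsec VPN needs before IKE can be accepted at all (the IKE gateway's `external-interface` sits in a zone whose `host-inbound-traffic system-services` includes `ike` or `all`, and the `st0` unit the VPN binds to belongs to a zone). The sample input reuses the relevant lines of the posted SRX345 config; the "locked-down" variant is a constructed negative case, and per-interface `host-inbound-traffic` overrides are deliberately not modelled.

```python
def parse_set_lines(text):
    """Token lists of every 'set ...' line; blank and non-set lines are skipped."""
    return [ln.split()[1:] for ln in text.splitlines() if ln.strip().startswith("set ")]

def zone_of_interface(cfg, iface):
    """Security zone that lists iface under its 'interfaces' stanza, or None."""
    for t in cfg:
        if t[:3] == ["security", "zones", "security-zone"] and t[4:6] == ["interfaces", iface]:
            return t[3]
    return None

def zone_allows_ike(cfg, zone):
    """True if the zone-level host-inbound-traffic system-services include ike (or all)."""
    for t in cfg:
        if (t[:4] == ["security", "zones", "security-zone", zone]
                and t[4:6] == ["host-inbound-traffic", "system-services"]
                and t[6:7] in (["all"], ["ike"])):
            return True
    return False

def check_vpn_prereqs(cfg):
    """Return findings; an empty list means the basic IKE/st0 zone wiring is present."""
    findings = []
    for t in cfg:
        if t[:3] == ["security", "ike", "gateway"] and t[4:5] == ["external-interface"]:
            gw, iface = t[3], t[5]
            zone = zone_of_interface(cfg, iface)
            if zone is None:
                findings.append(f"ike gateway {gw}: {iface} is not in any security zone")
            elif not zone_allows_ike(cfg, zone):
                findings.append(f"ike gateway {gw}: zone {zone} does not allow ike inbound")
        if t[:3] == ["security", "ipsec", "vpn"] and t[4:5] == ["bind-interface"]:
            if zone_of_interface(cfg, t[5]) is None:
                findings.append(f"ipsec vpn {t[3]}: bind-interface {t[5]} is not in any zone")
    return findings

# Constructed sample: the relevant lines of the SRX345 config posted above.
POSTED = """
set security ike gateway SRX220 external-interface ge-0/0/0.0
set security ipsec vpn SRX220 bind-interface st0.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone vpn interfaces st0.0
"""
# Constructed variant of the same lines with IKE not permitted on the untrust zone.
LOCKED_DOWN = POSTED.replace("system-services all", "system-services ping")

if __name__ == "__main__":
    for name, text in (("posted", POSTED), ("locked-down", LOCKED_DOWN)):
        print(name, check_vpn_prereqs(parse_set_lines(text)) or ["ok"])
```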