05-19-2011 10:27 AM
OK, I have 2 SRX100Bs, one in my office and one at home. The SRX at home is using a cable modem with a dynamic IP and the one in the office has a static IP. At the office I also have an SRX 210 that is our main gateway. We want to use the SRX 100 in the office to be our VPN endpoint for remote users.
Here is the issue I am having. I configured a site-to-site route-based VPN between the SRX 100s. Checking the security associations between the two, I see both Phase 1 and Phase 2 up.
From my Home workstation I can ping to the work Subnet. From Work I can ping my home Subnet. I cannot ping the work subnet from the home juniper but can from the workstations behind it. I can ping the home subnet from the Work Juniper and all my workstations behind it.
From home: I can SSH, ping, telnet, and do DNS across the tunnel to the work subnet, no problem. When I try to access file shares or RDP over the tunnel, the connections fail. This happens whether I use the IP address or the hostname of the device.
From work: All traffic works, except that the connection is intermittent, i.e. on RDP the screen freezes every 15-30 seconds for about 10-15 seconds.
I cannot for the life of me figure it out.
05-21-2011 05:12 PM
The reason you can't ping from the Juniper to your remote subnets is to do with your security policy only allowing traffic from your LAN subnet, and the fact that you don't have numbered st0 interfaces.
To get around this, either use:
ping <office-address> source <LAN-side IP address of local SRX>
or configure a point-to-point subnet on your st0.1 interface (eg: a /30).
Looking at your configuration, I'd also recommend moving the st0.1 interface into a dedicated "Work" security zone so that you have better control over the inbound and outbound policies to and from your work.
With regards to accessing file shares and your RDP issues, try turning the TCP MSS value down a bit lower. I generally use between 1350 and 1380 depending on the WAN interface and generally don't have any issues.
I notice you are using vpn-monitor on one end, but don't seem to have either a source or destination address configured; you may find that your tunnel is actually flapping. I'd be inclined to turn off vpn-monitor and use dead-peer-detection on both ends.
Hope this helps!
JNCIP-ENT, JNCIS-SP, JNCIE-SEC #63
Follow me @labelswitcher
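The changes suggested in the reply above, written out as one Junos set-format fragment for the home SRX. This is an added illustration, not configuration from either poster: the interface, zone, address-book, gateway and VPN names (st0.1, Work, lan-subnet, work-subnet, office-gw, office-vpn) and all addresses (192.168.1.0/24 at home, 192.168.10.0/24 at work, 10.255.0.0/30 on the tunnel) are assumed placeholders; substitute your own. The office side gets the mirror image with 10.255.0.2/30 on its st0.1.

```junos
# --- 1. Number the tunnel interface with a point-to-point /30 so the SRX itself
#        has a source address on the tunnel (assumed subnet 10.255.0.0/30).
set interfaces st0 unit 1 family inet address 10.255.0.1/30
set security ipsec vpn office-vpn bind-interface st0.1
set routing-options static route 192.168.10.0/24 next-hop st0.1

# --- 2. Put st0.1 in its own "Work" zone instead of the LAN zone, so inbound and
#        outbound policy for the tunnel is controlled separately from the LAN.
set security zones security-zone Work interfaces st0.1
set security zones security-zone Work host-inbound-traffic system-services ping
set security zones security-zone Work address-book address work-subnet 192.168.10.0/24
set security zones security-zone trust address-book address lan-subnet 192.168.1.0/24

set security policies from-zone trust to-zone Work policy lan-to-work match source-address lan-subnet
set security policies from-zone trust to-zone Work policy lan-to-work match destination-address work-subnet
set security policies from-zone trust to-zone Work policy lan-to-work match application any
set security policies from-zone trust to-zone Work policy lan-to-work then permit

set security policies from-zone Work to-zone trust policy work-to-lan match source-address work-subnet
set security policies from-zone Work to-zone trust policy work-to-lan match destination-address lan-subnet
set security policies from-zone Work to-zone trust policy work-to-lan match application any
set security policies from-zone Work to-zone trust policy work-to-lan then permit

# --- 3. Clamp the TCP MSS for traffic entering the IPsec tunnel so that SMB and
#        RDP segments plus ESP/IP overhead still fit the WAN MTU (value from the
#        reply's 1350-1380 range).
set security flow tcp-mss ipsec-vpn mss 1350

# --- 4. Replace vpn-monitor (which without source/destination addresses can
#        report the tunnel down and flap it) with dead-peer-detection on the IKE
#        gateway. Apply the same on both ends.
delete security ipsec vpn office-vpn vpn-monitor
set security ike gateway office-gw dead-peer-detection interval 10
set security ike gateway office-gw dead-peer-detection threshold 3

# Operational check from the home SRX once committed: with the numbered st0.1
# the SRX sources from the tunnel address, or force the LAN address explicitly:
#   ping 192.168.10.1 source 192.168.1.1
#   show security ipsec security-associations
#   show security ike security-associations
```

The two-policy pair is what makes the dedicated zone useful: if you only want the office to reach a subset of home hosts, tighten work-to-lan without touching the LAN policy. After committing, watch `show security ipsec security-associations` for a stable SA lifetime; a tunnel that keeps re-establishing every minute or so is the flapping the reply refers to.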