SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Configuration help on Dynamic VPN - Hit a snag :(

    Posted 10-02-2013 13:54

    Good morning dudes!

    So I currently have an SRX 220h at home and wanted to set up dynamic VPN so I can connect to my home network remotely. I have a successful site-to-site VPN tunnel set up (not peering with another SRX, if that changes anything), no issues there.

    Now I set up the dynamic VPN via the GUI wizard, but the client just hangs at "connecting". Below are some logs from when I attempt to connect. Nothing is yelling foul (that I can tell):

    Messages Log

    Oct  2 13:28:57  sc-srx220h-fw1 httpd-gk: DYNAMIC_VPN_AUTH_INVALID: token 96393c4bd82418cfa8335967bbc5bf0f is invalid
    Oct  2 13:29:11  sc-srx220h-fw1 httpd-gk: DYNAMIC_VPN_LICENSE_CHECK_OK: Dynamic VPN license check succeed for user test
    Oct  2 13:29:11  sc-srx220h-fw1 httpd-gk: DYNAMIC_VPN_AUTH_OK: user test with remote IP 10.200.21.137 authenticated successfully.
    Oct  2 13:29:11  sc-srx220h-fw1 httpd-gk: DYNAMIC_VPN_AUTH_OK: user test with remote IP 10.200.21.137 authenticated successfully.

     IKE Debug Log is empty 😞

    It looks like this isn't starting the IKE process. I can't seem to locate any logs in the Pulse client that point to an issue.

    Here are the configs for it:

    scline@sc-srx220h-fw1> show configuration security ike 
    traceoptions {
        file ike.log;
        flag all;
    }
    policy ike_pol_wizard_dyn_vpn {
        mode aggressive;
        proposal-set compatible;
        pre-shared-key ascii-text; ## SECRET-DATA
    }
    
    gateway gw_wizard_dyn_vpn {
        ike-policy ike_pol_wizard_dyn_vpn;
        dynamic {
            hostname *******.net;
            connections-limit 50;
            ike-user-type group-ike-id;
        }
        external-interface ge-0/0/0.0;
        xauth access-profile remote_access_profile;
    }
    
    
    scline@sc-srx220h-fw1> show configuration security ipsec  
    policy ipsec_pol_wizard_dyn_vpn {
        perfect-forward-secrecy {
            keys group2;
        }
        proposal-set compatible;
    }
    vpn wizard_dyn_vpn {
        ike {
            gateway gw_wizard_dyn_vpn;
            ipsec-policy ipsec_pol_wizard_dyn_vpn;
        }
    }
    
    scline@sc-srx220h-fw1> show configuration security dynamic-vpn 
    access-profile remote_access_profile;
    clients {
        wizard-dyn-group {
            remote-protected-resources {
                192.168.200.0/22;
            }
            remote-exceptions {
                0.0.0.0/0;
            }
            ipsec-vpn wizard_dyn_vpn;
            user {
                test;
            }
        }
    }
    
    scline@sc-srx220h-fw1> show configuration access   
    profile remote_access_profile {
        client test {
            firewall-user {
                password; ## SECRET-DATA
            }
        }
        address-assignment {
            pool dyn-vpn-address-pool;
        }
    }
    address-assignment {
        pool dyn-vpn-address-pool {
            family inet {
                network 192.168.200.32/28;
                xauth-attributes {
                    primary-dns 8.8.8.8/32;
                }
            }
        }
    }
    firewall-authentication {
        web-authentication {
            default-profile remote_access_profile;
        }
    }

    Show commands (the entry listed is from the site-to-site tunnel):

    scline@sc-srx220h-fw1> show security ike sa 
    Index   State  Initiator cookie  Responder cookie  Mode           Remote Address   
    2710137 UP     5bc3f18d09a599c1  c92deb06b8dea1eb  Main           xxx.xxx.xxx.xxx 

    Thanks in advance for looking at this (^_^)



  • 2.  RE: Configuration help on Dynamic VPN - Hit a snag :(
    Best Answer

    Posted 10-02-2013 16:50

    Silly me, issue resolved. I had the system service ike allowed on untrust but not on the actual interface. Interesting that the site-to-site works with just ike enabled at the zone level but dynamic-vpn would not unless it's on the interface level.

    Thanks guys!

    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
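
For reference, the zone configuration the fix above relies on, written out as an added example (it is not part of either post): the zone-level and interface-level host-inbound-traffic stanzas side by side, followed by the checks to run after the commit. Zone and interface names are taken from the posted config (untrust, ge-0/0/0.0). Two things are my assumptions rather than anything the thread states: that https must also be permitted on the same interface, because the posted log shows the client authenticating through httpd-gk before IKE ever starts; and that, to the best of my knowledge, an interface-level host-inbound-traffic stanza replaces the zone-level one for that interface instead of adding to it, which would explain why the zone-level ike entry was enough for the site-to-site peer but not for the interface the wizard had already configured. Verify both against the Junos documentation for your release.

```junos
# Added example (not from the thread). Zone and interface names follow the
# posted config: security zone "untrust", external interface ge-0/0/0.0.

# Zone-level: lets IKE reach the device on every interface in the zone that
# has no host-inbound-traffic stanza of its own. This alone served the
# site-to-site tunnel in the first post.
set security zones security-zone untrust host-inbound-traffic system-services ike

# Interface-level, the fix from the second post. Assumption: once an
# interface carries its own host-inbound-traffic stanza, only the services
# listed there apply to it, so every service the dynamic VPN client needs is
# listed explicitly on ge-0/0/0.0.
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
# https is assumed to be required here too: the posted messages log shows the
# client authenticating through httpd-gk before IKE starts.
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https

commit

# Checks, from operational mode (prefix each with "run" while still in
# configure mode).
# 1. Confirm what is actually committed for the zone, in set form:
show configuration security zones security-zone untrust | display set
# 2. A dynamic VPN client that gets past the web login should now show up as
#    an IKE SA in aggressive mode, then as an IPsec SA:
show security ike security-associations
show security ipsec security-associations
# 3. Logged-in dynamic VPN users:
show security dynamic-vpn users
# 4. The IKE trace file the first post enabled under security ike
#    traceoptions; it stays empty while IKE is still being dropped at the
#    interface:
show log ike.log
```

If the IKE SA still never appears, the ike.log trace is the first place to look: with the interface-level service missing, IKE never reaches the daemon and the file stays empty, exactly as in the first post, whereas a policy or proposal mismatch produces trace entries.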