Okay guys, I've done a fair amount with Cisco devices, but I'm a Juniper noob and need some assistance.
I've set up an OpenVPN server on our internal LAN and we've got a public IP that forwards to the OpenVPN server. Here are the symptoms of my problem:
What works:
- The VPN clients can establish the connection with the server without any issue.
- VPN Clients can ping everything on our internal LAN no problem.
- Machines on the internal LAN can access VPN clients just fine.
- Once a machine on the internal LAN accesses, say, a file share on a VPN client, everything works great for about 60 seconds and then closes.
What doesn't work:
- VPN clients cannot access DNS, file shares, SSH, or seemingly any other service besides ICMP.
I've placed the VPN subnet into the trust zone
I've created a custom application on UDP port 1194 for OpenVPN
I've created a static route on the Juniper from the VPN subnet (10.8.0.0/24) to next-hop to the VPN server (192.168.1.44)
I've set permit FW rules (from trust to trust, anything) - (from trust to untrust, OpenVPN app) - (from untrust to trust, OpenVPN app)
Not sure what I'm missing, but here's some debug output that seems to show the reason is that traffic isn't getting routed back to the client because a session wasn't created on the way in???
Jul 31 12:13:58 12:13:58.442592:CID-0:RT:<10.8.0.2/32494->192.168.0.113/22;6> matched filter MatchTraffic:
Jul 31 12:13:58 12:13:58.442592:CID-0:RT:packet [40] ipid = 33869, @40e7e080
Jul 31 12:13:58 12:13:58.442592:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 8, common flag 0x0, mbuf 0x40e7de80, rtbl_idx = 0
Jul 31 12:13:58 12:13:58.442592:CID-0:RT:fto 0x41dc2070
Jul 31 12:13:58 12:13:58.442592:CID-0:RT:nh word 0x350010
Jul 31 12:13:58 12:13:58.442592:CID-0:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)
Jul 31 12:14:01 12:14:01.472914:CID-0:RT:<192.168.0.113/22->10.8.0.2/32494;6> matched filter MatchTraffic:
Jul 31 12:14:01 12:14:01.472914:CID-0:RT:packet [52] ipid = 0, @4039951a
Jul 31 12:14:01 12:14:01.472914:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 13, common flag 0x0, mbuf 0x40399300, rtbl_idx = 0
Jul 31 12:14:01 12:14:01.472914:CID-0:RT: flow process pak fast ifl 67 in_ifp fe-0/0/0.0
Jul 31 12:14:01 12:14:01.472914:CID-0:RT: fe-0/0/0.0:192.168.0.113/22->10.8.0.2/32494, tcp, flag 12 syn ack
Jul 31 12:14:01 12:14:01.472914:CID-0:RT: find flow: table 0x44eb0620, hash 33320(0xffff), sa 192.168.0.113, da 10.8.0.2, sp 22, dp 32494, proto 6, tok 6
Jul 31 12:14:01 12:14:01.472914:CID-0:RT: no session found, start first path. in_tunnel - 0, from_cp_flag - 0
Jul 31 12:14:01 12:14:01.472914:CID-0:RT:flow_send_icmp_tcp_rst: Sending tcp-rst
Jul 31 12:14:01 12:14:01.472914:CID-0:RT:skip pre-frag: is_tunnel_if- 0, is_if_mtu_configured- 0
Jul 31 12:14:01 12:14:01.472914:CID-0:RT: encap vector
Jul 31 12:14:01 12:14:01.472914:CID-0:RT: no more encapping needed
Jul 31 12:14:01 12:14:01.472914:CID-0:RT: **** pak processing end.
Jul 31 12:14:01 12:14:01.472914:CID-0:RT: packet dropped, first pak not sync
Jul 31 12:14:01 12:14:01.472914:CID-0:RT: flow find session returns error.
Jul 31 12:14:01 12:14:01.472914:CID-0:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)
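Added example, not part of the post and not Juniper code: a small Python helper that parses SRX `flow traceoptions` output like the dump above and flags the pattern it shows. The forward packet (`10.8.0.2/32494 -> 192.168.0.113/22`) passes through `flow_process_pkt` with no session lookup at all, and three seconds later the SYN-ACK from the SSH server arrives on `fe-0/0/0.0` as the first packet the flow engine sees for that session, so it is dropped with `first pak not sync` and a TCP RST is sent. On SRX the flow engine expects the first packet of a TCP session to be a SYN, so confirming that the two halves of the handshake take different paths through the firewall is the check to do before changing policy. The sample trace embedded in the script is copied from the post; the `Packet`, `parse_trace` and `find_asymmetric_sessions` names are my own, and the parser only keys on the marker strings visible in this trace.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# SRX flow trace lines copied from the post above (abridged to the lines the parser uses).
SAMPLE_TRACE = """\
Jul 31 12:13:58 12:13:58.442592:CID-0:RT:<10.8.0.2/32494->192.168.0.113/22;6> matched filter MatchTraffic:
Jul 31 12:13:58 12:13:58.442592:CID-0:RT:packet [40] ipid = 33869, @40e7e080
Jul 31 12:13:58 12:13:58.442592:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 8, common flag 0x0, mbuf 0x40e7de80, rtbl_idx = 0
Jul 31 12:13:58 12:13:58.442592:CID-0:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)
Jul 31 12:14:01 12:14:01.472914:CID-0:RT:<192.168.0.113/22->10.8.0.2/32494;6> matched filter MatchTraffic:
Jul 31 12:14:01 12:14:01.472914:CID-0:RT:packet [52] ipid = 0, @4039951a
Jul 31 12:14:01 12:14:01.472914:CID-0:RT: flow process pak fast ifl 67 in_ifp fe-0/0/0.0
Jul 31 12:14:01 12:14:01.472914:CID-0:RT: fe-0/0/0.0:192.168.0.113/22->10.8.0.2/32494, tcp, flag 12 syn ack
Jul 31 12:14:01 12:14:01.472914:CID-0:RT: find flow: table 0x44eb0620, hash 33320(0xffff), sa 192.168.0.113, da 10.8.0.2, sp 22, dp 32494, proto 6, tok 6
Jul 31 12:14:01 12:14:01.472914:CID-0:RT: no session found, start first path. in_tunnel - 0, from_cp_flag - 0
Jul 31 12:14:01 12:14:01.472914:CID-0:RT:flow_send_icmp_tcp_rst: Sending tcp-rst
Jul 31 12:14:01 12:14:01.472914:CID-0:RT: packet dropped, first pak not sync
Jul 31 12:14:01 12:14:01.472914:CID-0:RT: flow find session returns error.
Jul 31 12:14:01 12:14:01.472914:CID-0:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)
"""

# A "matched filter" line opens a new packet record; everything up to the next one belongs to it.
FLOW_RE = re.compile(r"<(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+);(?P<proto>\d+)> matched filter")
IN_IF_RE = re.compile(r"in_ifp (\S+)")
FLAG_RE = re.compile(r", tcp, flag \S+ (?P<flags>.+)$")
RC_RE = re.compile(r"flow_process_pkt rc (0x[0-9a-fA-F]+)")

FiveTuple = Tuple[str, int, str, int, int]


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    in_ifp: Optional[str] = None       # ingress interface, when the trace names one
    tcp_flags: Optional[str] = None    # e.g. "syn ack"
    rc: Optional[str] = None           # flow_process_pkt return code
    session_lookup: bool = False       # trace shows a "find flow:" session lookup
    no_session: bool = False           # lookup ran and found nothing
    first_pak_not_sync: bool = False   # dropped because the first packet was not a SYN
    rst_sent: bool = False

    def key(self) -> FiveTuple:
        return (self.src, self.sport, self.dst, self.dport, self.proto)

    def reverse_key(self) -> FiveTuple:
        return (self.dst, self.dport, self.src, self.sport, self.proto)


def parse_trace(text: str) -> List[Packet]:
    """Split SRX flow trace output into one Packet record per 'matched filter' block."""
    packets: List[Packet] = []
    cur: Optional[Packet] = None
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if m:
            cur = Packet(m["src"], int(m["sport"]), m["dst"], int(m["dport"]), int(m["proto"]))
            packets.append(cur)
            continue
        if cur is None:
            continue
        if (m := IN_IF_RE.search(line)):
            cur.in_ifp = m.group(1)
        if (m := FLAG_RE.search(line)):
            cur.tcp_flags = m["flags"].strip()
        if (m := RC_RE.search(line)):
            cur.rc = m.group(1)
        if "find flow:" in line:
            cur.session_lookup = True
        if "no session found" in line:
            cur.no_session = True
        if "first pak not sync" in line:
            cur.first_pak_not_sync = True
        if "Sending tcp-rst" in line:
            cur.rst_sent = True
    return packets


@dataclass
class Finding:
    forward: Packet   # the packet that went out without installing a session
    reply: Packet     # the returning packet that was rejected as a non-SYN first packet

    def describe(self) -> str:
        f, r = self.forward, self.reply
        return (f"asymmetric TCP session {f.src}:{f.sport} -> {f.dst}:{f.dport}: forward packet "
                f"passed the flow engine without a session lookup (rc {f.rc}); reply [{r.tcp_flags}] "
                f"arriving on {r.in_ifp} found no session and was dropped "
                f"({'tcp-rst sent' if r.rst_sent else 'no rst'}, rc {r.rc})")


def find_asymmetric_sessions(packets: List[Packet]) -> List[Finding]:
    """Pair each 'first pak not sync' drop with the earlier forward-direction packet whose
    5-tuple it reverses, provided that forward packet never performed a session lookup."""
    seen: Dict[FiveTuple, Packet] = {}
    findings: List[Finding] = []
    for p in packets:
        if p.first_pak_not_sync:
            fwd = seen.get(p.reverse_key())
            if fwd is not None and not fwd.session_lookup:
                findings.append(Finding(fwd, p))
        seen.setdefault(p.key(), p)   # keep the first sighting of each 5-tuple
    return findings


if __name__ == "__main__":
    for finding in find_asymmetric_sessions(parse_trace(SAMPLE_TRACE)):
        print(finding.describe())
```

Run it against the dump above and it reports one finding for `10.8.0.2:32494 -> 192.168.0.113:22`; on a longer capture from `show security flow` traceoptions the same pairing tells you which client/server pairs are hitting the SYN check rather than a policy deny, which is the distinction the bullet list in the post is circling around (ICMP has no handshake, so it never trips this check).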