SRX Services Gateway
Contributor
Posts: 33
Registered: ‎07-21-2016
0 Kudos
Accepted Solution

Dynamic VPN (somewhat works) - I need a bump in the right direction

I've managed to get a test dynamic VPN working to some degree.

A bit about our architecture:
Two offices - A & B
Amazon Cloud - Z

The current static VPNS are:
A - B
A - Z
B - Z


Eventually I will have dynamic VPN set up on the SRXs serving offices A & B. Currently I am just working on one SRX.

Currently working on SRX B for initial setup.
I am able to connect, authenticate, and access resources behind B.
I cannot access resources behind A & Z.

The IP settings of the virtual adapter when connected are:
IPv4 address:     192.168.1.13
Subnet mask:      255.255.255.255
Default gateway:
DNS:              192.168.xx.80

I am able to resolve the resources on networks B & Z.

I feel like I am really close to getting this right but need a nudge in the right direction.

Below is the current config with non-relevant information removed and IP addresses changed.

version 15.1X49-D60.7;
system {
    services {
        ssh;
        telnet;
        xnm-clear-text;
        web-management {
            http {
                interface [ ge-0/0/1.0 st0.3 ];
            }
            https {
                system-generated-certificate;
                interface [ ge-0/0/1.0 ge-0/0/0.0 ];
            }
        }
    }
}
security {
    ike {
        proposal Dynamic-VPN-P1-Proposal {
            description Dynamic_P1_Proposal;
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 1200;
        }
        policy Dynamic-VPN-P2-Policy {
            mode aggressive;
            description Dynamic_P2_Policy;
            proposals Dynamic-VPN-P1-Proposal;
            pre-shared-key ascii-text "$9$KteMWXdb2JGirewg4aHk.P5z9tp01ylvbsaUjkQzEcSeLx7-Vb24W8GD"; ## SECRET-DATA
        }
        gateway Dynamic-VPN-P1-Gateway {
            ike-policy Dynamic-VPN-P2-Policy;
            dynamic {
                hostname mustbegeek.com;
                ike-user-type shared-ike-id;
            }
            external-interface ge-0/0/0.0;
            xauth {
                access-profile Dynamic-XAuth;
            }
        }
    }
    ipsec {
        proposal Dynamic-P2-Proposal {
            description Dynamic-VPN-P2-Proposal;
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 3600;
        }
        policy Dynamic-P2-Policy {
            perfect-forward-secrecy {
                keys group5;
            }
            proposals Dynamic-P2-Proposal;
        }
        vpn Dynamic-VPN {
            ike {
                gateway Dynamic-VPN-P1-Gateway;
                ipsec-policy Dynamic-P2-Policy;
            }
            establish-tunnels immediately;
        }
    }
    dynamic-vpn {
        force-upgrade;
        access-profile Dynamic-XAuth;
        clients {
            all {
                remote-protected-resources {
                    192.168.26.0/24;    <-- Office B
                    192.168.25.0/24;    <-- Office A
                    192.168.57.0/24;    <-- Amazon
                }
                remote-exceptions {
                    0.0.0.0/0;
                }
                ipsec-vpn Dynamic-VPN;
                user {
                    Jed;
                    Steve;
                }
            }
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone trust {
            policy trust-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy Dynamic-VPN {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn Dynamic-VPN;
                        }
                    }
                }
            }
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                    bgp;
                }
            }
            interfaces {
                ge-0/0/1.0;
                st0.3;
                st0.1;
                st0.2;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    ike;
                }
            }
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            https;
                            ping;
                            ike;
                        }
                    }
                }
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 55.55.55.50/30;    <-- Public IP of SRX
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 192.168.26.254/24;    <-- Local network
            }
        }
    }
    st0 {
        unit 1 {
            family inet {
                mtu 1436;
                address 11.22.33.44/30;    <-- VPN to Amazon
            }
        }
        unit 2 {
            family inet {
                mtu 1436;
                address 11.22.33.55/30;    <-- VPN to Amazon
            }
        }
        unit 3 {
            family inet {
                mtu 1436;
                address 22.33.44.66/24;    <-- VPN to office A
            }
        }
    }
}
routing-options {
    static {
        route 10.0.0.0/16 next-hop [ st0.1 st0.2 ];    <-- Route to Amazon
        route 0.0.0.0/0 next-hop 55.55.55.51;          <-- Route to internet
        route 192.168.25.0/24 next-hop st0.3;          <-- Route to office A
    }
}
access {
    profile Dynamic-XAuth {
        client Jed {
            firewall-user {
                password "$9$emBKL7N-b2oGdbT3n6AtM8XxNb"; ## SECRET-DATA
            }
        }
        client Steve {
            firewall-user {
                password "$9$UzDqPf5z6CuTzlMW87Nik.mfz"; ## SECRET-DATA
            }
        }
        address-assignment {
            pool Dynamic-VPN-Pool;
        }
    }
    address-assignment {
        pool Dynamic-VPN-Pool {
            family inet {
                network 192.168.10.0/24;
                range Range1 {
                    low 192.168.10.10;
                    high 192.168.10.30;
                }
                dhcp-attributes {
                    domain-name stonemountainaccess.com;
                    name-server {
                        192.168.26.80;    <-- Domain controller office B
                    }
                    router {
                        192.168.10.1;
                    }
                }
                xauth-attributes {
                    primary-dns 192.168.26.80/32;      <-- Domain controller office B
                    secondary-dns 192.168.25.80/32;    <-- Domain controller office A
                }
            }
        }
    }
    firewall-authentication {
        web-authentication {
            default-profile Dynamic-XAuth;
        }
    }
}
Distinguished Expert
Posts: 683
Registered: ‎06-22-2011
0 Kudos

Re: Dynamic VPN (somewhat works) - I need a bump in the right direction

You are only allowing access to the following subnets:

remote-protected-resources {
    192.168.26.0/24;    <-- Office B
    192.168.25.0/24;    <-- Office A
    192.168.57.0/24;
}

What are the IPs you are trying to reach?

Contributor
Posts: 33
Registered: ‎07-21-2016
0 Kudos

Re: Dynamic VPN (somewhat works) - I need a bump in the right direction

I am able to reach all resources on 192.168.26.0
I cannot reach anything on the other two subnets.

Contributor
Posts: 33
Registered: ‎07-21-2016
0 Kudos

Re: Dynamic VPN (somewhat works) - I need a bump in the right direction

The solution was adding a static route to the routers.

My pings were reaching the other networks but could not find a return path.

Example below for two SRX devices prior to the solution:


SRX-A hosts
- IP block 192.168.5.0/24

- Has static routes for Internet, Amazon, and SRX-B internal network
- Assigns 192.168.10.0/24 to dynamic-vpn


# show routing-options

static {
    route 10.0.0.0/16 next-hop [ st0.1 st0.2 ];
    route 0.0.0.0/0 next-hop 173.161.47.xxx;
    route 192.168.6.0/24 next-hop st0.3;
}


SRX-B hosts

- IP block 192.168.6.0/24

- Has static routes for Internet, Amazon, and SRX-B internal network
- Assigns 192.168.20.0/24 to dynamic-vpn


# show routing-options

static {
    route 10.0.0.0/16 next-hop [ st0.1 st0.2 ];
    route 0.0.0.0/0 next-hop 173.161.47.xxx;
    route 192.168.5.0/24 next-hop st0.3;
}


In the above example dynamic VPN traffic could reach the other networks but there was no return path. SRX-A had no idea how to send traffic to 192.168.20.0.

Below is the solution:

SRX-A hosts

# show routing-options

static {
    route 10.0.0.0/16 next-hop [ st0.1 st0.2 ];
    route 0.0.0.0/0 next-hop 173.161.47.xxx;
    route 192.168.6.0/24 next-hop st0.3;     <-- this is the route to SRX-B
    route 192.168.20.0/24 next-hop st0.3;    <-- this is the route to the dynamic-vpn ip-range on SRX-B
}

 

SRX-B hosts

# show routing-options

static {
    route 10.0.0.0/16 next-hop [ st0.1 st0.2 ];
    route 0.0.0.0/0 next-hop 173.161.47.xxx;
    route 192.168.5.0/24 next-hop st0.3;     <-- this is the route to SRX-A
    route 192.168.10.0/24 next-hop st0.3;    <-- this is the route to the dynamic-vpn ip-range on SRX-A
}
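The missing-return-route problem in the accepted solution is easy to catch before anyone starts pinging: for every peer, each SRX needs a route not just for the peer's LAN but also for the peer's dynamic-VPN address pool, and that route has to point into the tunnel rather than fall through to the default route toward the ISP. The script below is an added example written for this thread, not code from the poster or from Juniper. It parses the `static { ... }` stanza of `show routing-options` output and reports every peer LAN or pool that a device would not send over the tunnel interface. The tunnel interface name `st0.3`, the pool and LAN prefixes, and the routes are taken from the "before" and "after" outputs in the thread; the ISP next hop `203.0.113.1` is a documentation-range placeholder standing in for the redacted `173.161.47.xxx`. The check generalizes beyond the two-device case to any full mesh of devices given in the same form.

```python
"""Verify that each SRX in a mesh has a tunnel route back to every peer's
LAN and to every peer's dynamic-VPN address pool.

Added example for the thread above; not the poster's or Juniper's code.
Assumes the inter-office tunnel is st0.3 on every device and that a
destination matched only by 0.0.0.0/0 is a reply that would leak to the ISP.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Junos static route lines as they appear in 'show routing-options', e.g.
#   route 192.168.6.0/24 next-hop st0.3;
#   route 10.0.0.0/16 next-hop [ st0.1 st0.2 ];
ROUTE_RE = re.compile(r"route\s+(\S+)\s+next-hop\s+(\[[^\]]*\]|[^;\s]+)\s*;")

Routes = Dict[ipaddress.IPv4Network, List[str]]
Match = Optional[Tuple[ipaddress.IPv4Network, List[str]]]


def parse_static_routes(text: str) -> Routes:
    """Map each static route prefix to its list of next hops."""
    routes: Routes = {}
    for m in ROUTE_RE.finditer(text):
        prefix = ipaddress.ip_network(m.group(1), strict=False)
        routes[prefix] = m.group(2).strip("[]").split()
    return routes


def covering_route(routes: Routes, dest: ipaddress.IPv4Network) -> Match:
    """Longest-prefix match: the most specific static route containing dest."""
    best: Match = None
    for prefix, hops in routes.items():
        if dest.subnet_of(prefix) and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, hops)
    return best


def missing_tunnel_routes(devices: Dict[str, dict], tunnel_if: str = "st0.3") -> List[Tuple[str, str, str]]:
    """Return (device, destination, matched_route) for every peer LAN or peer
    dynamic-VPN pool that `device` would NOT forward over tunnel_if."""
    problems = []
    for name, dev in devices.items():
        for peer_name, peer in devices.items():
            if peer_name == name:
                continue
            for dest_str in (peer["lan"], peer["pool"]):
                match = covering_route(dev["routes"], ipaddress.ip_network(dest_str))
                if match is None or tunnel_if not in match[1]:
                    problems.append((name, dest_str, str(match[0]) if match else "no route"))
    return problems


# Constructed from the thread's "prior to solution" output (ISP hop is a placeholder).
SRX_A_BEFORE = """
static {
    route 10.0.0.0/16 next-hop [ st0.1 st0.2 ];
    route 0.0.0.0/0 next-hop 203.0.113.1;
    route 192.168.6.0/24 next-hop st0.3;
}
"""
SRX_B_BEFORE = SRX_A_BEFORE.replace("192.168.6.0/24", "192.168.5.0/24")
# The accepted solution: add the route to the peer's dynamic-VPN pool via the tunnel.
SRX_A_AFTER = SRX_A_BEFORE.replace("}", "    route 192.168.20.0/24 next-hop st0.3;\n}")
SRX_B_AFTER = SRX_B_BEFORE.replace("}", "    route 192.168.10.0/24 next-hop st0.3;\n}")


def mesh(a_routes: str, b_routes: str) -> Dict[str, dict]:
    """LAN and pool prefixes as given in the thread's example."""
    return {
        "SRX-A": {"lan": "192.168.5.0/24", "pool": "192.168.10.0/24", "routes": parse_static_routes(a_routes)},
        "SRX-B": {"lan": "192.168.6.0/24", "pool": "192.168.20.0/24", "routes": parse_static_routes(b_routes)},
    }


def check_before() -> List[Tuple[str, str, str]]:
    return missing_tunnel_routes(mesh(SRX_A_BEFORE, SRX_B_BEFORE))


def check_after() -> List[Tuple[str, str, str]]:
    return missing_tunnel_routes(mesh(SRX_A_AFTER, SRX_B_AFTER))


if __name__ == "__main__":
    for dev, dest, via in check_before():
        print(f"{dev}: {dest} would leave via {via}, not the tunnel")
    print("after fix:", check_after() or "all peer LANs and pools routed via st0.3")
```

Running it on the "before" routes reports that SRX-A sends 192.168.20.0/24 via 0.0.0.0/0 and SRX-B sends 192.168.10.0/24 via 0.0.0.0/0, which is exactly the asymmetric path the poster observed (pings arrive, replies go to the Internet). Feeding it the "after" routes returns an empty list. Because it keys off the longest-prefix match rather than the presence of any route, a pool that is accidentally covered by a broader route toward the wrong interface is also flagged.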