SRX

  • 1.  Dynamic-VPN weird routing

    Posted 08-07-2012 20:28

    I have a strange issue (to me at least!). Hopefully someone will find something obvious to point out.

    I first configured a dynamic vpn with the address pool in the same subnet as the trust interface. I am able to connect and access all hosts within the protected-resources list. However, I'm not able to ping the trust interface address.

    I then configured the address pool with a different subnet (20.20.20.0/24 low .20 high .30) and was able to ping the trust interface address and still ping the protected-resources hosts. However, the SRX did not have a route for 20.20.20.0/24 so any traffic initiated from the trust subnet got routed out the default route instead of to the VPN user.

    Any ideas? I'm running JunOS 12.1R2.9.
    Thank you!!!
    set interfaces fe-0/0/0 fastether-options redundant-parent reth1
    set interfaces fe-0/0/1 fastether-options redundant-parent reth0
    set interfaces fe-0/0/2 fastether-options redundant-parent reth2
    set interfaces fe-1/0/0 fastether-options redundant-parent reth1
    set interfaces fe-1/0/1 fastether-options redundant-parent reth0
    set interfaces fe-1/0/2 fastether-options redundant-parent reth2
    set interfaces fab0 fabric-options member-interfaces fe-0/0/5
    set interfaces fab1 fabric-options member-interfaces fe-1/0/5
    set interfaces lo0 unit 0 family inet address 100.100.100.2/32
    set interfaces reth0 redundant-ether-options redundancy-group 1
    set interfaces reth0 unit 0 family inet address 10.0.0.20/24
    set interfaces reth1 redundant-ether-options redundancy-group 1
    set interfaces reth1 unit 0 family inet address 192.168.2.1/24
    set interfaces reth2 redundant-ether-options redundancy-group 1
    set interfaces reth2 unit 0 family inet address 192.168.100.1/24
    set access profile vpn-users client mike firewall-user password "$9$/y75Au1Srv7-wRh-wYgUD9Ap0RhylK8xN"
    set access profile vpn-users address-assignment pool vpn-pool
    set access address-assignment pool vpn-pool family inet network 192.168.2.0/24
    set access address-assignment pool vpn-pool family inet range range1 low 192.168.2.20
    set access address-assignment pool vpn-pool family inet range range1 high 192.168.2.30
    set access address-assignment pool vpn-pool family inet xauth-attributes primary-dns 8.8.8.8/32
    set access firewall-authentication web-authentication default-profile vpn-users
    set security ike policy dyn-vpn mode aggressive
    set security ike policy dyn-vpn proposal-set standard
    set security ike policy dyn-vpn pre-shared-key ascii-text "$9$jqkmT69pRhrz3hrev7Nik.Pz3/CtOIE"
    set security ike gateway dyn-vpn-gw ike-policy dyn-vpn
    set security ike gateway dyn-vpn-gw dynamic hostname netzolt.com
    set security ike gateway dyn-vpn-gw dynamic connections-limit 2
    set security ike gateway dyn-vpn-gw dynamic ike-user-type shared-ike-id
    set security ike gateway dyn-vpn-gw external-interface reth0.0
    set security ike gateway dyn-vpn-gw xauth access-profile vpn-users
    set security ipsec policy dyn-vpn-pol proposal-set standard
    set security ipsec vpn dyn-vpn ike gateway dyn-vpn-gw
    set security ipsec vpn dyn-vpn ike ipsec-policy dyn-vpn-pol
    set security dynamic-vpn access-profile vpn-users
    set security dynamic-vpn clients allusers remote-protected-resources 192.168.100.0/24
    set security dynamic-vpn clients allusers remote-protected-resources 192.168.2.0/24
    set security dynamic-vpn clients allusers remote-exceptions 0.0.0.0/0
    set security dynamic-vpn clients allusers ipsec-vpn dyn-vpn
    set security dynamic-vpn clients allusers user mike
    set security nat proxy-arp interface reth1.0 address 192.168.2.20/32 to 192.168.2.30/32
    set security policies from-zone untrust to-zone trust policy vpn-ingress match source-address any
    set security policies from-zone untrust to-zone trust policy vpn-ingress match destination-address any
    set security policies from-zone untrust to-zone trust policy vpn-ingress match application any
    set security policies from-zone untrust to-zone trust policy vpn-ingress then permit tunnel ipsec-vpn dyn-vpn
    set security policies default-policy permit-all
    set security zones security-zone trust host-inbound-traffic system-services all
    set security zones security-zone trust host-inbound-traffic protocols all
    set security zones security-zone trust interfaces reth1.0
    set security zones security-zone trust interfaces reth2.0
    set security zones security-zone untrust host-inbound-traffic system-services ping
    set security zones security-zone untrust host-inbound-traffic system-services ike
    set security zones security-zone untrust host-inbound-traffic system-services traceroute
    set security zones security-zone untrust host-inbound-traffic system-services https
    set security zones security-zone untrust host-inbound-traffic system-services ssh
    set security zones security-zone untrust host-inbound-traffic protocols ospf
    set security zones security-zone untrust interfaces reth0.0
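As an added example (not part of the thread), the following Python check parses a set-style Junos excerpt and flags the two situations described above: a pool outside every connected interface subnet (no route back to clients) and a pool inside a subnet but without a covering proxy-arp entry. SAMPLE_CONFIG is a constructed excerpt of the poster's config with the pool moved to 20.20.20.0/24.

```python
"""Lint a Junos 'set' config for dynamic-VPN pool reachability: the pool
must sit inside a directly connected interface subnet and be covered by a
proxy-arp entry, otherwise the SRX has no path back to the VPN clients."""
import ipaddress
import re

# Constructed excerpt of the poster's config, pool moved to 20.20.20.0/24.
SAMPLE_CONFIG = """
set interfaces reth1 unit 0 family inet address 192.168.2.1/24
set interfaces reth2 unit 0 family inet address 192.168.100.1/24
set access address-assignment pool vpn-pool family inet network 20.20.20.0/24
set access address-assignment pool vpn-pool family inet range range1 low 20.20.20.20
set access address-assignment pool vpn-pool family inet range range1 high 20.20.20.30
set security nat proxy-arp interface reth1.0 address 192.168.2.20/32 to 192.168.2.30/32
"""

def parse(config):
    """Collect connected subnets per unit, the pool network/range, and proxy-arp entries."""
    ifaces, pool, proxy = {}, {}, []
    for line in config.splitlines():
        m = re.match(r"set interfaces (\S+) unit (\d+) family inet address (\S+)", line)
        if m:
            ifaces[f"{m[1]}.{m[2]}"] = ipaddress.ip_interface(m[3]).network
            continue
        m = re.match(r"set access address-assignment pool \S+ family inet "
                     r"(network|range \S+ low|range \S+ high) (\S+)", line)
        if m:
            pool[m[1].split()[-1]] = m[2]  # keys: network, low, high
            continue
        m = re.match(r"set security nat proxy-arp interface (\S+) address (\S+) to (\S+)", line)
        if m:
            proxy.append((m[1], ipaddress.ip_interface(m[2]).ip, ipaddress.ip_interface(m[3]).ip))
    return ifaces, pool, proxy

def check_pool(config):
    """Return a list of findings; an empty list means the pool looks reachable."""
    ifaces, pool, proxy = parse(config)
    net = ipaddress.ip_network(pool["network"])
    low, high = ipaddress.ip_address(pool["low"]), ipaddress.ip_address(pool["high"])
    # Is the pool inside a subnet the SRX is directly connected to?
    on_link = [name for name, n in ifaces.items() if net.subnet_of(n)]
    if not on_link:
        return [f"pool {net} is not within any connected interface subnet; no route back to clients"]
    # Does a proxy-arp entry on that interface cover the whole client range?
    covered = any(i in on_link and lo <= low and high <= hi for i, lo, hi in proxy)
    if not covered:
        return [f"pool range {low}-{high} on {on_link} has no covering proxy-arp entry"]
    return []

if __name__ == "__main__":
    print(check_pool(SAMPLE_CONFIG) or "pool looks reachable")
```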



  • 2.  RE: Dynamic-VPN weird routing

    Posted 08-07-2012 21:07

    Hello, from the trust zone you can't ping the VPN user, because the firewall doesn't have a route to the VPN user. I have the same situation.



  • 3.  RE: Dynamic-VPN weird routing

    Posted 08-09-2012 06:38

    Anyone have an idea on this? If I need to add a static route, what is the next hop?



  • 4.  RE: Dynamic-VPN weird routing
    Best Answer

    Posted 08-09-2012 07:59

    Is your intention to initiate traffic from inside the SRX to the client which has connected into the box via Dynamic VPN / Pulse?

    If so, then this is not supported. Traffic must originate from the Client side.