SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Dynamic VPN with 2 zone Trust

    Posted 08-06-2012 06:06

    Hi all,

     

    I have a problem with VPN remote access (Dynamic VPN).

    I have 3 zones: Zone A = 192.168.10.0/24, Zone B = 192.168.22.0/24, and Zone C = public IP.

    Zones A and B are Trust.

    Zone C is Untrust.

    First, I created a Dynamic VPN and it was successful:

    from Untrust I can ping Zone A.

    Then I created it again for Untrust to Zone B, but it cannot ping.

    What's the problem?

     

    Thanks

     

    Feri

     



  • 2.  RE: Dynamic VPN with 2 zone Trust

    Posted 08-06-2012 11:49

    Hi,

     

     

    Please post your config, and also what version of Junos you are running and what type of SRX.



  • 3.  RE: Dynamic VPN with 2 zone Trust

    Posted 08-12-2012 06:46

    Hi

    Attachment: config vpn new.txt (txt, 2 KB)


  • 4.  RE: Dynamic VPN with 2 zone Trust

    Posted 08-08-2012 07:38

    Hello,

     

    Did you define valid protected resources for both zones?

    I confirm it works fine for 2 trusted zones (I use this type of architecture with an SRX210 running 11.4 and Junos Pulse 3.0R3).

    Do you use the Junos Pulse client?

     

    Regards,



  • 5.  RE: Dynamic VPN with 2 zone Trust

    Posted 08-12-2012 06:52

    Hi ludo,

     

    Yes, I defined that,

    but it is still not working.

    Please find the configuration attached.

    Could you check my configuration?

    I use Junos Pulse version 3.0 and Junos 10.4R6.5.

     

    Thanks

     

    Feri 



  • 6.  RE: Dynamic VPN with 2 zone Trust
    Best Answer

    Posted 08-12-2012 10:38

    Hi,

     

    Can you please try the following in the Zone-B config. There is a known issue where the policy to the 2nd set of protected resources has to be set as below, without referencing the VPN.

     

    Try it and let me know

     

    [edit security policies from-zone Untrust to-zone Zone-B] 
    set security policies from-zone Untrust to-zone Zone-B policy dyn-vpn-policy match source-address any
    set security policies from-zone Untrust to-zone Zone-B policy dyn-vpn-policy match destination-address 192.168.22.0
    set security policies from-zone Untrust to-zone Zone-B policy dyn-vpn-policy match application any
    set security policies from-zone Untrust to-zone Zone-B policy dyn-vpn-policy then permit

     



  • 7.  RE: Dynamic VPN with 2 zone Trust

    Posted 08-13-2012 12:00

    Hi,

     

    Why is this without a tunnel, only permit?

    Is this correct: set security policies from-zone Untrust to-zone Zone-B policy dyn-vpn-policy then permit tunnel ipsec-vpn dyn-vpn?

     

    thanks

     

     

    feri



  • 8.  RE: Dynamic VPN with 2 zone Trust

    Posted 08-14-2012 01:00

    The traffic going to the 2nd zone will be coming down the tunnel anyway; the routes pushed from the SRX will make it do this. Try the above: there is a known issue, going right up to 11.1 at least, where, when accessing 2 zones down a tunnel, one will not work and needs to be set up as above, just permitting all rather than referencing the tunnel.

     

    Try it out, it may not be your issue.



  • 9.  RE: Dynamic VPN with 2 zone Trust

    Posted 08-14-2012 07:51

    Hi,

     

    Thanks a lot

    this is working

     

    So, if I want to allow another zone, is a permit without the tunnel enough?

     

     

    Thanks

     

    Feri



  • 10.  RE: Dynamic VPN with 2 zone Trust

    Posted 08-14-2012 07:59

    Hi there,

     

    Glad it's working. I have never done it with 3 zones, but the concept would be the same: just push the protected resources subnet to the client and do the same as above, and I think it will be fine.