Dear all,
I am now doing a dynamic VPN test, but I have run into a problem.
I can authenticate the VPN with Junos Pulse and get the IP address that I assigned to the VPN client,
but I cannot access resources in the trust zone (such as ping).
Below is my configuration. Please help me check whether I have made some mistake in the configuration.
[edit]
srx@srx100h# show | display set
set version 11.4R1.6
set system services ssh
set system services telnet
set system services web-management management-url srx-jweb
set system services web-management http interface vlan.0
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.0
set system services web-management https interface fe-0/0/0.0
set interfaces fe-0/0/0 unit 0 family inet address 172.32.1.1/24 (outside)
set interfaces fe-0/0/1 unit 0 family inet address 192.168.80.200/24 (inside)
set interfaces fe-0/0/7 unit 0 family inet address 10.10.10.11/24 (management )
set interfaces st0 unit 0 family inet address 172.31.1.2/24
set interfaces vlan unit 0 family inet address 192.168.1.1/24
set routing-options static route 0.0.0.0/0 next-hop 10.10.10.2
set routing-options static route 192.168.7.0/24 next-hop 10.10.10.1
set security ike proposal dy-vpn-proposal authentication-method pre-shared-keys
set security ike proposal dy-vpn-proposal dh-group group2
set security ike proposal dy-vpn-proposal authentication-algorithm md5
set security ike proposal dy-vpn-proposal encryption-algorithm 3des-cbc
set security ike policy dy-vpn-policy mode aggressive
set security ike policy dy-vpn-policy proposals dy-vpn-proposal
set security ike policy dy-vpn-policy pre-shared-key ascii-text "$9$ZXji.n6A01hHqA0"
set security ike gateway dy-vpn-gw ike-policy dy-vpn-policy
set security ike gateway dy-vpn-gw dynamic hostname dyvpn
set security ike gateway dy-vpn-gw dynamic connections-limit 10
set security ike gateway dy-vpn-gw dynamic ike-user-type shared-ike-id
set security ike gateway dy-vpn-gw external-interface fe-0/0/0
set security ike gateway dy-vpn-gw xauth access-profile dy-vpn-user
set security ipsec proposal dy2-vpn-proposal protocol esp
set security ipsec proposal dy2-vpn-proposal authentication-algorithm hmac-md5-96
set security ipsec proposal dy2-vpn-proposal encryption-algorithm 3des-cbc
set security ipsec policy dy2-vpn-policy proposals dy2-vpn-proposal
set security ipsec vpn dyn-vpn ike gateway dy-vpn-gw
set security ipsec vpn dyn-vpn ike ipsec-policy dy2-vpn-policy
set security dynamic-vpn access-profile dy-vpn-user
set security dynamic-vpn clients all remote-protected-resources 192.168.80.0/24 (I don't know what the protected address should be: the trust-zone network, or the network assigned to VPN clients?)
set security dynamic-vpn clients all remote-exceptions 0.0.0.0/0
set security dynamic-vpn clients all ipsec-vpn dyn-vpn
set security dynamic-vpn clients all user srx1
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat source rule-set snat from zone trust
set security nat source rule-set snat to zone untrust
set security nat source rule-set snat rule 1 match destination-address 10.32.1.0/24
set security nat source rule-set snat rule 1 then source-nat off (in case NO NAT is needed)
set security nat source rule-set snat rule 2 match source-address 0.0.0.0/0
set security nat source rule-set snat rule 2 then source-nat interface
set security policies from-zone trust to-zone untrust policy permit-any match source-address any
set security policies from-zone trust to-zone untrust policy permit-any match destination-address any
set security policies from-zone trust to-zone untrust policy permit-any match application any
set security policies from-zone trust to-zone untrust policy permit-any then permit
set security policies from-zone untrust to-zone trust policy dy-vpn-policy match source-address any
set security policies from-zone untrust to-zone trust policy dy-vpn-policy match destination-address any
set security policies from-zone untrust to-zone trust policy dy-vpn-policy match application any
set security policies from-zone untrust to-zone trust policy dy-vpn-policy then permit tunnel ipsec-vpn dyn-vpn
set security zones functional-zone management interfaces fe-0/0/7.0 host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust interfaces fe-0/0/1.0
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services all
set security zones security-zone route-vpn host-inbound-traffic system-services all
set security zones security-zone route-vpn interfaces st0.0
set access profile dy-vpn-user client srx1 firewall-user password "$9$d0soGjHmPQniHCtu0IRNdV"
set access profile dy-vpn-user address-assignment pool dy-vpn-pool
set access address-assignment pool dy-vpn-pool family inet network 10.32.1.1/24
set access address-assignment pool dy-vpn-pool family inet xauth-attributes primary-dns 8.8.8.8/32
set access firewall-authentication web-authentication default-profile dy-vpn-user
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface vlan.0
srx@srx100h> show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
7370239 UP 55d2e00246603150 c30ce76f7cc4bd2d Aggressive 172.32.1.2
srx@srx100h> show security flow session
Session ID: 5500, Policy name: dy-vpn-policy/4, Timeout: 52, Valid
In: 10.32.1.5(IP address the VPN client got)/347 --> 192.168.80.220(server in trust zone)/1;icmp, If: fe-0/0/0.0, Pkts: 1, Bytes: 60
Out: 192.168.80.220/1 --> 10.32.1.5/347;icmp, If: fe-0/0/1.0, Pkts: 0, Bytes: 0
Session ID: 5501, Policy name: dy-vpn-policy/4, Timeout: 56, Valid
In: 10.32.1.5/348 --> 192.168.80.220/1;icmp, If: fe-0/0/0.0, Pkts: 1, Bytes: 60
Out: 192.168.80.220/1 --> 10.32.1.5/348;icmp, If: fe-0/0/1.0, Pkts: 0, Bytes: 0
srx@srx100h> show security ipsec statistics
ESP Statistics:
Encrypted bytes: 214616
Decrypted bytes: 121843
Encrypted packets: 1473
Decrypted packets: 1758 (traffic was decrypted)
AH Statistics:
Input bytes: 0
Output bytes: 0
Input packets: 0
Output packets: 0
Thanks.