SRX Services Gateway
h3cisco

Dynamic VPN established, but VPN client couldn't access trust zone resource

Dear all,

I am doing a dynamic VPN test, but I have met a problem.

I could authenticate the VPN with Junos Pulse and got the IP address which I assigned to the VPN client.

But I couldn't access trust-zone resources (for example, ping).

Below is my configuration. Please help me check whether I have made some misconfiguration.


[edit]
srx@srx100h# show | display set
set version 11.4R1.6
set system services ssh
set system services telnet
set system services web-management management-url srx-jweb
set system services web-management http interface vlan.0
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.0
set system services web-management https interface fe-0/0/0.0

set interfaces fe-0/0/0 unit 0 family inet address 172.32.1.1/24 (outside)
set interfaces fe-0/0/1 unit 0 family inet address 192.168.80.200/24 (inside)
set interfaces fe-0/0/7 unit 0 family inet address 10.10.10.11/24 (management)
set interfaces st0 unit 0 family inet address 172.31.1.2/24
set interfaces vlan unit 0 family inet address 192.168.1.1/24
set routing-options static route 0.0.0.0/0 next-hop 10.10.10.2
set routing-options static route 192.168.7.0/24 next-hop 10.10.10.1
set security ike proposal dy-vpn-proposal authentication-method pre-shared-keys
set security ike proposal dy-vpn-proposal dh-group group2
set security ike proposal dy-vpn-proposal authentication-algorithm md5
set security ike proposal dy-vpn-proposal encryption-algorithm 3des-cbc
set security ike policy dy-vpn-policy mode aggressive
set security ike policy dy-vpn-policy proposals dy-vpn-proposal
set security ike policy dy-vpn-policy pre-shared-key ascii-text "$9$ZXji.n6A01hHqA0"
set security ike gateway dy-vpn-gw ike-policy dy-vpn-policy
set security ike gateway dy-vpn-gw dynamic hostname dyvpn
set security ike gateway dy-vpn-gw dynamic connections-limit 10
set security ike gateway dy-vpn-gw dynamic ike-user-type shared-ike-id
set security ike gateway dy-vpn-gw external-interface fe-0/0/0
set security ike gateway dy-vpn-gw xauth access-profile dy-vpn-user
set security ipsec proposal dy2-vpn-proposal protocol esp
set security ipsec proposal dy2-vpn-proposal authentication-algorithm hmac-md5-96
set security ipsec proposal dy2-vpn-proposal encryption-algorithm 3des-cbc
set security ipsec policy dy2-vpn-policy proposals dy2-vpn-proposal
set security ipsec vpn dyn-vpn ike gateway dy-vpn-gw
set security ipsec vpn dyn-vpn ike ipsec-policy dy2-vpn-policy
set security dynamic-vpn access-profile dy-vpn-user
set security dynamic-vpn clients all remote-protected-resources 192.168.80.0/24 (I don't know what the protected address is: the trust zone network, or the network assigned to the VPN clients?)
set security dynamic-vpn clients all remote-exceptions 0.0.0.0/0
set security dynamic-vpn clients all ipsec-vpn dyn-vpn
set security dynamic-vpn clients all user srx1
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat source rule-set snat from zone trust
set security nat source rule-set snat to zone untrust
set security nat source rule-set snat rule 1 match destination-address 10.32.1.0/24
set security nat source rule-set snat rule 1 then source-nat off (in case no NAT is needed)
set security nat source rule-set snat rule 2 match source-address 0.0.0.0/0
set security nat source rule-set snat rule 2 then source-nat interface
set security policies from-zone trust to-zone untrust policy permit-any match source-address any
set security policies from-zone trust to-zone untrust policy permit-any match destination-address any
set security policies from-zone trust to-zone untrust policy permit-any match application any
set security policies from-zone trust to-zone untrust policy permit-any then permit
set security policies from-zone untrust to-zone trust policy dy-vpn-policy match source-address any
set security policies from-zone untrust to-zone trust policy dy-vpn-policy match destination-address any
set security policies from-zone untrust to-zone trust policy dy-vpn-policy match application any
set security policies from-zone untrust to-zone trust policy dy-vpn-policy then permit tunnel ipsec-vpn dyn-vpn
set security zones functional-zone management interfaces fe-0/0/7.0 host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust interfaces fe-0/0/1.0
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services all
set security zones security-zone route-vpn host-inbound-traffic system-services all
set security zones security-zone route-vpn interfaces st0.0
set access profile dy-vpn-user client srx1 firewall-user password "$9$d0soGjHmPQniHCtu0IRNdV"
set access profile dy-vpn-user address-assignment pool dy-vpn-pool
set access address-assignment pool dy-vpn-pool family inet network 10.32.1.1/24
set access address-assignment pool dy-vpn-pool family inet xauth-attributes primary-dns 8.8.8.8/32
set access firewall-authentication web-authentication default-profile dy-vpn-user
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface vlan.0

srx@srx100h> show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
7370239 UP 55d2e00246603150 c30ce76f7cc4bd2d Aggressive 172.32.1.2

srx@srx100h> show security flow session

Session ID: 5500, Policy name: dy-vpn-policy/4, Timeout: 52, Valid
In: 10.32.1.5 (IP address the VPN client got)/347 --> 192.168.80.220 (server in trust zone)/1;icmp, If: fe-0/0/0.0, Pkts: 1, Bytes: 60
Out: 192.168.80.220/1 --> 10.32.1.5/347;icmp, If: fe-0/0/1.0, Pkts: 0, Bytes: 0

Session ID: 5501, Policy name: dy-vpn-policy/4, Timeout: 56, Valid
In: 10.32.1.5/348 --> 192.168.80.220/1;icmp, If: fe-0/0/0.0, Pkts: 1, Bytes: 60
Out: 192.168.80.220/1 --> 10.32.1.5/348;icmp, If: fe-0/0/1.0, Pkts: 0, Bytes: 0

srx@srx100h> show security ipsec statistics
ESP Statistics:
Encrypted bytes: 214616
Decrypted bytes: 121843
Encrypted packets: 1473
Decrypted packets: 1758 (traffic was decrypted)
AH Statistics:
Input bytes: 0
Output bytes: 0
Input packets: 0
Output packets: 0

Thanks.
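
The session dump above is the key clue: both ICMP sessions show In Pkts 1 and Out Pkts 0, so the client's packets are decrypted and forwarded out fe-0/0/1.0 but no reply ever comes back to the SRX. As an added example (not Junos output processing from Juniper, and not code posted in the thread), here is a small Python parser that reads `show security flow session` text and flags such one-way sessions. The sample text is constructed from the two sessions posted above (with the poster's inline notes removed) plus one healthy two-way session made up for contrast.

```python
"""Triage Junos `show security flow session` output for one-way sessions.

Added example written for this thread; not Juniper code. SAMPLE is constructed:
the first two sessions are the ones the poster showed, the third is invented
as a healthy two-way session for contrast.
"""
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE = """\
Session ID: 5500, Policy name: dy-vpn-policy/4, Timeout: 52, Valid
In: 10.32.1.5/347 --> 192.168.80.220/1;icmp, If: fe-0/0/0.0, Pkts: 1, Bytes: 60
Out: 192.168.80.220/1 --> 10.32.1.5/347;icmp, If: fe-0/0/1.0, Pkts: 0, Bytes: 0

Session ID: 5501, Policy name: dy-vpn-policy/4, Timeout: 56, Valid
In: 10.32.1.5/348 --> 192.168.80.220/1;icmp, If: fe-0/0/0.0, Pkts: 1, Bytes: 60
Out: 192.168.80.220/1 --> 10.32.1.5/348;icmp, If: fe-0/0/1.0, Pkts: 0, Bytes: 0

Session ID: 5502, Policy name: permit-any/3, Timeout: 56, Valid
In: 192.168.80.220/1 --> 172.32.1.50/2;icmp, If: fe-0/0/1.0, Pkts: 4, Bytes: 240
Out: 172.32.1.50/2 --> 172.32.1.1/1;icmp, If: fe-0/0/0.0, Pkts: 4, Bytes: 240
"""

HEADER_RE = re.compile(
    r"^Session ID: (?P<sid>\d+), Policy name: (?P<policy>\S+), "
    r"Timeout: (?P<timeout>\d+), (?P<state>\w+)$")
WING_RE = re.compile(
    r"^(?P<dir>In|Out): (?P<src>[\d.]+)/(?P<sport>\d+) --> (?P<dst>[\d.]+)/(?P<dport>\d+);"
    r"(?P<proto>\w+), If: (?P<ifname>\S+), Pkts: (?P<pkts>\d+), Bytes: (?P<bytes>\d+)$")


@dataclass
class Wing:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    ifname: str
    pkts: int
    bytes: int


@dataclass
class Session:
    session_id: int
    policy: str
    state: str
    in_wing: Optional[Wing] = None
    out_wing: Optional[Wing] = None


def parse_sessions(text: str) -> list:
    """Parse the session header and its In/Out wings into Session objects."""
    sessions, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = Session(int(m["sid"]), m["policy"], m["state"])
            sessions.append(current)
            continue
        m = WING_RE.match(line)
        if m and current is not None:
            wing = Wing(m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                        m["proto"], m["ifname"], int(m["pkts"]), int(m["bytes"]))
            if m["dir"] == "In":
                current.in_wing = wing
            else:
                current.out_wing = wing
    return sessions


def one_way_sessions(sessions) -> list:
    """Sessions whose forward wing carried traffic but whose reverse wing never did."""
    return [s for s in sessions
            if s.in_wing and s.out_wing
            and s.in_wing.pkts > 0 and s.out_wing.pkts == 0]


def explain(s: Session) -> str:
    """Plain-language reading of a one-way session for the person troubleshooting."""
    i, o = s.in_wing, s.out_wing
    return (f"session {s.session_id} ({s.policy}): {i.pkts} packet(s) from {i.src} "
            f"entered on {i.ifname} and were forwarded to {i.dst} via {o.ifname}, "
            f"but 0 came back. The SRX accepted the client's traffic; the reply from "
            f"{i.dst} to {i.src} is not reaching the SRX, so check how {i.dst} "
            f"routes (or ARPs for) {i.src}.")


if __name__ == "__main__":
    for s in one_way_sessions(parse_sessions(SAMPLE)):
        print(explain(s))
```

The Out wing's interface (fe-0/0/1.0) tells you the SRX did pick the right egress; a zero packet count there means the trust-side host's reply never arrived, which points at the host's return path for the client address rather than at the tunnel or the security policy.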

MMcD

Re: Dynamic VPN established, but VPN client couldn't access trust zone resource

I'd try disabling and re-enabling the policy first, as there is a known issue with this:

user@srx# deactivate security policies from-zone untrust to-zone trust policy dy-vpn-policy
user@srx# commit full
user@srx# activate security policies from-zone untrust to-zone trust policy dy-vpn-policy
user@srx# commit full

If this still does not work you will need to provide a basic-datapath trace.

MMcD [JNCIP-SEC, CCNA, MCP]

johnrbaker

Re: Dynamic VPN established, but VPN client couldn't access trust zone resource

Hi

I have noticed two issues with your config.

You need to specify an exact non-overlapping address range for the Dynamic VPN IP address pool, and you also need to set up the SRX to proxy-ARP for the same IP range. The pool and proxy-ARP addresses must be connected to a local interface and be in the same subnet as it.

E.g. VLAN is my internal network:

set security nat proxy-arp interface vlan.0 address 192.168.80.120/32 to 192.168.80.129/32

set access address-assignment pool dy-vpn-pool family inet range dvpn-range low 192.168.80.120
set access address-assignment pool dy-vpn-pool family inet range dvpn-range high 192.168.80.129

However, your config appears to be incomplete. Your vlan.0 is 192.168.1.0/24, but your VPN inside network is 192.168.80.0/24 and your dynamic VPN pool is 10.32.1.1/24.

I will make another post with a copy of my cleaned-up working config.
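
johnrbaker's point above, and the change h3cisco reports further down the thread, is that the client address pool has to sit inside a subnet directly connected to the SRX and be covered by proxy-ARP on that interface. The following Python is an added example, not Juniper code and not anything posted in the thread: it parses `display set` lines for interface addresses, the address pool and proxy-arp statements, reports whether the pool lies inside a connected subnet, whether it collides with the SRX's own interface address, and whether proxy-ARP covers it, and generates the statements of the kind the poster ended up using. The embedded `set` lines are constructed from the poster's configuration; the interface, pool and range names and the 192.168.80.230-235 range are the ones used in the thread.

```python
"""Check a dynamic-VPN address pool against the SRX's connected subnets and
proxy-ARP, and emit the statements that put the pool on the LAN.

Added example written for this thread; not Juniper code. ORIGINAL_CONFIG is
constructed from the poster's `display set` output (only the relevant lines).
"""
import ipaddress
import re

ORIGINAL_CONFIG = """\
set interfaces fe-0/0/0 unit 0 family inet address 172.32.1.1/24
set interfaces fe-0/0/1 unit 0 family inet address 192.168.80.200/24
set interfaces fe-0/0/7 unit 0 family inet address 10.10.10.11/24
set interfaces vlan unit 0 family inet address 192.168.1.1/24
set access address-assignment pool dy-vpn-pool family inet network 10.32.1.1/24
"""

IFACE_RE = re.compile(r"^set interfaces (\S+) unit (\d+) family inet address (\S+)$")
POOL_NET_RE = re.compile(r"^set access address-assignment pool (\S+) family inet network (\S+)$")
POOL_RANGE_RE = re.compile(
    r"^set access address-assignment pool (\S+) family inet range (\S+) (low|high) (\S+)$")
PROXY_ARP_RE = re.compile(r"^set security nat proxy-arp interface (\S+) address (\S+)(?: to (\S+))?$")


def connected_subnets(config):
    """Map each logical inet interface (fe-0/0/1.0, vlan.0) to its address/prefix."""
    subnets = {}
    for line in config.splitlines():
        m = IFACE_RE.match(line.strip())
        if m:
            phys, unit, addr = m.groups()
            subnets[f"{phys}.{unit}"] = ipaddress.IPv4Interface(addr)
    return subnets


def pool_range(config):
    """Return (pool_name, low, high) whether the pool is given as `network` or `range`."""
    name = low = high = None
    for line in config.splitlines():
        line = line.strip()
        m = POOL_NET_RE.match(line)
        if m:
            name = m.group(1)
            net = ipaddress.IPv4Network(m.group(2), strict=False)
            low, high = net.network_address + 1, net.broadcast_address - 1
        m = POOL_RANGE_RE.match(line)
        if m:
            name, _range_name, which, addr = m.groups()
            if which == "low":
                low = ipaddress.IPv4Address(addr)
            else:
                high = ipaddress.IPv4Address(addr)
    return name, low, high


def proxy_arp_ranges(config):
    """List (ifname, low, high) for every proxy-arp statement (single address or range)."""
    ranges = []
    for line in config.splitlines():
        m = PROXY_ARP_RE.match(line.strip())
        if m:
            ifname, first, last = m.groups()
            lo = ipaddress.IPv4Address(first.split("/")[0])
            hi = ipaddress.IPv4Address((last or first).split("/")[0])
            ranges.append((ifname, lo, hi))
    return ranges


def check_pool(config):
    """Report where the pool lands and what would stop LAN hosts replying to clients."""
    name, low, high = pool_range(config)
    result = {"pool": name, "low": str(low), "high": str(high),
              "interface": None, "proxy_arp": False, "problems": []}
    if name is None or low is None or high is None:
        result["problems"].append("address pool missing or incomplete")
        return result
    for ifname, iface in connected_subnets(config).items():
        if low in iface.network and high in iface.network:
            result["interface"] = ifname
            if low <= iface.ip <= high:  # pool must not swallow the SRX's own address
                result["problems"].append(f"pool overlaps the SRX's own address {iface.ip} on {ifname}")
            break
    if result["interface"] is None:
        result["problems"].append(f"{low}-{high} is not inside any directly connected subnet; "
                                  "LAN hosts will send replies to their default gateway, not the SRX")
        return result
    result["proxy_arp"] = any(ifname == result["interface"] and lo <= low and high <= hi
                              for ifname, lo, hi in proxy_arp_ranges(config))
    if not result["proxy_arp"]:
        result["problems"].append(f"no proxy-arp on {result['interface']} covering {low}-{high}; "
                                  "LAN hosts cannot resolve the client addresses")
    return result


def fix_commands(ifname, low, high, pool="dy-vpn-pool", range_name="dy-vpn-range", old_network=None):
    """Statements that move the pool into the LAN subnet and make the SRX answer ARP for it."""
    cmds = []
    if old_network:
        cmds.append(f"delete access address-assignment pool {pool} family inet network {old_network}")
    cmds += [f"set security nat proxy-arp interface {ifname} address {low}/32 to {high}/32",
             f"set access address-assignment pool {pool} family inet range {range_name} low {low}",
             f"set access address-assignment pool {pool} family inet range {range_name} high {high}"]
    return cmds


# The poster's eventual fix: same pool, now a range inside fe-0/0/1.0's subnet plus proxy-ARP.
FIXED_CONFIG = ORIGINAL_CONFIG.replace(
    "set access address-assignment pool dy-vpn-pool family inet network 10.32.1.1/24\n", ""
) + "\n".join(fix_commands("fe-0/0/1.0", "192.168.80.230", "192.168.80.235")) + "\n"
```

Why the check matters: with the pool at 10.32.1.0/24, the server at 192.168.80.220 has no reason to send its reply to the SRX at 192.168.80.200 unless it (or its default gateway) has a route for that prefix pointing at the SRX; once the pool is carved out of 192.168.80.0/24 and proxy-ARP is enabled on fe-0/0/1.0, the server simply ARPs for the client address and the SRX answers, which is exactly the change that made the poster's setup work.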

johnrbaker

Re: Dynamic VPN established, but VPN client couldn't access trust zone resource

Here is my sample config.

Do not use it as is, as it contains errors (IP addresses).


h3cisco

Re: Dynamic VPN established, but VPN client couldn't access trust zone resource

Thanks for your help.

I think it's a good solution for me to troubleshoot VPN issues in the future.

MMcD @i-conX wrote:

I'd try disabling and re-enabling the policy first, as there is a known issue with this:

user@srx# deactivate security policies from-zone untrust to-zone trust policy dy-vpn-policy
user@srx# commit full
user@srx# activate security policies from-zone untrust to-zone trust policy dy-vpn-policy
user@srx# commit full

If this still does not work you will need to provide a basic-datapath trace.


h3cisco

Re: Dynamic VPN established, but VPN client couldn't access trust zone resource

johnrbaker wrote:

Here is my sample config.

Do not use it as is, as it contains errors (IP addresses).

It is working now.

Thanks for your help.

According to your advice I have made the changes below.

set security nat proxy-arp interface fe-0/0/1.0 address 192.168.80.230/32 to 192.168.80.235/32

set access address-assignment pool dy-vpn-pool family inet range dy-vpn-range low 192.168.80.230
set access address-assignment pool dy-vpn-pool family inet range dy-vpn-range high 192.168.80.235

So Juniper dynamic VPN is different from Cisco remote VPN.

Cisco remote VPN can define a different subnet from the internal subnet, then define a NAT policy with the action "no NAT".
