SRX

  • 1.  Dynamic VPN established, but VPN client couldn't access trust zone resource

    Posted 02-23-2012 03:35

    Dear all,

    I am now doing a dynamic VPN test, but I have met a problem.

    I can authenticate the VPN with Junos Pulse and get the IP address which I assign to the VPN client,

    but I couldn't access the trust resource (such as ping).

    Below is my configuration. Please help me check whether I have done some false configuration.


    [edit]
    srx@srx100h# show | display set
    set version 11.4R1.6
    set system services ssh
    set system services telnet
    set system services web-management management-url srx-jweb
    set system services web-management http interface vlan.0
    set system services web-management https system-generated-certificate
    set system services web-management https interface vlan.0
    set system services web-management https interface fe-0/0/0.0

    set interfaces fe-0/0/0 unit 0 family inet address 172.32.1.1/24 (outside)
    set interfaces fe-0/0/1 unit 0 family inet address 192.168.80.200/24 (inside)
    set interfaces fe-0/0/7 unit 0 family inet address 10.10.10.11/24   (management )
    set interfaces st0 unit 0 family inet address 172.31.1.2/24
    set interfaces vlan unit 0 family inet address 192.168.1.1/24
    set routing-options static route 0.0.0.0/0 next-hop 10.10.10.2
    set routing-options static route 192.168.7.0/24 next-hop 10.10.10.1
    set security ike proposal dy-vpn-proposal authentication-method pre-shared-keys
    set security ike proposal dy-vpn-proposal dh-group group2
    set security ike proposal dy-vpn-proposal authentication-algorithm md5
    set security ike proposal dy-vpn-proposal encryption-algorithm 3des-cbc
    set security ike policy dy-vpn-policy mode aggressive
    set security ike policy dy-vpn-policy proposals dy-vpn-proposal
    set security ike policy dy-vpn-policy pre-shared-key ascii-text "$9$ZXji.n6A01hHqA0"
    set security ike gateway dy-vpn-gw ike-policy dy-vpn-policy
    set security ike gateway dy-vpn-gw dynamic hostname dyvpn
    set security ike gateway dy-vpn-gw dynamic connections-limit 10
    set security ike gateway dy-vpn-gw dynamic ike-user-type shared-ike-id
    set security ike gateway dy-vpn-gw external-interface fe-0/0/0
    set security ike gateway dy-vpn-gw xauth access-profile dy-vpn-user
    set security ipsec proposal dy2-vpn-proposal protocol esp
    set security ipsec proposal dy2-vpn-proposal authentication-algorithm hmac-md5-96
    set security ipsec proposal dy2-vpn-proposal encryption-algorithm 3des-cbc
    set security ipsec policy dy2-vpn-policy proposals dy2-vpn-proposal
    set security ipsec vpn dyn-vpn ike gateway dy-vpn-gw
    set security ipsec vpn dyn-vpn ike ipsec-policy dy2-vpn-policy
    set security dynamic-vpn access-profile dy-vpn-user
    set security dynamic-vpn clients all remote-protected-resources 192.168.80.0/24 (I don't know what the protected address should be: the trust zone network, or the network assigned to the VPN clients?)
    set security dynamic-vpn clients all remote-exceptions 0.0.0.0/0
    set security dynamic-vpn clients all ipsec-vpn dyn-vpn
    set security dynamic-vpn clients all user srx1
    set security screen ids-option untrust-screen icmp ping-death
    set security screen ids-option untrust-screen ip source-route-option
    set security screen ids-option untrust-screen ip tear-drop
    set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
    set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
    set security screen ids-option untrust-screen tcp syn-flood timeout 20
    set security screen ids-option untrust-screen tcp land
    set security nat source rule-set snat from zone trust
    set security nat source rule-set snat to zone untrust
    set security nat source rule-set snat rule 1 match destination-address 10.32.1.0/24
    set security nat source rule-set snat rule 1 then source-nat off (if NO NAT is needed)
    set security nat source rule-set snat rule 2 match source-address 0.0.0.0/0
    set security nat source rule-set snat rule 2 then source-nat interface
    set security policies from-zone trust to-zone untrust policy permit-any match source-address any
    set security policies from-zone trust to-zone untrust policy permit-any match destination-address any
    set security policies from-zone trust to-zone untrust policy permit-any match application any
    set security policies from-zone trust to-zone untrust policy permit-any then permit
    set security policies from-zone untrust to-zone trust policy dy-vpn-policy match source-address any
    set security policies from-zone untrust to-zone trust policy dy-vpn-policy match destination-address any
    set security policies from-zone untrust to-zone trust policy dy-vpn-policy match application any
    set security policies from-zone untrust to-zone trust policy dy-vpn-policy then permit tunnel ipsec-vpn dyn-vpn
    set security zones functional-zone management interfaces fe-0/0/7.0 host-inbound-traffic system-services all
    set security zones security-zone trust host-inbound-traffic system-services all
    set security zones security-zone trust interfaces fe-0/0/1.0
    set security zones security-zone untrust screen untrust-screen
    set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services all
    set security zones security-zone route-vpn host-inbound-traffic system-services all
    set security zones security-zone route-vpn interfaces st0.0
    set access profile dy-vpn-user client srx1 firewall-user password "$9$d0soGjHmPQniHCtu0IRNdV"
    set access profile dy-vpn-user address-assignment pool dy-vpn-pool
    set access address-assignment pool dy-vpn-pool family inet network 10.32.1.1/24
    set access address-assignment pool dy-vpn-pool family inet xauth-attributes primary-dns 8.8.8.8/32
    set access firewall-authentication web-authentication default-profile dy-vpn-user
    set vlans vlan-trust vlan-id 3
    set vlans vlan-trust l3-interface vlan.0

     

    srx@srx100h> show security ike security-associations
    Index State Initiator cookie Responder cookie Mode Remote Address
    7370239 UP 55d2e00246603150 c30ce76f7cc4bd2d Aggressive 172.32.1.2

     

    srx@srx100h> show security flow session

    Session ID: 5500, Policy name: dy-vpn-policy/4, Timeout: 52, Valid
    In: 10.32.1.5 (IP address the VPN client got)/347 --> 192.168.80.220 (server in trust zone)/1;icmp, If: fe-0/0/0.0, Pkts: 1, Bytes: 60
    Out: 192.168.80.220/1 --> 10.32.1.5/347;icmp, If: fe-0/0/1.0, Pkts: 0, Bytes: 0

    Session ID: 5501, Policy name: dy-vpn-policy/4, Timeout: 56, Valid
    In: 10.32.1.5/348 --> 192.168.80.220/1;icmp, If: fe-0/0/0.0, Pkts: 1, Bytes: 60
    Out: 192.168.80.220/1 --> 10.32.1.5/348;icmp, If: fe-0/0/1.0, Pkts: 0, Bytes: 0

     

    srx@srx100h> show security ipsec statistics
    ESP Statistics:
    Encrypted bytes: 214616
    Decrypted bytes: 121843
    Encrypted packets: 1473
    Decrypted packets: 1758  (traffic is being decrypted)
    AH Statistics:
    Input bytes: 0
    Output bytes: 0
    Input packets: 0
    Output packets: 0

     

    Thanks.



  • 2.  RE: Dynamic VPN established, but VPN client couldn't access trust zone resource

    Posted 02-23-2012 04:05

    I'd try disabling and re-enabling the policy first, as there is a known issue with this:

     

    user@srx# deactivate security policies from-zone untrust to-zone trust policy dy-vpn-policy
    user@srx# commit full
    user@srx# activate security policies from-zone untrust to-zone trust policy dy-vpn-policy
    user@srx# commit full

    If this still does not work, you will need to provide a basic-datapath trace.



  • 3.  RE: Dynamic VPN established, but VPN client couldn't access trust zone resource

    Posted 02-23-2012 18:27

    Thanks for your help.

     

    I think it's a good way for me to troubleshoot VPN issues in the future.


    @MMcD @i-conX wrote:

    I'd try disabling and re-enabling the policy first, as there is a known issue with this:

     

    user@srx# deactivate security policies from-zone untrust to-zone trust policy dy-vpn-policy
    user@srx# commit full
    user@srx# activate security policies from-zone untrust to-zone trust policy dy-vpn-policy
    user@srx# commit full

    If this still does not work, you will need to provide a basic-datapath trace.


     



  • 4.  RE: Dynamic VPN established, but VPN client couldn't access trust zone resource

    Posted 02-23-2012 12:54

    Hi

     

    I have noticed two issues with your config

     

    You need to specify an exact, non-overlapping address range for the Dynamic VPN IP address pool, and you also need to set up the SRX to proxy-ARP for the same IP range.  The pool and proxy-ARP addresses must be connected to a local interface, and have the same subnet on it.

     

    E.g. vlan.0 is my internal network:

     

    set security nat proxy-arp interface vlan.0 address 192.168.80.120/32 to 192.168.80.129/32

     

    set access address-assignment pool dy-vpn-pool family inet range dvpn-range low 192.168.80.120

    set access address-assignment pool dy-vpn-pool family inet range dvpn-range high 192.168.80.129

     

    However, your config appears to be incomplete.  Your vlan.0 is 192.168.1.0/24, but your VPN inside network is 192.168.80.0/24 and your dynamic VPN is 10.32.1.1/24.

     

    I will make another post with a copy of my cleaned-up working config.



  • 5.  RE: Dynamic VPN established, but VPN client couldn't access trust zone resource
    Best Answer

    Posted 02-23-2012 13:03

    Here is my sample config. 

     

    Do not use it as it is, as it contains errors (IP addresses).

     

     




  • 6.  RE: Dynamic VPN established, but VPN client couldn't access trust zone resource

    Posted 02-23-2012 18:34

    @johnrbaker wrote:

    Here is my sample config. 

     

    Do not use it as it is, as it contains errors (IP addresses).

     

     




    It is working now.

    Thanks for your help.

    According to your advice, I made the change below.

     

    set security nat proxy-arp interface fe-0/0/1.0 address 192.168.80.230/32 to 192.168.80.235/32

    set access address-assignment pool dy-vpn-pool family inet range dy-vpn-range low 192.168.80.230
    set access address-assignment pool dy-vpn-pool family inet range dy-vpn-range high 192.168.80.235

     

    So Juniper dynamic VPN is different from Cisco remote VPN.

    Cisco remote VPN can define a different subnet from the internal subnet, and then define a NAT policy whose action is no-NAT.
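The rule stated in post 4 (client pool inside the subnet of a local interface, proxy-ARP on that interface covering the whole pool, an explicit non-overlapping range) and the fix shown in post 6 can be checked mechanically against a `show | display set` dump. The script below is an added example written for this page, not code from the thread or from Juniper: it recognises only the handful of `set` statements it needs and ignores the rest, and the three sample configs are constructed from the poster's before and after lines. Note what the flow sessions in the first post show: `Pkts: 0` in the Out direction, i.e. the echo replies from 192.168.80.220 never reached the SRX. With the pool inside 192.168.80.0/24 and proxy-ARP configured, the server ARPs for the client address on its own LAN and the SRX answers, which is exactly the condition the check enforces.

```python
"""Check Junos 'set' statements for the dynamic-VPN pool rules from the
thread: the client pool must sit inside the subnet of a local interface,
the SRX must proxy-ARP for the whole pool on that interface, and the
pool must be an explicit range that does not overlap the interface's own
address. Added example; parses only the statements it needs."""
import ipaddress
import re

# Constructed sample: the original poster's config (pool 10.32.1.0/24, no proxy-ARP).
BEFORE = """
set interfaces fe-0/0/0 unit 0 family inet address 172.32.1.1/24
set interfaces fe-0/0/1 unit 0 family inet address 192.168.80.200/24
set interfaces vlan unit 0 family inet address 192.168.1.1/24
set access address-assignment pool dy-vpn-pool family inet network 10.32.1.1/24
set security dynamic-vpn clients all remote-protected-resources 192.168.80.0/24
"""

# Constructed sample: the same config after the fix from the last post.
AFTER = """
set interfaces fe-0/0/0 unit 0 family inet address 172.32.1.1/24
set interfaces fe-0/0/1 unit 0 family inet address 192.168.80.200/24
set interfaces vlan unit 0 family inet address 192.168.1.1/24
set security nat proxy-arp interface fe-0/0/1.0 address 192.168.80.230/32 to 192.168.80.235/32
set access address-assignment pool dy-vpn-pool family inet range dy-vpn-range low 192.168.80.230
set access address-assignment pool dy-vpn-pool family inet range dy-vpn-range high 192.168.80.235
set security dynamic-vpn clients all remote-protected-resources 192.168.80.0/24
"""

# Constructed variant: pool moved into the inside subnet but proxy-ARP forgotten.
NO_PROXY_ARP = "\n".join(ln for ln in AFTER.splitlines() if "proxy-arp" not in ln)

IFACE_RE = re.compile(r"^set interfaces (\S+) unit (\d+) family inet address (\S+)$")
POOL_NET_RE = re.compile(r"^set access address-assignment pool (\S+) family inet network (\S+)$")
POOL_RANGE_RE = re.compile(r"^set access address-assignment pool (\S+) family inet range (\S+) (low|high) (\S+)$")
PROXY_ARP_RE = re.compile(r"^set security nat proxy-arp interface (\S+) address (\S+)(?: to (\S+))?$")


def parse(config_text):
    """Extract interfaces, pools and proxy-ARP ranges from 'set' statements."""
    interfaces = {}   # "fe-0/0/1.0" -> IPv4Interface
    pools = {}        # pool name -> (low, high, whole_network_or_None)
    ranges = {}       # (pool, range name) -> {"low": addr, "high": addr}
    proxy_arp = {}    # logical interface -> [(low, high), ...]
    for line in config_text.splitlines():
        line = line.strip()
        if m := IFACE_RE.match(line):
            interfaces[f"{m[1]}.{m[2]}"] = ipaddress.ip_interface(m[3])
        elif m := POOL_NET_RE.match(line):
            net = ipaddress.ip_network(m[2], strict=False)
            pools[m[1]] = (net[1], net[-2], net)   # usable host range of the whole subnet
        elif m := POOL_RANGE_RE.match(line):
            ranges.setdefault((m[1], m[2]), {})[m[3]] = ipaddress.ip_address(m[4])
        elif m := PROXY_ARP_RE.match(line):
            low = ipaddress.ip_address(m[2].split("/")[0])
            high = ipaddress.ip_address((m[3] or m[2]).split("/")[0])
            proxy_arp.setdefault(m[1], []).append((low, high))
    for (name, _), lh in ranges.items():
        if "low" in lh and "high" in lh:
            pools[name] = (lh["low"], lh["high"], None)   # explicit range wins
    return interfaces, pools, proxy_arp


def check_pool(config_text):
    """Return a list of findings; an empty list means the pool passes."""
    interfaces, pools, proxy_arp = parse(config_text)
    findings = []
    for name, (low, high, whole_net) in pools.items():
        if whole_net is not None:
            findings.append(f"pool {name} is declared as the whole network {whole_net} "
                            f"rather than an explicit low/high range")
        # 1. the pool must lie inside the subnet of a local interface
        owner = next((ifn for ifn, ifa in interfaces.items()
                      if low in ifa.network and high in ifa.network), None)
        if owner is None:
            findings.append(f"pool {name} ({low}-{high}) is not inside any local interface subnet")
            continue
        # 2. the SRX must proxy-ARP for the whole pool on that interface
        if not any(plo <= low and high <= phi for plo, phi in proxy_arp.get(owner, [])):
            findings.append(f"pool {name} ({low}-{high}) has no proxy-arp entry on {owner} covering it")
        # 3. the interface's own address must not fall inside the pool
        own = interfaces[owner].ip
        if low <= own <= high:
            findings.append(f"pool {name} overlaps the address {own} of {owner}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER), ("no proxy-arp", NO_PROXY_ARP)):
        findings = check_pool(cfg)
        print(f"{label}: {'OK' if not findings else 'FAIL'}")
        for f in findings:
            print("  -", f)
```

Run it as a script to see the findings for each sample; `check_pool` returns an empty list only for the post 6 configuration. It deliberately does not judge the `remote-protected-resources` question raised in the first post, which the thread leaves unanswered.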