SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Need help with Route based vpn through another srx device

    Posted 07-20-2015 10:26

    I have an SRX100 which I am trying to set up with a route-based VPN to a remote SRX210, and also dynamic VPN for remote clients using Pulse Secure. The SRX100 has an SRX1400 in front of it: the SRX100 is connected from fe-0/0/0.0 (10.4.4.2/24) in the untrust zone to the SRX1400's ge-0/0/5.0 (10.4.4.1/24) in the abc zone. The SRX1400 is connected to the internet through ge-0/0/0.0 in the untrust zone; this interface has an internet line connected to it with two different public IP addresses, 1.1.1.1/30 and 2.2.2.1/30. The 2.2.2.1/30 address is static NATed to 10.4.4.2/24, which is the ge-0/0/0.0 of the SRX100.

     

    I set up a route-based VPN between the SRX1400 and the SRX210 and it works, but since the SRX1400 does not support dynamic VPN I have added an SRX100, and so far I'm not having any success getting the VPN up and running with this setup. I am unable to get the VPN up from the SRX100 to the SRX210, nor can I use dynamic VPN. The IKE status between the SRX100 and the SRX210 is down on both sides.

     

    Network Topology



  • 2.  RE: Need help with Route based vpn through another srx device

     
    Posted 07-20-2015 22:36

    Hello ,

     

    In this case, let the site-to-site VPN be between the SRX1400 and the remote SRX210. To make the Dynamic VPN work, you already have a static NAT for 2.2.2.1/30 to 10.4.4.2/24. So create a Dynamic VPN configuration on the SRX100 with interface fe-0/0/0.0 as the external interface.

     

    So the Pulse users have to connect to 2.2.2.1, which will get static NATed to 10.4.4.2 and hit the dynamic VPN configuration on the SRX100.

     

     

    For more reference, check this out: https://kb.juniper.net/InfoCenter/index?page=content&id=KB23191&smlogin=true



  • 3.  RE: Need help with Route based vpn through another srx device

    Posted 07-22-2015 11:44

    I am unable to get the dynamic VPN working. Pulse Secure connects to the VPN login screen, but once I type in the username and password and click on Connect it just sits there trying to connect and never gets anywhere.

     

    Here are my dynamic VPN settings:

     


    set access profile dyn-vpn-access-profile client user1 firewall-user password "1234"
    set access profile dyn-vpn-access-profile client user2 firewall-user password "1234"
    set access profile dyn-vpn-access-profile address-assignment pool dyn-vpn-address-pool
    set access address-assignment pool dyn-vpn-address-pool family inet network 192.168.100.0/24
    set access address-assignment pool dyn-vpn-address-pool family inet xauth-attributes primary-dns 8.8.8.8/32
    set access firewall-authentication web-authentication default-profile dyn-vpn-access-profile

    set security ike policy ike-dyn-vpn-policy mode aggressive
    set security ike policy ike-dyn-vpn-policy proposal-set standard
    set security ike policy ike-dyn-vpn-policy pre-shared-key ascii-text "test"
    set security ike gateway dyn-vpn-local-gw ike-policy ike-dyn-vpn-policy
    set security ike gateway dyn-vpn-local-gw dynamic hostname dynvpn
    set security ike gateway dyn-vpn-local-gw dynamic connections-limit 100
    set security ike gateway dyn-vpn-local-gw dynamic ike-user-type group-ike-id
    set security ike gateway dyn-vpn-local-gw external-interface fe-0/0/0.0
    set security ike gateway dyn-vpn-local-gw xauth access-profile dyn-vpn-access-profile
    set security ipsec policy ipsec-dyn-vpn-policy proposal-set standard
    set security ipsec vpn dyn-vpn ike gateway dyn-vpn-local-gw
    set security ipsec vpn dyn-vpn ike ipsec-policy ipsec-dyn-vpn-policy
    set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match source-address any
    set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match destination-address any
    set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match application any
    set security policies from-zone untrust to-zone trust policy dyn-vpn-policy then permit tunnel ipsec-vpn dyn-vpn
    set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike
    set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services https

    set security dynamic-vpn access-profile dyn-vpn-access-profile
    set security dynamic-vpn clients all remote-protected-resources 10.0.0.0/8
    set security dynamic-vpn clients all remote-exceptions 0.0.0.0/0
    set security dynamic-vpn clients all ipsec-vpn dyn-vpn
    set security dynamic-vpn clients all user user1
    set security dynamic-vpn clients all user user2

     

    Settings added to the SRX1400:

    set security zones security-zone untrust host-inbound-traffic system-services ike
    set security zones security-zone untrust host-inbound-traffic system-services https

    set security zones security-zone abc host-inbound-traffic system-services ike
    set security zones security-zone abc host-inbound-traffic system-services https



  • 4.  RE: Need help with Route based vpn through another srx device
    Best Answer

     
    Posted 07-22-2015 18:47

    Hello ,

     

    I cannot see the configuration for "local-identity inet" in your gateway configuration. Please add that configuration and let me know if you still face the same issue.



  • 5.  RE: Need help with Route based vpn through another srx device

    Posted 07-24-2015 09:39

    Thanks Joses, I was able to get the dynamic VPN up and running with that small change.

     

    What changes would I need to make to my route-based VPN setup to get around the SRX1400 NAT? I tried using local-identity and remote-identity with hostname/user-at-hostname/inet, but none of them were able to get the route-based VPN up.

     

    Here's my route-based VPN setup:

     

    SRX100 side
    set security ike policy ike-policy-210 mode main
    set security ike policy ike-policy-210 proposal-set standard
    set security ike policy ike-policy-210 pre-shared-key ascii-text "test"
    set security ike gateway ike-gate-210 ike-policy ike-policy-210
    set security ike gateway ike-gate-210 address 3.3.3.1
    set security ike gateway ike-gate-210 dead-peer-detection always-send
    set security ike gateway ike-gate-210 external-interface fe-0/0/0
    set security ike gateway ike-gate-210 version v2-only
    set security ipsec vpn ipsec-vpn-210 bind-interface st0.1
    set security ipsec vpn ipsec-vpn-210 ike gateway ike-gate-210
    set security ipsec vpn ipsec-vpn-210 ike ipsec-policy ipsec-policy-210
    set security ipsec vpn ipsec-vpn-210 establish-tunnels immediately

     

    SRX210 side
    set security ike policy ike-policy-100 mode main
    set security ike policy ike-policy-100 proposal-set standard
    set security ike policy ike-policy-100 pre-shared-key ascii-text "test"
    set security ike gateway ike-gate-100 ike-policy ike-policy-100
    set security ike gateway ike-gate-100 address 2.2.2.1
    set security ike gateway ike-gate-100 dead-peer-detection always-send
    set security ike gateway ike-gate-100 external-interface ge-0/0/0
    set security ike gateway ike-gate-100 version v2-only
    set security ipsec vpn ipsec-vpn-100 bind-interface st0.1
    set security ipsec vpn ipsec-vpn-100 ike gateway ike-gate-100
    set security ipsec vpn ipsec-vpn-100 ike ipsec-policy ipsec-policy-100
    set security ipsec vpn ipsec-vpn-100 establish-tunnels immediately



  • 6.  RE: Need help with Route based vpn through another srx device

     
    Posted 07-26-2015 23:05

    Hello ,

     

    I was under the impression that your route-based VPN is working fine with the SRX1400. We are more concerned with the Dynamic VPN.

     

    But anyway, if you need to bypass the SRX1400 NAT for the route-based VPN and terminate the site-to-site VPN on the SRX100 as well, then we need to have the local identity INET as the SRX1400 public IP (from which the peer device connects). And you need to have a static NAT in the SRX1400 from the SRX1400 public IP to the SRX100 connected interface IP.

     

    But make sure the Dynamic VPN IP and the site-to-site VPN have different public IPs, else it will conflict and cause issues in future.
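As an added illustration (not configuration posted by anyone in this thread), here is how the pieces described in replies 2, 4 and 6 fit together on the two boxes that matter: the static NAT and pass-through policy on the SRX1400, and the `local-identity inet` on the SRX100 gateways. The reason the identity is needed: with main mode and a pre-shared key the SRX100 would otherwise identify itself by its interface address 10.4.4.2, which the SRX210 cannot match against the peer address 2.2.2.1 it is configured with. Addresses, zone names and gateway names are the thread's own; the rule-set, rule, address-book and policy names (`to-srx100`, `srx100`, `srx100-fe`, `vpn-to-srx100`, `esp-passthru`) are assumed. Lines beginning with `#` are annotations, not commands. No proxy-ARP entry is shown because the thread states 2.2.2.1 is already configured on ge-0/0/0.0 of the SRX1400.

```junos
# --- SRX1400 (upstream box that owns the public addresses) ---
# Static NAT: public 2.2.2.1 <-> the SRX100's fe-0/0/0.0 address 10.4.4.2 (as the thread describes).
set security nat static rule-set to-srx100 from zone untrust
set security nat static rule-set to-srx100 rule srx100 match destination-address 2.2.2.1/32
set security nat static rule-set to-srx100 rule srx100 then static-nat prefix 10.4.4.2/32

# Custom application for raw ESP (IP protocol 50). IKE (UDP 500) and NAT-T (UDP 4500) use the
# predefined junos-ike and junos-ike-nat applications; HTTPS is for the Pulse login page.
set applications application esp-passthru protocol 50

# Pass-through policy. Static NAT is applied before policy lookup, so the destination is the
# post-NAT address 10.4.4.2, and only the VPN-related applications are permitted toward it.
set security zones security-zone abc address-book address srx100-fe 10.4.4.2/32
set security policies from-zone untrust to-zone abc policy vpn-to-srx100 match source-address any
set security policies from-zone untrust to-zone abc policy vpn-to-srx100 match destination-address srx100-fe
set security policies from-zone untrust to-zone abc policy vpn-to-srx100 match application junos-ike
set security policies from-zone untrust to-zone abc policy vpn-to-srx100 match application junos-ike-nat
set security policies from-zone untrust to-zone abc policy vpn-to-srx100 match application junos-https
set security policies from-zone untrust to-zone abc policy vpn-to-srx100 match application esp-passthru
set security policies from-zone untrust to-zone abc policy vpn-to-srx100 then permit

# --- SRX100 (behind the static NAT) ---
# Present the public address as the IKE identity on both gateways that terminate behind the NAT
# (reply 4 for the dynamic VPN gateway, reply 6 for the site-to-site gateway).
set security ike gateway dyn-vpn-local-gw local-identity inet 2.2.2.1
set security ike gateway ike-gate-210 local-identity inet 2.2.2.1
```

The SRX210 side needs no change for this: the identity the SRX100 now sends (2.2.2.1) equals the `address` already configured under `ike-gate-100`. Reply 6's advice to give the dynamic VPN and the site-to-site VPN separate public addresses would mean a second static NAT rule and a second `local-identity inet` value, one per gateway.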



  • 7.  RE: Need help with Route based vpn through another srx device

    Posted 07-27-2015 07:04

    Finally got the route-based VPN working from the SRX100 to the SRX210; it didn't work with the local identity inet until I removed the dead-peer detection.

     

    I am curious what kind of problems I will encounter if a route-based VPN and dynamic VPN have the same public IP address. I have that exact setup at my office and it's working so far.

     

     



  • 8.  RE: Need help with Route based vpn through another srx device

     
    Posted 07-27-2015 22:23

    Hello ,

     

    There will not be any problem as such, but if the remote protected resource and the site-to-site VPN users access the same resources, then there may be some conflicts; but these are rare cases and depend on the customer topology.

    But our case is simple and clean.