SRX

  • 1.  Policy-based VPN

    Posted 01-20-2011 10:41

    I have configured a policy-based VPN on SRX. Everything is fine, but I'm getting an error at the end when I try to apply the policy. Here is the config:

    match {
        source-address 192.168.10.0;
        destination-address 192.168.11.1;
        application any;
    }
    then {
        permit {
            tunnel {
                ipsec-vpn Remote-VPN;
                pair-policy Remote-END;
            }
        }
    }

    Here is the error:

    root# top commit
    error: Failed to build dop for policy Remote-End
    error: configuration check-out failed



  • 2.  RE: Policy-based VPN
    Best Answer

    Posted 01-20-2011 11:30

    Without seeing the rest of your configuration I can't say for sure, but most likely this is caused by a missing policy for the return traffic.

    Where you define "pair-policy Remote-END" you must have a policy named Remote-END to define the VPN traffic in the opposite direction.

    For example:

    from-zone trust to-zone untrust {
        policy Permit-Trust-Untrust-VPN {
            match {
                source-address 192.168.10.0/24;
                destination-address 192.168.11.1/32;
                application any;
            }
            then {
                permit {
                    tunnel {
                        ipsec-vpn Remote-VPN;
                        pair-policy Permit-Untrust-Trust-VPN;
                    }
                }
            }
        }
    }

    from-zone untrust to-zone trust {
        policy Permit-Untrust-Trust-VPN {
            match {
                source-address 192.168.11.1/32;
                destination-address 192.168.10.0/24;
                application any;
            }
            then {
                permit {
                    tunnel {
                        ipsec-vpn Remote-VPN;
                        pair-policy Permit-Trust-Untrust-VPN;
                    }
                }
            }
        }
    }




  • 3.  RE: Policy-based VPN

    Posted 01-20-2011 11:34

    OK, it means I have to configure two policies, Trust to Untrust and Untrust to Trust, and then apply them to the tunnel.

    Thanks



  • 4.  RE: Policy-based VPN

    Posted 01-20-2011 11:50

    Then what about route-based VPN? Do we need an Untrust to Trust zone configuration? Because of the proxy-id, I don't think we need Untrust to Trust.

    Kindly help me: if it is needed, what would the configuration be? Here is my configuration for the route-based VPN:

    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address 10.1.1.1/24;
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family inet {
                    address 202.88.34.196/32;
                }
            }
        }
        st0 {
            unit 0 {
                family inet {
                    mtu 1420;
                    address 192.168.1.1/24;
                }
            }           
        }
    }
    routing-options {
        static {
            route 10.1.2.0/32 next-hop 192.168.1.2;
        }
    }
    security {
        ike {
            proposal NLRI {
                authentication-method pre-shared-keys;
                authentication-algorithm sha1;
                encryption-algorithm 3des-cbc;
            }
            policy NLRI-Policy {
                mode main;
                proposals NLRI;
                pre-shared-key ascii-text "$9$ikPTn6A01h6/lK8LN-s2g"; ## SECRET-DATA
            }
            gateway NLRI-Gateway {
                ike-policy NLRI-Policy;
                address 58.62.31.3;
                dead-peer-detection threshold 5;
                external-interface ge-0/0/1;
            }
        }
        ipsec {
            proposal NLRI-IPSEC-Proposal {
                protocol esp;
                authentication-algorithm hmac-md5-96;
                encryption-algorithm 3des-cbc;
                lifetime-seconds 3600;
            }
            policy NLRI-IPSEC-POLICY {
                proposals NLRI-IPSEC-Proposal;
            }
            vpn NLRI-ABUDHABI {
                bind-interface st0.0;
                ike {
                    gateway NLRI-Gateway;
                    proxy-identity {
                        local 10.1.1.0/24;
                        remote 10.1.2.0/24;
                        service any;
                    }
                    ipsec-policy NLRI-IPSEC-POLICY;
                }
                establish-tunnels immediately;
            }
        }
        zones {
            security-zone Trust {
                address-book {
                    address 10.1.1.0 10.1.1.0/24;
                }
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                                ike;
                            }
                        }
                    }
                }
            }
            security-zone Untrust {
                address-book {
                    address 10.1.2.0 10.1.2.0/24;
                }
                interfaces {
                    ge-0/0/1.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                                ike;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone Trust to-zone Untrust {
                policy VPN-TRAFFIC {
                    match {
                        source-address 10.1.1.0;
                        destination-address 10.1.2.0;
                        application any;
                    }
                    then {
                        permit;
                        log {
                            session-init;
                            session-close;
                        }
                    }
                }
            }
        }
    }

    [edit]
    root#



  • 5.  RE: Policy-based VPN

    Posted 01-21-2011 17:22

    For route-based VPN, you'll need to put your st0 interface into a security zone, and then have a policy between that zone and your trust zone to permit the traffic through the security device after it comes off the VPN tunnel and is decrypted.


    I suppose you could put the st0 interface directly into your trust zone... but honestly I've never done it that way and I don't know what the side effects might be. Someone else here might have some insight there.




  • 6.  RE: Policy-based VPN

    Posted 07-25-2013 05:57

    Yes, you can put the st0.x into any zone or even into a routing instance, if that floats your boat.


    -Tom
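As an added example (not code from this thread, and not a Juniper tool), here is a small Python audit that reads SRX security configuration in `set` form (what `show configuration | display set` prints) and checks the two conditions the replies above identify: every `pair-policy` must name an existing policy in the reverse zone pair, and that policy must pair back; and a route-based VPN's bound `st0` interface must belong to a security zone that has policies in both directions with at least one other zone. The sample configurations are constructed for the example; the zone name `vpn` and the policy names `Remote-OUT`, `TO-VPN` and `FROM-VPN` are assumptions, not names from the thread.

```python
import re
from collections import defaultdict

# Constructed sample (not from the thread) in 'set' form. It mirrors the two
# problems discussed: a pair-policy naming a policy that was never defined,
# and a route-based VPN bound to st0.0 while st0.0 sits in no zone.
BROKEN_CONFIG = """\
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces ge-0/0/1.0
set security ipsec vpn NLRI-ABUDHABI bind-interface st0.0
set security policies from-zone trust to-zone untrust policy Remote-OUT match source-address 192.168.10.0
set security policies from-zone trust to-zone untrust policy Remote-OUT match destination-address 192.168.11.1
set security policies from-zone trust to-zone untrust policy Remote-OUT match application any
set security policies from-zone trust to-zone untrust policy Remote-OUT then permit tunnel ipsec-vpn Remote-VPN
set security policies from-zone trust to-zone untrust policy Remote-OUT then permit tunnel pair-policy Remote-END
"""

# The same configuration after applying the advice in the thread: a reverse
# policy Remote-END that pairs back, st0.0 placed in an assumed zone "vpn",
# and policies in both directions between vpn and trust.
FIXED_CONFIG = BROKEN_CONFIG + """\
set security policies from-zone untrust to-zone trust policy Remote-END match source-address 192.168.11.1
set security policies from-zone untrust to-zone trust policy Remote-END match destination-address 192.168.10.0
set security policies from-zone untrust to-zone trust policy Remote-END match application any
set security policies from-zone untrust to-zone trust policy Remote-END then permit tunnel ipsec-vpn Remote-VPN
set security policies from-zone untrust to-zone trust policy Remote-END then permit tunnel pair-policy Remote-OUT
set security zones security-zone vpn interfaces st0.0
set security policies from-zone trust to-zone vpn policy TO-VPN match source-address any
set security policies from-zone trust to-zone vpn policy TO-VPN match destination-address any
set security policies from-zone trust to-zone vpn policy TO-VPN match application any
set security policies from-zone trust to-zone vpn policy TO-VPN then permit
set security policies from-zone vpn to-zone trust policy FROM-VPN match source-address any
set security policies from-zone vpn to-zone trust policy FROM-VPN match destination-address any
set security policies from-zone vpn to-zone trust policy FROM-VPN match application any
set security policies from-zone vpn to-zone trust policy FROM-VPN then permit
"""

POLICY_RE = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+)(?: (.*))?$")
PAIR_RE = re.compile(r"^then permit tunnel pair-policy (\S+)$")
ZONE_IF_RE = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)")
BIND_RE = re.compile(r"^set security ipsec vpn (\S+) bind-interface (\S+)$")


def parse(text):
    """Index the set-format lines we care about; everything else is ignored."""
    policies = defaultdict(set)   # (from_zone, to_zone) -> {policy names}
    pairs = {}                    # (from_zone, to_zone, policy) -> pair-policy name
    zone_of_iface = {}            # logical interface -> zone it belongs to
    vpn_iface = {}                # vpn name -> bound tunnel interface
    for line in text.splitlines():
        line = line.strip()
        if m := POLICY_RE.match(line):
            frm, to, name, rest = m.groups()
            policies[(frm, to)].add(name)
            if rest and (p := PAIR_RE.match(rest)):
                pairs[(frm, to, name)] = p.group(1)
        elif m := ZONE_IF_RE.match(line):
            zone_of_iface[m.group(2)] = m.group(1)
        elif m := BIND_RE.match(line):
            vpn_iface[m.group(1)] = m.group(2)
    return policies, pairs, zone_of_iface, vpn_iface


def audit(text):
    """Return a list of findings; an empty list means both checks passed."""
    policies, pairs, zone_of_iface, vpn_iface = parse(text)
    findings = []
    # Check 1: a pair-policy must reference a policy that exists in the
    # opposite zone direction, and that policy must pair back to this one.
    for (frm, to, name), partner in pairs.items():
        if partner not in policies.get((to, frm), set()):
            findings.append(f"policy {name} ({frm}->{to}) pairs with {partner}, "
                            f"but no policy {partner} exists from-zone {to} to-zone {frm}")
        elif pairs.get((to, frm, partner)) != name:
            findings.append(f"policy {partner} ({to}->{frm}) does not pair back to {name}")
    # Check 2: a route-based VPN's tunnel interface must be in a zone, and that
    # zone needs a policy to and from at least one other zone for decrypted
    # traffic to be forwarded.
    for vpn, iface in vpn_iface.items():
        zone = zone_of_iface.get(iface)
        if zone is None:
            findings.append(f"vpn {vpn}: {iface} is not in any security zone")
            continue
        outbound = {to for (frm, to) in policies if frm == zone}
        inbound = {frm for (frm, to) in policies if to == zone}
        if not (outbound & inbound):
            findings.append(f"vpn {vpn}: zone {zone} ({iface}) has no bidirectional "
                            f"policies with any other zone")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit(cfg) or "OK")
```

Run it against the output of `show configuration security | display set` saved to a file and pass the file contents to `audit()` (Python 3.8 or newer, for the `:=` operator). It is a lightweight pre-commit lint, not a reproduction of the Junos commit check: the box validates far more than this, but these two conditions are the ones the thread's error and the route-based follow-up question both come down to.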



  • 7.  RE: Policy-based VPN

    Posted 07-27-2013 15:07

    It seems like the main reason for placing the tunnel interface in its own zone is to apply a different set of policies for that "interesting" traffic. Say you already have lots of restrictive policies for your trust to untrust and untrust to trust; then you can define a more open set of policies for your VPN connection, or simply allow different applications, traffic, etc. for the VPN tunnel. If the st0 interface is in the trust zone, no additional policies need to be defined. I wondered about that myself and pondered for a while until I looked back at the training guide to see the justification.