Hi,
I have a number of SRX100s linked by static VPNs in a hub-and-spoke pattern, which works fine. It's configured as a multidrop, and spokes can also access each other by passing through the hub.
I also have a dynamic VPN configured on the hub itself. Via this DynVPN I can access two different zones on the hub SRX100 itself, but I can't get it to allow access to other SRX100s and their respective local nets through the hub.
I created policies according to KB23954 for the DynVPN. The zone "vpn" has the st0.0 multidrop interface for the static tunnels. The SRXs are all running Junos 12.1X44-D30.4. The policies I have on the hub related to the DynVPN are:
from-zone untrust to-zone servers {
    policy dynvpn-to-servers {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn wizard_dyn_vpn;
                }
            }
        }
    }
}
from-zone untrust to-zone trust {
    policy dynvpn-to-trust {
        match {
            source-address dynvpn-ipnumbers;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
from-zone untrust to-zone vpn {
    policy dynvpn-to-vpn {
        match {
            source-address dynvpn-ipnumbers;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
Before I go deep-diving into all this, my question is: is this even possible? Anyone know of a configuration example covering this?
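An added example, not part of the original post and not a confirmed fix for it, of the pieces outside the hub's security policies that a dynamic-VPN-client-to-spoke path depends on: the client only sends into the tunnel the destinations listed under remote-protected-resources, and each spoke needs a return route for the client address pool plus a policy from its vpn zone. Everything not in the post is assumed: the client pool 10.99.99.0/24, the spoke networks summarised as 192.168.0.0/16, the dynamic-vpn client group name "all", the spoke zone names vpn and trust, and the names dynvpn-pool and hub-dynvpn-to-trust.

```junos
## Hub: the dynamic VPN client builds its traffic selector from this list, so spoke
## networks must be included or the client sends that traffic in the clear.
## (Assumed: client group "all", spoke networks summarised as 192.168.0.0/16.)
set security dynamic-vpn clients all remote-protected-resources 192.168.0.0/16
set security dynamic-vpn clients all ipsec-vpn wizard_dyn_vpn

## Hub: nothing further is shown here. The post already has the untrust -> vpn
## policy for dynvpn-ipnumbers, and spoke-to-spoke traffic working means the hub
## already routes each spoke network out of st0.0.

## Spoke: return route for the client pool over the static tunnel.
## (Assumed: pool 10.99.99.0/24; use the hub's st0 address as next-hop instead
## if the spoke's st0 is itself multipoint.)
set routing-options static route 10.99.99.0/24 next-hop st0.0

## Spoke: address-book entry and policy so decrypted traffic from the pool,
## arriving from the hub in zone vpn, may reach the local trust zone.
set security zones security-zone vpn address-book address dynvpn-pool 10.99.99.0/24
set security policies from-zone vpn to-zone trust policy hub-dynvpn-to-trust match source-address dynvpn-pool
set security policies from-zone vpn to-zone trust policy hub-dynvpn-to-trust match destination-address any
set security policies from-zone vpn to-zone trust policy hub-dynvpn-to-trust match application any
set security policies from-zone vpn to-zone trust policy hub-dynvpn-to-trust then permit

## Checks (operational mode) while a client pings a host behind a spoke:
## on the hub, the session should show ingress untrust and egress vpn/st0.0:
##   show security flow session source-prefix 10.99.99.0/24
## on the spoke, a session from the pool address should exist and the tunnel's
## decrypt/encrypt counters should both move:
##   show security flow session source-prefix 10.99.99.0/24
##   show security ipsec statistics
```

The spoke-side lines are what the hub policies alone cannot supply: if a spoke has no route or policy for the client pool it drops or misroutes the reply even when the hub forwards the request correctly, and the hub's flow table then shows a session with packets in one direction only.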