  • 1.  SRX220 dynamic VPN and access to addresses over IPSEC VPN

    Posted 06-02-2015 09:13

    I have an SRX220 configured to accept dynamic VPN users, with an IPsec VPN tunnel to another network. Dynamic VPN users can reach the SRX's internal network, 10.0.0.0/16, fine (those network ranges are under remote-protected-resources), but they can't reach any resources on the network across the VPN (192.168.0.0/16), which is generally available to clients on the SRX220's local network.

     

    interfaces {
        st0 {
    ...
            unit 3 {
                family inet {
                    address 10.12.3.2/24;
                }
            }
    }
        helpers {
            bootp {
                description "Global DHCP Relay Service";
                server 10.0.0.17;
                maximum-hop-count 4;
                interface {
                    vlan.1014;
                    ge-0/0/4;
                }
            }
        }
    }
    protocols {
        ospf {
            export ospf_export;
            import ospf_import;
            area 0.0.0.10 {
                network-summary-import ospf_import;
                interface st0.0;
                interface vlan.1001;
                interface st0.3;
                interface st0.1;
                interface st0.2;
            }
        }
    }
    policy-options {
        policy-statement ospf_export {
            term term1 {
                from {
                    route-filter 10.0.0.0/8 orlonger;
                }
                then accept;
            }
            term term2 {
                then reject;
            }
        }
        policy-statement ospf_import {
            term term1 {
                from {
                    route-filter 192.168.0.0/16 orlonger;
                }
                then accept;
            }
            term term2 {
                then reject;
            }
        }
        policy-statement vpn-balancing-policy {
            from protocol ospf;
            then {
                load-balance per-packet;
            }
        }
    }
    security {
        ike {
            respond-bad-spi 5;
            policy ike-policy {
                mode main;
                proposal-set standard;
                pre-shared-key ascii-text "xxxxxx"; ## SECRET-DATA
            }
            policy pulse-ike-policy {
                mode aggressive;
                description "Test Client-LAN VPN Phase1 Policy";
                proposal-set compatible;
                pre-shared-key ascii-text "xxxxxx"; ## SECRET-DATA
            }
            gateway ipsec-a {
                ike-policy ike-policy;
                address xxx.xxx.xxx.xxx;
                dead-peer-detection;
                external-interface lo0.2;
            }
            gateway pulse-gateway {
                ike-policy pulse-ike-policy;
                dynamic {
                    hostname xxxxxxxxx;
                    connections-limit 2;
                    ike-user-type group-ike-id;
                }
                external-interface lo0.2;
                xauth access-profile pulse-ldap;
            }
        }
        ipsec {
            vpn-monitor-options {
                interval 15;
                threshold 15;
            }
            policy vpn-policy1 {
                proposal-set standard;
            }
            policy pulse-ipsec-policy {
                description "Test Client-LAN VPN Phase2 Policy";
                perfect-forward-secrecy {
                    keys group5;
                }
                proposal-set standard;
            }
            vpn ipsec-vpn-a {
                bind-interface st0.3;
                ike {
                    gateway ipsec-a;
                    ipsec-policy vpn-policy1;
                }
            }
            vpn pulse-client-vpn {
                inactive: vpn-monitor {
                    optimized;
                }
                ike {
                    gateway pulse-gateway;
                    ipsec-policy pulse-ipsec-policy;
                }
                establish-tunnels immediately;
            }
        }
        dynamic-vpn {
            force-upgrade;
            access-profile LDAP;
            clients {
                all {
                    remote-protected-resources {
                        10.0.0.0/8;
                        192.168.6.0/24;
                        192.168.0.0/24;
                        192.168.7.0/24;
                    }
                    remote-exceptions {
                        0.0.0.0/0;
                    }
                    ipsec-vpn pulse-client-btn-vpn;
                    user {
                        user1;
                        user2;
                    }
                }
            }
        }
        policies {
            traceoptions {
                flag rules;
            }
    ...
                policy pulse-vpn {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit {
                            tunnel {
                                ipsec-vpn pulse-client-btn-vpn;
                            }
                        }
                    }
                }
            from-zone trust to-zone vpn {
                policy vpn-tr-vpn {
                    match {
                        source-address 10.0.0.0/16;
                        destination-address 192.168.0.0/16;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone vpn to-zone trust {
                policy vpn-vpn-tr {
                    match {
                        source-address 192.168.0.0/16;
                        destination-address 10.0.0.0/16;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        zones {
            security-zone trust {
    ...
            }
            security-zone untrust {
    ...
            }
            security-zone vpn {
                host-inbound-traffic {
                    system-services {
                        ping;
                    }
                    protocols {
                        ospf;
                    }
                }
                interfaces {
                    inactive: st0.0;
                    inactive: st0.1;
                    inactive: st0.2;
                    st0.3;
                    inactive: st0.4;
                    inactive: st0.5;
                    inactive: st0.6;
                    inactive: st0.7;
                }
            }
    access {
        profile LDAP {
    ...
        }
        address-assignment {
            pool pulse-vpn-pool {
                family inet {
                    network 10.0.0.0/16;
                    range dvpn-range {
                        low 10.0.13.100;
                        high 10.0.13.200;
                    }
                    xauth-attributes {
                        primary-dns 10.0.0.53/32;
                        secondary-dns 10.0.0.54/32;
                    }
                }
            }
        }
        firewall-authentication {
            pass-through {
                default-profile pulse-ldap;
            }
            web-authentication {
                default-profile pulse-ldap;
            }
        }
    }

    Any ideas why this doesn't work for the dynamic VPN client?

     

    Thanks



  • 2.  RE: SRX220 dynamic VPN and access to addresses over IPSEC VPN

     
    Posted 06-02-2015 10:30

    You should do something like below:

     

     

    You need to add the remote VPN network 192.168.0.0/16 to remote-protected-resources; at the moment that list only contains 192.168.0.0/24, 192.168.6.0/24 and 192.168.7.0/24, so the rest of the /16 is never sent into the tunnel by the client.

     

     

    • Configure a new address-book entry in the untrust zone, dynamic-vpnusers, for the /24 subnet that is allocated to the VPN users:

     

    zones {
    security-zone untrust {
    address-book {
    address dynamic-vpnusers 10.10.10.0/24;
    }

     

    • Configure security policies that allow the dynamic VPN users to reach both the trust and vpn zones:

     

    policies {
        /* Dynamic VPN clients toward the trust zone. The any/any match is acceptable here
           only because the permit is a tunnel permit for dyn-vpn: presumably just traffic
           carried by that IPsec tunnel matches it, not arbitrary cleartext from untrust — confirm. */
        from-zone untrust to-zone trust {
            policy dyn-policy-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn dyn-vpn;
                        }
                    }
                }
            }
        }
        /* Dynamic VPN clients toward the vpn zone (the site-to-site tunnel). This is a plain
           permit, so the source is restricted to the dynamic-vpnusers address-book entry
           defined in the untrust zone; destination-address any reaches everything in the vpn
           zone, so narrow it if the clients only need specific remote networks. */
        from-zone untrust to-zone vpn {
            policy dyn-policy-vpn {
                match {
                    source-address dynamic-vpnusers;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
     
     
     
    Hope this helps a bit


  • 3.  RE: SRX220 dynamic VPN and access to addresses over IPSEC VPN

    Posted 06-02-2015 12:34

    Unfortunately that isn't going to work, as a global address book is already defined, and when I try to use that instead, the commit check complains:

     

    # show | compare
    [edit security address-book global]
    +    address dynamic-vpn-clients {
    +        range-address 10.0.13.100 {
    +            to {
    +                10.0.13.200;
    +            }
    +        }
    +    }
    [edit security policies]
         from-zone untrust to-zone untrust { ... }
    +    from-zone untrust to-zone vpn {
    +        policy dyn-policy-vpn {
    +            match {
    +                source-address dynamic-vpn-clients;
    +                destination-address any;
    +                application any;
    +            }
    +            then {
    +                permit;
    +            }
    +        }
    +    }
    
    # commit check
    [edit security policies from-zone untrust to-zone vpn]
      'policy dyn-policy-vpn'
        Source address or address_set (dynamic-vpn-clients) is invalid for policy.
    error: configuration check-out failed

    I searched for this error but didn't find anything, and would rather avoid redoing the entire address book if it can be avoided; is there another way, or would I need to split it into per-zone address books?



  • 4.  RE: SRX220 dynamic VPN and access to addresses over IPSEC VPN
    Best Answer

     
    Posted 06-02-2015 14:32
    You can put it in the global address book instead of in the zone address book.


  • 5.  RE: SRX220 dynamic VPN and access to addresses over IPSEC VPN

    Posted 06-03-2015 07:16

    Got it working; the issue with the global address book was that the Junos version on the SRX didn't support range-address.

     

    > show system rollback compare 1 0 | no-more
    [edit security address-book global]
    +    address dynamic-vpn-100 10.0.13.100/32;
    +    address dynamic-vpn-101 10.0.13.101/32;
    +    address dynamic-vpn-102 10.0.13.102/32;
    +    address dynamic-vpn-103 10.0.13.103/32;
    +    address dynamic-vpn-104 10.0.13.104/32;
    +    address dynamic-vpn-105 10.0.13.105/32;
    +    address dynamic-vpn-106 10.0.13.106/32;
    +    address dynamic-vpn-107 10.0.13.107/32;
    +    address dynamic-vpn-108 10.0.13.108/32;
    +    address dynamic-vpn-109 10.0.13.109/32;
    +    address dynamic-vpn-110 10.0.13.110/32;
    +    address dynamic-vpn-111 10.0.13.111/32;
    +    address dynamic-vpn-112 10.0.13.112/32;
    +    address dynamic-vpn-113 10.0.13.113/32;
    +    address dynamic-vpn-114 10.0.13.114/32;
    +    address dynamic-vpn-115 10.0.13.115/32;
    +    address dynamic-vpn-116 10.0.13.116/32;
    +    address dynamic-vpn-117 10.0.13.117/32;
    +    address dynamic-vpn-118 10.0.13.118/32;
    +    address dynamic-vpn-119 10.0.13.119/32;
    +    address dynamic-vpn-120 10.0.13.120/32;
    +    address dynamic-vpn-121 10.0.13.121/32;
    +    address dynamic-vpn-122 10.0.13.122/32;
    +    address dynamic-vpn-123 10.0.13.123/32;
    +    address dynamic-vpn-124 10.0.13.124/32;
    +    address dynamic-vpn-125 10.0.13.125/32;
    +    address dynamic-vpn-126 10.0.13.126/32;
    +    address dynamic-vpn-127 10.0.13.127/32;
    +    address dynamic-vpn-128 10.0.13.128/32;
    +    address dynamic-vpn-129 10.0.13.129/32;
    +    address dynamic-vpn-130 10.0.13.130/32;
    +    address dynamic-vpn-131 10.0.13.131/32;
    +    address dynamic-vpn-132 10.0.13.132/32;
    +    address dynamic-vpn-133 10.0.13.133/32;
    +    address dynamic-vpn-134 10.0.13.134/32;
    +    address dynamic-vpn-135 10.0.13.135/32;
    +    address dynamic-vpn-136 10.0.13.136/32;
    +    address dynamic-vpn-137 10.0.13.137/32;
    +    address dynamic-vpn-138 10.0.13.138/32;
    +    address dynamic-vpn-139 10.0.13.139/32;
    +    address dynamic-vpn-140 10.0.13.140/32;
    +    address dynamic-vpn-141 10.0.13.141/32;
    +    address dynamic-vpn-142 10.0.13.142/32;
    +    address dynamic-vpn-143 10.0.13.143/32;
    +    address dynamic-vpn-144 10.0.13.144/32;
    +    address dynamic-vpn-145 10.0.13.145/32;
    +    address dynamic-vpn-146 10.0.13.146/32;
    +    address dynamic-vpn-147 10.0.13.147/32;
    +    address dynamic-vpn-148 10.0.13.148/32;
    +    address dynamic-vpn-149 10.0.13.149/32;
    +    address dynamic-vpn-150 10.0.13.150/32;
    +    address dynamic-vpn-151 10.0.13.151/32;
    +    address dynamic-vpn-152 10.0.13.152/32;
    +    address dynamic-vpn-153 10.0.13.153/32;
    +    address dynamic-vpn-154 10.0.13.154/32;
    +    address dynamic-vpn-155 10.0.13.155/32;
    +    address dynamic-vpn-156 10.0.13.156/32;
    +    address dynamic-vpn-157 10.0.13.157/32;
    +    address dynamic-vpn-158 10.0.13.158/32;
    +    address dynamic-vpn-159 10.0.13.159/32;
    +    address dynamic-vpn-160 10.0.13.160/32;
    +    address dynamic-vpn-161 10.0.13.161/32;
    +    address dynamic-vpn-162 10.0.13.162/32;
    +    address dynamic-vpn-163 10.0.13.163/32;
    +    address dynamic-vpn-164 10.0.13.164/32;
    +    address dynamic-vpn-165 10.0.13.165/32;
    +    address dynamic-vpn-166 10.0.13.166/32;
    +    address dynamic-vpn-167 10.0.13.167/32;
    +    address dynamic-vpn-168 10.0.13.168/32;
    +    address dynamic-vpn-169 10.0.13.169/32;
    +    address dynamic-vpn-170 10.0.13.170/32;
    +    address dynamic-vpn-171 10.0.13.171/32;
    +    address dynamic-vpn-172 10.0.13.172/32;
    +    address dynamic-vpn-173 10.0.13.173/32;
    +    address dynamic-vpn-174 10.0.13.174/32;
    +    address dynamic-vpn-175 10.0.13.175/32;
    +    address dynamic-vpn-176 10.0.13.176/32;
    +    address dynamic-vpn-177 10.0.13.177/32;
    +    address dynamic-vpn-178 10.0.13.178/32;
    +    address dynamic-vpn-179 10.0.13.179/32;
    +    address dynamic-vpn-180 10.0.13.180/32;
    +    address dynamic-vpn-181 10.0.13.181/32;
    +    address dynamic-vpn-182 10.0.13.182/32;
    +    address dynamic-vpn-183 10.0.13.183/32;
    +    address dynamic-vpn-184 10.0.13.184/32;
    +    address dynamic-vpn-185 10.0.13.185/32;
    +    address dynamic-vpn-186 10.0.13.186/32;
    +    address dynamic-vpn-187 10.0.13.187/32;
    +    address dynamic-vpn-188 10.0.13.188/32;
    +    address dynamic-vpn-189 10.0.13.189/32;
    +    address dynamic-vpn-190 10.0.13.190/32;
    +    address dynamic-vpn-191 10.0.13.191/32;
    +    address dynamic-vpn-192 10.0.13.192/32;
    +    address dynamic-vpn-193 10.0.13.193/32;
    +    address dynamic-vpn-194 10.0.13.194/32;
    +    address dynamic-vpn-195 10.0.13.195/32;
    +    address dynamic-vpn-196 10.0.13.196/32;
    +    address dynamic-vpn-197 10.0.13.197/32;
    +    address dynamic-vpn-198 10.0.13.198/32;
    +    address dynamic-vpn-199 10.0.13.199/32;
    +    address dynamic-vpn-200 10.0.13.200/32;
    [edit security address-book global]
    +    address-set dynamic-vpn-users {
    +        address dynamic-vpn-100;
    +        address dynamic-vpn-101;
    +        address dynamic-vpn-102;
    +        address dynamic-vpn-103;
    +        address dynamic-vpn-104;
    +        address dynamic-vpn-105;
    +        address dynamic-vpn-106;
    +        address dynamic-vpn-107;
    +        address dynamic-vpn-108;
    +        address dynamic-vpn-109;
    +        address dynamic-vpn-110;
    +        address dynamic-vpn-111;
    +        address dynamic-vpn-112;
    +        address dynamic-vpn-113;
    +        address dynamic-vpn-114;
    +        address dynamic-vpn-115;
    +        address dynamic-vpn-116;
    +        address dynamic-vpn-117;
    +        address dynamic-vpn-118;
    +        address dynamic-vpn-119;
    +        address dynamic-vpn-120;
    +        address dynamic-vpn-121;
    +        address dynamic-vpn-122;
    +        address dynamic-vpn-123;
    +        address dynamic-vpn-124;
    +        address dynamic-vpn-125;
    +        address dynamic-vpn-126;
    +        address dynamic-vpn-127;
    +        address dynamic-vpn-128;
    +        address dynamic-vpn-129;
    +        address dynamic-vpn-130;
    +        address dynamic-vpn-131;
    +        address dynamic-vpn-132;
    +        address dynamic-vpn-133;
    +        address dynamic-vpn-134;
    +        address dynamic-vpn-135;
    +        address dynamic-vpn-136;
    +        address dynamic-vpn-137;
    +        address dynamic-vpn-138;
    +        address dynamic-vpn-139;
    +        address dynamic-vpn-140;
    +        address dynamic-vpn-141;
    +        address dynamic-vpn-142;
    +        address dynamic-vpn-143;
    +        address dynamic-vpn-144;
    +        address dynamic-vpn-145;
    +        address dynamic-vpn-146;
    +        address dynamic-vpn-147;
    +        address dynamic-vpn-148;
    +        address dynamic-vpn-149;
    +        address dynamic-vpn-150;
    +        address dynamic-vpn-151;
    +        address dynamic-vpn-152;
    +        address dynamic-vpn-153;
    +        address dynamic-vpn-154;
    +        address dynamic-vpn-155;
    +        address dynamic-vpn-156;
    +        address dynamic-vpn-157;
    +        address dynamic-vpn-158;
    +        address dynamic-vpn-159;
    +        address dynamic-vpn-160;
    +        address dynamic-vpn-161;
    +        address dynamic-vpn-162;
    +        address dynamic-vpn-163;
    +        address dynamic-vpn-164;
    +        address dynamic-vpn-165;
    +        address dynamic-vpn-166;
    +        address dynamic-vpn-167;
    +        address dynamic-vpn-168;
    +        address dynamic-vpn-169;
    +        address dynamic-vpn-170;
    +        address dynamic-vpn-171;
    +        address dynamic-vpn-172;
    +        address dynamic-vpn-173;
    +        address dynamic-vpn-174;
    +        address dynamic-vpn-175;
    +        address dynamic-vpn-176;
    +        address dynamic-vpn-177;
    +        address dynamic-vpn-178;
    +        address dynamic-vpn-179;
    +        address dynamic-vpn-180;
    +        address dynamic-vpn-181;
    +        address dynamic-vpn-182;
    +        address dynamic-vpn-183;
    +        address dynamic-vpn-184;
    +        address dynamic-vpn-185;
    +        address dynamic-vpn-186;
    +        address dynamic-vpn-187;
    +        address dynamic-vpn-188;
    +        address dynamic-vpn-189;
    +        address dynamic-vpn-190;
    +        address dynamic-vpn-191;
    +        address dynamic-vpn-192;
    +        address dynamic-vpn-193;
    +        address dynamic-vpn-194;
    +        address dynamic-vpn-195;
    +        address dynamic-vpn-196;
    +        address dynamic-vpn-197;
    +        address dynamic-vpn-198;
    +        address dynamic-vpn-199;
    +        address dynamic-vpn-200;
    +    }
    [edit security policies]
         from-zone untrust to-zone untrust { ... }
    +    from-zone untrust to-zone vpn {
    +        policy dyn-policy-vpn {
    +            match {
    +                source-address dynamic-vpn-users;
    +                destination-address 192.168;
    +                application any;
    +            }
    +            then {
    +                permit;
    +            }
    +        }
    +    }

    Kind of messy, but it works.