I have an SRX220 configured to accept dynamic VPN users, and it also has an IPsec VPN tunnel to another network. Dynamic VPN users can reach the SRX's internal network, 10.0.0.0/16, fine (the network ranges are listed under remote-protected-resources), but they can't reach any resources on the network across the VPN tunnel (192.168.0.0/16), which is reachable from clients on the SRX220's local network.
/* review: excerpt pasted flat (indentation lost, "..." marks elided stanzas); "security {", "policies {" and "zones {" are never closed below, so this fragment is not loadable as shown. */
interfaces {
st0 {
...
unit 3 {
family inet {
address 10.12.3.2/24;
}
}
}
helpers {
bootp {
description "Global DHCP Relay Service";
server 10.0.0.17;
maximum-hop-count 4;
interface {
vlan.1014;
ge-0/0/4;
}
}
}
}
/* review: 192.168.0.0/16 is learned over st0.3 via ospf_import. The remote site also needs a return route to the client pool (10.0.13.100-200, under access below); ospf_export accepts 10.0.0.0/8 orlonger, which presumably only covers the pool if a route for that prefix is present in the routing table — confirm on the remote side. */
protocols {
ospf {
export ospf_export;
import ospf_import;
area 0.0.0.10 {
network-summary-import ospf_import;
interface st0.0;
interface vlan.1001;
interface st0.3;
interface st0.1;
interface st0.2;
}
}
}
policy-options {
policy-statement ospf_export {
term term1 {
from {
route-filter 10.0.0.0/8 orlonger;
}
then accept;
}
term term2 {
then reject;
}
}
policy-statement ospf_import {
term term1 {
from {
route-filter 192.168.0.0/16 orlonger;
}
then accept;
}
term term2 {
then reject;
}
}
policy-statement vpn-balancing-policy {
from protocol ospf;
then {
load-balance per-packet;
}
}
}
security {
ike {
respond-bad-spi 5;
policy ike-policy {
mode main;
proposal-set standard;
pre-shared-key ascii-text "xxxxxx"; ## SECRET-DATA
}
/* review: aggressive mode with a pre-shared key and ike-user-type group-ike-id (pulse-gateway below) means one secret is shared by every client; xauth adds per-user authentication, but the group PSK should be treated as a widely distributed credential and rotated when a client device is lost. proposal-set compatible is the legacy predefined set and weaker than the "standard" set used by ike-policy above; prefer standard or an explicit proposal. */
policy pulse-ike-policy {
mode aggressive;
description "Test Client-LAN VPN Phase1 Policy";
proposal-set compatible;
pre-shared-key ascii-text "xxxxxx"; ## SECRET-DATA
}
gateway ipsec-a {
ike-policy ike-policy;
address xxx.xxx.xxx.xxx;
dead-peer-detection;
external-interface lo0.2;
}
/* review: xauth references access profile pulse-ldap, but only profile LDAP is visible under access below; presumably pulse-ldap is in an elided part of the config. */
gateway pulse-gateway {
ike-policy pulse-ike-policy;
dynamic {
hostname xxxxxxxxx;
connections-limit 2;
ike-user-type group-ike-id;
}
external-interface lo0.2;
xauth access-profile pulse-ldap;
}
}
ipsec {
vpn-monitor-options {
interval 15;
threshold 15;
}
policy vpn-policy1 {
proposal-set standard;
}
policy pulse-ipsec-policy {
description "Test Client-LAN VPN Phase2 Policy";
perfect-forward-secrecy {
keys group5;
}
proposal-set standard;
}
vpn ipsec-vpn-a {
bind-interface st0.3;
ike {
gateway ipsec-a;
ipsec-policy vpn-policy1;
}
}
/* review: this VPN is named pulse-client-vpn, but dynamic-vpn (ipsec-vpn below) and policy pulse-vpn both reference pulse-client-btn-vpn. If that is not a sanitisation artefact of the paste, those references point at a VPN that is not defined in this excerpt. */
vpn pulse-client-vpn {
inactive: vpn-monitor {
optimized;
}
ike {
gateway pulse-gateway;
ipsec-policy pulse-ipsec-policy;
}
establish-tunnels immediately;
}
}
dynamic-vpn {
force-upgrade;
access-profile LDAP;
clients {
all {
/* review: the 192.168.x entries are three /24s, not the 192.168.0.0/16 described in the question. With the 0.0.0.0/0 remote-exception below (split tunnel: anything not listed here bypasses the tunnel), a 192.168.0.0/16 destination outside these /24s is sent out the client's local interface, not through the SRX. */
remote-protected-resources {
10.0.0.0/8;
192.168.6.0/24;
192.168.0.0/24;
192.168.7.0/24;
}
remote-exceptions {
0.0.0.0/0;
}
ipsec-vpn pulse-client-btn-vpn;
user {
user1;
user2;
}
}
}
}
policies {
traceoptions {
flag rules;
}
...
/* review: the from-zone/to-zone of this tunnel policy is elided ("..." above). For a policy-based VPN, decrypted client traffic is permitted by the tunnel policy's zone pair; traffic whose destination routes out st0.3 (security-zone vpn below) presumably needs a tunnel policy whose to-zone is vpn as well — confirm which zone pair this policy sits under. */
policy pulse-vpn {
match {
source-address any;
destination-address any;
application any;
}
then {
permit {
tunnel {
ipsec-vpn pulse-client-btn-vpn;
}
}
}
}
/* review: source 10.0.0.0/16 does cover the client pool (10.0.13.100-200), but this is a trust-to-vpn policy. Dynamic-VPN client traffic enters on the gateway's external interface lo0.2, whose zone is not shown here, so this policy presumably does not apply to the client's path to 192.168.0.0/16 — see the note on policy pulse-vpn. */
from-zone trust to-zone vpn {
policy vpn-tr-vpn {
match {
source-address 10.0.0.0/16;
destination-address 192.168.0.0/16;
application any;
}
then {
permit;
}
}
}
from-zone vpn to-zone trust {
policy vpn-vpn-tr {
match {
source-address 192.168.0.0/16;
destination-address 10.0.0.0/16;
application any;
}
then {
permit;
}
}
}
zones {
security-zone trust {
...
}
security-zone untrust {
...
}
/* review: host-inbound traffic on the tunnel zone is limited to ping and ospf, which matches what the zone is used for. */
security-zone vpn {
host-inbound-traffic {
system-services {
ping;
}
protocols {
ospf;
}
}
interfaces {
inactive: st0.0;
inactive: st0.1;
inactive: st0.2;
st0.3;
inactive: st0.4;
inactive: st0.5;
inactive: st0.6;
inactive: st0.7;
}
}
access {
profile LDAP {
...
}
address-assignment {
pool pulse-vpn-pool {
family inet {
network 10.0.0.0/16;
range dvpn-range {
low 10.0.13.100;
high 10.0.13.200;
}
xauth-attributes {
primary-dns 10.0.0.53/32;
secondary-dns 10.0.0.54/32;
}
}
}
}
firewall-authentication {
pass-through {
default-profile pulse-ldap;
}
web-authentication {
default-profile pulse-ldap;
}
}
}
Any ideas why this doesn't work for the dynamic VPN client?
Thanks