SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  VPN between SRX and Netgear not completely working

    Posted 03-11-2011 12:40

    Greetings,


    I've been attempting to set up a route-based VPN between a Juniper and a Netgear.  While the VPN tunnels establish properly, and traffic from the Netgear subnet (192.168.2.0/24) traverses to the Juniper (192.168.1.0/24), traffic doesn't go in the other direction.  Searching on the forums resulted in my creating a static NAT rule, but I still can't get to 192.168.2.0/24 from a 192.168.1.0/24 computer.


    Any ideas?


    interfaces {
        st0 {
            unit 0 {
                family inet {
                    address 10.10.10.10/32;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 12.12.12.12;
            route 192.168.2.0/24 next-hop st0.0;
        }
    }
    security {
        ike {
            policy site-to-site {
                mode main;
                proposal-set standard;
                pre-shared-key ascii-text "supersecretpassword"; ## SECRET-DATA
            }
            gateway site-to-site {
                ike-policy site-to-site;
                address 13.13.13.13;
                external-interface fe-0/0/0.0;
            }
        }
        ipsec {
            policy site-to-site {
                proposal-set standard;
            }
            vpn site-to-site {
                bind-interface st0.0;
                ike {
                    gateway site-to-site;
                    ipsec-policy site-to-site;
                }
                establish-tunnels immediately;
            }
        }
        nat {
            source {
                pool 12.12.12.13 {
                    address {
                        12.12.12.13/32;
                    }
                }
                rule-set jsrx-to-netgear {
                    from zone trust;
                    to zone vpn;
                    rule vpn-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone untrust;
                    rule trust-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                pool {
                                    12.12.12.13;
                                }
                            }
                        }
                    }
                }
            }
        }
        zones {
            security-zone vpn {
                interfaces {
                    st0.0;
                }
            }
        }
        policies {
            from-zone vpn to-zone trust {
                policy vpn {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                        log {
                            session-close;
                        }
                    }
                }
            }
            from-zone trust to-zone vpn {
                policy vpn {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                        log {
                            session-close;
                        }
                    }
                }
            }
        }
    }    


    Thanks,


    mawr


    #interoperability
    #vpn


  • 2.  RE: VPN between SRX and Netgear not completely working
    Best Answer

    Posted 03-11-2011 13:38

    I think by doing source NAT on the traffic as it leaves the SRX, it's going to require some rule changes on the Netgear side, since it will no longer be getting traffic from 192.168.1.0/24; it will be getting all traffic from 12.12.12.x (whatever your fe-0/0/0.0 address is).


    You said "static NAT" but your config shows source NAT.


    Do your policy logs show anything being dropped?  What about flow traceoptions?  Any logging on the Netgear side that might indicate if the packets are reaching that device and being dropped, or not getting there at all?
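    The flow trace the reply asks about, as an added example (not part of the original post): a packet-filtered flow traceoptions stanza for the SRX that records only the 192.168.1.0/24 <-> 192.168.2.0/24 traffic in both directions, so the trace shows whether a 192.168.1.x packet gets its source rewritten to the fe-0/0/0.0 address before it enters the tunnel. The file name flow-trace and the filter names pf-out and pf-in are my choices; everything else uses the prefixes from the original config.

    ```junos
    security {
        flow {
            traceoptions {
                /* keep the trace bounded: 1 MB per file, 3 rotated files */
                file flow-trace size 1m files 3;
                /* basic-datapath logs session setup, route lookup, policy and NAT decisions */
                flag basic-datapath;
                /* only trace packets that match at least one filter */
                packet-filter pf-out {
                    source-prefix 192.168.1.0/24;
                    destination-prefix 192.168.2.0/24;
                }
                packet-filter pf-in {
                    source-prefix 192.168.2.0/24;
                    destination-prefix 192.168.1.0/24;
                }
            }
        }
    }
    ```

    Commit, ping a 192.168.2.x host from 192.168.1.x, then read the trace with `show log flow-trace`. Compare it with `show security flow session destination-prefix 192.168.2.0/24`, which shows the session's translated source address, and with `show security ike security-associations` and `show security ipsec security-associations` for tunnel state. Flow tracing is costly on a busy box, so `deactivate security flow traceoptions` and commit again when you are done.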



  • 3.  RE: VPN between SRX and Netgear not completely working

    Posted 03-11-2011 18:59

    There might have been a few things against me which have been corrected after reading the big SRX to ASA VPN thread.


    1) Use policy based VPNs instead of route based VPNs

    2) Place the VPN policies at the top of the zone policy list

    3) Create a source NAT rule disabling NAT for the destination address(es) of the remote subnet

    4) Only use one address per VPN policy (i.e., not multi-address entries or address-sets)


    Now traffic flows in both directions and either side can establish the tunnel.  The next step is to set up tunnels for two different subnets on the Juniper side.  I believe the tunnel IDs may come into play here, but I'm not exactly sure how to proceed.  Any ideas?


    Thanks,


    mawr