SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

dynamic vpn, traffic go through srx gateway - how

  • 1.  dynamic vpn, traffic go through srx gateway - how

    Posted 01-13-2011 21:23

    Hi all, I have an SRX220H with JUNOS 10.4R1.9, currently still under configuration: dynamic VPN with a RADIUS server. However, at this stage I use the local database for quick dynamic VPN testing. The setup is working fine with Junos Pulse and Access Manager; I am able to ping and access the protected resource. However, the tracert is weird.

     

    With MS ISA, once I connect to it via dynamic VPN, the traffic going to the Internet passes through the ISA gateway and not my original default gateway. But on the SRX220H, once the dynamic VPN is connected, it seems the traffic still goes through the original gateway and not the SRX gateway. I am sorry for my poor English; here is an example which may make it easier to understand.

     

    Say I am in an internal network with default gateway 192.168.10.1/24 (MS ISA) and public IP address public_ip1. I connect to the SRX device (with public IP address public_ip2) using dynamic VPN. Once it is connected and I do a tracert, the traffic is still going through 192.168.20.1 and public_ip1.

     

    How do I make the traffic go through the SRX device's IP address once the dynamic VPN is connected? I want other people to see me coming from public_ip2 and not public_ip1.



  • 2.  RE: dynamic vpn, traffic go through srx gateway - how

    Posted 01-14-2011 07:07

    "How do I make the traffic go through the SRX device's IP address once the dynamic VPN is connected? I want other people to see me coming from public_ip2 and not public_ip1."

     

    So basically you want to disable split tunneling, right? If that is the case, I think you should try to tunnel all traffic, or use a zero dot (0.0.0.0/0) in your dynamic-vpn remote-protected-resources....

     

    Haven't tested this, but in essence you would be doing centralized Internet; hopefully at this point traffic destined for the Internet would still tunnel to the SRX over the VPN, and out of the SRX using its IP2 address.

     

    Again, would have to test, but I THINK this is what you are asking for?

     

    dynamic-vpn {
        access-profile remote_access_profile;
        clients {
            wizard-dyn-group {
                remote-protected-resources {
                    0.0.0.0/0;
                }
                ipsec-vpn wizard_dyn_vpn;
                user {
                    Test;
                }
            }
        }
    }



  • 3.  RE: dynamic vpn, traffic go through srx gateway - how

    Posted 01-14-2011 09:27

    Tried this and it doesn't seem to work with the latest PULSE client or whatever...  Read below.

     

    Also noticed that after I upgraded my SA to 7.0R3 and changed a user realm that I had "Centralized Internet" working on to use 1.4 PULSE, users could no longer access the Internet through my office WAN.  Don't know if this is a PULSE version thing or an SA version thing.

     

    I need to figure both out though, so I'll post when I get it working.

     

    EDIT

     

    While migrating my wireless off of a 210 and onto a 650 / securing networks, I dorked up the source NAT on my firewall for the IP pool that SA users were being dropped into...  I removed the 0.0.0.0/0 and locked it down to the internal subnet.  Had to add a rule under the rule-set from trust to untrust for the pool associated with the SA.

     

    Nothing wrong with Pulse 1.4 or SA 7.0R1,2,3,4...

     

    HOWEVER...  Still battling with the SRX using PULSE and "Centralized Internet"; I'm sure I'm missing something, so I'll post when I find it.  Just wanted to clear up that I broke the SA; it wasn't the code or the PULSE revision.  Thanks.



  • 4.  RE: dynamic vpn, traffic go through srx gateway - how

    Posted 01-16-2011 14:51

    Thanks a lot for your testing colemtb. Just back from work.

     

    "traffic destined for the Internet would still tunnel to the SRX over the VPN, and out of the SRX using its IP2 address" - this is what I am trying to do.

     

    "Had to add a rule under the rule-set from trust to untrust for the pool associated with the SA" - this gave me some ideas and I will try it out shortly.

     

    Also, I tried the method you first posted: the dynamic VPN is still able to establish, and in the Juniper Networks agent virtual adapter the default gateway changes from none to the same IP address assigned by the SRX device. Able to access the protected resource but unable to access the Internet.

     

    For this issue, I tried to search for related information, but it seems no one has discussed it; I will continue working on it. Thanks again colemtb 🙂



  • 5.  RE: dynamic vpn, traffic go through srx gateway - how
    Best Answer

    Posted 01-18-2011 12:09

    Got it working with the help of a co-worker! 

     

    My setup is as follows. 

     

    My protected resource is 0/0.

     

    My IP pool range for X-Auth falls into the subnet of the interface on my trust zone.

     

    Proxy ARP is enabled for the X-Auth IPs.

     

    I HAD TO add a SOURCE NAT, untrust to untrust...  I won't even go into details as to what happens without this.  😉

     

    Config below.

     

    security {
        ike {
            policy ike_pol_wizard_dyn_vpn {
                mode aggressive;
                proposal-set standard;
                pre-shared-key ascii-text BLANK;    ## key redacted by the poster

            }
            gateway gw_wizard_dyn_vpn {
                ike-policy ike_pol_wizard_dyn_vpn;
                dynamic {
                    hostname srxlab;
                    connections-limit 50;
                    ike-user-type group-ike-id;
                }
                external-interface vlan.120;
                xauth access-profile remote_access_profile;
            }
        }
        ipsec {
            policy ipsec_pol_wizard_dyn_vpn {
                perfect-forward-secrecy {
                    keys group2;
                }
                proposal-set standard;
            }
            vpn wizard_dyn_vpn {
                ike {
                    gateway gw_wizard_dyn_vpn;
                    ipsec-policy ipsec_pol_wizard_dyn_vpn;
                }
            }
        }
        nat {
            source {
                rule-set VPN-nat-test {
                    from zone untrust;
                    to zone untrust;
                    rule VPN-nat {
                        match {
                            source-address 0.0.0.0/0;
                            destination-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
            proxy-arp {
                interface vlan.172 {
                    address {
                        172.31.34.200/32 to 172.31.34.210/32;
                    }
                }
            }
        }
        policies {
            from-zone untrust to-zone trust {    ## zone pair is missing from the post as extracted; untrust to trust is the dynamic-VPN wizard's usual pairing
                policy policy_in_wizard_dyn_vpn {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit {
                            tunnel {
                                ipsec-vpn wizard_dyn_vpn;
                            }
                        }
                    }
                }
            }
            from-zone untrust to-zone untrust {
                policy default-permit {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        dynamic-vpn {
            access-profile remote_access_profile;
            clients {
                wizard-dyn-group {
                    remote-protected-resources {
                        0.0.0.0/0;
                    }
                    ipsec-vpn wizard_dyn_vpn;
                    user {
                        user;
                    }
                }
            }
        }
    }
    access {
        profile remote_access_profile {
            client user {
                firewall-user {
                    password BLANK;    ## password redacted by the poster
                }
            }
            address-assignment {
                pool dyn-vpn-address-pool;
            }
        }
        address-assignment {
            pool dyn-vpn-address-pool {
                family inet {
                    network 172.31.34.0/24;
                    range XAuthIPs {
                        low 172.31.34.200;
                        high 172.31.34.210;
                    }
                    xauth-attributes {
                        primary-dns 8.8.8.8/32;
                    }
                }
            }
        }
        firewall-authentication {
            web-authentication {
                default-profile remote_access_profile;
            }
        }
    }



  • 6.  RE: dynamic vpn, traffic go through srx gateway - how

    Posted 01-18-2011 18:50

    Hi colemtb, I really appreciate that. However, it seems the configuration does not work for me. Maybe I am still missing something in my settings; I post some config below. I am confused by some parts, which I have highlighted.

     

    SRX220H, using a PPPoE connection, protected resource: 192.168.200.0/24, SRX gateway: 192.168.200.254

     

    -----------------------------------------------------------

    rule-set dyn-vpn-nat {
        from zone untrust;
        to zone untrust;
        rule vpn-nat {
            match {
                source-address 0.0.0.0/0;     ## what does source-address mean here? the protected resources, the IP addresses assigned to connected VPN clients, or should it be 0/0?
                destination-address 0.0.0.0/0;
            }
            then {
                source-nat {
                    interface;
                }
            }
        }
    }

    ------------------------------------------------

    proxy-arp {
        interface pp0.0 {    ## using PPPoE
            address {
                192.168.10.201/32 to 192.168.10.240/32;  ## these 40 IP addresses are for dynamic VPN clients
            }
        }
    }

    ------------------------------------------------

    access {
        profile remote_access_profile {
            client vpn1 {
                firewall-user {
                    password "$9$t6BT0EyreW-VYMW";
                }
            }
            client vpn2 {
                firewall-user {
                    password "$9$jak5F36A1RSAt";
                }
            }
            address-assignment {
                pool dyn-vpn-address-pool;
            }
        }
        address-assignment {
            pool dyn-vpn-address-pool {
                family inet {
                    network 192.168.10.0/24;  ## should this network address be the same as the protected resource?
                    range XAuthIPs {
                        low 192.168.10.201;
                        high 192.168.10.240;
                    }
                    xauth-attributes {
                        primary-dns 203.12.160.35/32;
                    }
                }
            }
        }
        firewall-authentication {
            web-authentication {
                default-profile remote_access_profile;
            }
        }
    }

    ------------------------------------



  • 7.  RE: dynamic vpn, traffic go through srx gateway - how

    Posted 01-18-2011 19:16
    On my phone, so short. The 0/0 source could be your pool range; you will appear as if you are coming from 192.168.10.x, but I just used 0.0.0.0/0 to catch all.

    Proxy ARP goes on your internal interface that has the XAuth pool; I suspect pp0.0 is your external ISP interface.

    Correct, the network should be the same as the protected resource.

    Make sure you have an untrust-to-untrust policy permit as well.


  • 8.  RE: dynamic vpn, traffic go through srx gateway - how

    Posted 01-18-2011 20:49

    Sadly, once again it seems it does not work for me 😞; I followed the configuration you provided, but no luck.

     

    Yep, pp0.0 is the external ISP interface.

     

    Now, I set my office internal network address as 192.168.200.0/24 (protected resource), with SRX gateway 192.168.200.254, DHCP enabled, IPs distributed from 101 - 200. I assigned the dyn-vpn-address-pool as 192.168.200.201 - 192.168.200.240. So once dynamic VPN clients connect, they are assigned an IP address in the same internal subnet. Then I added a source NAT rule, allowed untrust-to-untrust zone traffic, and lastly added proxy-arp (config as follows). Dynamic VPN works fine: able to connect, able to access the protected resource and access the Internet. Just the route path never goes through the SRX gateway....

     

    Missing something....??

     

    ---------------------------------------------------

    rule-set dyn-vpn-nat {
        from zone untrust;
        to zone untrust;
        rule vpn-nat {
            match {
                source-address 192.168.200.0/24;
                destination-address 0.0.0.0/0;
            }
            then {
                source-nat {
                    interface;
                }
            }
        }
    }

    -------------------------------------------

    proxy-arp {
        interface pp0.0 {
            address {
                192.168.200.201/32 to 192.168.200.240/32;
            }
        }
    }
    ------------------------------------------
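    As an added check, not code from the thread: a small Python script that parses a JunOS-style stanza and tests it against the four points colemtb lists in posts 5 and 7 (pool carved from the protected subnet, proxy ARP on the internal interface, an untrust-to-untrust source NAT rule-set, and an untrust-to-untrust permit policy). The embedded sample is constructed to mirror the attempt above, with proxy ARP on pp0.0; the LAN interface name vlan.0 is an assumption, since the thread never names it.

```python
import ipaddress
import re

# Constructed sample mirroring the thread's non-working attempt: the XAuth pool sits inside
# the 192.168.200.0/24 LAN, but proxy-arp is on the PPPoE WAN interface pp0.0, not the LAN.
SAMPLE = """
security { nat { source { rule-set dyn-vpn-nat { from zone untrust; to zone untrust; } }
  proxy-arp { interface pp0.0 { address { 192.168.200.201/32 to 192.168.200.240/32; } } } }
  policies { from-zone untrust to-zone untrust { policy default-permit { then { permit; } } } } }
access { address-assignment { pool dyn-vpn-address-pool { family inet {
  network 192.168.200.0/24; range XAuthIPs { low 192.168.200.201; high 192.168.200.240; } } } } }
"""

def parse_junos(text):
    """Parse JunOS curly-brace config text into nested dicts; leaf statements map to None."""
    text = re.sub(r"##[^\n]*", "", text)           # drop the ## remarks used in the thread
    root, stack = {}, []
    cur = root
    for stmt, tok in re.findall(r"([^{};]*)([{};])", text):
        stmt = stmt.strip()
        if tok == "{":
            stack.append(cur)
            cur = cur.setdefault(stmt, {})
        elif tok == ";":
            cur[stmt] = None
        else:                                       # "}" closes the current stanza
            cur = stack.pop()
    return root

def check_hairpin(cfg, lan_if, lan_net, pool="dyn-vpn-address-pool"):
    """Return findings against the settings the thread converges on for hairpinning VPN clients."""
    lan_net = ipaddress.ip_network(lan_net)
    leaf = lambda node, key: next(k.split(" ", 1)[1] for k in node if k.startswith(key + " "))
    findings = []
    fam = cfg["access"]["address-assignment"][f"pool {pool}"]["family inet"]
    rng = next(v for k, v in fam.items() if k.startswith("range "))
    if ipaddress.ip_network(leaf(fam, "network")) != lan_net or any(
            ipaddress.ip_address(leaf(rng, k)) not in lan_net for k in ("low", "high")):
        findings.append("XAuth pool must be carved from the protected LAN subnet")
    sec = cfg["security"]
    if f"interface {lan_if}" not in sec["nat"].get("proxy-arp", {}):   # lan_if is an assumption
        findings.append(f"proxy-arp for the pool belongs on the LAN interface {lan_if}")
    rulesets = [v for k, v in sec["nat"].get("source", {}).items() if k.startswith("rule-set ")]
    if not any("from zone untrust" in rs and "to zone untrust" in rs for rs in rulesets):
        findings.append("need an untrust-to-untrust source NAT rule-set")
    if "from-zone untrust to-zone untrust" not in sec.get("policies", {}):
        findings.append("need an untrust-to-untrust permit policy")
    return findings
```

    Running `check_hairpin(parse_junos(SAMPLE), "vlan.0", "192.168.200.0/24")` reports only the proxy-ARP placement; moving the proxy-arp stanza to vlan.0 clears it.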

     



  • 9.  RE: dynamic vpn, traffic go through srx gateway - how

    Posted 01-19-2011 06:09

    Yeah, dunno man.  You can send me your entire config to the email on my profile if you wish.



  • 10.  RE: dynamic vpn, traffic go through srx gateway - how

    Posted 01-19-2011 15:54

    Hi colemtb, I have sent my config to your email; thanks again for your help.



  • 11.  RE: dynamic vpn, traffic go through srx gateway - how

    Posted 01-19-2011 19:59

    Problem fixed, solution accepted, thanks colemtb~



  • 12.  RE: dynamic vpn, traffic go through srx gateway - how

    Posted 06-21-2011 12:03

    Hello,

    Are you able to ping PCs connected to the dynamic VPN as well? For me, dynamic VPN is working fine, but I cannot ping or access PCs connected to the dynamic VPN from the SRX or the internal network/protected resources.