SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  remote VPN passthru s2s for 2 hops to destination

    Posted 08-19-2014 10:47

    Hi,

    I have a remote VPN setup and connect successfully with Junos Pulse. On the SRX100, there is a site-to-site VPN active to a remote Cisco ASA. I am able to connect from remote to a local machine, and from there connect to machines on the other side of the s2s VPN. I cannot route directly from remote to the other side of the s2s VPN.

    Is this possible?

    The SRX100 is using a policy-based VPN. The connection looks something like this:

    PC - ipaddr 192.168.3.120
          - remote VPN assigned ipaddr 172.16.9.8

    SRX100 - external 50.58.28.x
           - vlan.0 192.168.168.254

    Cisco ASA - external 64.x.x.x
              - internal 10.249.6.0

    If possible, what is this called and what routing protocols are needed?

    Thanks,

    Paul

    Attachment: srxfw-exceptSecretData.txt (19 KB)


  • 2.  RE: remote VPN passthru s2s for 2 hops to destination

    Posted 08-21-2014 13:50

    The manual at this address talks about pushing routes to dynamic VPN clients:

    http://www.juniper.net/techpubs/en_US/junos12.1/information-products/pathway-pages/security/security-vpn-dynamic.pdf

    Chapter 5, page 24, 3b

    b. Configure the clients who can use the dynamic VPN. Specify protected resources
    (traffic to the protected resource travels through the specified dynamic VPN tunnel
    and is therefore protected by the firewall's security policies) or exceptions to the
    protected resources list (traffic that does not travel through the dynamic VPN
    tunnel and is sent in cleartext). These options control the routes that are pushed
    to the client when the tunnel is up, therefore controlling the traffic that is sent
    through the tunnel. Use the clients configuration statement at the [edit security
    dynamic-vpn] hierarchy level.

    I believe this is what I was searching for. I have not yet tested, but will report back if I have success.

    Paul



  • 3.  RE: remote VPN passthru s2s for 2 hops to destination

    Posted 08-21-2014 19:48

    Hi,

     

    I see that you want the dvpn users to connect to the SRX and route directly into the s2s VPN to machines on the remote side behind the ASA.

    This is indeed possible. But you would need to migrate the existing policy-based VPN to a route-based VPN. Then write a route pointing towards the remote subnet behind the ASA towards st (tunnel interface).

    Now in the remote protected resource of the dvpn, configure the ASA subnets as well as your local subnets, to make both sites accessible to dvpn users.

    Also modify your proxy-id accordingly to bring the tunnel up.

    Hope this helps!

    Regards,

    c_r

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too

     



  • 4.  RE: remote VPN passthru s2s for 2 hops to destination

    Posted 08-22-2014 14:50

    Hi,

    Thank you for the details. I was able to push the routes to the client, but it did not provide access to the remote subnets, as c_r noted.

    I chose to do a policy-based VPN because the remote device is a Cisco ASA. I chose policy-based because of this KB: http://kb.juniper.net/InfoCenter/index?page=content&id=KB15745

    Anyway, I converted the config to route-based using KB28120 as a guide. It still doesn't work, but I suspect the issue is with the proxy-identity. The dynamic VPN gives out addresses from the 172.16.9.0/24 pool, but the proxy-identity has this. I need the local 192.168.168.0/24 info, so that the site-to-site tunnel gets set up.

    How would I change this to get the dynamic VPN traffic into the site-to-site tunnel?

    Thanks,

    Paul

    vpn ike-vpn-dallas-asa {
        bind-interface st0.0;
        ike {
            gateway gw-dallas-asa;
            proxy-identity {
                local 192.168.168.0/24;
                remote 10.249.6.0/24;
                service any;
            }
            ipsec-policy ipsec-phase2-policy;
        }
        establish-tunnels immediately;
    }

    Attachment: srxfw-exceptSecretData.txt (20 KB)


  • 5.  RE: remote VPN passthru s2s for 2 hops to destination

    Posted 08-27-2014 14:49

    Hi,

    I really need help with the routing. It seems okay, but if I had something to read, I would be making progress again. Should I do some static routes or OSPF?

    The path I want to accomplish is from the dyn-vpn address 172.16.9.x to 10.249.6.x. Here is what routes the SRX knows about.

    Paul

    > show route

    inet.0: 11 destinations, 11 routes (11 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    0.0.0.0/0 *[Static/5] 4d 21:54:00
        > to 50.58.28.177 via fe-0/0/0.0
    10.249.6.0/24 *[Static/5] 00:04:27
        > via st0.0
    50.58.28.176/28 *[Direct/0] 4d 21:54:01
        > via fe-0/0/0.0



  • 6.  RE: remote VPN passthru s2s for 2 hops to destination

    Posted 08-28-2014 10:49

    Here is a flow trace. It shows the packet gets dropped because there is no untrust to untrust policy... This is a route-based VPN now, so I am not sure what to do with that.

    Thanks, Paul


    srxfirewall% cat flow.trace

    Aug 28 12:33:02 12:33:01.729500:CID-0:RT:dec vector=829912c. rc 0x0
    Aug 28 12:33:02 12:33:01.729500:CID-0:RT: fe-0/0/0.0:174.73.4.183->50.58.28.182, 50
    Aug 28 12:33:02 12:33:01.729500:CID-0:RT: find flow: table 0x44d637b0, hash 33745(0xffff), sa 174.73.4.183, da 50.58.28.182, sp 56128, dp 4962, proto 50, tok 7
    Aug 28 12:33:02 12:33:01.729500:CID-0:RT: flow got session.
    Aug 28 12:33:02 12:33:01.729500:CID-0:RT: flow session id 10925
    Aug 28 12:33:02 12:33:01.729500:CID-0:RT: flow_decrypt: tun 4482e7d0(flag 82), iif 74
    Aug 28 12:33:02 12:33:01.729500:CID-0:RT:<174.73.4.183/0->50.58.28.182/0;50> :
    Aug 28 12:33:02 12:33:01.729500:CID-0:RT:packet [120] ipid = 2905, @40944b22
    Aug 28 12:33:02 12:33:01.729500:CID-0:RT: ----- flow_process_pkt rc 0xf (fp rc 0)

    Aug 28 12:33:02 12:33:01.729500:CID-0:RT:<172.16.9.6/46849->10.249.6.132/768;1> :
    Aug 28 12:33:02 12:33:01.729500:CID-0:RT:packet [60] ipid = 2904, @40944b4e
    Aug 28 12:33:02 12:33:01.729500:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 1, common flag 0x0, mbuf 0x40944900, rtbl_idx = 0
    Aug 28 12:33:02 12:33:01.729500:CID-0:RT: in_ifp <junos-self:.local..0>
    Aug 28 12:33:02 12:33:01.729500:CID-0:RT:flow_process_pkt_exception: setting rtt in lpak to 45469128
    Aug 28 12:33:02 12:33:01.729500:CID-0:RT:pkt out of tunnel.Proceed normally
    Aug 28 12:33:02 12:33:01.729500:CID-0:RT: fe-0/0/0.0:172.16.9.6->10.249.6.132, icmp, (8/0)
    Aug 28 12:33:02 12:33:01.729500:CID-0:RT: find flow: table 0x44d637b0, hash 4844(0xffff), sa 172.16.9.6, da 10.249.6.132, sp 46849, dp 768, proto 1, tok 7
    Aug 28 12:33:02 12:33:01.729500:CID-0:RT: no session found, start first path. in_tunnel - 1149429712, from_cp_flag - 0
    Aug 28 12:33:02 12:33:01.729500:CID-0:RT: flow_first_create_session
    Aug 28 12:33:02 12:33:01.729500:CID-0:RT: flow_first_in_dst_nat: in <fe-0/0/0.0>, out <N/A> dst_adr 10.249.6.132, sp 46849, dp 768
    Aug 28 12:33:02 12:33:01.729500:CID-0:RT: chose interface N/A as incoming nat if.
    Aug 28 12:33:02 12:33:01.729500:CID-0:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 10.249.6.132(768)
    Aug 28 12:33:02 12:33:01.729500:CID-0:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 172.16.9.6, x_dst_ip 10.249.6.132, in ifp fe-0/0/0.0, out ifp N/A sp 46849, dp 768, ip_proto 1, tos 0
    Aug 28 12:33:02 12:33:01.729500:CID-0:RT:Doing DESTINATION addr route-lookup
    Aug 28 12:33:02 12:33:01.729500:CID-0:RT: routed (x_dst_ip 10.249.6.132) from untrust (fe-0/0/0.0 in 0) to st0.0, Next-hop: 10.249.6.132
    Aug 28 12:33:02 12:33:01.729500:CID-0:RT: policy search from zone untrust-> zone untrust (0x0,0xb7010300,0x300)
    Aug 28 12:33:02 12:33:01.729500:CID-0:RT: app 0, timeout 60s, curr ageout 60s
    Aug 28 12:33:02 12:33:01.729500:CID-0:RT: packet dropped, denied by policy
    Aug 28 12:33:02 12:33:01.729500:CID-0:RT: packet dropped, policy deny.
    Aug 28 12:33:02 12:33:01.729500:CID-0:RT: flow find session returns error.
    Aug 28 12:33:02 12:33:01.729500:CID-0:RT:flow_process_pkt_exception: Freeing lpak 3fdeda50 associated with mbuf 0x40944900
    Aug 28 12:33:02 12:33:01.729500:CID-0:RT: ----- flow_process_pkt rc 0x7 (fp rc 0)
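
    The trace above contains the answer in two lines: the route lookup sends the decrypted packet from fe-0/0/0.0 (zone untrust) to st0.0, which also sits in untrust, so the policy search is untrust to untrust and nothing matches. The following parser is an added example (not from this thread or from Juniper) that pulls the zone pair and verdict out of such flow-trace lines; its sample input is the six relevant lines from the trace in this post, and it flags the intra-zone case explicitly:

```python
import re
from dataclasses import dataclass
from typing import List, Optional
# Lines taken from the flow trace posted above (same format as the "cat flow.trace" output).
TRACE = """\
Aug 28 12:33:02 12:33:01.729500:CID-0:RT: find flow: table 0x44d637b0, hash 33745(0xffff), sa 174.73.4.183, da 50.58.28.182, sp 56128, dp 4962, proto 50, tok 7
Aug 28 12:33:02 12:33:01.729500:CID-0:RT: flow got session.
Aug 28 12:33:02 12:33:01.729500:CID-0:RT: find flow: table 0x44d637b0, hash 4844(0xffff), sa 172.16.9.6, da 10.249.6.132, sp 46849, dp 768, proto 1, tok 7
Aug 28 12:33:02 12:33:01.729500:CID-0:RT: routed (x_dst_ip 10.249.6.132) from untrust (fe-0/0/0.0 in 0) to st0.0, Next-hop: 10.249.6.132
Aug 28 12:33:02 12:33:01.729500:CID-0:RT: policy search from zone untrust-> zone untrust (0x0,0xb7010300,0x300)
Aug 28 12:33:02 12:33:01.729500:CID-0:RT: packet dropped, denied by policy
"""
FIND = re.compile(r"find flow: .*sa (\S+), da (\S+), .*proto (\d+)")
ROUTED = re.compile(r"routed \(x_dst_ip \S+\) from (\S+) \(\S+ in \d+\) to (\S+),")
POLICY = re.compile(r"policy search from zone (\S+)-> zone (\S+)")
@dataclass
class FlowRecord:
    src: str
    dst: str
    proto: int
    from_zone: Optional[str] = None   # zone of the ingress interface
    to_zone: Optional[str] = None     # zone of the egress interface (st0.0 here)
    out_ifp: Optional[str] = None     # egress interface chosen by the route lookup
    session_found: bool = False       # "flow got session": no policy lookup needed
    dropped: bool = False

    def diagnosis(self) -> str:
        if not self.dropped:
            return "forwarded (existing session)" if self.session_found else "forwarded"
        if self.from_zone and self.from_zone == self.to_zone:   # the case in this thread
            return (f"denied: {self.out_ifp} is also in zone {self.to_zone}; add a policy "
                    f"from-zone {self.from_zone} to-zone {self.to_zone}")
        return f"denied by policy from-zone {self.from_zone} to-zone {self.to_zone}"

def parse_flow_trace(text: str) -> List[FlowRecord]:
    # One FlowRecord per "find flow" line, enriched by the lines that follow it.
    records: List[FlowRecord] = []
    for line in text.splitlines():
        if m := FIND.search(line):
            records.append(FlowRecord(m.group(1), m.group(2), int(m.group(3))))
        elif not records:
            continue                               # preamble before the first packet
        elif "flow got session" in line:
            records[-1].session_found = True
        elif m := ROUTED.search(line):
            records[-1].from_zone, records[-1].out_ifp = m.groups()
        elif m := POLICY.search(line):
            records[-1].from_zone, records[-1].to_zone = m.groups()
        elif "packet dropped" in line:
            records[-1].dropped = True
    return records
```

    Run over the full trace in this post it reports the outer ESP packet as forwarded on its existing session and the inner ICMP packet as denied, naming the from-zone untrust to-zone untrust policy that the next reply adds.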



  • 7.  RE: remote VPN passthru s2s for 2 hops to destination
    Best Answer

    Posted 08-28-2014 15:03

    I added a policy from-zone untrust to-zone untrust. That got the packets out to the destination.

    At that point, I had packets with source address 172.16.9.0/24 going through a tunnel that had proxy-id local 192.168.168.0/24. At the destination Cisco ASA, these packets were dropped.

    I added st0.1 and bound that to a second tunnel with proxy-id local 172.16.9.0/24. It works.

    The confusing part for me is that policy is everywhere, but this is still a route-based VPN.

    Paul



  • 8.  RE: remote VPN passthru s2s for 2 hops to destination

    Posted 05-04-2015 11:24

    Hello,

    Recently I did this config as stated above and got it to work perfectly, but I am trying to understand why a policy-based VPN does not work and a route-based VPN works instead. Does anyone have an explanation why?

    Thanks in advance.

    Graham