SRX Services Gateway
Contributor
Posts: 82
Registered: 07-10-2010

setup dynamic vpn as non-split vpn tunnel


Hi JNet experts,


I am trying to set up the dynamic VPN as a non-split VPN. All user traffic will be forwarded through the VPN tunnel and then routed to the internet from the SRX. Is it possible to do that?


Thanks,


rotearc


Contributor
Posts: 82
Registered: 07-10-2010

Re: setup dynamic vpn as non-split vpn tunnel

I got it to work; it is quite interesting. I have the VPN terminated in the vpn zone, and I need to set up a NAT and firewall policy to allow traffic from the untrust zone to the untrust zone. Also, the remote resource is 0.0.0.0/0 in my case.


        from-zone untrust to-zone vpn {
            policy policy_in_wizard_dyn_vpn {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn wizard_dyn_vpn;
                        }
                    }
                }
            }
        }
        from-zone untrust to-zone untrust {
            policy stupid-vpn-poilicy {
                match {
                    source-address 10.10.3.248/29;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }

Contributor
Posts: 34
Registered: 10-31-2012

Re: setup dynamic vpn as non-split vpn tunnel

What client were you using when you did this?

I'm on a path to do the same thing -- but isn't split tunneling decided on the client? (or am I to assume your example above has the SRX *AS* the client?)

Thanks,


 -Ben

Contributor
Posts: 34
Registered: 10-31-2012

Re: setup dynamic vpn as non-split vpn tunnel

Never mind -- I got it working.

I don't have a VPN zone -- so the setup is a little different.

To any other readers:

You need to:

  • Make your protected resources 0.0.0.0/0
  • Add a source NAT rule for the IPs assigned to DVPN users (I have them go out a separate IP address than the address assigned to the untrusted interface)
  • Add a policy from Zone Untrust to Zone Untrust that allows the IPs assigned to the DVPN users to flow back out the untrusted interface
  • Add a Proxy ARP entry on the untrust interface for the source NAT address (the external IP I used)
    (and really, if this is a VPN user, they need a Proxy ARP entry for the internal network they are assigned to and want to talk with)

    Now the users on DVPN can talk to internal and external hosts with no split tunneling.


Cheers.
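As an added worked example (not configuration posted by Ben or the original poster), here are the four steps above as Junos set commands for a dynamic VPN whose tunnel terminates in the untrust zone. Assumed values, to be changed to match your own setup: the DVPN pool 10.10.3.248/29 from the earlier post, a constructed external NAT address 203.0.113.10, ge-0/0/0.0 as the untrust interface, ge-0/0/1.0 as the trust interface, an IPsec VPN named dyn-vpn, and a global address book.

```junos
# Added example, not from this thread. Assumed: DVPN pool 10.10.3.248/29,
# external NAT address 203.0.113.10 (constructed, must sit in the untrust
# interface's subnet), ge-0/0/0.0 = untrust, ge-0/0/1.0 = trust,
# IPsec VPN "dyn-vpn", global address book in use.

# 1. Protected resources 0.0.0.0/0 so the client sends all traffic into the
#    tunnel; any remote-exceptions left behind would re-introduce split tunneling.
set security dynamic-vpn clients all ipsec-vpn dyn-vpn
set security dynamic-vpn clients all remote-protected-resources 0.0.0.0/0
delete security dynamic-vpn clients all remote-exceptions

# 2. Source NAT for the DVPN pool when it hairpins back out untrust, using a
#    dedicated external address rather than the untrust interface address.
set security nat source pool dvpn-snat-pool address 203.0.113.10/32
set security nat source rule-set dvpn-to-internet from zone untrust
set security nat source rule-set dvpn-to-internet to zone untrust
set security nat source rule-set dvpn-to-internet rule dvpn-snat match source-address 10.10.3.248/29
set security nat source rule-set dvpn-to-internet rule dvpn-snat then source-nat pool dvpn-snat-pool

# 3. untrust-to-untrust policy limited to the DVPN pool (not "any"), with
#    session logging so client Internet traffic is visible in syslog.
set security address-book global address dvpn-pool 10.10.3.248/29
set security policies from-zone untrust to-zone untrust policy dvpn-to-internet match source-address dvpn-pool
set security policies from-zone untrust to-zone untrust policy dvpn-to-internet match destination-address any
set security policies from-zone untrust to-zone untrust policy dvpn-to-internet match application any
set security policies from-zone untrust to-zone untrust policy dvpn-to-internet then permit
set security policies from-zone untrust to-zone untrust policy dvpn-to-internet then log session-close

# 4. Proxy ARP: answer for the NAT address on untrust, and for the pool hosts
#    on trust if the pool is carved out of the internal LAN subnet.
set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.10/32
set security nat proxy-arp interface ge-0/0/1.0 address 10.10.3.249/32 to 10.10.3.254/32
```

After commit, `show security nat source rule all` shows whether the dvpn-snat rule is being hit, and `show security flow session source-prefix 10.10.3.248/29` shows client sessions egressing the untrust zone.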


Copyright© 1999-2015 Juniper Networks, Inc. All rights reserved.