SRX


site to site vpn for policy-based issue

  • 1.  site to site vpn for policy-based issue

    Posted 05-23-2016 00:13

    Hello,

     

    I configured a policy-based VPN between site A and site B. Unfortunately, it has an issue: site A's PC can ping/remote to site B's PC, but site B's PC can't ping/remote to site A's PC.

     

    Some details are below:

    Site A :

    SRX240 FW: 10.10.1.0/28

    Checkpoint FW: 172.25.10.0/23 (under the SRX240)

    PC: 172.25.10.104/23 (under the checkpoint)

     

    Site B:

    SRX100 FW: 192.168.8.0/24

    PC:192.168.8.151/24

     

    I checked that the Checkpoint has a route to 192.168.8.0/24. Could anyone help solve the issue?

     

    Many Thanks!!! 



  • 2.  RE: site to site vpn for policy-based issue

    Posted 05-23-2016 02:29

    Hello,

     

     

    Please confirm whether you have security policies configured on the site B and site A SRX firewalls to allow the traffic initiated from site B to site A. If not, then please configure the security policies on both SRXs accordingly.

     

    For more information on configuring security policies on the SRX to allow traffic in both directions in a policy-based VPN, please refer to the following document:

     

    http://www.juniper.net/techpubs/en_US/junos12.1x44/topics/example/ipsec-policy-based-vpn-configuring.html (please refer to the "Configuring Security Policies" section)



  • 3.  RE: site to site vpn for policy-based issue

    Posted 05-23-2016 03:13

    Hello, 

     

    I confirmed the security policies on both SRXs, but it doesn't work. Do I need to configure NAT?

     



  • 4.  RE: site to site vpn for policy-based issue

    Posted 05-23-2016 03:25

    Hi ,

     

    Can you apply a flow trace on the site B SRX and check whether the correct security policy (the one that calls the ipsec-vpn) is being used to allow the traffic? If some other security policy is being used, then the traffic will not be sent through the VPN but will be passed in plain text.

     

    Also check whether any NAT is involved when traffic is initiated from site B to site A.

     

    Regards

    Hemant



  • 5.  RE: site to site vpn for policy-based issue

    Posted 05-23-2016 03:45

    Just one VPN connects to site A, and site B has no NAT configured.



  • 6.  RE: site to site vpn for policy-based issue

    Posted 05-23-2016 05:13

    Hi,

     

    Can you paste the config from both sites into the post?

    Also, can you run the flow traceoptions from site B to site A and attach the output to the post?

    Please paste the output of the command below too:

     

    >show security match-policies from-zone <zone> to-zone <zone> source-ip x.x.x.x destination-ip x.x.x.x protocol <protocol number> source-port 23234 destination-port <dport>

     

    Regards

    Hemant



  • 7.  RE: site to site vpn for policy-based issue

    Posted 05-23-2016 21:35

    Hi, 

     

    According to your command, I tried this: >show security match-policies from-zone internal to-zone internet source-ip 192.168.8.1 destination-ip 172.25.10.1 protocol tcp source-port 23234 destination-port 23234, but no information was displayed. Did I type the command correctly?



  • 8.  RE: site to site vpn for policy-based issue

    Posted 05-23-2016 23:36

    Hi,

    Can you please cross-check that the destination port on which the traffic is being sent is 23234? (I believe it should be a well-known port like 80, 443, 22, etc., depending on your application, unless the application you are trying to reach is a custom one.)

     

    Note: use the destination port defined in the security policy where the ipsec-vpn is called.

     

    Regards

    Hemant



  • 9.  RE: site to site vpn for policy-based issue

    Posted 05-24-2016 05:54

    Hi Hemant, 

     

    Sorry for the late reply; I have no way to solve the issue. I have uploaded the site B configuration. Would you help me verify the settings? Many thanks!!!

     

    Best regards,

    THE-O

     

    Attachment: siteB_configure.txt (7 KB)


  • 10.  RE: site to site vpn for policy-based issue

    Posted 05-24-2016 08:02

    Hello,

     

     

    In the attached configuration from site B I do not see any policy from zone internal to zone internet that calls the VPN MM_MCO_VPN.

     

    As you have the policy from zone internet to zone internal for VPN MM_MCO_VPN, you also need the policy in the reverse direction, from zone internal to zone internet.

     

    Policy you already have in the configuration on site B:-

    set security policies from-zone Internet to-zone Internal policy MCO_MM_VPN match source-address MCO_LAN_Seg
    set security policies from-zone Internet to-zone Internal policy MCO_MM_VPN match destination-address local-net
    set security policies from-zone Internet to-zone Internal policy MCO_MM_VPN match application any
    set security policies from-zone Internet to-zone Internal policy MCO_MM_VPN then permit tunnel ipsec-vpn MM_MCO_VPN
    set security policies from-zone Internet to-zone Internal policy MCO_MM_VPN then log session-init
    set security policies from-zone Internet to-zone Internal policy MCO_MM_VPN then log session-close

     

    Policy that you need to add in the configuration on site B:-

     

    set security policies from-zone Internal to-zone Internet policy MCO_MM_VPN-1 match source-address local-net
    set security policies from-zone Internal to-zone Internet policy MCO_MM_VPN-1 match destination-address MCO_LAN_Seg
    set security policies from-zone Internal to-zone Internet policy MCO_MM_VPN-1 match application any
    set security policies from-zone Internal to-zone Internet policy MCO_MM_VPN-1 then permit tunnel ipsec-vpn MM_MCO_VPN
    set security policies from-zone Internal to-zone Internet policy MCO_MM_VPN-1 then permit tunnel pair-policy MCO_MM_VPN
    set security policies from-zone Internal to-zone Internet policy MCO_MM_VPN-1 then log session-init
    set security policies from-zone Internal to-zone Internet policy MCO_MM_VPN-1 then log session-close

     

    You also need to add the command below to the already existing policy:-

    set security policies from-zone Internet to-zone Internal policy MCO_MM_VPN then permit tunnel pair-policy MCO_MM_VPN-1

     

    Similarly, if the reverse policy to allow this traffic is not configured on site A, then you need to configure it on site A as well.

     

    The currently existing policies allow traffic only when it is initiated from site A to site B, as you are seeing. Once the above is configured, the traffic in the other direction should also work.

     

    Thanks,
    Pulkit Bhandari

    Please mark my response as Solution Accepted if it helps; kudos are appreciated too.

     



  • 11.  RE: site to site vpn for policy-based issue

    Posted 05-25-2016 02:06

    Hi,

     

    Sorry, site B still can't ping site A. Please let me know whether NAT needs to be configured or not.

     

    Many Thanks!!!

    Attachment: siteB.txt (19 KB)


  • 12.  RE: site to site vpn for policy-based issue
    Best Answer

     
    Posted 05-25-2016 02:40

    I cannot see your address book, but you need to move your source NAT rule up. Something like:

     

    insert security nat source rule-set NAT_Internet rule Source_NO_NAT before rule Source_NAT_Trust_Any

     

    This is because the source NAT is performed before the policy match, so the source address of the packet will no longer match the source address of the policy that directs traffic through the VPN tunnel.
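    As an added illustration (not the thread's config and not Junos code), the Python model below follows post 12's reasoning: a first-match source NAT rule-set evaluated ahead of the VPN policy's address match. The address objects and rule names are those from the posted config; the subnets behind them, the egress address and the permit-all policy are assumptions.

```python
from ipaddress import ip_address, ip_network

# Address objects named in the posted site B config; subnets are from post 1.
# MCO_LAN_Seg is assumed to be site A's LAN behind the Checkpoint.
ADDRESS_BOOK = {
    "local-net": ip_network("192.168.8.0/24"),
    "MCO_LAN_Seg": ip_network("172.25.10.0/23"),
    "any": ip_network("0.0.0.0/0"),
}
EGRESS_IP = "203.0.113.10"  # constructed: site B's Internet-facing address

def _match(src, dst, src_obj, dst_obj):
    return ip_address(src) in ADDRESS_BOOK[src_obj] and ip_address(dst) in ADDRESS_BOOK[dst_obj]

def source_nat(src, dst, rule_set):
    """Evaluate the rule-set top-down; first match wins. 'off' keeps the original source."""
    for _name, src_obj, dst_obj, action in rule_set:
        if _match(src, dst, src_obj, dst_obj):
            return EGRESS_IP if action == "interface" else src
    return src

def policy_lookup(src, dst, policies):
    """First matching from-zone Internal to-zone Internet policy wins."""
    for name, src_obj, dst_obj, action in policies:
        if _match(src, dst, src_obj, dst_obj):
            return name, action
    return None, "deny"

# Rule names from post 12; Source_NAT_Trust_Any is assumed to be interface NAT for everything.
NO_NAT = ("Source_NO_NAT", "local-net", "MCO_LAN_Seg", "off")
NAT_ALL = ("Source_NAT_Trust_Any", "any", "any", "interface")

# Outbound policies: the tunnel policy from post 10, written local -> remote,
# followed by an ordinary permit-all policy (assumed).
POLICIES = [
    ("MCO_MM_VPN-1", "local-net", "MCO_LAN_Seg", "tunnel ipsec-vpn MM_MCO_VPN"),
    ("Trust_Any", "any", "any", "permit"),
]

def forward(src, dst, rule_set):
    """Apply the order post 12 describes: source NAT, then policy match on the NAT'd source."""
    nat_src = source_nat(src, dst, rule_set)
    name, action = policy_lookup(nat_src, dst, POLICIES)
    return nat_src, name, action

# Site B PC to site A PC with the rule-set as the thread had it (NAT rule first)
# and after the suggested 'insert ... before' (no-NAT rule first).
BEFORE_FIX = forward("192.168.8.151", "172.25.10.104", [NAT_ALL, NO_NAT])
AFTER_FIX = forward("192.168.8.151", "172.25.10.104", [NO_NAT, NAT_ALL])
```

    With the NAT rule first, the packet is rewritten to the egress address and falls through to the plain permit policy instead of the tunnel policy; ordinary Internet traffic is still NAT'd in both orders.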



  • 13.  RE: site to site vpn for policy-based issue

    Posted 05-26-2016 05:05

    Hi,

     

    I added the NAT, but it is still not working. Do you have any suggestions?



  • 14.  RE: site to site vpn for policy-based issue

     
    Posted 05-26-2016 05:07

    Could you please attach the config again now that you have made the change?



  • 15.  RE: site to site vpn for policy-based issue

    Posted 05-27-2016 00:31

    Hi, 

     

    Could I set source NAT or Destination NAT?

     

    Enclosed is the site B config.

    Attachment: siteB.txt (25 KB)


  • 16.  RE: site to site vpn for policy-based issue

     
    Posted 05-27-2016 04:39

    I have had a look through and cannot see a problem with the config. The only thing is that you do not need to put fe-0/0/0 through fe-0/0/3 into a security zone, as they are layer 2 interfaces and you have already put the VLAN interface into the zone. I don't think this would cause your problem, though. The only thing I can suggest is that you attach the config of site A as well and I will have a look through that, but I am away for a few days.



  • 17.  RE: site to site vpn for policy-based issue

    Posted 05-30-2016 00:20

    It was a missing setting, my mistake.

     

    Thanks for all your help!!!