Screen OS

  • 1.  Dial-Up VPN - Same VPN IP Pool subnet as Internal Network

    Posted 03-14-2014 18:04

    Hi,

    My current dial-up VPN configuration gives out IP addresses in a subnet which is not accessible from other parts of our network. To resolve this, and as only a few users use the VPN, I'd like to change this pool to give out IP addresses which are a part of one of our internal subnets.

    Looking through the documentation (http://kb.juniper.net/kb/documents/public/resolution_path/J_FW_VPN_Config_or_Trblsh.htm) I cannot find an example of this.

    Does anyone know if this is possible and how I go about achieving it?

    Testing is proving somewhat annoying as I'm not sure how to remove currently reserved IP addresses ('get xauth active').

    Thanks for any help.



  • 2.  RE: Dial-Up VPN - Same VPN IP Pool subnet as Internal Network

    Posted 03-18-2014 05:18

    There are two ways to achieve this:

    1. You can continue to use the present set of IP pools and just enable source NAT on the dynamic VPN policy, so that outgoing traffic is NATed to the IP of the internal interface; that will solve the problem of IP pool subnets not being reachable from some internal networks.

    2. You can assign a few available IPs from your internal subnet (the subnet configured on the LAN-facing interface of the FW) to the IP pool. However, to resolve L2 issues in your LAN, you then have to configure a DIP for that subnet on the internal interface so that it can do proxy ARP for that subnet.

    Sarab
    ------------------------------------------------------------------------------------

    [If it helped please mark it as "Accepted Solution". Kudos will be appreciated too.]
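    Added example (not from the thread or from Juniper): a small Python check for option 2 above, i.e. carving the dial-up pool out of the firewall's internal interface subnet. It reports whether the pool actually lies inside that subnet (and therefore needs the DIP / proxy ARP described above), and flags pool addresses that collide with the subnet's network or broadcast address or with reserved ranges such as the interface IP or a DHCP scope. The internal subnet 172.19.10.0/24 and the reserved ranges are constructed sample values; only the 10.45.60.0/24 dial-up pool comes from the thread.

```python
import ipaddress
from typing import Dict, Iterable


def plan_vpn_pool(internal_subnet: str, pool_first: str, pool_last: str,
                  reserved: Iterable[str] = ()) -> Dict[str, object]:
    """Check a proposed dial-up IP pool against the firewall's internal interface subnet.

    Returns whether the pool lies inside that subnet (in which case the firewall
    must answer ARP for the pool addresses, e.g. via a DIP on the internal
    interface, so LAN hosts can reach the VPN clients at L2), plus any pool
    addresses that collide with the subnet's network/broadcast address or with
    reserved ranges (interface IPs, DHCP scopes, static hosts).
    """
    net = ipaddress.ip_network(internal_subnet, strict=True)
    first = ipaddress.ip_address(pool_first)
    last = ipaddress.ip_address(pool_last)
    if last < first:
        raise ValueError("pool_last precedes pool_first")
    pool = [ipaddress.ip_address(i) for i in range(int(first), int(last) + 1)]

    # Expand reserved entries (single IPs or CIDR blocks) into a set of addresses.
    taken = set()
    for entry in reserved:
        taken.update(ipaddress.ip_network(entry, strict=False))
    taken.update({net.network_address, net.broadcast_address})

    in_subnet = all(addr in net for addr in pool)
    conflicts = [str(addr) for addr in pool if addr in taken]
    return {
        "size": len(pool),
        "in_subnet": in_subnet,
        "needs_proxy_arp": in_subnet,       # option 2: pool inside the LAN subnet
        "outside_lan": not in_subnet,       # option 1 territory: route or source-NAT it
        "conflicts": conflicts,
        "ok": in_subnet and not conflicts,
    }


# Constructed sample topology (hypothetical, not from the thread):
LAN_SUBNET = "172.19.10.0/24"
RESERVED = [
    "172.19.10.1",        # firewall internal interface IP
    "172.19.10.128/26",   # DHCP scope .128-.191
]

if __name__ == "__main__":
    # A spare block at the top of the /24, as the poster describes.
    print(plan_vpn_pool(LAN_SUBNET, "172.19.10.248", "172.19.10.254", RESERVED))
    # Same block but including .255: flagged as the broadcast address.
    print(plan_vpn_pool(LAN_SUBNET, "172.19.10.248", "172.19.10.255", RESERVED))
    # The thread's original pool, which is outside the LAN subnet entirely.
    print(plan_vpn_pool(LAN_SUBNET, "10.45.60.1", "10.45.60.254", RESERVED))
```

    Run it as-is to see the three cases; in practice feed it the interface subnet from "get interface" and the pool bounds you intend to put in "set ippool".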

     

     



  • 3.  RE: Dial-Up VPN - Same VPN IP Pool subnet as Internal Network

    Posted 03-18-2014 12:06

    Hi Sarab,

    I haven't tried the NAT option yet but am in the process of testing with your 2nd suggestion, although I'm still not able to get to this one internal subnet. Here is what I've done so far.

    1. Found a spare /29 range in my internal LAN and created a new VPN pool. Assigned this VPN pool to one XAUTH user.

    2. Set the policies on the FW to allow this traffic.

    3. Added a route on the firewall to send this traffic to a tunnel interface (not sure why it's configured like this but it is).

    4. Added a route on the internal L3 switch to forward traffic for this /29 subnet to the FW.

    5. Added a network route for 172.19.98.0/24 to my VPN client.

    At this point I am able to browse to all internal subnets except this one which I need. If I traceroute to an IP in this subnet (172.19.98.0/24) when the client is connected to the VPN, every hop times out and I cannot see any logs on the firewall for this traffic. The firewall is able to ping and traceroute to all devices in 172.19.98.0/24, so I don't think there is a problem beyond the firewall.

    Any ideas on what else I can try? Failing this I might have to go with the NAT method but would need to find some documentation on this and read over it first.



  • 4.  RE: Dial-Up VPN - Same VPN IP Pool subnet as Internal Network

    Posted 03-18-2014 22:02

    Hi WarNox,

    Could you please describe the network overview, i.e. where the subnet you mentioned lies and how the firewall reaches this subnet?

    Also, which subnet have you assigned to the VPN IP pool?


  • 5.  RE: Dial-Up VPN - Same VPN IP Pool subnet as Internal Network

    Posted 03-19-2014 02:12

    Sure, attached is a simplified diagram.  Hopefully I haven't forgotten anything vital.



  • 6.  RE: Dial-Up VPN - Same VPN IP Pool subnet as Internal Network

    Posted 03-22-2014 02:05

    Are you able to ping this remote subnet 172.19.98.0/24 from the firewall?

    If yes, then could you please try using source NAT on the 'untrust to trust' policy, so that traffic from the remote clients going to internal networks goes out with the firewall's interface IP? This will confirm whether there is any routing-related issue in the path.



  • 7.  RE: Dial-Up VPN - Same VPN IP Pool subnet as Internal Network

    Posted 03-22-2014 09:29

    Yes, the firewall can ping the remote subnet (picture 1).

    I enabled source NAT on the untrust to trust policy, and can confirm it's working by looking at the log, but I'm still having the same issue with this one remote subnet (picture 2). Other subnets are working fine.

    What I find strange is that if I do a traceroute from the remote PC I cannot even see the first hop (picture 3), but if I do a traceroute to the other subnets it works fine (picture 3). Also, any traffic I'm trying to send to 172.19.98.0/24 doesn't show up in the log for this policy, even if I put it as the 1st policy in the list.

    The local routing table looks fine to me (picture 4); the dial-up VPN subnet is 10.45.60.0/24.



  • 8.  RE: Dial-Up VPN - Same VPN IP Pool subnet as Internal Network

    Posted 03-23-2014 20:26

    Please correct me if I am wrong; so far we have concluded:

    + Even after enabling source NAT on the untrust to trust policy, VPN clients are unable to ping the problematic subnet, though with this we are able to see the policy logs while you are sending this traffic.

    + However, when there is no NAT enabled, you don't even see this traffic in the policy logs.

    If the above understanding is correct, then could you please help to collect debug flow basic using source and destination IP filters?

    Could you please take a Wireshark capture on the end machine which you are trying to reach from your VPN client and see if traffic from the VPN client reaches there?

    Please capture the above data for both cases, i.e. with and without NAT enabled on the untrust to trust policy.

    Regards

    Sarab



  • 9.  RE: Dial-Up VPN - Same VPN IP Pool subnet as Internal Network

    Posted 03-24-2014 03:07

    Hi Sarab,

    At no point am I able to see traffic going to the problematic subnet in the logs, regardless of the configuration. It's as if the VPN client is not sending traffic for this subnet to the firewall, but I've tried it with multiple machines.

    I will run Wireshark on the remote system just in case, but I doubt anything will arrive 🙂 Will report back shortly.

    Cheers.



  • 10.  RE: Dial-Up VPN - Same VPN IP Pool subnet as Internal Network

    Posted 03-24-2014 16:29

    Just as I thought, no traffic is getting from the VPN client (via the firewall) to the machine on the problematic subnet, using source NAT.



  • 11.  RE: Dial-Up VPN - Same VPN IP Pool subnet as Internal Network
    Best Answer

    Posted 03-27-2014 08:24

    Turns out the problem was related to the Proxy ID setting under the AutoKey IKE configuration.

    The 172 subnet was not added to the list and for some reason each subnet had its own IKE set up. I combined them all into one and added the 172 subnet, which fixed the issue.

    Thanks for all the help Sarab!
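    Added example (not from the thread or from Juniper), illustrating the root cause in the accepted answer: a dial-up client only puts a packet into the tunnel when a negotiated proxy ID (local network, remote network) covers both the client's address and the destination. If 172.19.98.0/24 is missing from the proxy IDs, the client never encapsulates that traffic, so nothing for it ever reaches the firewall's policy logs, which is exactly what the thread observed. The model below is generic IPsec traffic-selector matching in Python, not ScreenOS code; the 10.45.60.0/24 pool and 172.19.98.0/24 come from the thread, the other internal subnets are constructed.

```python
import ipaddress
from typing import List, Optional, Sequence, Tuple

Network = ipaddress.IPv4Network
ProxyId = Tuple[Network, Network]   # (local network, remote network), from the client's point of view


def parse_proxy_ids(pairs: Sequence[Tuple[str, str]]) -> List[ProxyId]:
    """Turn ("local/len", "remote/len") strings into IPv4 network pairs."""
    return [(ipaddress.ip_network(local), ipaddress.ip_network(remote))
            for local, remote in pairs]


def matching_proxy_id(proxy_ids: Sequence[ProxyId], src: str, dst: str) -> Optional[ProxyId]:
    """Return the first proxy ID covering the flow src -> dst, or None.

    None means the client will not encapsulate the packet: it goes out via the
    client's normal routing table (or is dropped), never into the tunnel.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for local, remote in proxy_ids:
        if s in local and d in remote:
            return (local, remote)
    return None


def tunnel_decision(proxy_ids: Sequence[ProxyId], src: str, dst: str) -> str:
    pid = matching_proxy_id(proxy_ids, src, dst)
    if pid is None:
        return f"not tunnelled: no proxy ID covers {src} -> {dst}"
    return f"tunnelled via proxy ID {pid[0]} <-> {pid[1]}"


def missing_subnets(proxy_ids: Sequence[ProxyId], client_pool: str,
                    internal_subnets: Sequence[str]) -> List[str]:
    """Config audit: internal subnets that no proxy ID reaches from the whole client pool."""
    pool = ipaddress.ip_network(client_pool)
    missing = []
    for subnet in internal_subnets:
        net = ipaddress.ip_network(subnet)
        reachable = any(pool.subnet_of(local) and net.subnet_of(remote)
                        for local, remote in proxy_ids)
        if not reachable:
            missing.append(subnet)
    return missing


CLIENT_POOL = "10.45.60.0/24"           # dial-up VPN pool from the thread
INTERNAL = ["172.19.10.0/24", "172.19.20.0/24", "172.19.98.0/24"]  # first two constructed

# Before: one proxy ID per subnet, with 172.19.98.0/24 left out.
BEFORE = parse_proxy_ids([
    (CLIENT_POOL, "172.19.10.0/24"),
    (CLIENT_POOL, "172.19.20.0/24"),
])
# After: the same list with the missing subnet added.
AFTER = parse_proxy_ids([
    (CLIENT_POOL, "172.19.10.0/24"),
    (CLIENT_POOL, "172.19.20.0/24"),
    (CLIENT_POOL, "172.19.98.0/24"),
])

if __name__ == "__main__":
    for label, ids in (("before", BEFORE), ("after", AFTER)):
        print(label, "->", tunnel_decision(ids, "10.45.60.7", "172.19.98.10"))
        print(label, "missing:", missing_subnets(ids, CLIENT_POOL, INTERNAL))
```

    The audit function is the part worth keeping around: run it against the proxy IDs of each dial-up VPN whenever a new internal subnet is added, so a missing selector is caught before users report "every hop times out" with nothing in the firewall logs.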