I configured Dyn VPN and I can connect to my local resources but cannot access the resources on remote VPN site.
I have two VPN sites: site A (172.16.4.0/24) and site B (10.36.4.0/24), both connected using a route-based policy. Clients (which get IPs from the 192.168.239.0/24 pool) can connect to site A using Dyn VPN; however, they cannot access VPN site B. I added both sites as protected resources for both site A and site B in the dynamic VPN configuration. I have only two security zones in my Juniper box (internal and internet).
In the flow logs I can see these, but it looks like I need to create a policy from Internet to Internet???
Feb 5 03:46:35 03:46:35.403799:CID-0:RT:Doing DESTINATION addr route-lookup
Feb 5 03:46:35 03:46:35.403799:CID-0:RT: routed (x_dst_ip 10.36.4.40) from Internet (ge-0/0/0.0 in 0) to st0.7, Next-hop: 10.36.4.40
Feb 5 03:46:35 03:46:35.403799:CID-0:RT:flow_first_policy_search: policy search from zone Internet-> zone Internet (0x0,0xd3240016,0x16)
The external interface (ge-0/0/0) and the st0.x interfaces are part of the same zone "Internet". Since the traffic is coming in from ge-0/0/0 and going out via st0.7 (same zone), you have to create an intra-zone policy (Internet to Internet) to allow the traffic.
Thanks, Nellikka JNCIE x3 (SEC #321; SP #2839; ENT #790) Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
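As an added illustration of the intra-zone policy described in this answer (not configuration from the thread or from Juniper), the following Junos set commands permit only the dynamic VPN client pool to reach the site B subnet, rather than opening Internet-to-Internet for everything. The address-book entry names and the policy name are assumptions; the subnets and zone name come from the question.

```junos
# Added example, not from the original thread. Names dynvpn-clients, siteB-lan
# and dynvpn-to-siteB are assumptions; 192.168.239.0/24, 10.36.4.0/24 and the
# zone "Internet" are taken from the question.

# Address-book entries scoped to the Internet zone
set security zones security-zone Internet address-book address dynvpn-clients 192.168.239.0/24
set security zones security-zone Internet address-book address siteB-lan 10.36.4.0/24

# Intra-zone policy: ge-0/0/0 (client side) and st0.7 (site B tunnel) are both in
# zone Internet, so the lookup seen in the flow trace is Internet -> Internet.
# Restrict the match to the VPN pool and site B LAN instead of "any".
set security policies from-zone Internet to-zone Internet policy dynvpn-to-siteB match source-address dynvpn-clients
set security policies from-zone Internet to-zone Internet policy dynvpn-to-siteB match destination-address siteB-lan
set security policies from-zone Internet to-zone Internet policy dynvpn-to-siteB match application any
set security policies from-zone Internet to-zone Internet policy dynvpn-to-siteB then permit
set security policies from-zone Internet to-zone Internet policy dynvpn-to-siteB then log session-init

# Verification after commit (operational mode):
#   show security policies from-zone Internet to-zone Internet
#   show security flow session destination-prefix 10.36.4.0/24
```

Because the SRX flow is stateful, reply traffic from site B to the clients is matched by the existing session; a separate policy in the same zone pair is only needed if hosts in site B must initiate connections to the VPN clients.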
Thanks for replying. Oh yes, it seemed odd to me to add an internet-to-internet policy, so I learned that it is possible. I will try to create one.
By the way, here's the output of the interfaces:
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     184.108.40.206/29
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
sp-0/0/0.16383          up    up   inet     10.0.0.1            --> 10.0.0.16
                                            10.0.0.6            --> 0/0
                                            220.127.116.11      --> 18.104.22.168
                                            22.214.171.124      --> 0/0
ge-0/0/1                up    up
ge-0/0/1.0              up    up   inet     172.16.4.1/24
ge-0/0/2                up    down
ge-0/0/3                up    down
ge-0/0/4                up    down
ge-0/0/4.0              up    down inet
ge-0/0/5                up    down
ge-0/0/6                up    down
ge-0/0/7                up    down
ge-0/0/8                up    down
ge-0/0/9                up    down
ge-0/0/10               up    down
ge-0/0/11               up    down
ge-0/0/12               up    down
ge-0/0/13               up    down
ge-0/0/14               up    down
ge-0/0/15               up    down
fxp2                    up    up
fxp2.0                  up    up   tnp      0x1
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            126.96.36.199       --> 0/0
                                            188.8.131.52        --> 0/0
                                            184.108.40.206      --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
st0.0                   up    up   inet
st0.1                   up    up   inet
                                   inet6    fe80::e86:100f:fcdb:e640/64
st0.2                   up    up   inet
st0.3                   up    down inet
st0.4                   up    up   inet
st0.5                   up    up   inet
                                   inet6    fe80::e86:100f:fcdb:e640/64
st0.6                   up    up   inet
st0.7                   up    up   inet
st0.8                   up    up   inet
tap                     up    up
vlan                    up    up