SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

DYN VPN IS CONNECTED BUT CAN'T CONNECT TO LOCAL REMOTE ADDRESSES

  • 1.  DYN VPN IS CONNECTED BUT CAN'T CONNECT TO LOCAL REMOTE ADDRESSES

    Posted 04-01-2015 15:23

    I set up Dyn-VPN and Junos Pulse, and it connects normally, but my remote IP did not work.

    My PC gets an address from the dynamic address pool, for example 10.10.10.2/29, but I cannot telnet or ping

     

    any remote PC in my local network list, although the Junos Pulse status is connected.

     

    In my mind the problem is in the routes or the security zones. Please help me; below is the configuration.

    Thanks and Regards,

    Razmik

     

    ###Config

    set interfaces ge-0/0/5 unit 0 family inet address 222.22.42.22/29
    set routing-instances dynvpn1 instance-type virtual-router
    set routing-instances dynvpn1 interface ge-0/0/5.0
    set routing-instances dynvpn1 routing-options static route 0.0.0.0/0 next-hop 222.22.42.21

    set access profile dynvpnaccessprofile client user1 firewall-user password XXX
    set access profile dynvpnaccessprofile client user2 firewall-user password XXX
    set access profile dynvpnaccessprofile address-assignment pool dynvpnadminpool
    set access address-assignment pool dynvpnadminpool family inet network 10.10.10.0/29
    set access address-assignment pool dynvpnadminpool family inet xauth-attributes primary-dns 10.10.10.1/32
    set access firewall-authentication web-authentication default-profile dynvpnaccessprofile

    set security ike policy ikedynvpnpolicy mode aggressive
    set security ike policy ikedynvpnpolicy proposal-set standard
    set security ike policy ikedynvpnpolicy pre-shared-key ascii-text XXX
    set security ike gateway ikedynvpngw ike-policy ikedynvpnpolicy
    set security ike gateway ikedynvpngw dynamic hostname HOST_dynvpn
    set security ike gateway ikedynvpngw dynamic connections-limit 2
    set security ike gateway ikedynvpngw dynamic ike-user-type group-ike-id
    set security ike gateway ikedynvpngw external-interface ge-0/0/5.0
    set security ike gateway ikedynvpngw xauth access-profile dynvpnaccessprofile

    set security ipsec policy ipsecdynvpnpolicy proposal-set standard
    set security ipsec vpn dynvpn ike gateway ikedynvpngw
    set security ipsec vpn dynvpn ike ipsec-policy ipsecdynvpnpolicy

    set security zones security-zone dynvpn interfaces ge-0/0/3.0 host-inbound-traffic system-services ike
    set security zones security-zone dynvpn interfaces ge-0/0/3.0 host-inbound-traffic system-services https
    set security zones security-zone dynvpn interfaces ge-0/0/3.0 host-inbound-traffic system-services ping
    set security zones security-zone dynvpn interfaces ge-0/0/3.0 host-inbound-traffic system-services ssh

    set security policies from-zone dynvpn to-zone trust policy dynvpn_POLICY_TO_trust match source-address any
    set security policies from-zone dynvpn to-zone trust policy dynvpn_POLICY_TO_trust match destination-address any
    set security policies from-zone dynvpn to-zone trust policy dynvpn_POLICY_TO_trust match application any
    set security policies from-zone dynvpn to-zone trust policy dynvpn_POLICY_TO_trust then permit tunnel ipsec-vpn dynvpn

    set security policies from-zone trust to-zone dynvpn policy dynvpn_POLICY_FROM_trust match source-address any
    set security policies from-zone trust to-zone dynvpn policy dynvpn_POLICY_FROM_trust match destination-address any
    set security policies from-zone trust to-zone dynvpn policy dynvpn_POLICY_FROM_trust match application any
    set security policies from-zone trust to-zone dynvpn policy dynvpn_POLICY_FROM_trust then permit

    set security dynamic-vpn access-profile dynvpnaccessprofile
    set security dynamic-vpn clients all remote-protected-resources 0.0.0.0/0
    set security dynamic-vpn clients all remote-exceptions 0.0.0.0/0
    set security dynamic-vpn clients all ipsec-vpn dynvpn
    set security dynamic-vpn clients all user user1
    set security dynamic-vpn clients all user user2



  • 2.  RE: DYN VPN IS CONNECTED BUT CAN'T CONNECT TO LOCAL REMOTE ADDRESSES

    Posted 04-01-2015 20:56

    Hi,

     

    What is the IP of the remote PC or resource you are trying to access?

    Is it in the same subnet as the pool IP? If it is in the same subnet, use proxy-arp on the internal interface connected to the remote resource.

    Also check that you have the right policies permitting the traffic.

    Also ensure that the remote resources send the reply back to the firewall for the dvpn clients.

     

    this is very useful :

    http://kb.juniper.net/KB17220

     

     

    Regards,
    C_R
    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too



  • 3.  RE: DYN VPN IS CONNECTED BUT CAN'T CONNECT TO LOCAL REMOTE ADDRESSES

    Posted 04-02-2015 01:44

    In my mind the problem is in the route, because when I delete the default route and assign the client a real dynamic IP, for that time the VPN works perfectly.

     

     

     



  • 4.  RE: DYN VPN IS CONNECTED BUT CAN'T CONNECT TO LOCAL REMOTE ADDRESSES

     
    Posted 04-02-2015 03:55

    Hi Razmik,

     

    I am not sure if deleting the default route for the dynamic VPN is a good idea. Can you try the steps below?

     

    add the default route back

     

    Replace 0.0.0.0/0 with your local subnet in

    set security dynamic-vpn clients all remote-protected-resources 0.0.0.0/0

     

    for example

    delete security dynamic-vpn clients all remote-protected-resources 0.0.0.0/0

    set security dynamic-vpn clients all remote-protected-resources 192.168.1.0/24  --> Assuming this is your local subnet

    Commit

     

    If your local subnet is the same as 10.10.10.0/29, then you need additional configuration as in http://kb.juniper.net/InfoCenter/index?page=content&id=KB21489

     



  • 5.  RE: DYN VPN IS CONNECTED BUT CAN'T CONNECT TO LOCAL REMOTE ADDRESSES

    Posted 04-02-2015 04:30

    No, my local subnet is in another range with other IP addresses, but I changed

     

    delete security dynamic-vpn clients all remote-protected-resources 0.0.0.0/0
    set security dynamic-vpn clients all remote-protected-resources 10.20.1.0/26

     

     

    but the result is the same: Pulse connects and gets an address, for example 10.10.10.7, but I can't connect, ping, or trace to the local IP.



  • 6.  RE: DYN VPN IS CONNECTED BUT CAN'T CONNECT TO LOCAL REMOTE ADDRESSES

     
    Posted 04-02-2015 04:39

    Hi Razmik,

     

    Please apply flow traceoptions as in the KB below. Use the dynamic-VPN client IP (e.g. 10.10.10.7) as the source and the local LAN machine IP as the destination.

     

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB16110

     

    The flow trace will tell us whether the SRX is dropping the packet or not.
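As an added example (not part of the reply above or of the linked KB), this is the flow traceoptions configuration the reply asks for, written for the addresses that appear in this thread: client 10.10.10.7 and LAN host 10.20.20.198 (both assumed here; substitute your own). The file name dvpn-flow.log and the filter names to-lan/from-lan are arbitrary choices.

```junos
set security flow traceoptions file dvpn-flow.log
set security flow traceoptions file size 10m
set security flow traceoptions file files 3
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter to-lan source-prefix 10.10.10.7/32
set security flow traceoptions packet-filter to-lan destination-prefix 10.20.20.198/32
set security flow traceoptions packet-filter from-lan source-prefix 10.20.20.198/32
set security flow traceoptions packet-filter from-lan destination-prefix 10.10.10.7/32
commit
```

Two filters are used on purpose: to-lan shows whether the SRX accepts the client's packet (session creation, policy match, route lookup), while from-lan shows whether a reply ever comes back from the LAN host. A trace that contains only to-lan entries and a successfully created session points at the return path (the LAN host's route, or the routing instance the VPN terminates in) rather than at a policy drop. Read the result with "show log dvpn-flow.log", and deactivate the traceoptions ("deactivate security flow traceoptions" followed by commit) as soon as you are done, since basic-datapath tracing costs CPU and disk on a production firewall.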



  • 7.  RE: DYN VPN IS CONNECTED BUT CAN'T CONNECT TO LOCAL REMOTE ADDRESSES

    Posted 04-02-2015 07:55

    Hi Rsuraj,

    Thanks for the help. Please view the debug log file and, if you can, please help me.

     

    Regards,

    Razmik

     

    Attachment(s)

    txt
    debug_log.txt   7 KB 1 version


  • 8.  RE: DYN VPN IS CONNECTED BUT CAN'T CONNECT TO LOCAL REMOTE ADDRESSES

     
    Posted 04-02-2015 08:05
    As per the debug, the SRX is not dropping the packet; we can see the session created successfully. But we don't see a reply from 10.20.20.198. Can you check this device and confirm there is a route for 10.10.10.5 pointing to the SRX LAN interface?


  • 9.  RE: DYN VPN IS CONNECTED BUT CAN'T CONNECT TO LOCAL REMOTE ADDRESSES

    Posted 04-02-2015 08:29

    I confirm that 10.20.20.198 has a route to the SRX LAN interface,

     

    but on the SRX device, when I run traceroute 10.10.10.5, it goes to another external IP address, which is configured as my primary default gateway. I have two primary addresses: one for our web site, and the other interface is for the Dyn VPN. For that case I created this:

     

    set interfaces ge-0/0/5 unit 0 family inet address 222.22.42.22/29
    set routing-instances dynvpn1 instance-type virtual-router
    set routing-instances dynvpn1 interface ge-0/0/5.0
    set routing-instances dynvpn1 routing-options static route 0.0.0.0/0 next-hop 222.22.42.21

     

     

    this is traceroute

     

    root@lopez# run traceroute 10.10.10.5
    traceroute to 10.10.10.5 (10.10.10.5), 30 hops max, 40 byte packets
     1  88.139.8.177 (88.139.8.177)  16.308 ms  19.311 ms  18.965 ms
     2  88.139.0.166 (88.139.0.166)  18.435 ms  12.257 ms  19.904 ms
     3  88.139.0.26 (88.139.0.26)  18.195 ms  11.778 ms  19.139 ms
     4  host-88-241-177-193.customer.co.ge (88.241.177.193)  28.401 ms  11.500 ms  19.157 ms
     5  *

     

     

     

    In my mind, if the 10.10.10.5 route went to my VPN interface my problem would be solved, but when I add the route

    set routing-options static route 10.10.10.0/29 next-hop 222.22.42.22 the SRX does not recognize this route and the packet goes to the other external interface.

     



  • 10.  RE: DYN VPN IS CONNECTED BUT CAN'T CONNECT TO LOCAL REMOTE ADDRESSES

     
    Posted 04-02-2015 08:36
    Can you share "srx> show route 10.10.10.5 " and "srx> show route 10.20.20.198"?


  • 11.  RE: DYN VPN IS CONNECTED BUT CAN'T CONNECT TO LOCAL REMOTE ADDRESSES

    Posted 04-02-2015 08:46

    root@srx# run show route 10.10.10.5
    inet.0: 147 destinations, 149 routes (147 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    0.0.0.0/0          *[Static/5] 3w6d 00:30:25
                        > to 88.139.8.177 via ge-0/0/12.0

    dynvpn1.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    0.0.0.0/0          *[Static/5] 02:03:44
                        > to 222.22.42.21 via ge-0/0/5.0

     

    root@srx# run show route 10.20.20.198

    inet.0: 147 destinations, 149 routes (147 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    10.20.20.192/26     *[Direct/0] 1w4d 03:55:29
                        > via ge-0/0/15.0

    dynvpn1.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    0.0.0.0/0          *[Static/5] 02:06:09
                        > to 222.22.42.21 via ge-0/0/5.0

     



  • 12.  RE: DYN VPN IS CONNECTED BUT CAN'T CONNECT TO LOCAL REMOTE ADDRESSES
    Best Answer

     
    Posted 04-02-2015 08:59
    Your dynamic VPN is terminated on routing instance dynvpn1, but in that instance there is no route for 10.20.20.198. Please add a route for this subnet under routing instance dynvpn1. You can try the option below. If this doesn't work you need to import the interface routes into the dynvpn1 instance.

    set routing-instances dynvpn1 routing-options static route 10.20.20.192/26 next-table inet.0
    commit
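The "show route" output above is the whole diagnosis: the VPN's routing instance only has a default route, so a client packet for 10.20.20.198 would be sent out ge-0/0/5.0 toward the Internet instead of the LAN. The following script is an added example (not from the thread or from Juniper) that parses that pasted output, does the longest-prefix match per table the way the forwarding engine would, and flags a VPN routing instance that does not resolve the LAN host onto the LAN interface. The sample text is constructed from the two outputs posted above; the AFTER_IMPORT variant, showing the direct route present in dynvpn1.inet.0, is an assumption of what the table looks like once the interface route has been imported. The parser only understands the simple one-next-hop layout shown in the thread.

```python
import ipaddress
import re

# Constructed sample: the two "show route" outputs pasted in this thread,
# merged and trimmed to the lines that matter.
BEFORE_IMPORT = """\
inet.0: 147 destinations, 149 routes (147 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 3w6d 00:30:25
                    > to 88.139.8.177 via ge-0/0/12.0
10.20.20.192/26     *[Direct/0] 1w4d 03:55:29
                    > via ge-0/0/15.0

dynvpn1.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 02:03:44
                    >to 222.22.42.21 via ge-0/0/5.0
"""

# Constructed (assumed, not thread output): the same tables after the LAN's
# direct route has been imported into dynvpn1.inet.0.
AFTER_IMPORT = BEFORE_IMPORT + """\
10.20.20.192/26     *[Direct/0] 00:01:10
                    > via ge-0/0/15.0
"""

TABLE_RE = re.compile(r"^(\S+):\s+\d+ destinations")
PREFIX_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+/\d+)\s+\*?\[(\w+)/\d+\]")
NEXTHOP_RE = re.compile(r"^\s+>\s*(?:to (\S+) )?via (\S+)")


def parse_show_route(text):
    """Return {table_name: [route, ...]} from Junos 'show route' text.

    Each route is a dict with network (ip_network), protocol, next_hop and
    interface. Only the last next hop printed for a route is kept.
    """
    tables, current, entry = {}, None, None
    for line in text.splitlines():
        m = TABLE_RE.match(line)
        if m:                       # "inet.0: 147 destinations, ..."
            current = m.group(1)
            tables[current] = []
            continue
        m = PREFIX_RE.match(line)
        if m and current is not None:   # "10.20.20.192/26  *[Direct/0] ..."
            entry = {"network": ipaddress.ip_network(m.group(1)),
                     "protocol": m.group(2), "next_hop": None, "interface": None}
            tables[current].append(entry)
            continue
        m = NEXTHOP_RE.match(line)
        if m and entry is not None:     # "> to 88.139.8.177 via ge-0/0/12.0"
            entry["next_hop"], entry["interface"] = m.group(1), m.group(2)
    return tables


def lookup(routes, address):
    """Longest-prefix match of address against one table; None if no route."""
    addr = ipaddress.ip_address(address)
    best = None
    for r in routes:
        if addr in r["network"] and (
                best is None or r["network"].prefixlen > best["network"].prefixlen):
            best = r
    return best


def resolve_all(text, address):
    """Map every table to the (prefix, egress interface) that wins for address."""
    out = {}
    for name, routes in parse_show_route(text).items():
        r = lookup(routes, address)
        out[name] = (str(r["network"]), r["interface"]) if r else None
    return out


def vpn_table_reaches_lan(text, vpn_table, lan_host, lan_interface):
    """True only if the VPN's instance sends lan_host out the LAN interface."""
    r = lookup(parse_show_route(text)[vpn_table], lan_host)
    return r is not None and r["interface"] == lan_interface


if __name__ == "__main__":
    for label, text in (("before import", BEFORE_IMPORT), ("after import", AFTER_IMPORT)):
        print(label, resolve_all(text, "10.20.20.198"))
        print("  dynvpn1 reaches LAN:",
              vpn_table_reaches_lan(text, "dynvpn1.inet.0", "10.20.20.198", "ge-0/0/15.0"))
```

On the thread's output the check reports dynvpn1.inet.0 resolving 10.20.20.198 via 0.0.0.0/0 to ge-0/0/5.0, i.e. the VPN client's traffic for an internal host leaving through the Internet-facing interface, which is exactly why the LAN host never sees it. After a next-table route or a rib-group import the same lookup lands on 10.20.20.192/26 via ge-0/0/15.0.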



  • 13.  RE: DYN VPN IS CONNECTED BUT CAN'T CONNECT TO LOCAL REMOTE ADDRESSES

    Posted 04-02-2015 09:20

    Thanks  A lot for your support

     

    I added this

    set routing-instances dynvpn1 routing-options static route 10.20.20.192/26 next-table inet.0
    commit

     

    but it doesn't work, and I don't know how to import interface routes into the dynvpn1 instance.

     

    Thanks in advance

    Razmik

     



  • 14.  RE: DYN VPN IS CONNECTED BUT CAN'T CONNECT TO LOCAL REMOTE ADDRESSES

     
    Posted 04-02-2015 09:39
    Please follow the KB below to import direct/interface routes between routing instances:
    http://kb.juniper.net/InfoCenter/index?page=content&id=KB19787

    The KB below explains VPNs on routing instances:

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB16453

    If you still face the issue, please apply the traces again.


  • 15.  RE: DYN VPN IS CONNECTED BUT CAN'T CONNECT TO LOCAL REMOTE ADDRESSES

    Posted 04-02-2015 10:15

    Dear friend, when I add

     

    set routing-instances dynvpn1 interface reth15.0

     

    this,

     

    my node1 restarted after the commit and I see a yellow alarm, but the VPN IS WORKING!!!



  • 16.  RE: DYN VPN IS CONNECTED BUT CAN'T CONNECT TO LOCAL REMOTE ADDRESSES

     
    Posted 04-02-2015 10:21
    That's great. Yeah, putting reth15 in the routing instance is the easiest way compared to route imports. Glad that everything is working.


  • 17.  RE: DYN VPN IS CONNECTED BUT CAN'T CONNECT TO LOCAL REMOTE ADDRESSES

    Posted 04-02-2015 12:41

    Dear friend, but when I put reth15, which is our office's local interface, in the routing instance, I can't connect to other local servers on different subnets of our office. In my mind it is because the traffic is going via the VPN. It is a problem because we connect to some web applications which are not in the local subnet.

     

    what do you think about it ?

     

    Thanks,

    Razmik



  • 18.  RE: DYN VPN IS CONNECTED BUT CAN'T CONNECT TO LOCAL REMOTE ADDRESSES

     
    Posted 04-02-2015 21:41

    Yeah, this may happen. Please do the interface route import as in KB19787.

     

    Please apply the configuration below to do the route import.

     

    set routing-options rib-groups To-Dynvpn1 import-rib inet.0
    set routing-options rib-groups To-Dynvpn1 import-rib dynvpn1.inet.0
    set routing-options interface-routes rib-group inet To-Dynvpn1
    set routing-instances dynvpn1 routing-options interface-routes rib-group inet To-Dynvpn1

    commit

     

     

     



  • 19.  RE: DYN VPN IS CONNECTED BUT CAN'T CONNECT TO LOCAL REMOTE ADDRESSES

    Posted 04-02-2015 23:41

    Hi Suraj,

    Thanks for the answer,

     

    and before I do the route import, do I need to delete this, or not?

     

    delete routing-instances dynvpn1 interface reth15.0

    commit

     

     

    P.S.

    I want to inform you that I deleted this (delete routing-instances dynvpn1 interface reth15.0), because right now it is working hours in our office and our employees are working.

     

    Thanks,

    Razmik



  • 20.  RE: DYN VPN IS CONNECTED BUT CAN'T CONNECT TO LOCAL REMOTE ADDRESSES

     
    Posted 04-02-2015 23:50

    Yes, please do that, even though it won't cause an issue if the route import is successful. It will help us get back to the original design/configuration.

     

     



  • 21.  RE: DYN VPN IS CONNECTED BUT CAN'T CONNECT TO LOCAL REMOTE ADDRESSES

    Posted 04-03-2015 00:23

    Suraj, please confirm the configuration before I commit. Please have a look, friend:

     

    delete routing-instances dynvpn1 interface reth15.0

    set routing-options rib-groups To-Dynvpn1 import-rib inet.0
    set routing-options rib-groups To-Dynvpn1 import-rib dynvpn1.inet.0
    set routing-options interface-routes rib-group inet To-Dynvpn1
    set routing-instances dynvpn1 routing-options interface-routes rib-group inet To-Dynvpn1

    commit

     

     

    and should I add this or not?

    set routing-instances dynvpn1 routing-options static route 10.20.20.192/26 next-table inet.0

     

     

    Thanks,

    Razmik

     



  • 22.  RE: DYN VPN IS CONNECTED BUT CAN'T CONNECT TO LOCAL REMOTE ADDRESSES

     
    Posted 04-03-2015 00:34

    We can delete the static route pointing to next-table inet.0.

     

    delete routing-instances dynvpn1 interface reth15.0

    delete routing-instances dynvpn1 routing-options static route 10.20.20.192/26 next-table inet.0

    set routing-options rib-groups To-Dynvpn1 import-rib inet.0
    set routing-options rib-groups To-Dynvpn1 import-rib dynvpn1.inet.0
    set routing-options interface-routes rib-group inet To-Dynvpn1
    set routing-instances dynvpn1 routing-options interface-routes rib-group inet To-Dynvpn1

    commit

     

     

     

     



  • 23.  RE: DYN VPN IS CONNECTED BUT CAN'T CONNECT TO LOCAL REMOTE ADDRESSES

    Posted 04-03-2015 07:46

    I did this, but with no result; my local interface cannot respond :(((((

     

     

    Thanks Razmik

     

     



  • 24.  RE: DYN VPN IS CONNECTED BUT CAN'T CONNECT TO LOCAL REMOTE ADDRESSES

    Posted 04-03-2015 08:03

    In my mind I made a mistake in the configuration.

    Can I add some routes on the SRX for the local network?

     

     

    but when I view run show route table dynvpn1.inet.0

     

    all my routes are in it. I don't know why the local interface did not respond :(((((



  • 25.  RE: DYN VPN IS CONNECTED BUT CAN'T CONNECT TO LOCAL REMOTE ADDRESSES

     
    Posted 04-03-2015 09:28
    Please apply flow traceoptions as discussed earlier and check whether the SRX is dropping.


  • 26.  RE: DYN VPN IS CONNECTED BUT CAN'T CONNECT TO LOCAL REMOTE ADDRESSES

    Posted 04-03-2015 13:16

    Hi Suraj,

     

    Please see the log file.

     

    In my mind it is either no route to the host or no NAT?

     

    Thanks In advance,

    Razmik

    Attachment(s)

    txt
    Log_debug_new.txt   21 KB 1 version