SRX Services Gateway

DYN-VPN - No traffic from intern to VPN-Client

‎05-11-2017 03:43 AM

Hello,

 

I have configured my SRX 320 for DYN-VPN. The client can connect to internal resources in the same zone and, with L3, to other zones, so all works fine. For example, ICMP from 5.1.1.12 (DYN-VPN client) to 5.1.1.5 (internal client) works fine.

But traffic generated from the internal client through the DYN-VPN client doesn't work/flow. I have read and tried very much but I don't find my issue.

In the attachment I uploaded my config from my test SRX and the output from a flow debug.

Regards

 

Andre 


3 REPLIES
Solution
Accepted by topic author a.schwarzer@brillux.de
‎05-11-2017 05:00 AM

Re: DYN-VPN - No traffic from intern to VPN-Client

‎05-11-2017 04:10 AM

Hi André,

 

Dynamic VPN only supports traffic sessions initiated from the dynamic VPN client. Traffic initiated from the inside to the VPN client will not work.

For this to work you will need to upgrade to 15.1X49-D80 and use the new remote access VPN client solution. Information about configuring this solution can be found here: http://forums.juniper.net/t5/Security/SSL-VPN-configuration-on-SRX-running-15-1X49-D80-4-or-higher/t...

...but please note that the new solution requires the NCP, which is a client you need to buy.

--
Best regards,

Jonas Hauge Jensen
Systems Engineer, SEC Datacom A/S (Denmark)

Re: DYN-VPN - No traffic from intern to VPN-Client

‎05-11-2017 04:16 AM

Hi Andre,

 

This is by design; in the case of Dynamic-VPN, traffic works only from the client to the SRX side.

Traffic from the Dyn_VPN towards the internal client will work without any issues; however, vice versa will not because of the dynamic VPN design.

 

regards,

Guru Prasad

 


Re: DYN-VPN - No traffic from intern to VPN-Client

‎05-11-2017 05:02 AM

Thx @ Jonas and Guru