SRX

Good Afternoon Everyone,

 

I've had a deal of success on the Juniper forums in the past so I thought I would reach out for help once again.

 

First let me just say that even after a year I am still very much a Juniper newb and still learning the ins and outs as I only visit my networking gear when I need to configure something new.

 

So, this month's task has me trying to set up our company VPN for external users. The best document I could find is here: https://www.juniper.net/documentation/en_US/junos12.1/topics/example/vpn-security-dynamic-example-configuring.html#jd0e38

 

I pretty much followed that document to the letter minus the specifics to our network. I currently have three addresses configured on ge-0/0/0.0 Two of them are for Citrix (going away soon) and our PBX. The third is the address I want to use with the VPN. The address I want to use is pingable from outside of the network, but that's about all I get. I've downloaded and installed Pulse Secure 5.1 and when I try to connect to the IP address it fails with the general 1453 Network Error. While I eventually want to get a purchased certificate, use RADIUS, and an external DHCP server currently I am using everything built in to the firewall. There are currently no external components that the VPN configuration is using.

 

I guess I am asking for networking assistance 101 because after setting everything up I can't connect and am not even sure where to start looking.

 

If it is advantageous I can post my configuration if needed.

 

I appreciate any and all help!

 

Thank you,

Michael

Michael,

 

Are you using Windows 7 by any chance? Please check:

 

https://kb.juniper.net/InfoCenter/index?page=content&id=KB32401&pmv=print&actp=METADATA&searchid=&type=currentpaging

 

I am not, this is a Windows 10 1903 box. I will load up Wireshark in the morning though to see if I can get more details from a packet capture.

Please also check:

 

1. Is HTTPS and IKE allowed as host-inbound-traffic?

 

> show interfaces externsive ge-0/0/0 | find security

 

2. No firewall filter is applied on the loopback interface nor the ge-0/0/0 that might be blocking the connection.

3. No NAT rules are using the address of the ge-0/0/0 that you want to use for connecting to the SRX, else the HTTPS and IKE traffic might be redirected to a different host.

 

I checked the security this morning and here is the output:

 

Allowed host-inbound traffic : dhcp tftp https ike ping ssh

 

I've not created any firewall rules or filters for the public IP address.

 

The only NATs are for the other two IP addresses on that interface directing Citrix and/or PBX traffic.

 

The most I have done with the third IP address is assigned it to the interface. I'm working on Wireshark now. More to come.

 

Thanks.

With Wireshark I see the initial connection attempt, while waiting on a response from the SRX I do get 4 TCP retransmissions, but I am not sure if that is relavant.

 

After about 15 seconds I get a RST, ACK flag of Reset: Set from the public IP address I am trying to connect to.

 

I don't spend too much time with Wireshark, but my thought is that the SRX is resetting the connection, though I have no idea why.

Hi Michael,

 

Do you have Destination NAT or Static NAT on port 443 for the public IP address to which you're connecting the VPN?

 

Open browser, type https://<public ip address> and let me know whether you're getting Dynamic VPN page or any other page. 

I do not. To be honest, looking at some videos I thought I would get the login to download the Pulse Secure client (based on a video a found while searching the web), but after a few seconds it just comes back with "Page could not be found."

 

To be honest, looking at the configuration I originally linked I thought it would work after the configuration was complete. There is no static or destination NAT set for the public IP address I am intending to use.

 

Thank you.

Hi Michael,

 

Can you please share your configuration in display-set format so that I can take a look?

Certainly, please find the requested configuration attached. I have gone through and replaced any network\naming configurations with <    > to obfuscate any specific data, but if there is something you need let me know.

 

The only configuration that sticks out to me as a potential problem is "set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0" more because I am just looking for a problem and I may just be grasping at straws.

 

If you need anything else let me know and thank you for taking the time to look at this.

Yes,

 

No destination nor static NAT rule are affecting the traffic.

 

Chances are that packets from your PC are not reaching the SRX or that a device in between is dropping them and replying instead. Please check that the traffic is reaching the SRX

-Confirm if there is any session during the connection test

    show security flow session destination-prefix [SRX_External_IP] source-prefix [PC_Public_IP] destination-port 443

-Apply a counter on the external interface of the SRX

    set firewall family inet filter FILTER term 1 from source-address [PC_Public_IP]
    set firewall family inet filter FILTER term 1 from destination-address [SRX_Public_IP]
    set firewall family inet filter FILTER term 1 from destination-port 443
    set firewall family inet filter FILTER term 1 then count COUNTER
    set firewall family inet filter FILTER term 1 then accept
    set firewall family inet filter FILTER term ALLOW_ELSE then accept

    set interfaces ge-0/0/0 unit 0 family inet filter input FILTER

    commit

    [try the test]

    >show firewall

-Perform a packet capture on the external interface of the SRX:

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB11709

 

 

Could you add ge-0/0/0 under web-management and try a commit full?

 

# set system services web-management https interface ge-0/0/0

# commit full

 

Can you provide a "show version" and a "show system license" as well?

 

 

Depending on your version, you might want to change the following line:

 

set security ike gateway dyn-vpn-local-gw xauth access-profile dyn-vpn-access-profile

 

With the following

 

set security ike gateway dyn-vpn-local-gw aaa access-profile dyn-vpn-access-profile

 

Ref: https://forums.juniper.net/t5/SRX-Services-Gateway/SRX-IPsec-client-VPN/td-p/320612

 

 

 

Thanks for the responses everyone. I will be working through these and providing my results. It will likely be Monday before I have anything, but once I do I will be sure to post them. Thanks again for the direction and giving me something to work with!

Good morning,

 

I'll start by saying....I'm an idiot. Thank you lpaniagua for the following statement:

 

Chances are that packets from your PC are not reaching the SRX or that a device in between is dropping them and replying instead. Please check that the traffic is reaching the SRX

 

This is exactly what was going on, I assume because the Dynamic VPN configuration takes into account untrust to trust only? I was testing from inside the network and I'm guessing that the configuration (taken from the web) doesn't account for trust to trust VPN connections?

 

Anyway, I worked on this over the weekend and I am getting somewhere, though it still doesn't work properly.

 

First off I am able to hit the dynamic vpn index from offsite, but the SRX no longer houses the pulse client and directs you to downloading it from the pulse website. This is fine, I just wanted to see if I could connect to it.

 

When I launch the pulse client I get a response that the certificate is invalid, this is expected. I give my local username and firewall and get data back on 4 sessions using:

 

show security flow session destination-prefix [SRX_External_IP] source-prefix [PC_Public_IP] destination-port 443

 

All are ins/outs from the Client I am connecting from and the SRX.

 

At this point the Pulse Secure client just sits and spins on connecting.

 

The following commands show no connections:

 

show security ike security-associations

show security ike active-peer

show security ipsec security-associations

show security dynamic-vpn users

 

I have not set up the packet captures yet since I am not sure it is needed now that I am pivoting from my original issue. If that would still be beneficial then I can set it up.

 

The version is an older one and I need to upgrade it:

Model: srx340
Junos: 15.1X49-D70.3
JUNOS Software Release [15.1X49-D70.3]

 

I haven't added the additional licenses yet. Figured I would get it working before adding the 60 of them.

 

Licenses Licenses Licenses Expiry
Feature name used installed needed
dynamic-vpn 0 2 0 permanent

 

I looked at swapping from xauth to aaa, but since xauth wasn't depricated until a later release than we are on aaa isn't an option in the ike gateway.

 

Anyway, this is where I am now and appreciate any additional thoughts. Thanks again for all of the help so far.

 

Michael

 

Michael,

 

Nice, we are one step closer; and yes, the SRX assumes that the packets will come from the untrust zone.

 

Dynamic VPN has 2 stages:

 

    1. User authentication and downloading of the VPN parameters to the PC. This is done over HTTPs.

    2. VPN establishment. This works over UDP 500 (IKE)

 

Just to double check, you are getting prompted for username and password right? once or twice? (the very first time you connect you could get prompted twice)

 

On the pulse client you are choosing SRX option/connection?

 

Can you add the following command:

 

set access profile dyn-vpn-access-profile authentication-order password

 

I believe the problem is with the authentication instead of the VPN establishment. Lets gather general-authentication traceoptions:

 

# set system processes general-authentication-service file AUTH
# set system processes general-authentication-service flag all
# commit

[try connecting]

> show log AUTH

 

When connecting try to confirm if the Pulse client has downloaded any VPN parameters from the SRX:

         

          Open Pulse

          Press "Ctrl + F2"

          Go to "Active Connections" and choose the connection to the SRX. Then look for "Tunnel Configuration" Tab.

 

If it is possible to upgrade to the recommended code it will be advisable: 15.1X49-D170  https://kb.juniper.net/KB21476

 

 

I am getting prompted for a username and password, however, while the expected behavior is twice, I am only getting it once and then it just hangs on connecting. I never get the second expected prompt.

 

The Pulse Client is set to Firewall (SRX) with the IP address of the Firewall.

 

I get the certificate warning and then a prompt. I provide the credentials and then it just sits and spins.

 

Since entering the first set of credentials I am not prompted again when connecting to the SRX, it just sits on the connecting screen with a cancel option.

 

I have downoaded the latest recommended release of JunOS for the SRX and will get it upgraded after business hours tonight.

 

The auth log is attached. I see lots of successes, but lots of failed too....

 

It looks like the client has downloaded the VPN parameters as the information below matches what was configured initially:

 

Configuration: <Public SRX IP> (Public SRX IP)

Tunnel Endpoint IP . . . . . . . . . . . . . : Public SRX IP
Tunnel Virtual Adapter IPv4. . . . . . . . . : 0.0.0.0
Tunnel Virtual Adapter IPv6. . . . . . . . . : N/A
Tunnel Type. . . . . . . . . . . . . . . . . : VPN
Tunnel Transport . . . . . . . . . . . . . . : ESP

IKE parameters:
Encryption . . . . . . . . . . . . . . . : Match Gateway
Authentication . . . . . . . . . . . . . : Match Gateway
Rekey (secs) . . . . . . . . . . . . . . : 0

IPSec parameters:
Encryption . . . . . . . . . . . . . . . : Match Gateway
Authentication . . . . . . . . . . . . . : Match Gateway
Rekey (secs) . . . . . . . . . . . . . . : 3600

Protected networks (IPSec):
IP Address . . . . . . . . . . . . . . . : 192.0.0.0
Subnet Mask. . . . . . . . . . . . . . . : 255.0.0.0
Option . . . . . . . . . . . . . . . . . : route

IP Address . . . . . . . . . . . . . . . : 0.0.0.0
Subnet Mask. . . . . . . . . . . . . . . : 0.0.0.0
Option . . . . . . . . . . . . . . . . . : passthrough

 

The fact that you can see the VPN parameters on Pulse means that the client is authenticated properly and provided with those parameters, however I believe that we might be seeing a DHCP issue and Im not sure why becuase I think the configuration is fine so lets see what happens after the upgrade. Im mentioning the DHCP problem becuase in the traceoptions I can see Address Allocation failed messages. Do you recognize the highlighted MAC address?

 

Sep  9 18:04:01.757296 Processing address request in default:default network 192.168.0.1 mac 54:33:CB:48:70:8F
.
.
.
Sep  9 18:04:01.759948 Framework: auth result is 15. Performing post-auth operations
Sep  9 18:04:01.759976 Framework: result is 15.
Sep  9 18:04:01.760008 authd_auth_send_answer: conn=289d000, reply-code=14 (ADDRALLOC FAIL), result-subopcode=15 (INTERNAL_ERROR), session-id:7436, cookie=96381, rply_len=28, num_tlv_blocks=0

Unfortunately the upgrade has to wait until this evening. Our office is on a deadline and I was unable to take down the network last night. I have this scheduled for this evening though and should be able to move ahead.

 

Very interesting on that MAC address....it is my cell phone.

Evening,

 

So, new day, same problem, but hopefully this will be helpful.....

 

The upgrade to the SRX is complete and I am now on the recommended version. I also modified the configuration from xauth to aaa as per the deprecation mentioned previously.

 

Once all that was said and done I attempted the connection to the VPN and gathered the new auth log. You can find it attached. To be honest, I am not sure what else needs to be changed (if there is anything that needs to be changed other than the xauth in security).

 

I'm still seeing the same behavior. I get the initial connection, allow the certificate, authenticate the first time, get the IKE policy from phase I, but if I am understanding things correctly I am never getting to phase II or the VPN tunnel.

 

Hopefully the new log provides some insight to someone who can decode it better than myself.

 

Let me know what else I can provide and thank you again. (side note, no idea what is up with the timestamps in the log file)

Did you change the username you are using with "user" in the uploaded file?

 

Sep 11 00:00:56.879189 ###################################################################
Sep 11 00:00:56.879219 ########################### AUTH REQ RCVD #########################
Sep 11 00:00:56.879244 ###################################################################
Sep 11 00:00:56.879269 Auth-FSM: Process Auth-Request for session-id:9256304617720733588
Sep 11 00:00:56.879311 Framework: Starting authentication
Sep 11 00:00:56.879345 authd_advance_module_for_aaa_request_msg: result:0
Sep 11 00:00:56.879379 Authd module start session-id:9256304617720733588
Sep 11 00:00:56.879414 Local : authd_local_start_auth: got params  profile=dyn-vpn-access-profile, username= <user>
Sep 11 00:00:56.879441 Local : start authd_local_lookup
Sep 11 00:00:56.879467 Local : profile dyn-vpn-access-profile found
Sep 11 00:00:56.879493 Local : client  <user> found
Sep 11 00:00:56.879519 Local : passwords matched
Sep 11 00:00:56.879544 authd_auth_module_start: session-id:9256304617720733588 result = 2 start_auth; state = 0
Sep 11 00:00:56.879582 REQUEST: AUTHEN - module_index 0 module(password) return: SUCCESS
Sep 11 00:00:56.879615 authd_auth_update_local_server_address Searching access profile dyn-vpn-access-profile for local DNS Server
Sep 11 00:00:56.879644 Framework: auth result is 1. Performing post-auth operations
Sep 11 00:00:56.879672 (authd_update_session_options) num_tlv_blocks:0
Sep 11 00:00:56.879697 Framework: Initialising response list
Sep 11 00:00:56.879735 Framework: Updating session timeout (599999940) in response for user ' <user>' from profile 'dyn-vpn-access-profile'
Sep 11 00:00:56.879764 Framework: length of first client-group if already present = 0
Sep 11 00:00:56.879790 Framework: result is 1.
Sep 11 00:00:56.879817 authd_auth_send_answer: conn=2924000, reply-code=1 (OK), result-subopcode=1 (ACCESS_OK), session-id:9256304617720733588, cookie=3, rply_len=4476, num_tlv_blocks=1
Sep 11 00:00:56.880473 sess_timeout: 599999940
Sep 11 00:00:56.880511 authd_auth_send_answer,tlv_begin:800 tot_tlv_buf_len:0 num_tlv_blocks:0
Sep 11 00:00:56.880539 authd_auth_send_answer, rply_len:4476
Sep 11 00:00:56.880565 authd_auth_send_answer: conn is 2924000 response is 2941000 result is 1, cookie = 3 rply_len:4476 num_tlv_block = 0

 

At this point the authentication doesnt seems to be the problem, besides you are receiving the VPN parameters. During the IKE negotiation there is another authentication phase (AAA/XAUTH), this is why you should be prompted again for user and password, maybe this is failing?

 

Lets confirm if your PC is trying to establish the VPN against the SRX. When trying to connect run:

 

> show security flow session protocol udp destination-prefix [SRX_External_IP] source-prefix [PC_Public_IP] destination-port 500

> show security flow session protocol udp destination-prefix [SRX_External_IP] source-prefix [PC_Public_IP] destination-port 4500

 

The idea is to confirm if we see the IKE negotiation being triggered by the Pulse client. If so, the lets try IKE traceoptions:

 

# set security ike traceoptions file IKE-TRACE
# set security ike traceoptions flag all
# commit

> request security ike debug-enable local [SRX_External_Address] remote [PC_Public_IP] level 10
> show security ike debug-status

> run clear log IKE-TRACE

[try the connection]

> show log IKE-TRACE

 

Yes, I just tried to obfuscate as much specific information as I could. The <user> is actually the one I attempted to connect with. Maybe I’m just overly paranoid.

As soon as I get in in the morning I will provide you with the output you are requesting.

Thanks,
Michael

Good Morning,

 

Calling a show security on the flow sessions I see a connection on port 500, but nothing on port 4500 when attempting to connect via Pulse.

 

Attached you will find the trace log you requested. I'm seeing a lot of "no proposal chosen" errors for IKE phase I, though I don't really know why. Since I literally copy\pasted the configuration from the link I originally posted I thought I had that covered. You might can tell I am learning as I go, so I'm not really sure what the logs are telling me....well at least not in a manner I know how to fix it.

 

Much appreciated,

Michael

At this point the problem is the VPN establishment but I cant tell why. It looks like the SRX is not able to find VPN configuration related to the peers in question. It looks like it first tries to look for VPN configuration based on an address configured under [edit security ike gateway] however there is no address configured there due to the Dyn VPN implementation. Then it tries to look for VPN configuration based on ID (hostname under security ike gateway) and because we are using "ike-user-type group-ike-id" it also performs a partial match.

 

[Sep 11 14:55:18][<SRX> <-> <Remote PC>]  Search for a tunnel matching the IKE peers, local:<SRX>, remote:<Remote PC> IKEv1
[Sep 11 14:55:18][<SRX> <-> <Remote PC>]  iked_pm_phase1_sa_cfg_lookup_by_addr: Address based phase 1 SA-CFG lookup failed for local:<SRX>, remote:<Remote PC> IKEv1
[Sep 11 14:55:18][<SRX> <-> <Remote PC>]  iked_pm_phase1_sa_cfg_lookup_by_id called with id type 2
[Sep 11 14:55:18][<SRX> <-> <Remote PC>]  iked_pm_sa_cfg_lookup_by_id partial match type 2
[Sep 11 14:55:18][<SRX> <-> <Remote PC>]  iked_pm_dynamic_gw_local_addr_based_lookup: called with local ip:<SRX>
[Sep 11 14:55:18][<SRX> <-> <Remote PC>]  Not doing MM check since initiator=FALSE and exch_type=4
[Sep 11 14:55:18][<SRX> <-> <Remote PC>]  dynamic gateway match unsuccessful:
[Sep 11 14:55:18][<SRX> <-> <Remote PC>]  iked_pm_ike_spd_select_ike_sa: Setting tunnel-event IKE gateway configuration lookup failed during negotiation for P1-SA 7353657
[Sep 11 14:55:18][<SRX> <-> <Remote PC>]  iked_pm_ike_spd_select_ike_sa failed. rc 1, error_code: No proposal chosen
[Sep 11 14:55:18][<SRX> <-> <Remote PC>]  ikev2_fb_spd_select_sa_cb: IKEv2 SA select failed with error No proposal chosen (neg efd800)

 

Can you run the following command when setting the connection?

 

     > show security ipsec inactive-tunnels

 

Can you also delete and re-configure the IKE, IPsec and Dyn VPN configuration?

 

# delete security ike
# delete security ipsec
# delete security dynamic-vpn
# delete security policies from-zone untrust to-zone trust policy dyn-vpn-policy
# commit full
# rollback 1
# commit full

 

Try also placing the dyn vpn security-policy on top of the policy chain:

 

# edit security policies from-zone untrust to-zone trust
# insert policy dyn-vpn-policy before policy citrix-connections
# show
[confirm the dyn vpn policy is the first one]

# top
# commit

 

If the problem persists, try changing to share-ike-id:

 

# delete security ike gateway dyn-vpn-local-gw dynamic ike-user-type group-ike-id
# set security ike gateway dyn-vpn-local-gw dynamic ike-user-type share-ike-id
# commit

 

Good morning,

 

Here is the output requested:

 

>show security ipsec inactive-tunnels
Total inactive tunnels: 1
Total inactive tunnels with establish immediately: 0
ID Port Gateway Tunnel Down Reason
2 500 Dynamic tunnel configuration is ready. Waiting for peer(s) to initiate negotation (1 times)

 

Wiped the IKE, IPSec, and Dyn VPN connections and rolledback with full commits in between.

 

Put the dyn-vpn-policy at the top of the security policies.

 

Attempted the connection and had the same result.

 

Changed the ike gateway from group-ike-id to share-ike-id and attempted the connection again.

 

This time the Pulse Secure clinet fails to connect at all with Reason: Cannot process configuration provided by the firewall.

 

Thanks.

 

EDIT: By moving the policy dyn-vpn-policy to the top of the security policies it broke both our Citrix and PBX connections so I have put these back into the original order since it didn't seem to make a difference when it was at the top. Though maybe this speaks more to why this isn't working, but I am unsure if this is the case.

Michael,

 

Could you gather again IKE traceoptions in order to confirm if the error messages still the same?

 

Also try the connection from another PC and if possible with a different version of Junos Pulse and/or different Windows version.

 

I believe that having the dyn VPN security-policy on top should not have disrupted your PBX/Citrix traffic, this is weird. Please gather:

 

> show security policies from-zone untrust to-zone trust policy dyn-vpn-policy extensive
> show security policies from-zone untrust to-zone trust policy dyn-vpn-policy detail

 

Lets make sure the policy is aware that there is a VPN action related to it.

 

Good morning Andres,

 

I will get the traceoptions collected momentarily and post them (Edited to include the traceoptions file. I don't see any partial matches, but still seeing a lot of "no proposal chosen" messages.

 

I can use my machine on a hotspot and see if the behavior is any different. It is a different windows version, but I only have the latest Pulse client (I'll check to see if Juniper makes older ones available, I can't remember if they do or not). (Edited: same result coming from a different machine, but using the same Pulse client version)

 

I too found that having the order breaking traffic to be odd. I put it back in the original order (Citrix/PBX/VPN) and Citrix and PBX connections were restored.

 

It doesn't appear that extensive is an available option on this release, but detail provides the following (side note: what is the formatting to make Juniper output appear in the grey boxes, I see it all the time, but not sure what the formatting is, would probably make my responses more streamlined):

 

>run show security policies from-zone untrust to-zone trust policy-name dyn-vpn-policy detail
Policy: dyn-vpn-policy, action-type: permit, State: enabled, Index: 8, Scope Policy: 0
Policy Type: Configured
Sequence number: 3
From zone: untrust, To zone: trust
Source vrf group:
any
Destination vrf group:
any
Source addresses:
any-ipv4(global): 0.0.0.0/0
any-ipv6(global): ::/0
Destination addresses:
any-ipv4: 0.0.0.0/0
any-ipv6: ::/0
Application: any
IP protocol: 0, ALG: 0, Inactivity timeout: 0
Source port range: [0-0]
Destination port range: [0-0]
Per policy TCP Options: SYN check: No, SEQ check: No, Window scale: No
Tunnel: dyn-vpn, Type: IPSec, Index: 2

Thanks for the info, however I believe the traceoptions level was not set. Please set  the traces to level 15 with the procedure below:

 

# set security ike traceoptions file IKE-TRACE
# set security ike traceoptions flag all
# commit

> request security ike debug-enable local [SRX_External_Address] remote [PC_Public_IP] level 15
> show security ike debug-status

> run clear log IKE-TRACE

[try the connection]

> show log IKE-TRACE

 

 

Apologies. Please find attached the requested trace.

 

Thanks.

Michael,

 

At this point Im not sure what else we could try, it looks to me like a SW bug or there is something not sync properly within the SRX. The firewall continues unable to find VPN configuration related to the peers in question but everything seems to be properly configured:

 

 

[Sep 16 17:32:25][<SRX> <-> <Remote PC>]  Search for a tunnel matching the IKE peers, local:<SRX>, remote:<Remote PC> IKEv1
[Sep 16 17:32:25][<SRX> <-> <Remote PC>]  iked_pm_phase1_sa_cfg_lookup_by_addr: Address based phase 1 SA-CFG lookup failed for local:<SRX>, remote:<Remote PC> IKEv1
[Sep 16 17:32:25][<SRX> <-> <Remote PC>]  iked_pm_phase1_sa_cfg_lookup_by_id called with id type 2
[Sep 16 17:32:25][<SRX> <-> <Remote PC>]  ikev2_fb_idv2_to_idv1: Converting the IKEv2 payload ID IDa(type = fqdn (2), len = 15, value = <USER>dynvpn) to IKEv1 ID
[Sep 16 17:32:25][<SRX> <-> <Remote PC>]  ikev2_fb_idv2_to_idv1: IKEv2 payload ID converted to IKEv1 payload ID fqdn(any:0,[0..14]=<USER>dynvpn)  [userdynvpn will be the hostname used by the PC due to group-ike-id option]
[Sep 16 17:32:25][<SRX> <-> <Remote PC>]  iked_pm_sa_cfg_lookup_by_id partial match type 2
[Sep 16 17:32:25][<SRX> <-> <Remote PC>]  iked_pm_dynamic_gw_local_addr_based_lookup: called with local ip:<SRX>
[Sep 16 17:32:25][<SRX> <-> <Remote PC>]  Not doing MM check since initiator=FALSE and exch_type=4
[Sep 16 17:32:25][<SRX> <-> <Remote PC>]  dynamic gateway match unsuccessful:
[Sep 16 17:32:25][<SRX> <-> <Remote PC>]  iked_pm_ike_spd_select_ike_sa: Setting tunnel-event IKE gateway configuration lookup failed during negotiation for P1-SA 7353743
[Sep 16 17:32:25][<SRX> <-> <Remote PC>]  iked_pm_ike_spd_select_ike_sa failed. rc 1, error_code: No proposal chosen

 

 

SRX looks the gateway/VPN/Phase 1 configuration based on the address configured under [edit security ike gateway] but there is none, which is correct. Then it looks based on the hostname being used by the user trying to connect; this hostname is derived from the username and the hostname configured under [edit security ike gateway] and we can see this is correct becuase the SRX shows "<user>dynvpn".

 

I would expect to see something something similar to:

 

[Jun 30 22:32:18][125.63.65.91 <-> 157.49.69.233] iked_pm_phase1_sa_cfg_lookup_by_id called with id type 2
[Jun 30 22:32:18][125.63.65.91 <-> 157.49.69.233] iked_pm_sa_cfg_lookup_by_id partial match type 2
[Jun 30 22:32:18][125.63.65.91 <-> 157.49.69.233] iked_pm_remote_id_pattern_match: Remote IKE-ID <user>dynvpn Configured IKE-ID dynvpn
[Jun 30 22:32:18][125.63.65.91 <-> 157.49.69.233] iked_pm_remote_id_pattern_match: FQDN IKE-ID matched
[Jun 30 22:32:18][125.63.65.91 <-> 157.49.69.233]  Gateway dyn-vpn-local-gw: number of connections=0, limit=10
[Jun 30 22:32:18][125.63.65.91 <-> 157.49.69.233]  id based lookup successful: Sa_cfg:INSTANCE-dyn-vpn_0005_0009_0000 Gateway:dyn-vpn-local-gw

[Jun 30 22:32:18][125.63.65.91 <-> 157.49.69.233] ssh_ikev2_sav1_select: Proposals match

 

We have 3 IPs on ge-0/0/0, are they on the same subnet? Can you try the following command:

 

   set security ike gateway dyn-vpn-local-gw local-address <Public VPN IP Address>

   set interfaces ge-0/0/0 unit 0 family inet address <Public VPN IP Address> primary

   set interfaces ge-0/0/0 unit 0 family inet address <Public VPN IP Address> preferred

 

Also try re-installing the Pulse client and changing the hostname under [edit security ike gateway]:

 

    set security ike gateway dyn-vpn-local-gw dynamic hostname [testhostname]

 

Finally gather again the IKE traces with level 15.

 

 

 

Would you share again SRX's configuration? I would like to double-check that nothing funny was configured/introduced during recent changes while troubleshooting this problem.

 

Try also to connect with a different user, just remenber that it has to be added under [edit access] and [edit security dynamic-vpn] hierarchies.

 

Also give a try to the following command:

 

set security ike gateway dyn-vpn-local-gw general-ikeid

 

It for bypassing the IKE-IDs authentication in phase 1 negotiation.

 

Good Afternoon Andres,

 

I wanted to get a response out today with something to look over so I am supplying you with my config as it currently sits.

 

I've been swamped today and was unable to run the tests you requested, but I will try to have this done tomorrow with my results posted.

 

In the meantime please find attached my current configuration. Everything that is <text> is just internal users/networks/ports obfuscated, but if you need these details please let me know and I can PM you.

 

Let me know if anything glaringly stands out as wrong and I will look to correct it tomorrow as well.

 

Have a great night and I will post again in the morning.

 

Michael.

Good Morning,

 

Please find attached the latest trace after the configuration changes you requested.

 

Additionally I was not able to set the general-ikeid, checkout failed with the following information:

 

[edit security ike gateway dyn-vpn-local-gw]
'general-ikeid'
general-ikd-id option is not available for dynamic peer.

error: commit failed: (statements constraint check failed)

 

With your changes I went to connect from the existing machine\installation and it worked (the log file should have connection to disconnection in it). I guess the question now is what made it work and what changes do I need to make in order clean up what we have done.

 

Granted I only just got connected and haven't looked much further, but it appears I don't have access to internal resources, but that might be a topic that needs to be addressed in a new thread. I am very interested to know what made this work that wasn't working initially.

 

Thank you!

Just a quick follow-up from the weekend.

 

Firstly, I came in this morning and completely wiped out the VPN configuration and rebooted the firewall. I am not convinced there isn't something wonky going on.

 

Over the weekend I successfully connected a machine to the VPN from Azure. I was able to find all of my network resources and even added it to the domain. On subsequent connections I got completely random behavior. The attempt that followed the first was unable to ping any network resource. When connecting from a different machine entirely I was given the wrong IP address (one of my test configurations was handing out a specific IP address to my user). When I deleted the connection from Pulse and reconfigured it I was given the correct address, but still couldn't ping any network addresses. At this point I decided I would come in and wipe the configuration and start again.

 

So, that's where I am today.

Good Evening!

 

What a ride, but I think I may finally have this sorted. Before I post my spiel let me first say a BIG THANK YOU to everyone who posted here and gave their advice. Without it I would not have gotten as far as I did.

 

I am posting this in hopes that maybe someone stumbles across this in the future and my pain can ease their configuration woes.

 

So, what did I do? I wiped the whole thing out is what I did, but you knew that already from my previous post.

 

After getting back to a pre Dynamic VPN configuration I once again followed this article to attempt the configuration again:

https://www.juniper.net/documentation/en_US/junos12.1/topics/example/vpn-security-dynamic-example-configuring.html

 

As expected, following that article led me back to the same result of an initial successful connection and a pull of the IKE phase I configuration. Then I was stuck. The client just sits there "Connecting" forever. So I began going back through this thread applying each recommendation and testing again. Let me also say that I removed each one as the connection failed to see if it was a combination of things or one thing in particular that fixed my issue.

 

set access profile dyn-vpn-access-profile authentication-order password - this made no difference so I removed it.

 

set security ike gateway dyn-vpn-local-gw dynamic ike-user-type share-ike-id - this one was intersting because I actually inadvertantly used share-ike-id to begin with and when I got to the end I still couldn't connect. Turns out it has to be set to group-ike-id. So this one is a nope.

 

set security ike gateway dyn-vpn-local-gw dynamic hostname [testhostname] - confirmed that no matter what hostname I gave it it never made a difference in connection.

 

set security ike gateway dyn-vpn-local-gw local-address <Public VPN IP Address> - and now we get to the resolution of the issue. I can only assume that since I have 3 different IP addresses on a single interface the firewall has to be told which address to be used for the ike gateway. Sure enough after lots of sets/deletes this is the only configuration change that made a difference.

 

Why things were acting weird Friday I don't know, but I have been testing all night and no matter what I do I see my changes represented when I connect to the Pulse client now. So, so far <knock on wood>, so good.

 

Because this configuration was relatively basic I wanted to expand on this post with some additional information/questions for the community.

 

From my understading the configuration linked above is a split tunnel configuration which, depending on your situation, may be a no no. As I read it you are only tunneling to the protected networks defined in remote-protected-resources and everything else uses the user's internet connection. I wanted 0.0.0.0/0 protected, but this was far easier said than done. You can put 0.0.0.0/0 but you aren't going to get very far if you want your users to be able to continue to use the internet while they are connected to your VPN. I dunno, typing that, maybe you do want that and you can simply stop there. For me though, I want users to still be able to connect to the internet to do their job.

 

That's where this video (https://www.youtube.com/watch?v=J1C4300zMBU) and my questions come into play.

 

Basically, am I correct with the following configurations?

 

• Security policies for untrust to untrust to permit any source\destination\application
• Source nat from zone untrust to zone untrust match 0.0.0.0/0 then source-nat interface

While this appears to have the result I am looking for I would just like confirmation that this is the proper configuration.

It wouldn't much do to try to secure the VPN only to open a hole somewhere else.

 

I apologize for the wall-o-text, but there was a lot going on here and if nothing else I hope this helps someone out down the road.

 

I know it was a lot, but if someone wouldn't mind confirming the above question or recommending a different configuration I would really appreciate it!

 

Thanks for reading,

Michael