SRX Services Gateway

Dynamic VPN Configuration (SRX 340)

2 weeks ago

Good Afternoon Everyone,

 

I've had a good deal of success on the Juniper forums in the past, so I thought I would reach out for help once again.

 

First let me just say that even after a year I am still very much a Juniper newb and still learning the ins and outs, as I only visit my networking gear when I need to configure something new.

 

So, this month's task has me trying to set up our company VPN for external users. The best document I could find is here: https://www.juniper.net/documentation/en_US/junos12.1/topics/example/vpn-security-dynamic-example-co...

 

I pretty much followed that document to the letter, minus the specifics of our network. I currently have three addresses configured on ge-0/0/0.0. Two of them are for Citrix (going away soon) and our PBX; the third is the address I want to use with the VPN. The address I want to use is pingable from outside of the network, but that's about all I get. I've downloaded and installed Pulse Secure 5.1, and when I try to connect to the IP address it fails with the general 1453 Network Error. While I eventually want to get a purchased certificate, use RADIUS, and an external DHCP server, currently I am using everything built in to the firewall. There are currently no external components that the VPN configuration is using.

 

I guess I am asking for networking assistance 101 because after setting everything up I can't connect and am not even sure where to start looking.

 

If it is advantageous, I can post my configuration.

 

I appreciate any and all help!

 

Thank you,

Michael


Re: Dynamic VPN Configuration (SRX 340)

2 weeks ago

Michael,

 

Are you using Windows 7 by any chance? Please check:

 

https://kb.juniper.net/InfoCenter/index?page=content&id=KB32401&pmv=print&actp=METADATA&searchid=&ty...

 


Re: Dynamic VPN Configuration (SRX 340)

2 weeks ago

I am not, this is a Windows 10 1903 box. I will load up Wireshark in the morning though to see if I can get more details from a packet capture.


Re: Dynamic VPN Configuration (SRX 340)

2 weeks ago

Please also check:

 

1. Are HTTPS and IKE allowed as host-inbound-traffic?

 

> show interfaces extensive ge-0/0/0 | find security

 

2. No firewall filter is applied on the loopback interface or on ge-0/0/0 that might be blocking the connection.

3. No NAT rules are using the address on ge-0/0/0 that you want to use for connecting to the SRX; otherwise the HTTPS and IKE traffic might be redirected to a different host.

 


Re: Dynamic VPN Configuration (SRX 340)

2 weeks ago

I checked the security this morning and here is the output:

 

Allowed host-inbound traffic : dhcp tftp https ike ping ssh

 

I've not created any firewall rules or filters for the public IP address.

 

The only NATs are for the other two IP addresses on that interface directing Citrix and/or PBX traffic.

 

The most I have done with the third IP address is assigned it to the interface. I'm working on Wireshark now. More to come.

 

Thanks.


Re: Dynamic VPN Configuration (SRX 340)

2 weeks ago

With Wireshark I see the initial connection attempt; while waiting on a response from the SRX I do get 4 TCP retransmissions, but I am not sure if that is relevant.

 

After about 15 seconds I get a RST, ACK (Reset flag set) from the public IP address I am trying to connect to.

 

I don't spend too much time with Wireshark, but my thought is that the SRX is resetting the connection, though I have no idea why.


Re: Dynamic VPN Configuration (SRX 340)

2 weeks ago

Hi Michael,

 

Do you have Destination NAT or Static NAT on port 443 for the public IP address to which you're connecting the VPN?

 

Open a browser, type https://<public ip address>, and let me know whether you get the Dynamic VPN page or any other page.



Thanks,
π00bm@$t€®.

Re: Dynamic VPN Configuration (SRX 340)

2 weeks ago

I do not. To be honest, looking at some videos I thought I would get the login page to download the Pulse Secure client (based on a video I found while searching the web), but after a few seconds it just comes back with "Page could not be found."

 

To be honest, looking at the configuration I originally linked I thought it would work after the configuration was complete. There is no static or destination NAT set for the public IP address I am intending to use.

 

Thank you.


Re: Dynamic VPN Configuration (SRX 340)

2 weeks ago

Hi Michael,

 

Can you please share your configuration in display-set format so that I can take a look?



Thanks,
π00bm@$t€®.

Re: Dynamic VPN Configuration (SRX 340)

2 weeks ago

Certainly, please find the requested configuration attached. I have gone through and replaced any network/naming configurations with <    > to obfuscate any specific data, but if there is something you need, let me know.

 

The only configuration that sticks out to me as a potential problem is "set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0" more because I am just looking for a problem and I may just be grasping at straws.

 

If you need anything else let me know and thank you for taking the time to look at this.


Re: Dynamic VPN Configuration (SRX 340)

2 weeks ago

Yes,

 

Neither a destination nor a static NAT rule is affecting the traffic.

 

Chances are that packets from your PC are not reaching the SRX, or that a device in between is dropping them and replying instead. Please check that the traffic is reaching the SRX:


-Confirm if there is any session during the connection test


    show security flow session destination-prefix [SRX_External_IP] source-prefix [PC_Public_IP] destination-port 443


-Apply a counter on the external interface of the SRX


    set firewall family inet filter FILTER term 1 from source-address [PC_Public_IP]
    set firewall family inet filter FILTER term 1 from destination-address [SRX_Public_IP]
    set firewall family inet filter FILTER term 1 from protocol tcp
    set firewall family inet filter FILTER term 1 from destination-port 443
    set firewall family inet filter FILTER term 1 then count COUNTER
    set firewall family inet filter FILTER term 1 then accept
    set firewall family inet filter FILTER term ALLOW_ELSE then accept


    set interfaces ge-0/0/0 unit 0 family inet filter input FILTER

    commit


    [try the test]

    > show firewall


-Perform a packet capture on the external interface of the SRX:


    https://kb.juniper.net/InfoCenter/index?page=content&id=KB11709

 

 


Re: Dynamic VPN Configuration (SRX 340)

2 weeks ago

Could you add ge-0/0/0 under web-management and try a commit full?

 

# set system services web-management https interface ge-0/0/0.0

# commit full

 

Can you provide a "show version" and a "show system license" as well?

 

 


Re: Dynamic VPN Configuration (SRX 340)

2 weeks ago

Depending on your version, you might want to change the following line:

 

set security ike gateway dyn-vpn-local-gw xauth access-profile dyn-vpn-access-profile

 

with the following:

 

set security ike gateway dyn-vpn-local-gw aaa access-profile dyn-vpn-access-profile

 

Ref: https://forums.juniper.net/t5/SRX-Services-Gateway/SRX-IPsec-client-VPN/td-p/320612

 

 

 


Re: Dynamic VPN Configuration (SRX 340)

2 weeks ago

Thanks for the responses everyone. I will be working through these and providing my results. It will likely be Monday before I have anything, but once I do I will be sure to post them. Thanks again for the direction and giving me something to work with!


Re: Dynamic VPN Configuration (SRX 340)

2 weeks ago

Good morning,

 

I'll start by saying... I'm an idiot. Thank you

Re: Dynamic VPN Configuration (SRX 340)

2 weeks ago

Michael,

 

Nice, we are one step closer; and yes, the SRX assumes that the packets will come from the untrust zone.

 

Dynamic VPN has two stages:

 

    1. User authentication and downloading of the VPN parameters to the PC. This is done over HTTPS.

    2. VPN establishment. This works over UDP 500 (IKE).

 

Just to double check, you are getting prompted for username and password, right? Once or twice? (The very first time you connect you could get prompted twice.)

 

On the Pulse client, are you choosing the SRX option/connection?

 

Can you add the following command:

 

set access profile dyn-vpn-access-profile authentication-order password

 

I believe the problem is with the authentication instead of the VPN establishment. Let's gather general-authentication traceoptions:

 

# set system processes general-authentication-service traceoptions file AUTH
# set system processes general-authentication-service traceoptions flag all
# commit

[try connecting]

> show log AUTH

 

When connecting, try to confirm whether the Pulse client has downloaded any VPN parameters from the SRX:

         

          Open Pulse

          Press "Ctrl + F2"

          Go to "Active Connections" and choose the connection to the SRX. Then look for "Tunnel Configuration" Tab.

 

If it is possible to upgrade to the recommended code, it would be advisable: 15.1X49-D170  https://kb.juniper.net/KB21476

 

 


Re: Dynamic VPN Configuration (SRX 340)

2 weeks ago

I am getting prompted for a username and password; however, while the expected behavior is twice, I am only getting it once, and then it just hangs on connecting. I never get the second expected prompt.

 

The Pulse Client is set to Firewall (SRX) with the IP address of the Firewall.

 

I get the certificate warning and then a prompt. I provide the credentials and then it just sits and spins.

 

Since entering the first set of credentials I am not prompted again when connecting to the SRX, it just sits on the connecting screen with a cancel option.

 

I have downloaded the latest recommended release of Junos for the SRX and will get it upgraded after business hours tonight.

 

The auth log is attached. I see lots of successes, but lots of failed too....

 

It looks like the client has downloaded the VPN parameters as the information below matches what was configured initially:

 

Configuration: <Public SRX IP> (Public SRX IP)

Tunnel Endpoint IP . . . . . . . . . . . . . : Public SRX IP
Tunnel Virtual Adapter IPv4. . . . . . . . . : 0.0.0.0
Tunnel Virtual Adapter IPv6. . . . . . . . . : N/A
Tunnel Type. . . . . . . . . . . . . . . . . : VPN
Tunnel Transport . . . . . . . . . . . . . . : ESP

IKE parameters:
Encryption . . . . . . . . . . . . . . . : Match Gateway
Authentication . . . . . . . . . . . . . : Match Gateway
Rekey (secs) . . . . . . . . . . . . . . : 0

IPSec parameters:
Encryption . . . . . . . . . . . . . . . : Match Gateway
Authentication . . . . . . . . . . . . . : Match Gateway
Rekey (secs) . . . . . . . . . . . . . . : 3600

Protected networks (IPSec):
IP Address . . . . . . . . . . . . . . . : 192.0.0.0
Subnet Mask. . . . . . . . . . . . . . . : 255.0.0.0
Option . . . . . . . . . . . . . . . . . : route

IP Address . . . . . . . . . . . . . . . : 0.0.0.0
Subnet Mask. . . . . . . . . . . . . . . : 0.0.0.0
Option . . . . . . . . . . . . . . . . . : passthrough

 


Re: Dynamic VPN Configuration (SRX 340)

2 weeks ago

The fact that you can see the VPN parameters on Pulse means that the client is authenticated properly and provided with those parameters; however, I believe that we might be seeing a DHCP issue, and I'm not sure why, because I think the configuration is fine, so let's see what happens after the upgrade. I'm mentioning the DHCP problem because in the traceoptions I can see "Address Allocation failed" messages. Do you recognize the highlighted MAC address?

 

Sep  9 18:04:01.757296 Processing address request in default:default network 192.168.0.1 mac 54:33:CB:48:70:8F
.
.
.
Sep  9 18:04:01.759948 Framework: auth result is 15. Performing post-auth operations
Sep  9 18:04:01.759976 Framework: result is 15.
Sep  9 18:04:01.760008 authd_auth_send_answer: conn=289d000, reply-code=14 (ADDRALLOC FAIL), result-subopcode=15 (INTERNAL_ERROR), session-id:7436, cookie=96381, rply_len=28, num_tlv_blocks=0
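An added triage script for the authd trace quoted in the reply above; it is written for this thread and is not Juniper code. It pairs each "Processing address request ... mac X" line with the next "authd_auth_send_answer ... reply-code=N (NAME)" line, so that an ADDRALLOC FAIL reply can be tied back to the MAC that asked for an address and counted per MAC. That is the question the reply is really asking: is the failing request the VPN client's, or some other device served by the same address pool (in this thread the MAC turned out to be a phone)? The sample log is constructed in the format quoted above; the SUCCESS reply line is an assumed shape added for contrast, not one the thread shows.

```python
"""Triage SRX authd trace output for address-allocation failures.

Added example for this thread, not Juniper code. Pairs each
"Processing address request ... mac X" line with the next
"authd_auth_send_answer ... reply-code=N (NAME)" line from the
general-authentication-service trace so a failed reply can be tied back
to the requesting MAC. SAMPLE_LOG is constructed in the format quoted in
the thread; the SUCCESS line is an assumed shape used for contrast.
"""
import re
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, modeled on the trace lines quoted in the thread.
SAMPLE_LOG = """\
Sep  9 18:04:01.757296 Processing address request in default:default network 192.168.0.1 mac 54:33:CB:48:70:8F
Sep  9 18:04:01.759948 Framework: auth result is 15. Performing post-auth operations
Sep  9 18:04:01.759976 Framework: result is 15.
Sep  9 18:04:01.760008 authd_auth_send_answer: conn=289d000, reply-code=14 (ADDRALLOC FAIL), result-subopcode=15 (INTERNAL_ERROR), session-id:7436, cookie=96381, rply_len=28, num_tlv_blocks=0
Sep  9 18:05:10.100001 Processing address request in default:default network 192.168.0.1 mac 00:11:22:33:44:55
Sep  9 18:05:10.100900 authd_auth_send_answer: conn=289d100, reply-code=0 (SUCCESS), result-subopcode=0 (NONE), session-id:7437, cookie=96382, rply_len=40, num_tlv_blocks=2
"""

TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}\.\d+)"
ADDR_REQ = re.compile(
    TS + r" Processing address request in (?P<ctx>\S+) network (?P<net>\S+)"
    r" mac (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
)
ANSWER = re.compile(
    TS + r" authd_auth_send_answer: .*?reply-code=(?P<code>\d+) \((?P<name>[^)]+)\)"
    r".*?session-id:(?P<sid>\d+)"
)


@dataclass
class AddressEvent:
    """One address request and the authd answer that followed it."""
    request_ts: str
    context: str
    network: str
    mac: str
    answer_ts: Optional[str] = None
    reply_code: Optional[int] = None
    reply_name: Optional[str] = None
    session_id: Optional[int] = None

    @property
    def failed(self) -> bool:
        # authd names failures like "ADDRALLOC FAIL"; an unanswered request is not counted as one.
        return self.reply_name is not None and "FAIL" in self.reply_name


def triage(log_text: str) -> List[AddressEvent]:
    """Walk the trace in order, attaching each answer to the latest open request."""
    events: List[AddressEvent] = []
    pending: Optional[AddressEvent] = None
    for line in log_text.splitlines():
        m = ADDR_REQ.match(line)
        if m:
            pending = AddressEvent(m["ts"], m["ctx"], m["net"], m["mac"].upper())
            events.append(pending)
            continue
        m = ANSWER.match(line)
        if m and pending is not None:
            pending.answer_ts = m["ts"]
            pending.reply_code = int(m["code"])
            pending.reply_name = m["name"]
            pending.session_id = int(m["sid"])
            pending = None  # request closed; a later answer belongs to a later request
    return events


def failures(events: List[AddressEvent]) -> List[AddressEvent]:
    return [e for e in events if e.failed]


def failure_counts(events: List[AddressEvent]) -> Dict[str, int]:
    """Failures per MAC: shows whether the VPN client or another pool user is failing."""
    counts: Dict[str, int] = {}
    for e in failures(events):
        counts[e.mac] = counts.get(e.mac, 0) + 1
    return counts


if __name__ == "__main__":
    # Pass the file saved from "show log AUTH" as the first argument; otherwise use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for e in triage(text):
        print(f"{e.request_ts} mac={e.mac} net={e.network} "
              f"reply={e.reply_code} ({e.reply_name}) session={e.session_id}"
              f"{' <-- FAIL' if e.failed else ''}")
    print("failures per MAC:", failure_counts(triage(text)))
```

Run it against the output of `show log AUTH` saved to a file; a MAC that fails repeatedly while the VPN client's MAC never appears points at the address pool being shared with something other than the VPN, which is a different problem from the IKE negotiation.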

Re: Dynamic VPN Configuration (SRX 340)

a week ago

Unfortunately the upgrade has to wait until this evening. Our office is on a deadline and I was unable to take down the network last night. I have this scheduled for this evening though and should be able to move ahead.

 

Very interesting on that MAC address....it is my cell phone.


Re: Dynamic VPN Configuration (SRX 340)

a week ago

Evening,

 

So, new day, same problem, but hopefully this will be helpful.....

 

The upgrade to the SRX is complete and I am now on the recommended version. I also modified the configuration from xauth to aaa, as per the deprecation mentioned previously.

 

Once all that was said and done I attempted the connection to the VPN and gathered the new auth log. You can find it attached. To be honest, I am not sure what else needs to be changed (if there is anything that needs to be changed other than the xauth in security).

 

I'm still seeing the same behavior. I get the initial connection, allow the certificate, authenticate the first time, get the IKE policy from phase I, but if I am understanding things correctly I am never getting to phase II or the VPN tunnel.

 

Hopefully the new log provides some insight to someone who can decode it better than myself.

 

Let me know what else I can provide and thank you again. (side note, no idea what is up with the timestamps in the log file)
