SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Dynamic VPN Error: SA unusable, SRX100

    Posted 06-17-2015 04:11

    Dear friends,

    I made the configuration of Dynamic VPN, as shown in the link below:

    http://www.juniper.net/documentation/en_US/junos12.1/topics/example/vpn-security-dynamic-example-configuring.html

    Something interesting is happening. I see this problem with 2 different locations.

    I can set up the VPN while I'm in the same IP subnet.

    I cannot set up the VPN when the SRX100 is outside.

    I made a deep search relating to this; I see that I'm stuck at Phase 1 authentication.

    ============================================================

    SRX100> show security ike security-associations

    Index State Initiator cookie Responder cookie Mode Remote Address
    14663 DOWN dcaf7cb8a56e1eed 0e6ff5dedfcffbd3 Aggressive 212.156.137.10

    ============================================================

    SRX100> show log kmd-logs
    Jun 17 10:59:25 SRX100 clear-log[3983]: logfile cleared
    Jun 17 10:59:25 SRX100 kmd[1371]: IKE negotiation failed with error: SA unusable. IKE Version: 1, VPN: dyn-vpn Gateway: dyn-vpn-local-gw, Local: 192.168.1.50/500, Remote: 212.156.137.106/54379, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0

    ============================================================

    I can make the status UP (and also the VPN establishes) when I'm in the same IP subnet.

    I made the required port forwardings on the remote router (in fact I forward all ports to the Juniper's Ethernet IP):

    TCP & UDP: 1701, 500, 4500, 443

    Please help me.

    Thanks in advance,

    Ugur



  • 2.  RE: Dynamic VPN Error: SA unusable, SRX100

     
    Posted 06-17-2015 04:58

    Hi,

    Can you share the Juniper configs with us also? You need to forward IP protocols ESP and AH; with most routers this can only be done by putting the device behind it in the DMZ zone.

    Why not put the SRX directly connected to the internet and remove the other router?



  • 3.  RE: Dynamic VPN Error: SA unusable, SRX100

    Posted 06-17-2015 06:51
    Hi Mark,
    They're not my own devices. They're a remote client's machines; I'm just trying to set up a remote connection (dynamic VPN), so it's not possible to connect the SRX directly to the DSL.

    Also, I put the SRX in the DMZ zone. Applications such as telnet and https are successfully forwarded; I tested.

    Here is the config. Any help will be appreciated.

    ==============================================================
    ## Last changed: 2015-06-17 16:25:36 EEST
    version 12.1X44-D35.5;
    system {
        host-name SRX100;
        time-zone Europe/Istanbul;
        root-authentication {
            encrypted-password "$1$jTUjYTt8$H/qXKRdM5lAVrtbZIE5xH1"; ## SECRET-DATA
        }
        name-server {
            208.67.222.222;
            208.67.220.220;
        }
        login {
            user vestek {
                uid 2000;
                class super-user;
                authentication {
                    encrypted-password "$1$Fxu6eQAY$lghUsuXL4HfE9Evdlldeo/"; ## SECRET-DATA
                }
            }
        }
        services {
            ssh;
            telnet;
            web-management {
                http;
                https {
                    system-generated-certificate;
                    interface fe-0/0/0.0;
                }
                session {
                    idle-timeout 60;
                }
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
            file kmd-logs {
                daemon info;
                match KMD;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
        ntp {
            server 23.101.187.68;
        }
    }
    interfaces {
        fe-0/0/0 {
            unit 0 {
                family inet {
                    address 192.168.1.50/24;
                }
            }
        }
        fe-0/0/1 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        fe-0/0/2 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        fe-0/0/3 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        fe-0/0/4 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        fe-0/0/5 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        fe-0/0/6 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        fe-0/0/7 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        vlan {
            unit 0 {
                family inet {
                    dhcp;
                }
            }
            unit 1 {
                family inet {
                    address 10.0.0.254/16;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 192.168.1.1;
        }
    }
    protocols {
        stp;
    }
    security {
        ike {
            traceoptions {
                file ike-debug;
                flag all;
            }
            policy ike-dyn-vpn-policy {
                mode aggressive;
                proposal-set standard;
                pre-shared-key ascii-text "$9$huzSKMLxNbYg"; ## SECRET-DATA
            }
            gateway dyn-vpn-local-gw {
                ike-policy ike-dyn-vpn-policy;
                dynamic {
                    hostname dynvpn;
                    connections-limit 10;
                    ike-user-type group-ike-id;
                }
                external-interface fe-0/0/0.0;
                xauth access-profile dyn-vpn-access-profile;
            }
        }
        ipsec {
            traceoptions {
                flag all;
            }
            policy ipsec-dyn-vpn-policy {
                proposal-set standard;
            }
            vpn dyn-vpn {
                ike {
                    gateway dyn-vpn-local-gw;
                    ipsec-policy ipsec-dyn-vpn-policy;
                }
            }
        }
        dynamic-vpn {
            access-profile dyn-vpn-access-profile;
            clients {
                all {
                    remote-protected-resources {
                        10.0.0.0/16;
                    }
                    remote-exceptions {
                        0.0.0.0/0;
                    }
                    ipsec-vpn dyn-vpn;
                    user {
                        vestektest;
                        vestekvpn;
                    }
                }
            }
        }
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            source {
                rule-set nsw_srcnat {
                    from zone IPTV;
                    to zone Internet;
                    rule nsw-src-interface {
                        match {
                            source-address 0.0.0.0/0;
                            destination-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone IPTV to-zone Internet {
                policy All_IPTV_Internet {
                    match {
                        source-address IPTV;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone Internet to-zone IPTV {
                policy dyn-vpn-policy {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit {
                            tunnel {
                                ipsec-vpn dyn-vpn;
                            }
                        }
                    }
                }
            }
        }
        zones {
            security-zone IPTV {
                address-book {
                    address IPTV 10.0.0.0/16;
                    address Server1 10.0.0.251/32;
                    address Server2 10.0.0.252/32;
                    address TestPC 10.0.0.100/32;
                    address-set 10.0.0.0/16 {
                        address IPTV;
                    }
                    address-set 10.0.0.251/32 {
                        address Server1;
                    }
                    address-set 10.0.0.252/32 {
                        address Server2;
                    }
                    address-set 10.0.0.100/32 {
                        address TestPC;
                    }
                }
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    vlan.1 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                                dhcp;
                                http;
                                https;
                                ssh;
                                telnet;
                            }
                        }
                    }
                }
            }
            security-zone Internet {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    fe-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
        }
    }
    access {
        profile dyn-vpn-access-profile {
            client vestektest {
                firewall-user {
                    password "$9$/5hF90IXxdw2adV.fTQn6ylK8-biHmPQn"; ## SECRET-DATA
                }
            }
            client vestekvpn {
                firewall-user {
                    password "$9$xf67wgPfzn9pzFSlKvLXGDi.Q3REyrvL"; ## SECRET-DATA
                }
            }
            address-assignment {
                pool dyn-vpn-address-pool;
            }
        }
        address-assignment {
            pool dyn-vpn-address-pool {
                family inet {
                    network 10.10.10.0/24;
                    xauth-attributes {
                        primary-dns 4.2.2.2/32;
                    }
                }
            }
        }
        firewall-authentication {
            web-authentication {
                default-profile dyn-vpn-access-profile;
            }
        }
    }
    applications {
        application RDP {
            protocol tcp;
            destination-port 3389;
        }
        application PPTP-VPN {
            protocol tcp;
            destination-port 1723;
        }
    }
    vlans {
        vlan1 {
            vlan-id 3;
            l3-interface vlan.1;
        }
    }



  • 4.  RE: Dynamic VPN Error: SA unusable, SRX100

    Posted 06-17-2015 07:58

    I'm gonna be captain obvious here, but it sounds like you're worrying about the VPN config when it sounds like you've got a gateway or netmask problem keeping basic networking from happening if you're off of the local subnet. Any chance you've been so deep in the weeds looking at VPN settings that you missed the fact that ping isn't working?

    --tc



  • 5.  RE: Dynamic VPN Error: SA unusable, SRX100
    Best Answer

     
    Posted 06-17-2015 10:22

    Hi,

    You need to do the following if you are behind NAT:

    set security ike gateway dyn-vpn-local-gw local-identity x.x.x.x <---------- this is your public internet IP that is on your DSL connection.

    So if your public IP is 212.156.137.10, then you do

    set security ike gateway dyn-vpn-local-gw local-identity 212.156.137.10

    commit

    and test the VPN connection again from the internet.



  • 6.  RE: Dynamic VPN Error: SA unusable, SRX100

    Posted 06-18-2015 00:16

    @MarcTB

    Thank you Marc, the command "local-identity" worked for me; I passed Phase 1 and Phase 2 and established the VPN.

    However, a new problem appeared.

    1. Let's say I have a dynamic VPN pool 192.168.5.0/24.
    2. My protected resources behind the SRX are 10.0.0.0/16.

    I cannot ping anywhere, including the Juniper's local interface (10.0.0.254). If I solve this, everything will be all right.

    Thanks in advance,

    Ugur



  • 7.  RE: Dynamic VPN Error: SA unusable, SRX100

     
    Posted 06-18-2015 01:07

    Hi,

    If you have your VPN up, can you ping from an inside host towards the IP of the dynamic VPN client?

    You can see how the session is established:

    show security ike active-peer

    To see a security session:

    show security match-policies source-ip <> destination-ip <> destination-port <> source-port <> protocol tcp



  • 8.  RE: Dynamic VPN Error: SA unusable, SRX100

    Posted 06-18-2015 01:14

     

    vestek@SRX100# run show security ike active-peer
    Remote Address Port Peer IKE-ID XAUTH username Assigned IP
    212.156.137.106 27400 vestekvpndynvpn vestekvpn 192.168.5.2

    Hi Marc,

    Active peer output is above. I cannot ping either from an inside host or directly from the SRX. Interesting.



  • 9.  RE: Dynamic VPN Error: SA unusable, SRX100

     
    Posted 06-18-2015 02:14

     

    First open a continuous ping from your dyn-vpn client towards something behind the SRX.

    Then do the following (you have to change the source and destination IP to the ones you are using):

    show security match-policies source-ip 192.168.5.2 destination-ip 10.10.10.1 protocol icmp

    Can you paste the output in the forum thread?



  • 10.  RE: Dynamic VPN Error: SA unusable, SRX100

    Posted 06-18-2015 02:53

    Hi Marc,

    I created an extra policy named "After_VPN" but nothing changed.

    from-zone IPTV to-zone Internet {
        policy All_IPTV_Internet {
            match {
                source-address IPTV;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    from-zone Internet to-zone IPTV {
        policy After_VPN {
            match {
                source-address 192.168.5.0/24;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
        policy dyn-vpn-policy {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit {
                    tunnel {
                        ipsec-vpn dyn-vpn;
                    }
                }
            }
        }
    }
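    Marc's match-policies command asks the SRX which policy a given flow hits. The Python below is an added example, not anything posted in the thread or shipped by Juniper: it reproduces that first-match evaluation offline over the three policies in this last post (the IPTV address-book name resolved to the 10.0.0.0/16 prefix it is bound to in the earlier config) so the effect of ordering is visible. A flow from the pool now lands on After_VPN and never reaches the tunnel policy; whether that matters for the ping problem is not settled in the thread. The Policy class, the protocol-name application model and the shadowing check are my constructions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Policy:
    """Hypothetical model of one Junos security policy (added example, not Junos code)."""
    name: str
    from_zone: str
    to_zone: str
    source: str        # CIDR prefix, or "any"
    destination: str   # CIDR prefix, or "any"
    application: str   # protocol name such as "icmp" or "tcp", or "any"
    action: str        # "permit", "permit-tunnel" or "deny"


def addr_matches(spec: str, ip: str) -> bool:
    """True when the address spec (prefix or 'any') contains ip."""
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def spec_covers(outer: str, inner: str) -> bool:
    """True when every address matched by inner is also matched by outer."""
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ipaddress.ip_network(inner, strict=False).subnet_of(
        ipaddress.ip_network(outer, strict=False))


def match_policy(policies: List[Policy], from_zone: str, to_zone: str,
                 src: str, dst: str, protocol: str) -> Optional[Policy]:
    """First match in configured order, the way `show security match-policies` reports it."""
    for p in policies:
        if (p.from_zone, p.to_zone) != (from_zone, to_zone):
            continue
        if (addr_matches(p.source, src) and addr_matches(p.destination, dst)
                and p.application in ("any", protocol)):
            return p
    return None


def shadowed_by(policies: List[Policy], name: str) -> List[str]:
    """Earlier policies in the same zone pair that cover everything `name` matches,
    so `name` can never be reached."""
    target = next(p for p in policies if p.name == name)
    earlier = policies[:policies.index(target)]
    return [p.name for p in earlier
            if (p.from_zone, p.to_zone) == (target.from_zone, target.to_zone)
            and spec_covers(p.source, target.source)
            and spec_covers(p.destination, target.destination)
            and p.application in ("any", target.application)]


# Constructed from the policies in the last post; the IPTV address-book name is
# resolved to the 10.0.0.0/16 prefix it is bound to earlier in the thread.
POLICIES = [
    Policy("All_IPTV_Internet", "IPTV", "Internet", "10.0.0.0/16", "any", "any", "permit"),
    Policy("After_VPN", "Internet", "IPTV", "192.168.5.0/24", "any", "any", "permit"),
    Policy("dyn-vpn-policy", "Internet", "IPTV", "any", "any", "any", "permit-tunnel"),
]


def which_policy(from_zone, to_zone, src, dst, protocol) -> Optional[str]:
    """Name of the policy the thread's current ordering applies to a flow, or None."""
    p = match_policy(POLICIES, from_zone, to_zone, src, dst, protocol)
    return None if p is None else p.name


if __name__ == "__main__":
    # The flow Marc asked about: ping from the pool client to the SRX's inside address
    print(which_policy("Internet", "IPTV", "192.168.5.2", "10.0.0.254", "icmp"))
    # Same flow with After_VPN removed, i.e. the ordering from the earlier config
    print(match_policy([POLICIES[0], POLICIES[2]], "Internet", "IPTV",
                       "192.168.5.2", "10.0.0.254", "icmp").name)
```

    The `shadowed_by` helper goes one step past the command on the page: it reports policies that can never match because an earlier one in the same zone pair covers every flow they would, which is the check to run before adding a catch-all above a tunnel policy.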