SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

Dynamic VPN, Pulse Secure Error 1453

  • 1.  Dynamic VPN, Pulse Secure Error 1453

    Posted 05-27-2016 15:55

    Hello,

    I've been struggling to set up dynamic VPN on my SRX220H2 for many weeks now. My Pulse Secure client is on a Windows 7 laptop. When I try to log in with Pulse Secure, it says "Connection Requested", then "Connecting", and then "Error 1453: Network error. Network errors can be caused by temporary conditions such as an invalid URL, a server not available, and so on."

    We would like to be able to connect to our network through a dynamic VPN. Ideally, we would like VPN users to be in the same subnet as the rest of our internal network (192.168.254.0/24), and we would like to be able to access the internet through the VPN.

    For immediate purposes, though, we would just like to get a response from our SRX.

    This is what my licensing looks like.

    admin@mrp-srx220> show system license
    License usage:
                                     Licenses     Licenses    Licenses    Expiry
      Feature name                       used    installed      needed
      dynamic-vpn                           0            2           0    permanent
      ax411-wlan-ap                         0            2           0    permanent

    Licenses installed: none

    My Junos software version is 12.1X46-D45.4.

    Our SRX has two active interfaces:

    ge-0/0/0 - untrust interface, IP address 198.27.134.230/28, configured in zone called "Internet"

    ge-0/0/4 - trust interface, in vlan.0, IP address 192.168.254.254, configured in zone called "Trust"

    I'm attaching my full configuration, but here are the parts that I think are of particular interest. (Note: I replaced all of the password fields with ellipses.)

    System services

    system {
        ...
        services {
            ssh { root-login deny; }
            web-management {
                https { system-generated-certificate; interface [ ge-0/0/0.0 vlan.0 ]; }
                session { idle-timeout 60; }
            }
        }
    }

    External Interface:

    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    filter {
                        /* This line is for VOIP QoS */
                        output voice-term;
                    }
                    address 198.27.134.230/28;
                }
            }
        }
    }

    Security:

    security {
    
        ike {
            /* Phase 1 */
    
            proposal Dynamic-VPN-P1-Proposal {
                description "Dynamic P1 Proposal";
                authentication-method pre-shared-keys;
                dh-group group2;
                authentication-algorithm sha1;
                encryption-algorithm 3des-cbc;
                lifetime-seconds 1200;
            }
            
            policy Dynamic-VPN-P2-Policy {
                mode aggressive;
                description "Dynamic P2 Policy";
                proposals Dynamic-VPN-P1-Proposal;
                pre-shared-key ascii-text ...; ## SECRET-DATA
            }
            
            gateway Dynamic-VPN-P1-Gateway {
                ike-policy Dynamic-VPN-P2-Policy;
                dynamic {
                    hostname pacificmortgagecompany.com;
                    connections-limit 5;
                    ike-user-type shared-ike-id;
                }
                external-interface ge-0/0/0.0;
                xauth access-profile Dynamic-XAuth;
            }
        }
    
        /* Phase 2 */
    
        ipsec {
            proposal Dynamic-P2-Proposal {
                description Dynamic-VPN-P2-Proposal;
                protocol esp;
                authentication-algorithm hmac-sha1-96;
                encryption-algorithm aes-256-cbc;
                lifetime-seconds 3600;
            }
    
            policy Dynamic-P2-Policy {
                perfect-forward-secrecy {
                    keys group5;
                }
                proposals Dynamic-P2-Proposal;
            }
    
            vpn Dynamic-VPN {
                /* fragment TCP packets */
                df-bit copy;
                ike { gateway Dynamic-VPN-P1-Gateway; ipsec-policy Dynamic-P2-Policy; }
                establish-tunnels immediately;
            }
        }
        . . .
        /* Dynamic VPN */
        dynamic-vpn {
            force-upgrade;
            access-profile Dynamic-XAuth;
            clients {
                all {
                    remote-protected-resources { 192.168.254.0/24; }
                    remote-exceptions { 0.0.0.0/0; }
                    ipsec-vpn Dynamic-VPN;
                    user { jklein; mikem; }
                }
            }
        }
        . . .
        /* Policies */
        policies {
            /* Trust to Untrust */
            from-zone Trust to-zone Internet {
                policy All_Trust_Internet { match { source-address any; destination-address any; application any; } then { permit; } }
                /* This is an unrelated access rule for our VOIP provider */
                policy NextivaOutbound { match { source-address any; destination-address [ NextivaInbound NextivaInbound2 ]; application any; } then { permit; } }
            }
            /* Untrust to Trust */
            from-zone Internet to-zone Trust {
                /* This is an unrelated access rule for our VOIP provider */
                policy NextivaInbound { match { source-address [ NextivaInbound NextivaInbound2 ]; destination-address any; application any; } then { permit; } }
                policy Dynamic-VPN { match { source-address any; destination-address any; application any; } then { permit { tunnel { ipsec-vpn Dynamic-VPN; } } } }
            }
        }
        /* Zones */
        zones {
            /* Trust */
            security-zone Trust {
                address-book { address Michael 192.168.254.0/24; }
                host-inbound-traffic { system-services { ping; http; https; ike; } }
                interfaces { vlan.0 { host-inbound-traffic { system-services { ping; https; ssh; http; ike; } } } }
            }
            /* Untrust ("Internet") */
            security-zone Internet {
                address-book {
                    address Nextiva { range-address 208.73.144.1 { to { 208.73.151.254; } } }
                    address NextivaInbound 208.73.144.0/21;
                    address NextivaInbound2 208.89.108.0/22;
                    address Untrust_interface 198.27.134.0/28;
                }
                host-inbound-traffic { system-services { ping; http; https; ike; } }
                interfaces { ge-0/0/0.0 { host-inbound-traffic { system-services { ping; http; https; ike; } } } }
            }
            /* Loopback interface. */
            security-zone lo0 { host-inbound-traffic { system-services { ping; } } }
            security-zone junos-host;
        }
    }

    Access profile

    access {
        /* Dynamic X-Auth */
        profile Dynamic-XAuth {
            authentication-order password;
            /* User 1 */
            client jklein {
                firewall-user {
                    password ...; ## SECRET-DATA
                }
            }
            /* User 2 */
            client mikem {
                firewall-user {
                    password ...; ## SECRET-DATA
                }
            }
            address-assignment { pool Dynamic-VPN-Pool; }
        }
        address-assignment {
            pool Dynamic-VPN-Pool {
                family inet {
                    network 192.168.254.0/24;
                    xauth-attributes { primary-dns 192.168.254.221/24; }
                }
            }
        }
        firewall-authentication { web-authentication { default-profile Dynamic-XAuth; } }
    }

    Some additional things to note:

    - When we tried to use a Macbook (Yosemite 10.10.5) as our Pulse Secure client, we got the error "No HTTP Response".

    - I cannot ping my SRX's external interface, so it's possible it isn't responding to HTTP either. Is there anything I should add to my config that would make sure it responds to HTTP?

    Thank you very much, and I would greatly appreciate a response.

    Attachment(s): configuration.pdf (20 KB)


  • 2.  RE: Dynamic VPN, Pulse Secure Error 1453

     
    Posted 05-28-2016 00:34

    Hello ,

     

    This issue looks similar to a know issue

     

    PR 1135780 - DVPN cannot connect due to fail to get HTTP Response

     

    This issue is fixed in version  : 12.1X47-D35 12.3X48-D25 15.1X49-D30

     

    Try upgrading to any of the versions



  • 3.  RE: Dynamic VPN, Pulse Secure Error 1453

    Posted 06-01-2016 13:44

    Hello,

    Thank you for replying to my post. I upgraded the firmware to 12.1X47-D35.2 last night, and I'm still getting the same error, however.

    I attached some photos of my Pulse client.

    Capture.PNG, Capture2.PNG, Capture3.PNG



  • 4.  RE: Dynamic VPN, Pulse Secure Error 1453

    Posted 06-02-2016 09:53

    I was following a number of tutorials online. What I have is mostly based off of these two:

    http://www.mustbegeek.com/configure-dynamic-remote-access-vpn-in-juniper-srx/

    http://chimera.labs.oreilly.com/books/1234000001633/ch10.html



  • 5.  RE: Dynamic VPN, Pulse Secure Error 1453

     
    Posted 06-04-2016 05:19

    Hello ,

     

    This issue should have a fix on pulse 5.1R5.1 . Can you try  pulse 5.1R5  ( yours is 5.1R1)



  • 6.  RE: Dynamic VPN, Pulse Secure Error 1453

    Posted 06-10-2016 09:39

    Thank you joses,

    That didn't fix the problem either.

    Could this be related to the fact that I can't ping my public IP address? Is there any reason I wouldn't be able to ping my public IP based on the config above?

    Thank you,



  • 7.  RE: Dynamic VPN, Pulse Secure Error 1453

     
    Posted 06-10-2016 23:00

    Hello ,

     

    I see that you have enabled ICMP on ge-0/0/0 and it should be pingable . Also I do not see any NAT configuration so NAT is also not messing the HTTPS request or ICMP request . Can you confirm your conectivity towards the public IP ?



  • 8.  RE: Dynamic VPN, Pulse Secure Error 1453

    Posted 06-14-2016 09:47

    How should I confirm connectivity towards the public IP?

    Google tells me that it is, in fact, my public IP (see public_ip picture).



  • 9.  RE: Dynamic VPN, Pulse Secure Error 1453

    Posted 06-16-2016 14:22

    I also tried using the VPN wizard in the Web GUI, but I'm getting the same error. 



  • 10.  RE: Dynamic VPN, Pulse Secure Error 1453

    Posted 06-21-2016 14:31

    I tried whitelisting an address and pinging from that address, but I still got no ping.

    set firewall family inet filter ICMP_Whitelist term term_1 from source-address 208.73.147.142/32
    set firewall family inet filter ICMP_Whitelist term term_1 from destination-address 198.27.134.230/32
    set firewall family inet filter ICMP_Whitelist term term_1 from protocol icmp
    set firewall family inet filter ICMP_Whitelist term term_1 then accept
    set firewall family inet filter ICMP_Whitelist term term_2 then accept
    set interfaces ge-0/0/0 unit 0 family inet filter input ICMP_Whitelist

    I'm pretty sure you shouldn't have to whitelist an address in order to use Dynamic VPN from that address, but I will try just about anything at this point.

    I was following advice from this post: https://forums.juniper.net/t5/SRX-Services-Gateway/SRX240H-Ping-Untrust-interface-from-Internet/td-p/219641



  • 11.  RE: Dynamic VPN, Pulse Secure Error 1453

     
    Posted 06-21-2016 23:00

    Hello ,

     

    As per the configuration , I see that the host inbound services as ICMP on ge-0/0/0 . This should take care of the ping . Since your ICMP from the machine is not working , it seems to be connectivity issue between the Clinet machine and SRx interface .



  • 12.  RE: Dynamic VPN, Pulse Secure Error 1453

    Posted 06-23-2016 16:28

    Thank you. I'll see if I can find anything wrong with the connection. 



  • 13.  RE: Dynamic VPN, Pulse Secure Error 1453

    Posted 06-27-2016 11:27

    It seems that the external interface isn't receiving my ping when I try to ping it from the Trust zone.

    I followed the instructions here to display the number of pings received on an interface: https://kb.juniper.net/InfoCenter/index?page=content&id=KB21872&actp=search

    I created the firewall filter ICMP_Count:

    filter ICMP_Count {
        term 1 {
            from {
                source-address { 192.168.254.7/32; 192.168.254.0/24; 198.27.134.230/32; }
                destination-address { 198.27.134.230/32; }
                protocol icmp;
            }
            then { count icmp-counter; accept; }
        }
        term default { then accept; }
    }

    I then applied this to my external interface, like I applied the ICMP_Whitelist filter earlier. I did not see any ping increases when I pinged it.

    I then applied a similar filter (though just source address 192.168.254.7/32) to my vlan 0 interface, my default gateway, which is responding to ping. I saw it receive exactly the expected number of pings.

    This seems to suggest that my pings to the external interface aren't being received at all.

    However, for the external interface, when I set the source-address to 0.0.0.0/0 and the destination to 198.27.134.230/32, it's receiving a constant amount of pings (about 4 every couple of seconds).

    My next test will be to see if it logs any pings from a specific IP address in the untrust zone.



  • 14.  RE: Dynamic VPN, Pulse Secure Error 1453

    Posted 06-27-2016 11:41

    I confirmed that it is receiving pings from specified external IP addresses.

    This means that it is receiving my pings, but it isn't responding to them.



  • 15.  RE: Dynamic VPN, Pulse Secure Error 1453
    Best Answer

     
    Posted 06-28-2016 05:44

    Can you share "input lo-filter" config or try deactivatning for testing and then check the VPN?

     

    Make sure there is a specific term for HTTPS allowing access..



  • 16.  RE: Dynamic VPN, Pulse Secure Error 1453

    Posted 06-29-2016 16:30

    Deleting the lo-filter filter from lo0 did it. I get a new error message with Pulse, and I can ping my IP address.

    I put that filter there to limit management access to the device. I didn't want people to be able to run constant SSH attempts until they could remotely manage our device. I was following this page: https://kb.juniper.net/InfoCenter/index?page=content&id=KB21265&actp=search

    However, it looks like that's what was blocking the Pulse connection as well.

    Thank you very much.



  • 17.  RE: Dynamic VPN, Pulse Secure Error 1453

    Posted 06-29-2016 16:38

    Here is the config for the lo-filter I was using.

    ...

    interfaces {
        ...
        lo0 {
            unit 0 {
                family inet {
                    filter {
                        input lo-filter;
                    }
                }
            }
        }
    }

    ...

    firewall {
        ...
        filter lo-filter {
            term limited-ip {
                from {
                    source-prefix-list {
                        manager-ip;
                    }
                }
                then accept;
            }
        }
    }

    ...

    policy-options {
        prefix-list manager-ip {
            192.168.254.0/24;
        }
    }

    ...


  • 18.  RE: Dynamic VPN, Pulse Secure Error 1453

     
    Posted 06-29-2016 18:21

    You may try below options.

     

    1. Create seperate management URL for j-web , so that even if you dont restrict access to HTTPS port, people cannot reach j-web

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB19411&actp=search

     

    2. On lo0 filter, you need to create a specific terms allowing connections to "HTTPS/UDP(500)/ESP" for every one , you may block everything else.

     

    3. Similar way, if we have OSPF/BGP comes into picture these protocols will also needs to be added to allow, list. We may use specific neighbor address and allow them.

     

    Or in other words the Lo0 filter needs to be more modular, 1 term to allow SSH/Telnet access another term to allow routing protocols and so on.

     

    Below document may be helpful.

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=TN226&actp=search
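    A modular lo0 filter along the lines this reply describes, written as an added example for this thread (it is not from the original posts or from Juniper's KB): it keeps the poster's existing manager-ip prefix list and 198.27.134.230 untrust address, allows the Dynamic VPN traffic the reply lists (HTTPS, IKE on UDP 500, ESP) plus ICMP echo, and drops everything else with a counter. The term names, the lo-discards counter and the extra NAT-T port 4500 (which IKE clients behind NAT use) are my additions, not something the thread states.

    ```junos
    firewall {
        filter lo-filter {
            /* SSH and J-Web only from the existing manager-ip prefix list */
            term management {
                from {
                    source-prefix-list { manager-ip; }
                    protocol tcp;
                    destination-port [ ssh http https ];
                }
                then accept;
            }
            /* Pulse client download and XAuth login over HTTPS on the untrust address */
            term vpn-https {
                from {
                    destination-address { 198.27.134.230/32; }
                    protocol tcp;
                    destination-port https;
                }
                then accept;
            }
            /* IKE (UDP 500) and NAT-T (UDP 4500, assumed; clients behind NAT need it) */
            term vpn-ike {
                from {
                    destination-address { 198.27.134.230/32; }
                    protocol udp;
                    destination-port [ 500 4500 ];
                }
                then accept;
            }
            term vpn-esp {
                from {
                    destination-address { 198.27.134.230/32; }
                    protocol esp;
                }
                then accept;
            }
            /* Keep ping working; the thread used it to localise the filter problem */
            term icmp-echo {
                from {
                    protocol icmp;
                    icmp-type [ echo-request echo-reply ];
                }
                then accept;
            }
            /* Anything else aimed at the routing engine is counted, logged and dropped */
            term deny-rest {
                then { count lo-discards; log; discard; }
            }
        }
    }
    ```

    Terms for any other traffic the device itself must accept (DNS or NTP replies, routing protocol neighbours) go before deny-rest; after a Pulse attempt, `show firewall filter lo-filter` shows whether the lo-discards counter is still climbing.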




  • 19.  RE: Dynamic VPN, Pulse Secure Error 1453

    Posted 03-04-2020 08:23

    Hello,

    For anyone who may also run into this issue, the following fixed it for me (I had the exact same error "Pulse Secure Error 1453").

    I was missing "set system services web-management management-url admin" (you can define whatever URL instead of ADMIN),

    and then everything worked.

    Regards,

    Zubair