Hi,
I've configured dynamic VPN on a SRX210. Junos Pulse can connect and ike/ipsec is up, so the VPN is working fine.
My problem is with routing in this scenario.
The network is very basic:
[VPN Client] --- [SRX210] --- [Internal router]
A computer with the Junos Pulse VPN client installed gets assigned IP addresses from 10.35.10.0/24. The client can ping the internal interface (10.10.10.2) on the SRX210, but not the internal router 10.10.10.1 on the internal side.
If I add a static route for 10.35.10.0/24 on the internal router, pointing towards the SRX210, routing works. VPN clients can ping 10.10.10.1. But I don't want to do that.
What I want is to export the 10.35.10.0/24 route into OSPF, which is running on the interfaces connecting the SRX210 and the internal router. Problem is that I can't figure out how to do it in this scenario.
I could keep the static route on the internal router, and write a routing policy on the internal router that exports the 10.35.10.0/24 route into OSPF. But I'd rather not do that. I'd like to do this on the SRX210 instead.
I've tried a few different ways to do this on the SRX210, but it all boils down to the fact that 10.35.10.0/24 isn't a real connected network, I think.
I hope my question is clear. 🙂
I've attached my SRX210 config with minor edits:
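/* Redacted SRX210 configuration as posted. Secrets appear as X's exactly as the    */
/* author left them. The only repairs are the description quotes (curly quotes in   */
/* the post, which Junos does not accept) and the statement terminators that were   */
/* dropped on the redacted lines; every other statement is unchanged.               */
version 12.1X44-D35.5;
system {
    host-name foo;
    domain-name bar.com;
    services {
        web-management {
            /* NOTE(review): self-signed certificate for the web UI. The https service is  */
            /* also allowed inbound on the internet zone below -- confirm that exposure is */
            /* intended (presumably for the dynamic-VPN client portal) and limit it if not. */
            https {
                system-generated-certificate;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        /* quotes were U+201D in the post; Junos requires ASCII double quotes and a ';' */
        description "INTERNAL INTERFACE";
        unit 0 {
            family inet {
                address 10.10.10.2/30;
            }
        }
    }
    ge-1/0/0 {
        description "EXTERNAL INTERFACE";
        unit 0 {
            family inet {
                address 1.1.1.2/30;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 192.168.1.2/32;
            }
        }
    }
}
routing-options {
    /* Only the default route is configured. There is no route of any kind for the   */
    /* client pool 10.35.10.0/24 on this box, so there is nothing for OSPF to export. */
    /* NOTE(review): a route for the pool prefix plus an OSPF export policy is the    */
    /* usual way to advertise it -- verify against the platform documentation.        */
    static {
        route 0.0.0.0/0 next-hop 1.1.1.1;
    }
    router-id 192.168.1.2;
}
protocols {
    /* No export policy is attached to OSPF here; only the two interfaces below take part. */
    ospf {
        area 0.0.0.0 {
            interface lo0.0 {
                passive;
            }
            interface ge-0/0/0.0 {
                authentication {
                    /* terminator restored; key value redacted by the author */
                    md5 1 key XXXXXXXXXXXXX;
                }
            }
        }
    }
}
security {
    ike {
        policy ike-dyn-vpn-policy {
            /* NOTE(review): aggressive mode with a pre-shared key. The peer identity   */
            /* is exchanged before encryption in this mode -- confirm it is required    */
            /* for the dynamic-peer setup and that the shared key is long and random.   */
            mode aggressive;
            /* NOTE(review): the built-in "standard" proposal-set hides which algorithms */
            /* are negotiated; an explicit proposal makes the choice reviewable.         */
            proposal-set standard;
            /* terminator restored; key value redacted by the author */
            pre-shared-key ascii-text XXXXXXXXXXXXX;
        }
        gateway dyn-vpn-local-gw {
            ike-policy ike-dyn-vpn-policy;
            dynamic {
                hostname dynvpn;
                /* at most two concurrent client tunnels */
                connections-limit 2;
                /* one shared IKE identity (and PSK) for all clients; per-user     */
                /* authentication comes from the xauth profile referenced below.   */
                ike-user-type group-ike-id;
            }
            external-interface ge-1/0/0.0;
            xauth access-profile dyn-vpn-access-profile;
        }
    }
    ipsec {
        policy ipsec-dyn-vpn-policy {
            proposal-set standard;
        }
        vpn dyn-vpn {
            ike {
                gateway dyn-vpn-local-gw;
                ipsec-policy ipsec-dyn-vpn-policy;
            }
        }
    }
    dynamic-vpn {
        access-profile dyn-vpn-access-profile;
        clients {
            test {
                /* Split tunnel: 10.0.0.0/8 is the only prefix sent through the tunnel; */
                /* the 0.0.0.0/0 exception sends everything else out of the client      */
                /* directly. Widen or narrow the protected prefix to match what the     */
                /* internal side actually holds.                                        */
                remote-protected-resources {
                    10.0.0.0/8;
                }
                remote-exceptions {
                    0.0.0.0/0;
                }
                ipsec-vpn dyn-vpn;
                user {
                    test;
                }
            }
        }
    }
    policies {
        from-zone internet to-zone trusted {
            /* NOTE(review): the match is any/any/any, scoped only by the tunnel action. */
            /* Consider restricting destination-address to the internal prefixes and    */
            /* application to the services VPN users actually need.                     */
            policy dyn-vpn-user-test {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn dyn-vpn;
                        }
                    }
                }
            }
        }
    }
    zones {
        security-zone internet {
            interfaces {
                ge-1/0/0.0 {
                    /* services reachable on the external address: ike is required for  */
                    /* the VPN; https exposes web-management (see the note under system). */
                    host-inbound-traffic {
                        system-services {
                            ping;
                            traceroute;
                            ike;
                            https;
                        }
                    }
                }
            }
        }
        security-zone trusted {
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            traceroute;
                            ssh;
                        }
                        /* OSPF hellos must be accepted on the internal interface */
                        protocols {
                            ospf;
                        }
                    }
                }
            }
        }
    }
}
access {
    profile dyn-vpn-access-profile {
        client test {
            xauth {
                /* fixed address for this user, inside the pool range declared below */
                ip-address 10.35.10.10/32;
            }
            firewall-user {
                /* terminator restored; password value redacted by the author */
                password XXXXXXXXXXX;
            }
        }
        address-assignment {
            pool dyn-vpn-address-pool;
        }
    }
    address-assignment {
        pool dyn-vpn-address-pool {
            family inet {
                /* the client pool the post asks to advertise into OSPF */
                network 10.35.10.0/24;
                xauth-attributes {
                    /* NOTE(review): clients are handed a public resolver; internal   */
                    /* host names will not resolve over the tunnel unless that        */
                    /* resolver serves them -- confirm this is intended.              */
                    primary-dns 8.8.8.8/32;
                }
            }
        }
    }
    firewall-authentication {
        web-authentication {
            default-profile dyn-vpn-access-profile;
        }
    }
}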