SRX Services Gateway

Dynamic VPN and routing

10-24-2014 02:10 AM

Hi,

I've configured dynamic VPN on a SRX210. Junos Pulse can connect and IKE/IPsec is up, so the VPN is working fine.

My problem is with routing in this scenario.

The network is very basic:

[VPN Client] --- [SRX210] --- [Internal router]

A computer with the Junos Pulse VPN client installed gets assigned IP addresses from 10.35.10.0/24. The client can ping the internal interface (10.10.10.2) on the SRX210, but not the internal router 10.10.10.1 on the internal side.

If I add a static route for 10.35.10.0/24 on the internal router, pointing towards the SRX210, routing works. VPN clients can ping 10.10.10.1. But I don't want to do that.

What I want is to export the 10.35.10.0/24 route into OSPF, which is running on the interfaces connecting the SRX210 and the internal router. Problem is that I can't figure out how to do it in this scenario.

I could keep the static route on the internal router, and write a routing policy on the internal router that exports the 10.35.10.0/24 route into OSPF. But I'd rather not do that. I'd like to do this on the SRX210 instead.

I've tried a few different ways to do this on the SRX210, but it all boils down to the fact that 10.35.10.0/24 isn't a real connected network, I think.

I hope my question is clear. 🙂

I've attached my SRX210 config with minor edits:

version 12.1X44-D35.5;
system {
    host-name foo;
    domain-name bar.com;
    services {
        web-management {
            https {
                system-generated-certificate;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        description "INTERNAL INTERFACE";
        unit 0 {
            family inet {
                address 10.10.10.2/30;
            }
        }
    }
    ge-1/0/0 {
        description "EXTERNAL INTERFACE";
        unit 0 {
            family inet {
                address 1.1.1.2/30;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 192.168.1.2/32;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 1.1.1.1;
    }
    router-id 192.168.1.2;
}
protocols {
    ospf {
        area 0.0.0.0 {
            interface lo0.0 {
                passive;
            }
            interface ge-0/0/0.0 {
                authentication {
                    md5 1 key XXXXXXXXXXXXX;
                }
            }
        }
    }
}
security {
    ike {
        policy ike-dyn-vpn-policy {
            mode aggressive;
            proposal-set standard;
            pre-shared-key ascii-text XXXXXXXXXXXXX;
        }
        gateway dyn-vpn-local-gw {
            ike-policy ike-dyn-vpn-policy;
            dynamic {
                hostname dynvpn;
                connections-limit 2;
                ike-user-type group-ike-id;
            }
            external-interface ge-1/0/0.0;
            xauth access-profile dyn-vpn-access-profile;
        }
    }
    ipsec {
        policy ipsec-dyn-vpn-policy {
            proposal-set standard;
        }
        vpn dyn-vpn {
            ike {
                gateway dyn-vpn-local-gw;
                ipsec-policy ipsec-dyn-vpn-policy;
            }
        }
    }
    dynamic-vpn {
        access-profile dyn-vpn-access-profile;
        clients {
            test {
                remote-protected-resources {
                    10.0.0.0/8;
                }
                remote-exceptions {
                    0.0.0.0/0;
                }
                ipsec-vpn dyn-vpn;
                user {
                    test;
                }
            }
        }
    }
    policies {
        from-zone internet to-zone trusted {
            policy dyn-vpn-user-test {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn dyn-vpn;
                        }
                    }
                }
            }
        }
    }
    zones {
        security-zone internet {
            interfaces {
                ge-1/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            traceroute;
                            ike;
                            https;
                        }
                    }
                }
            }
        }
        security-zone trusted {
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            traceroute;
                            ssh;
                        }
                        protocols {
                            ospf;
                        }
                    }
                }
            }
        }
    }
}
access {
    profile dyn-vpn-access-profile {
        client test {
            xauth {
                ip-address 10.35.10.10/32;
            }
            firewall-user {
                password XXXXXXXXXXX;
            }
        }
        address-assignment {
            pool dyn-vpn-address-pool;
        }
    }
    address-assignment {
        pool dyn-vpn-address-pool {
            family inet {
                network 10.35.10.0/24;
                xauth-attributes {
                    primary-dns 8.8.8.8/32;
                }
            }
        }
    }
    firewall-authentication {
        web-authentication {
            default-profile dyn-vpn-access-profile;
        }
    }
}

3 REPLIES

Re: Dynamic VPN and routing

10-24-2014 04:39 AM

An alternative to injecting a route into OSPF would be to have the vpn hand out addresses on the internal network (would need to make it larger than 10.10.10.0/30) and have the SRX do proxy-arp.
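What this alternative looks like in configuration, as an added example (not part of the reply above or of the original poster's config): the internal link is renumbered from a /30 to a /24, the dynamic VPN pool is moved into that subnet, and the SRX answers ARP for the client range so the internal router forwards to it without any route change. The /24, the 10.10.10.100-10.10.10.200 client range and the range name are assumptions chosen for illustration; the `#` lines are annotations, not commands.

```junos
# Added example, not from the thread. Addresses and the range name are assumed.
# 1. Enlarge the internal link so it has room for VPN client addresses.
set interfaces ge-0/0/0 unit 0 family inet address 10.10.10.2/24
# 2. Hand VPN clients addresses from a reserved slice of that same subnet.
set access address-assignment pool dyn-vpn-address-pool family inet network 10.10.10.0/24
set access address-assignment pool dyn-vpn-address-pool family inet range dyn-vpn-range low 10.10.10.100
set access address-assignment pool dyn-vpn-address-pool family inet range dyn-vpn-range high 10.10.10.200
# 3. Proxy-ARP for the client range on the internal interface: the internal router
#    now resolves a connected client's address to the SRX's MAC and needs no route.
set security nat proxy-arp interface ge-0/0/0.0 address 10.10.10.100/32 to 10.10.10.200/32
```

Two things to keep in mind if you go this way: the internal router's interface and OSPF network statement must be renumbered to the same /24, and the fixed `xauth ip-address 10.35.10.10/32` under `access profile dyn-vpn-access-profile client test` in the posted config must be changed (or removed) so the client actually lands inside the proxied range.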

Solution accepted by topic author joeld, 08-26-2015 01:27 AM

Re: Dynamic VPN and routing

10-24-2014 05:18 AM

Since 10.35.10.0/24 is a dedicated subnet for dynamic VPN clients, can you add a static route on the SRX as below and then export that into OSPF?

set routing-options static route 10.35.10.0/24 next-hop 1.1.1.1

Thanks,

Suraj

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too
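The accepted answer gives the static route but not the OSPF export that has to go with it. The following set commands, added here as an example and not taken from Suraj's reply or the original poster's config, show both halves: the static route for the client pool and a routing policy that redistributes only that one prefix into OSPF. The prefix and next hop are the thread's; the policy name `export-dynvpn-pool` and the term names are assumptions.

```junos
# Added example, not from the thread. Policy and term names are assumed.
# 1. Anchor the client pool in the routing table (the accepted answer's route).
set routing-options static route 10.35.10.0/24 next-hop 1.1.1.1
# 2. Export only that static prefix into OSPF. The final reject term keeps other
#    static routes, notably the 0.0.0.0/0 default, from leaking to the internal router.
set policy-options policy-statement export-dynvpn-pool term pool from protocol static
set policy-options policy-statement export-dynvpn-pool term pool from route-filter 10.35.10.0/24 exact
set policy-options policy-statement export-dynvpn-pool term pool then accept
set policy-options policy-statement export-dynvpn-pool term others then reject
set protocols ospf export export-dynvpn-pool
```

After `commit`, `show route 10.35.10.0/24` on the SRX should show the static route, `show ospf database external` should list it as an AS-external LSA (Junos advertises exported routes as external type 2 unless told otherwise), and the internal router should learn it via OSPF. Note that the route points at the ISP next hop in the `internet` zone: a packet from the trusted side for a client that has no tunnel session is evaluated against trusted-to-internet policy, and since the posted config defines none, the SRX's default deny drops it instead of forwarding it upstream.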

Re: Dynamic VPN and routing

10-24-2014 11:43 AM

That fixed it. Thanks.