SRX Services Gateway

I am not able to access my protected resources via Dyn VPN from public remote site.

‎12-17-2017 11:55 PM

Hi There,

I am having an issue with my dynamic VPN using Pulse Secure. I am able to connect and get an IP, but I am not able to ping the resources. The strange thing is that I cannot even ping my SRX LAN IP.

Below is my configuration.

# show security dynamic-vpn
access-profile SERVER;
clients {
    all {
        remote-protected-resources {
            10.2.72.0/28;
        }
        remote-exceptions {
            0.0.0.0/0;
        }
        ipsec-vpn DYN_VPN;
        user {
            client1;
        }
    }
}

[edit]
 show security ike
policy SERVER_IKE {
    mode aggressive;
    proposal-set standard;
    pre-shared-key ascii-text "$9$n-3d9t0EhrMWxz3hyleXxjHqfF/tp0BEc0Odb"; ## SECRET-DATA
}
gateway SERVER_GW {
    ike-policy SERVER_IKE;
    dynamic {
        hostname DYNVPN;
        connections-limit 10;
        ike-user-type group-ike-id;
    }
    external-interface ge-0/0/0.0;
    xauth access-profile SERVER;
}

[edit]
 show security ipsec
vpn-monitor-options {
    interval 10;
    threshold 10;
}
policy IPSEC_DYN_POLICY {
    proposal-set standard;
}
vpn DYN_VPN {
    ike {
        gateway SERVER_GW;
        ipsec-policy IPSEC_DYN_POLICY;
    }
}

[edit]
 show access address-assignment    
pool SERVER_POOL {
    family inet {
        network 10.10.10.0/24;
        xauth-attributes {
            primary-dns 4.4.4.2/32;
        }
    }
}

[edit]

C:\Users\MRS-5>ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection* 15:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::c03f:be5d:4968:bd12%17
   IPv4 Address. . . . . . . . . . . : 10.10.10.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :

Hope someone can help me. Many thanks in advance.


Re: I am not able to access my protected resources via Dyn VPN from public remote site.

‎12-18-2017 12:45 AM

It may help: https://kb.juniper.net/InfoCenter/index?page=content&id=KB17660&actp=METADATA

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: I am not able to access my protected resources via Dyn VPN from public remote site.

‎12-18-2017 12:50 AM

Thanks, brother. I already checked it, but I am still not able to ping even the LAN IP on the SRX.


Re: I am not able to access my protected resources via Dyn VPN from public remote site.

‎12-19-2017 02:33 AM

Can you share your security policy config and the IP address on ge-0/0/0.0?

Thanks,
Suraj
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too

Re: I am not able to access my protected resources via Dyn VPN from public remote site.

‎12-19-2017 03:07 AM

Hi Suraj,

I cannot share my ge-0/0/0 address as it is a public IP, but below is my configuration:

xxx> show configuration security | display set |no-more
set security ike policy SERVER_IKE mode aggressive
set security ike policy SERVER_IKE proposal-set standard
set security ike policy SERVER_IKE pre-shared-key ascii-text "$9$n-3d9t0EhrMWxz3hyleXxjHqfF/tp0BEc0Odb"
set security ike gateway SERVER_GW ike-policy SERVER_IKE
set security ike gateway SERVER_GW dynamic hostname DYNVPN
set security ike gateway SERVER_GW dynamic connections-limit 10
set security ike gateway SERVER_GW dynamic ike-user-type group-ike-id
set security ike gateway SERVER_GW external-interface ge-0/0/0.0
set security ike gateway SERVER_GW xauth access-profile SERVER
set security ipsec vpn-monitor-options interval 10
set security ipsec vpn-monitor-options threshold 10
set security ipsec policy IPSEC_DYN_POLICY proposal-set standard
set security ipsec vpn DYN_VPN ike gateway SERVER_GW
set security ipsec vpn DYN_VPN ike ipsec-policy IPSEC_DYN_POLICY
set security address-book global address FINGER-PRINT 10.2.73.7/32
set security dynamic-vpn access-profile SERVER
set security dynamic-vpn clients all remote-protected-resources 10.0.0.0/8
set security dynamic-vpn clients all remote-exceptions 0.0.0.0/0
set security dynamic-vpn clients all ipsec-vpn DYN_VPN
set security dynamic-vpn clients all user client1
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
set security nat destination pool FNGR-PRNT address 10.2.73.7/32
set security nat destination pool SER_DESK address 10.2.73.8/32
set security nat destination rule-set FNGR-PRNT from zone untrust
set security nat destination rule-set FNGR-PRNT rule 1 then destination-nat pool FNGR-PRNT
set security nat destination rule-set FNGR-PRNT rule 2 then destination-nat pool SER_DESK
set security nat static rule-set BLOCK_utube from zone untrust
set security nat static rule-set BLOCK_utube rule 1 match destination-address 216.58.210.238/32
set security nat static rule-set BLOCK_utube rule 1 then static-nat prefix 127.0.0.1/32
set security nat static rule-set BLOCK_utube rule 2 match destination-address 216.58.210.206/32
set security nat static rule-set BLOCK_utube rule 2 then static-nat prefix 127.0.0.2/32
set security nat proxy-arp interface ge-0/0/1.0 address 10.2.72.19/28 to 10.2.72.22/32
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone untrust to-zone trust policy FNGR-PRNT match source-address any
set security policies from-zone untrust to-zone trust policy FNGR-PRNT match destination-address FINGER-PRINT
set security policies from-zone untrust to-zone trust policy FNGR-PRNT match application any
set security policies from-zone untrust to-zone trust policy FNGR-PRNT then permit
set security policies from-zone untrust to-zone trust policy BLK_UTUBE match source-address any
set security policies from-zone untrust to-zone trust policy BLK_UTUBE match destination-address any
set security policies from-zone untrust to-zone trust policy BLK_UTUBE match application junos-http
set security policies from-zone untrust to-zone trust policy BLK_UTUBE match application junos-https
set security policies from-zone untrust to-zone trust policy BLK_UTUBE then permit application-services idp
set security policies from-zone untrust to-zone trust policy BLK_UTUBE then log session-close
set security policies from-zone untrust to-zone trust policy DYN_VPN match source-address any
set security policies from-zone untrust to-zone trust policy DYN_VPN match destination-address any
set security policies from-zone untrust to-zone trust policy DYN_VPN match application any
set security policies from-zone untrust to-zone trust policy DYN_VPN then permit tunnel ipsec-vpn DYN_VPN
set security policies from-zone untrust to-zone trust policy DEFAULT match source-address any
set security policies from-zone untrust to-zone trust policy DEFAULT match destination-address any
set security policies from-zone untrust to-zone trust policy DEFAULT match application any
set security policies from-zone untrust to-zone trust policy DEFAULT then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.0
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services all
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic protocols all
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services tftp
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services all
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic protocols all

But now I can see that I can reach my resources over the internet when in the same subnet. Advertising any other pool is not pinging.


Re: I am not able to access my protected resources via Dyn VPN from public remote site.

‎12-20-2017 12:55 AM

For testing, can you try moving the dynamic VPN policy to the top?

edit security policies from-zone untrust to-zone trust
insert policy DYN_VPN before policy FNGR-PRNT
commit

Thanks,
Suraj
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too

Re: I am not able to access my protected resources via Dyn VPN from public remote site.

‎12-23-2017 11:45 PM

Hi Suraj,

Thanks for your dedication. I tried moving the policy up, but it was not successful.

I found that the issue was in proxy ARP, since they were in the same network, and every time the IP was increasing from the /24 subnet.

Meaning, when I get IP 192.168.1.1 from the pool it starts working, but after reconnecting again I get IP .2 from the pool and again the protected resources are not reachable.

What I did: I made a very specific pool of 192.168.1.0/30 so that the only IPs I get from the pool are .1 and .2, and then specifically permitted proxy ARP for .1 and .2 in the security NAT. Since then things have been working fine with my customer.

Somehow I closed the ticket with my customer; that is why I cannot do anything at the moment until the customer opens a new ticket for any issue.

Please let me know if more clarification is required.


Re: I am not able to access my protected resources via Dyn VPN from public remote site.

‎12-26-2017 07:13 PM

Proxy ARP is required only when your remote protected resources and the address-assignment pool are on the same subnet. As per the initial configuration you shared, below are the protected resources and the pool, which are in different subnets. In this scenario we don't need proxy ARP.

remote-protected-resources 10.2.72.0/28;

address-pool 10.10.10.0/24;

One of the latest updates from you shows the remote protected resources as '10.0.0.0/8'. Did you make this change as part of troubleshooting, or is this the correct value?

If so, can you share the address pool corresponding to this?

If that's also in the 10/8 subnet we need proxy ARP, and we can do proxy ARP for the whole subnet (pool) or use a different subnet for address assignment.

Thanks,
Suraj
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too
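As an added illustration of the rule in this reply and of the /30 workaround from the earlier post (example code, not from the thread or from Juniper), the Python check below parses `display set` lines of the kind posted above and reports whether proxy ARP is needed and which pool addresses the `proxy-arp` statement leaves uncovered. Both sample configs are constructed; the regexes assume the exact statement forms shown in the thread.

```python
import ipaddress
import re

# Constructed samples in the thread's "display set" format (not the poster's
# full config). The first mirrors the original post: pool and protected
# resources in different subnets. The second mirrors the /30 pool from the
# follow-up, with a proxy-arp range that covers only .1, so .2 is reported.
ORIGINAL_CONFIG = """
set security dynamic-vpn clients all remote-protected-resources 10.2.72.0/28
set access address-assignment pool SERVER_POOL family inet network 10.10.10.0/24
"""
SAMPLE_CONFIG = """
set security dynamic-vpn clients all remote-protected-resources 192.168.1.0/24
set access address-assignment pool SERVER_POOL family inet network 192.168.1.0/30
set security nat proxy-arp interface ge-0/0/1.0 address 192.168.1.1/32 to 192.168.1.1/32
"""

PROTECTED_RE = re.compile(r"set security dynamic-vpn clients \S+ remote-protected-resources (\S+)")
POOL_RE = re.compile(r"set access address-assignment pool \S+ family inet network (\S+)")
PROXY_RE = re.compile(r"set security nat proxy-arp interface (\S+) address (\S+)(?: to (\S+))?")

def parse_config(text):
    """Collect protected-resource prefixes, pool prefixes and proxy-ARP host ranges."""
    protected, pools, proxy = [], [], []
    for line in text.splitlines():
        if m := PROTECTED_RE.match(line):
            protected.append(ipaddress.ip_network(m.group(1), strict=False))
        elif m := POOL_RE.match(line):
            pools.append(ipaddress.ip_network(m.group(1), strict=False))
        elif m := PROXY_RE.match(line):
            lo = ipaddress.ip_interface(m.group(2)).ip
            hi = ipaddress.ip_interface(m.group(3)).ip if m.group(3) else lo
            proxy.append((m.group(1), int(lo), int(hi)))
    return protected, pools, proxy

def proxy_arp_report(text):
    """Return (needs_proxy_arp, uncovered_pool_hosts).

    Proxy ARP is needed only when a pool overlaps a protected-resource prefix;
    in that case every assignable pool address must fall inside a proxy-arp
    range on the LAN interface, otherwise a client that draws an address
    outside the range is unreachable (the .1-works/.2-fails symptom above).
    """
    protected, pools, proxy = parse_config(text)
    overlapping = [p for p in pools if any(p.overlaps(r) for r in protected)]
    uncovered = []
    for pool in overlapping:
        for host in pool.hosts():  # a /30 yields .1 and .2, as in the thread
            if not any(lo <= int(host) <= hi for _, lo, hi in proxy):
                uncovered.append(str(host))
    return bool(overlapping), uncovered
```

Run `proxy_arp_report` over a `show configuration | display set` capture to decide between widening the proxy-arp range and moving the pool to a separate subnet.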