SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Remote Access VPN on Juniper SRX240 issue

    Posted 03-20-2014 08:04

    Hello Friends,

    I am facing an issue with remote access VPN on a Juniper SRX240.

    My scenario is like this:

    ISP-->Router-->Firewall-->DMZServer

    I have done NATting on the Cisco router towards the firewall's external interface.

    I have created a remote access VPN on the Juniper firewall with the attached configuration.

    But when I tried https://publicip from outside the network, I got the Juniper login page and also downloaded the Junos Pulse software successfully.

    My problem is that Junos Pulse shows "connecting" all the time and does not go any further.

    Could someone please help me out?

    Thanks in advance.


    #SRX240RemtoteaccessVPN

    Attachment: junipersupport.txt (5 KB)


  • 2.  RE: Remote Access VPN on Juniper SRX240 issue
    Best Answer

    Posted 03-21-2014 20:20

    Hi Abdul,

    Could you please add the command below and check?

    set access profile dyn-vpn-access-profile authentication-order password

    If it doesn't work, please enable IKE and auth traceoptions as below and check for errors / attach the debug files.

    set security ike traceoptions file ike-debug
    set security ike traceoptions flag all
    set security ipsec traceoptions flag all
    set system processes general-authentication-service traceoptions file xauthtrace
    set system processes general-authentication-service traceoptions flag all

    -CK

     

     



  • 3.  RE: Remote Access VPN on Juniper SRX240 issue

    Posted 03-23-2014 04:28

     

    Hello ckishor,

    First of all, thanks for your comments here.

    I have a small doubt: I do not have a public IP on the Juniper SRX firewall's external interface. Is that OK for VPN?

    Secondly, I have some logs generated by the "show log kmd" command:

    "IKEv1 Error : Timeout"

    I get the above error every time a user makes a request through the Juniper Pulse software.

     



  • 4.  RE: Remote Access VPN on Juniper SRX240 issue

    Posted 04-01-2014 12:14

    Thanks for your comments.

    I enabled the debug commands as you told me; please find the log files in the attachment below.

    Please advise.

    Attachment: ike-debug.txt (100 KB)


  • 5.  RE: Remote Access VPN on Juniper SRX240 issue

    Posted 04-01-2014 20:14

    Hello,

    Thanks for the details.

    IKE Phase 1 is not getting completed.

    Hope you have a NAT device in between; could you please commit the command below and test?

    set security ike gateway dyn-vpn-local-gw local-identity inet 10.40.40.1

    Can you get a packet capture collected just before the SRX?

     



  • 6.  RE: Remote Access VPN on Juniper SRX240 issue

    Posted 04-25-2014 14:13

    After many changes, I finally got VPN access from outside.

    But...

    after 2 days it stopped working and now shows "IKE negotiation failed. (Error:1419)"

    Any comments?

     



  • 7.  RE: Remote Access VPN on Juniper SRX240 issue

    Posted 04-27-2014 23:57

    I have one question: are you trying to VPN on the same external WAN IP address?

     



  • 8.  RE: Remote Access VPN on Juniper SRX240 issue

    Posted 03-19-2015 03:25

    Hi.

     

    I have a problem with remote VPN on the SRX240. On the SRX240, I have three zones: untrust, trust and VPN-Zone. After establishing the remote VPN, I can only ping from my laptop to a host in the trust zone OR in VPN-Zone; I cannot ping both zones at the same time, although I have two policies like this:

    from-zone untrust to-zone trust {
        policy VPN-POLICY-TEST {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit {
                    tunnel {
                        ipsec-vpn IPSEC-VPN;
                    }
                }
            }
        }
    }
    from-zone untrust to-zone VPN-ZONE {
        policy VPN-POLICY-TEST-01 {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit {
                    tunnel {
                        ipsec-vpn IPSEC-VPN;
                    }
                }
            }
        }
    }

    Is my configuration wrong?



  • 9.  RE: Remote Access VPN on Juniper SRX240 issue

    Posted 03-22-2014 04:55

    Take a look at this and verify that you have all the necessary options configured

    http://kb.juniper.net/library/CUSTOMERSERVICE/GLOBAL_JTAC/technotes/dynamic-vpn-appnote-junos10.4-v21.pdf

    And then refer to the troubleshooting guide if still no success

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB17220