SRX Services Gateway

SRX Dynamic VPN --- Cannot Make it Work at All

2 weeks ago

Hi all

I am pretty new to Juniper and having issues setting up dynamic VPN:

pair of SRX210HE2 --- running JUNOS 12.3X48-D75.4
client computer1: Windows 10 1709 -- Pulse Client 5.1.5 (61437)
client computer2: Windows 10 1803 -- Pulse Client 5.2.7 (1025)

Used this document as reference: https://www.juniper.net/documentation/en_US/junos12.1/topics/example/vpn-security-dynamic-example-co...

I can hit both:
https://PUBLIC-IP/dynamic-vpn
https://PUBLIC-IP/web


set access profile dyn-vpn-access-profile address-assignment pool dyn-vpn-address-pool
set access address-assignment pool dyn-vpn-address-pool family inet network 172.16.20.0/24
set access address-assignment pool dyn-vpn-address-pool family inet xauth-attributes primary-dns 8.8.8.8/32
set access profile dyn-vpn-access-profile authentication-order password
set access profile dyn-vpn-access-profile client user1.name firewall-user password "XXXXXXXXXXXXXXXXXXXXXXXXXX"
set access profile dyn-vpn-access-profile address-assignment pool dyn-vpn-address-pool
set web-authentication default-profile dyn-vpn-access-profile
set security ike policy ike-dyn-vpn-policy mode aggressive
set security ike policy ike-dyn-vpn-policy proposal-set standard
set security ike policy ike-dyn-vpn-policy pre-shared-key ascii-text "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
set security ike gateway dyn-vpn-local-gw ike-policy ike-dyn-vpn-policy
set security ike gateway dyn-vpn-local-gw dynamic hostname dynvpn
set security ike gateway dyn-vpn-local-gw dynamic connections-limit 10
set security ike gateway dyn-vpn-local-gw dynamic ike-user-type group-ike-id
set security ike gateway dyn-vpn-local-gw external-interface reth0.XXXX
set security ike gateway dyn-vpn-local-gw xauth access-profile dyn-vpn-access-profile
set security ipsec policy ipsec-dyn-vpn-policy proposal-set standard
set security ipsec vpn dyn-vpn ike gateway dyn-vpn-local-gw
set security ipsec vpn dyn-vpn ike ipsec-policy ipsec-dyn-vpn-policy
set security policies from-zone UNTRUST to-zone TRUST policy dyn-vpn-policy match source-address any
set security policies from-zone UNTRUST to-zone TRUST policy dyn-vpn-policy match destination-address any
set security policies from-zone UNTRUST to-zone TRUST policy dyn-vpn-policy match application any
set security policies from-zone UNTRUST to-zone TRUST policy dyn-vpn-policy then permit tunnel ipsec-vpn dyn-vpn
set security zones security-zone UNTRUST interfaces reth0.XXXX host-inbound-traffic system-services ike
set security zones security-zone UNTRUST interfaces reth0.XXXX host-inbound-traffic system-services https
set security zones security-zone UNTRUST interfaces reth0.XXXX host-inbound-traffic system-services ping

Created a VPN profile on Pulse Client and connected:

Get the "certificate chain is based on untrusted root" warning
Connect
Type in:
user1.name
password

Pulse client keeps "connecting"

srx> show security flow session source-prefix MYCLIENTIP | refresh 5
Session ID: 21431, Policy name: AllowManagement/16, State: Active, Timeout: 1742, Valid
In: MYCLIENTIP/50396 --> SRX-IP/443;tcp, If: reth0.XXXX, Pkts: 10, Bytes: 1636
Out: SRX-IP/443 --> MYCLIENTIP/50396;tcp, If: .local..0, Pkts: 12, Bytes: 4809
Total sessions: 1
...

Configured following logs [ike-debug and kmd-logs] but nothing gets logged:

user@srx# set security ike traceoptions file ike-debug
user@srx# set security ike traceoptions flag all
user@srx# set security ipsec traceoptions flag all
user@srx# commit
user@srx# run clear log ike-debug

# set system syslog file kmd-logs daemon info
# set system syslog file kmd-logs match KMD
# commit


Pulse Client Log
'TM' Starting Phase 1 for reason = 'p_SRXIP_1_48666c8 IPSec Policy Group:P_SRXIP_48666 IKE SA Rule'
'TM' SAAction performed - name = 'p_SRXIP_1_48666c8IKE Negotiation Action' type = 'Negotiated IKEv5'
'TM' Calculated Refresh Lifetime = 25866 security
'TM' Calculated Refresh Lifetime = 0 KB
'TM' Marshal P1 Encryption = 7, Keylength = 128, Hash = 2, Group = 2, Lifetime = 28740 sec, Lifetime = 0 KB
'TM' MyID = FQDN: 'user1.name':0:17
'TM' --> SendInitialPacket Phase 1 packet ID=base
'TM' --> SEND IKE Message Size 405 to SRXIP:500
'TM' New Phase 1 Session (I) Created UID=0000000b with Peer UID=00000001
'TM' C_IKEPolicyAndPeer2::IndicateIKETunnelStatus(): IKE_PHASE1_START:SRXIP
'TM' onTMCallback(): no more status in the queue

I would really appreciate it if anyone could point me in the right direction to troubleshoot this.

Thank you

4 REPLIES

Re: SRX Dynamic VPN --- Cannot Make it Work at All

2 weeks ago

I believe you're missing some commands (unless you just didn't include them in the original configuration snippet).  In the reference document that you linked, check the last section titled "Associate the Dynamic VPN with Remote Clients".


Re: SRX Dynamic VPN --- Cannot Make it Work at All

2 weeks ago

@cconley17 wrote:

I believe you're missing some commands (unless you just didn't include them in the original configuration snippet).  In the reference document that you linked, check the last section titled "Associate the Dynamic VPN with Remote Clients".


Apologies, I forgot to add this in the original post:

set security dynamic-vpn clients all remote-protected-resources 192.168.1.0/24
set security dynamic-vpn clients all remote-exceptions 0.0.0.0/0
set security dynamic-vpn clients all ipsec-vpn dyn-vpn
set security dynamic-vpn clients all user user1.name
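Added example, not from the thread or from Juniper: a small Python checker that parses the "set" lines posted above and verifies that the dynamic VPN objects reference each other (IPsec VPN to IKE gateway, gateway to XAuth access profile, dynamic-vpn clients to VPN and user, and a security policy that tunnels into the VPN). Run against an excerpt of the first post it reports exactly the missing "dynamic-vpn clients" stanza; with the follow-up lines it reports nothing.

```python
# Added example (not from the thread): consistency checker for the SRX dynamic VPN 'set' config.
# Ad hoc whitespace parsing, not a Junos parser; checks only the object wiring, not crypto settings.
import re

PROMPT = re.compile(r"^\S+[#>]\s*")  # drop a pasted 'user@srx# ' prompt

def parse_set_config(text):
    """Each 'set ...' statement as a token list; prompts, blanks and other lines ignored."""
    lines = (PROMPT.sub("", l.strip()) for l in text.splitlines())
    return [l.split()[1:] for l in lines if l.startswith("set ")]

def _under(stmts, *path):
    """Statements below a hierarchy path, e.g. ('security', 'ike', 'gateway')."""
    return [s[len(path):] for s in stmts if s[:len(path)] == list(path)]

def check_dynamic_vpn(text):
    """Return findings as strings; an empty list means the dynamic VPN objects reference each other."""
    stmts, f = parse_set_config(text), []
    gws = _under(stmts, "security", "ike", "gateway")
    vpns = _under(stmts, "security", "ipsec", "vpn")
    clients = _under(stmts, "security", "dynamic-vpn", "clients")
    profiles = _under(stmts, "access", "profile")
    gw_names, vpn_names, prof_names = ({s[0] for s in x} for x in (gws, vpns, profiles))
    users = {s[2] for s in profiles if s[1:2] == ["client"]}
    for s in vpns:  # 1. each VPN must name a defined IKE gateway
        if s[1:3] == ["ike", "gateway"] and s[3] not in gw_names:
            f.append(f"vpn {s[0]} references undefined ike gateway {s[3]}")
    for s in gws:  # 2. XAuth must point at an existing access profile
        if s[1:3] == ["xauth", "access-profile"] and s[3] not in prof_names:
            f.append(f"gateway {s[0]} references undefined access profile {s[3]}")
    if not clients:  # 3. the stanza missing from the first post
        f.append("no 'security dynamic-vpn clients' stanza: no user is associated with the vpn")
    for s in clients:
        if s[1:2] == ["ipsec-vpn"] and s[2] not in vpn_names:
            f.append(f"dynamic-vpn clients {s[0]} reference undefined vpn {s[2]}")
        if s[1:2] == ["user"] and s[2] not in users:
            f.append(f"dynamic-vpn user {s[2]} is not a client of any access profile")
    tunnelled = {s[-1] for s in stmts if s[-3:-1] == ["tunnel", "ipsec-vpn"]}
    for v in sorted(vpn_names - tunnelled):  # 4. a policy must tunnel traffic into the VPN
        f.append(f"no security policy has 'then permit tunnel ipsec-vpn {v}'")
    return f

# Constructed sample: excerpt of the first post's config (secrets elided) and the follow-up stanza
FIRST_POST = """set access profile dyn-vpn-access-profile client user1.name firewall-user password "X"
set security ike gateway dyn-vpn-local-gw xauth access-profile dyn-vpn-access-profile
set security ipsec vpn dyn-vpn ike gateway dyn-vpn-local-gw
set security policies from-zone UNTRUST to-zone TRUST policy dyn-vpn-policy then permit tunnel ipsec-vpn dyn-vpn"""
CLIENT_STANZA = """set security dynamic-vpn clients all ipsec-vpn dyn-vpn
set security dynamic-vpn clients all user user1.name"""
```

Running `check_dynamic_vpn(FIRST_POST)` returns the single missing-stanza finding, and `check_dynamic_vpn(FIRST_POST + "\n" + CLIENT_STANZA)` returns an empty list.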


Re: SRX Dynamic VPN --- Cannot Make it Work at All

a week ago

Can anyone spot anything wrong with the config?

I am also looking at the Pulse Secure client for Windows 10 as a possible problem.

Comments are appreciated.


Re: SRX Dynamic VPN --- Cannot Make it Work at All

a week ago

Maybe not exactly what you are looking for, but here is how I configured the SRX1500 for the NCP client (Dynamic):

http://clivetechgeek.com/index.php/2018/04/13/srx1500-ncp-ipsec-vpn-remote-anywhere/