SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

SRX100 VPN problem


  • 1.  SRX100 VPN problem

    Posted 11-22-2016 13:16

    I just got this new SRX100 to add Dynamic VPN onto the controls network.  I worked it out with the Web Manager and it set it up for me.  I can connect to the SRX100 with Pulse VPN but I do not get onto the network interface.  I'm new to this version, as I am better with the SSG5.

    We have a static IP on the SRX100 untrusted side and I have a local PC and controls on the trusted side.  The user name and password work, but it seems not to be routed anywhere.  I'd like to route my VPN within the 192.168.178.0/24.  But I get lost with the IKE pool.  I tried to add a Web Manager-based security policy but it will not let me pick a zone.


    Software Version: JUNOS Software Release [12.1X46-D35.1]
    Bios Version: 2.7

     

     

    Please let me know I will be here for about 4-5 hours

     

    Thanks

     

    Rob

     

    Attachment(s)

    SRX100H.txt (6 KB)


  • 2.  RE: SRX100 VPN problem

     
    Posted 11-22-2016 14:47

    You need to configure proxy-arp for the client addresses. This will allow the SRX to respond to arp requests made by other hosts for your dynamic VPN clients.

     

    set security nat proxy-arp interface vlan.1 address 10.0.0.1/32 to 10.0.0.5/32

     

    Other than that I can not see any issues with the configuration.



  • 3.  RE: SRX100 VPN problem

    Posted 11-23-2016 10:16

    Thank you, I did add your listed command and commit.  It's still not working. I tried to ping the 192.168.178.5 interface from my PC and got no response when I connected to the VPN.

    HH.164.205.14 no response

    192.168.178.5 no response

    10.0.0.1 Got a reply, which was me.

     

    Maybe I should redo the IP pool to match the 192.168.178.1 interface?

     

    So I redid the SRX100 using Firefox to the config we need below.

     

    VPN through the Internet to the SRX100 to the Controls network 192.168.0.1; the Gtown network is my backdoor access to the SRX.

     

    In the SRX100 I can ping 192.168.0.13 which is building ethernet card.  When I connect to the VPN I can not ping anything but the pool address it gave me.

     

    Any help would be great.

     

     

     

     

    ## Last changed: 2016-11-24 13:04:30 GMT-8
    version 12.1X46-D35.1;
    system {
        host-name VPN02;
        time-zone GMT-8;
        root-authentication {
            encrypted-password "Vv.Vjt$ct.yTEhyj6s8Wj9NMlRDr1";
        }
        name-server {
            205.171.3.65;
            205.171.2.65;
            208.67.222.222;
            208.67.220.220;
        }
        name-resolution {
            no-resolve-on-input;
        }
        services {
            ssh;
            web-management {
                http {
                    interface fe-0/0/2.0;
                }
                https {
                    system-generated-certificate;
                    interface [ fe-0/0/0.0 fe-0/0/7.0 fe-0/0/2.0 ];
                }
                session {
                    idle-timeout 60;
                }
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
        ntp {
            server us.ntp.pool.org;
        }
    }
    interfaces {
        fe-0/0/0 {
            unit 0 {
                family inet {
                    address XX.164.205.14/29;
                }
            }
        }
        fe-0/0/2 {
            unit 0 {
                family inet {
                    address 192.168.0.1/24;
                }
            }
        }
        fe-0/0/7 {
            unit 0 {
                family inet {
                    address 192.168.178.5/24;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop XX.164.205.9;
        }
    }
    protocols {
        stp;
    }
    security {
        ike {
            policy ike_policy_startup_rvpn {
                mode aggressive;
                proposal-set standard;
                pre-shared-key ascii-text "8gdLdsgoGDkPbsaUjkQz";
            }
            gateway gw_startup_rvpn {
                ike-policy ike_policy_startup_rvpn;
                dynamic {
                    hostname SRX-GW;
                    connections-limit 50;
                    ike-user-type group-ike-id;
                }
                external-interface fe-0/0/0.0;
                xauth access-profile remote_access_profile;
            }
        }
        ipsec {
            policy ipsec_pol_startup_rvpn {
                perfect-forward-secrecy {
                    keys group2;
                }
                proposal-set standard;
            }
            vpn startup_rvpn {
                ike {
                    gateway gw_startup_rvpn;
                    ipsec-policy ipsec_pol_startup_rvpn;
                }
            }
        }
        dynamic-vpn {
            access-profile remote_access_profile;
            clients {
                startup_rvpn_group {
                    remote-protected-resources {
                        0.0.0.0/0;
                    }
                    ipsec-vpn startup_rvpn;
                    user {
                        rcarongt;
                    }
                }
            }
        }
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            source {
                rule-set nsw_srcnat {
                    from zone [ Controls Gtown ];
                    to zone Internet;
                    rule nsw-src-interface {
                        match {
                            source-address 0.0.0.0/0;
                            destination-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone Internet to-zone Controls {
                policy policy_startup_rvpn_Controls {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit {
                            tunnel {
                                ipsec-vpn startup_rvpn;
                            }
                        }
                        log {
                            session-init;
                            session-close;
                        }
                    }
                }
            }
            from-zone Gtown to-zone Internet {
                policy All_Gtown_Internet {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone Controls to-zone Internet {
                policy All_Controls_Internet {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone Gtown to-zone Controls {
                policy All_Gtown_Controls {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone Controls to-zone Gtown {
                policy All_Gtown_Controls {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone Gtown {
                interfaces {
                    fe-0/0/7.0 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                                https;
                                ssh;
                            }
                        }
                    }
                }
            }
            security-zone Controls {
                interfaces {
                    fe-0/0/2.0 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                                http;
                                https;
                                ssh;
                            }
                        }
                    }
                }
            }
            security-zone Internet {
                interfaces {
                    fe-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                https;
                                ike;
                            }
                        }
                    }
                }
            }
        }
    }
    access {
        profile remote_access_profile {
            client rcarongt {
                firewall-user {
                    password "$bDw4aJGDkmfoaCtuOREwY2aUH6/tIEyQFtOBIle";
                }
            }
            address-assignment {
                pool startup_rvpn_add_pool;
            }
        }
        address-assignment {
            pool startup_rvpn_add_pool {
                family inet {
                    network 192.168.0.0/24;
                    range startup-rvpn-range {
                        low 192.168.0.30;
                        high 192.168.0.35;
                    }
                }
            }
        }
        firewall-authentication {
            web-authentication {
                default-profile remote_access_profile;
            }
        }
    }



  • 4.  RE: SRX100 VPN problem

    Posted 11-24-2016 20:17

    The VPN is working but I still cannot ping any interface. The config is attached.

    Attachment(s)

    SRX100Hrev2.txt (8 KB)


  • 5.  RE: SRX100 VPN problem

     
    Posted 11-25-2016 00:56

    Sorry, I missed the fact that originally the pool was not in the same subnet as your interface, i.e. 192.168.0/24. I see that now it is; however, you are still missing the proxy-arp statements.

     

    set security nat proxy-arp interface vlan.1 address 192.168.0.30/32 to 192.169.0.35/32



  • 6.  RE: SRX100 VPN problem

    Posted 11-28-2016 04:33
    The command that you gave me will not work. If the 192.168.0.0/24, would you want the pool to be the same subnet?

    source {
        rule-set nsw_srcnat {
            from zone [ Controls Gtown ];
            to zone Internet;
            rule nsw-src-interface {
                match {
                    source-address 0.0.0.0/0;
                    destination-address 0.0.0.0/0;
                }
                then {
                    source-nat {
                        interface;
                    }
                }
            }
        }
    }
    proxy-arp {
        interface vlan.1 {
            ##
            ## Warning: Interface must be defined under [interfaces]
            ##
            address {
                192.168.0.30/32 to 192.168.0.35/32;
            }
        }
    }

    [edit]
    root@Gtown-VPN02# commit
    [edit security nat proxy-arp interface]
      'vlan.1'
        Interface must be defined under [interfaces]
    error: commit failed: (statements constraint check failed)
    [edit]
    root@Gtown-VPN02# exit
    The configuration has been changed but not committed
    Exit with uncommitted changes? [yes,no] (yes) no


  • 7.  RE: SRX100 VPN problem

     
    Posted 11-28-2016 09:12

    I see that you have changed your interface from vlan.1 to fe-0/0/2.0 and I did not notice when responding. The proxy ARP needs to be configured on the interface that needs to reply to the ARP requests. This is now fe-0/0/2.0 rather than vlan.1. It does state in the commit error message that vlan.1 does not exist.

     

    The command would be:

     

    set security nat proxy-arp interface fe-0/0/2.0 address 192.168.0.30/32 to 192.169.0.35/32



  • 8.  RE: SRX100 VPN problem

    Posted 11-28-2016 15:38

    I added the command and commit

     

    set security nat proxy-arp interface fe-0/0/2.0 address 192.168.0.30/32 to 192.169.0.35/32

     

    I can only ping myself, 192.168.0.32. I cannot ping 192.168.0.1.

     

    My question: the proxy ARP is

     

    proxy-arp {
        interface fe-0/0/2.0 {
            address {
                192.168.0.30/32 to 192.169.0.35/32;

     

    This is on the "32" subnet when my interface fe-0/0/2.0 is on the "24" subnet

     

    fe-0/0/2 {
        unit 0 {
            family inet {
                address 192.168.0.1/24;

     

    The VPN does connect but I can only ping myself.

     

    here is the new config below.

    Attachment(s)

    SRX100Hrev3.txt (8 KB)


  • 9.  RE: SRX100 VPN problem

     
    Posted 11-29-2016 14:31

    I am sorry but I have given you a typo. I meant to say:

     

    set security nat proxy-arp interface fe-0/0/2.0 address 192.168.0.30/32 to 192.168.0.35/32

     

    not:

     

    set security nat proxy-arp interface fe-0/0/2.0 address 192.168.0.30/32 to 192.169.0.35/32

     

    I am surprised this caused a problem but I have just labbed it up and sure enough it stops it from working.

     

    So, I have taken your configuration and of course I had to replace your passwords as I cannot read them. Apart from that the config is the same. I connected a device to fe-0/0/2 with IP address 192.168.0.200. I connected a router to the public address and a PC to another interface on that router with address 10.1.1.250. I did this so that the PC would not be directly connected to the SRX to give a more realistic scenario. The router has no knowledge of the 192.168.0.0/24 network. I have installed Pulse on the PC and was able to login with the password that I replaced yours with.

     

    I am able to ping myself (.33), the default gateway (.1) and the other device (.200). I have attached the results.

     

    On the SRX:

     

    lab@VPN02> show security ike security-associations
    Index State Initiator cookie Responder cookie Mode Remote Address
    4330041 UP d1c336ecba409d6e 7e1c2b75f5fc1298 Aggressive 10.1.1.250

     

    lab@VPN02> show security ipsec security-associations
    Total active tunnels: 1
    ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
    <268173316 ESP:aes-cbc-128/sha1 2b233cd 2873/ 499951 - root 52740 10.1.1.250
    >268173316 ESP:aes-cbc-128/sha1 1c0e4634 2873/ 499951 - root 52740 10.1.1.250

     

    lab@VPN02> show security ike active-peer
    Remote Address Port Peer IKE-ID XAUTH username Assigned IP
    10.1.1.250 52740 rcarongtSRX-GW rcarongt 192.168.0.33

     

    lab@VPN02> show security dynamic-vpn users
    User: rcarongt , Number of connections: 1
    Remote IP: 10.1.1.250
    IPSEC VPN: startup_rvpn
    IKE gateway: gw_startup_rvpn
    IKE ID : rcarongtSRX-GW
    IKE Lifetime: 28800
    IPSEC Lifetime: 3600
    Status: CONNECTED

     

    In answer to your question regarding the use of /32 even though the network is a /24, this is because you are defining host addresses and not networks. I have also tried configuring it to /24 rather than /32 and it also seems to work but this is not the configuration I have seen from Juniper.

     

    One more point - you may wish to change the configuration to reflect the following:

    [edit]
    lab@VPN02# show security dynamic-vpn
    access-profile remote_access_profile;
    clients {
    startup_rvpn_group {
    remote-protected-resources {
    192.168.0.0/24;
    }
    remote-exceptions {
    0.0.0.0/0;
    }
    ipsec-vpn startup_rvpn;
    user {
    rcarongt;
    }
    }
    }

     

    This will mean your client will only use the VPN to access the 192.168.0/24 network and will bypass the tunnel to access all other addresses, for example the Internet.

     

    Again, apologies for the typo but I can confirm that if this is corrected, it should work.

     

    Attachment(s)
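
The addressing rules this reply untangles (pool inside the LAN interface subnet, one /32 proxy-arp entry per client address, and a range end that strays into 192.169.0.0/24 breaking the whole thing) can be checked mechanically before committing. The following is an added example written for this page, not code from the thread or from Juniper. It uses Python's standard ipaddress module and the interface, pool and proxy-arp values quoted in the thread; HostRange, check_dynamic_vpn_addressing, proxy_arp_set_command and the finding texts are this example's own.

```python
"""Consistency check for SRX Dynamic VPN client addressing.

Added example for this thread (not from the original posts or from Juniper).
It models the three things the replies above sort out one at a time:
  - the client pool should sit inside the LAN interface subnet,
  - proxy-arp is one /32 host entry per client address on that interface,
  - a range end in the wrong /24 (192.169.0.35 for 192.168.0.35) breaks it.
Values below are the ones quoted in the thread; HostRange and the function
names are this example's own.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class HostRange:
    """Inclusive IPv4 host range, as Junos writes it: 'low A high B' or 'A/32 to B/32'."""

    low: ipaddress.IPv4Address
    high: ipaddress.IPv4Address

    @classmethod
    def parse(cls, low: str, high: str) -> "HostRange":
        # Accept both bare addresses and the /32 form used by proxy-arp.
        lo = ipaddress.IPv4Address(low.split("/")[0])
        hi = ipaddress.IPv4Address(high.split("/")[0])
        if hi < lo:
            raise ValueError(f"range end {high} is below range start {low}")
        return cls(lo, hi)

    def __len__(self) -> int:
        return int(self.high) - int(self.low) + 1

    def within(self, net: ipaddress.IPv4Network) -> bool:
        return self.low in net and self.high in net

    def covers(self, other: "HostRange") -> bool:
        return self.low <= other.low and other.high <= self.high


def check_dynamic_vpn_addressing(iface_cidr: str, pool: HostRange, proxy_arp: HostRange) -> list:
    """Return a list of findings; an empty list means the three pieces agree."""
    iface = ipaddress.IPv4Interface(iface_cidr)
    net = iface.network
    findings = []

    if not pool.within(net):
        # Hosts only ARP for addresses in their own subnet, so proxy-arp on this
        # interface cannot help a pool that lives elsewhere.
        findings.append(
            f"pool {pool.low}-{pool.high} is not inside {net}; either move the pool "
            f"into the subnet or give LAN hosts a route for it via the SRX"
        )
    elif pool.low <= iface.ip <= pool.high:
        findings.append(f"pool {pool.low}-{pool.high} includes the interface address {iface.ip}")

    if not proxy_arp.within(net):
        findings.append(
            f"proxy-arp {proxy_arp.low}-{proxy_arp.high} leaves {net} "
            f"({len(proxy_arp)} addresses); check the range end for a typo"
        )
    elif not proxy_arp.covers(pool):
        findings.append(
            f"proxy-arp {proxy_arp.low}-{proxy_arp.high} does not cover every pool "
            f"address {pool.low}-{pool.high}; ARP for the uncovered clients goes unanswered"
        )
    return findings


def proxy_arp_set_command(ifl: str, pool: HostRange) -> str:
    """Junos set command matching the pool, in the syntax used in the thread."""
    return f"set security nat proxy-arp interface {ifl} address {pool.low}/32 to {pool.high}/32"


if __name__ == "__main__":
    iface, pool = "192.168.0.1/24", HostRange.parse("192.168.0.30", "192.168.0.35")
    cases = {
        # the first attempt: a 10.0.0.x pool behind a 192.168.0.1/24 interface
        "first pool": (HostRange.parse("10.0.0.1", "10.0.0.5"), HostRange.parse("10.0.0.1/32", "10.0.0.5/32")),
        "typo": (pool, HostRange.parse("192.168.0.30/32", "192.169.0.35/32")),
        "fixed": (pool, HostRange.parse("192.168.0.30/32", "192.168.0.35/32")),
    }
    for label, (p, arp) in cases.items():
        print(label, check_dynamic_vpn_addressing(iface, p, arp) or ["ok"])
    print(proxy_arp_set_command("fe-0/0/2.0", pool))
```

Run as-is it reports the first pool as outside the subnet, the typo as a range of 65542 addresses leaving 192.168.0.0/24, and the corrected range as consistent, then prints the set command for fe-0/0/2.0.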



  • 10.  RE: SRX100 VPN problem

    Posted 11-29-2016 14:49
    I am working on it Now.


  • 11.  RE: SRX100 VPN problem

    Posted 11-29-2016 15:22

    Take a look at this.

    show security ike security-associations

    root@Gtown-VPN02> show security ike security-associations
    Index State Initiator cookie Responder cookie Mode Remote Address
    2552859 UP 31c27858be295e76 7dac12de4ed2790f Aggressive XX.181.136.83

     

    show security ipsec security-associations

    root@Gtown-VPN02> show security ipsec security-associations
    Total active tunnels: 1
    ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
    <268173320 ESP:aes-cbc-128/sha1 64a0030c 3255/ 500000 - root 2109 XX.181.136.83
    >268173320 ESP:aes-cbc-128/sha1 54f64592 3255/ 500000 - root 2109 XX.181.136.83

     

     

    show security ike active-peer
    root@Gtown-VPN02> show security ike security-associations
    Index State Initiator cookie Responder cookie Mode Remote Address
    2552859 UP 31c27858be295e76 7dac12de4ed2790f Aggressive XX.181.136.83

    root@Gtown-VPN02> show security ike active-peer
    Remote Address Port Peer IKE-ID XAUTH username Assigned IP
    XX.181.136.83 2109 rcarongtSRX-GW rcarongt 192.168.0.34


    show security dynamic-vpn users
    root@Gtown-VPN02&gt; show security dynamic-vpn users
    User: rcarongt , Number of connections: 1
    Remote IP: XX.181.136.83
    IPSEC VPN: startup_rvpn
    IKE gateway: gw_startup_rvpn
    IKE ID : rcarongtSRX-GW
    IKE Lifetime: 28800
    IPSEC Lifetime: 3600
    Status: CONNECTED


    root@Gtown-VPN02&gt; ping 192.168.0.1
    PING 192.168.0.1 (192.168.0.1): 56 data bytes
    64 bytes from 192.168.0.1: icmp_seq=0 ttl=64 time=1.040 ms
    64 bytes from 192.168.0.1: icmp_seq=1 ttl=64 time=0.379 ms

    root@Gtown-VPN02% ping 192.168.0.13
    PING 192.168.0.13 (192.168.0.13): 56 data bytes
    64 bytes from 192.168.0.13: icmp_seq=0 ttl=128 time=12.079 ms
    64 bytes from 192.168.0.13: icmp_seq=1 ttl=128 time=2.505 ms
    64 bytes from 192.168.0.13: icmp_seq=2 ttl=128 time=2.406 ms
    64 bytes from 192.168.0.13: icmp_seq=3 ttl=128 time=2.556 ms

    root@Gtown-VPN02% ping 192.168.0.34
    PING 192.168.0.34 (192.168.0.34): 56 data bytes
    ping: sendto: Can't assign requested address
    ping: sendto: Can't assign requested address
    ping: sendto: Can't assign requested address
    ping: sendto: Can't assign requested address

     

    Still can't ping from within the VPN, and from the SRX I can't ping the pool address when connected.

    Thank you for helping

    Attachment(s)

    SRX100Hrev4.txt (8 KB)


  • 12.  RE: SRX100 VPN problem

     
    Posted 11-29-2016 22:39

    Dynamic VPN does not support reverse-direction traffic.

    You will not be able to access the connected client, but the client can access the resources.

     

    Please ignore if I misunderstood the scenario.



  • 13.  RE: SRX100 VPN problem

     
    Posted 11-30-2016 01:48

    At a glance everything looks good. Are you saying the client cannot ping any of the resources in the 192.168.0.0/24 network i.e. 192.168.0.13 & 192.168.0.1?

     

    As mentioned by Suraj, you would not expect resources or even the SRX to be able to initiate a session to the client. All sessions are to be initiated by the client.



  • 14.  RE: SRX100 VPN problem

    Posted 11-30-2016 03:45
    The VPN client, 192.168.0.34 or .32 within the pool, cannot ping anything but itself. When I was connected with the VPN the SRX could not ping the address pool.

    Sent from my iPhone.


  • 15.  RE: SRX100 VPN problem

    Posted 11-30-2016 03:58

    Here is what I found when I am connected to the SRX within the VPN pool.

     

     

    C:\Users\rob>ipconfig

    Windows IP Configuration


    Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix . :
    Link-local IPv6 Address . . . . . : fe80::b045:e649:ce0
    IPv4 Address. . . . . . . . . . . : 192.168.0.35
    Subnet Mask . . . . . . . . . . . : 255.255.255.255
    Default Gateway . . . . . . . . . :

     

     

    C:\Users\rob>ping 192.168.0.1

    Pinging 192.168.0.1 with 32 bytes of data:
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.

    Ping statistics for 192.168.0.1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

    C:\Users\rob>ping 192.168.0.13

    Pinging 192.168.0.13 with 32 bytes of data:
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.

    Ping statistics for 192.168.0.13:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),



  • 16.  RE: SRX100 VPN problem

    Posted 11-30-2016 04:28

    Here is another test when I connected to the VPN

     

    C:\Users\rob>ipconfig

    Windows IP Configuration


    Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix . :
    Link-local IPv6 Address . . . . . : fe80::b045:e649:ce09:99c0%51
    IPv4 Address. . . . . . . . . . . : 192.168.0.31
    Subnet Mask . . . . . . . . . . . : 255.255.255.255
    Default Gateway . . . . . . . . . :

    Ethernet adapter Local Area Connection:

    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :

    Ethernet adapter TGB No Tunnel:

    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :

    Ethernet adapter Ethernet:

    Connection-specific DNS Suffix . : SSG5-Serial
    Link-local IPv6 Address . . . . . : fe80::d507:9d76:dd42:bd34%7
    IPv4 Address. . . . . . . . . . . : 192.168.177.60
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.177.1


    Ping from the SRX

    root@Gtown-VPN02% ping 192.168.0.31
    PING 192.168.0.31 (192.168.0.31): 56 data bytes
    ping: sendto: Can't assign requested address
    ping: sendto: Can't assign requested address
    ping: sendto: Can't assign requested address
    ping: sendto: Can't assign requested address
    ping: sendto: Can't assign requested address
    ping: sendto: Can't assign requested address
    ping: sendto: Can't assign requested address
    ping: sendto: Can't assign requested address
    ^Z



  • 17.  RE: SRX100 VPN problem

     
    Posted 11-30-2016 04:32
    This will not work. You cannot ping the client from SRX, that’s as per design of Dynamic VPN feature


  • 18.  RE: SRX100 VPN problem

     
    Posted 11-30-2016 05:21


  • 19.  RE: SRX100 VPN problem

    Posted 11-30-2016 06:38
    So if I am understanding this right from the doc that you sent, the VPN client can see the network resources but the network resources will not see the VPN users?



    All I want to do is VPN into a network that host the building controls.

    Thanks
    Rc

    Sent from my iPhone.


  • 20.  RE: SRX100 VPN problem

    Posted 11-30-2016 07:11

    Any specific reason not to use rstp instead of stp?
    I noticed you defined:
    dynamic-vpn {
    access-profile remote_access_profile;
    clients {
    startup_rvpn_group {
    remote-protected-resources {
    0.0.0.0/0;

    I suggest try this as part of the test configuration:

    set security dynamic-vpn clients all remote-protected-resources 10.0.0.0/24
    set security dynamic-vpn clients all remote-exceptions 0.0.0.0/0
    set security dynamic-vpn clients all ipsec-vpn startup_rvpn
    set security dynamic-vpn clients all user rcarongt
    set security zones security-zone Internet interfaces fe-0/0/0.0 host-inbound-traffic system-services ping
    Do a "commit check" first.
    If that config fails the check, enter rollback 0 (return to candidate config); then instead of clients "all" use set security dynamic-vpn clients startup_rvpn_group
    Like this:
    set security dynamic-vpn clients startup_rvpn_group remote-protected-resources 10.0.0.0/24
    set security dynamic-vpn clients startup_rvpn_group remote-exceptions 0.0.0.0/0
    set security dynamic-vpn clients startup_rvpn_group ipsec-vpn startup_rvpn
    set security dynamic-vpn clients startup_rvpn_group user rcarongt

    Also do a commit check
    If either check passes, then commit confirmed and test. It will roll back after 10 minutes (default), or use commit confirmed 5 to apply the config for 5 minutes only.



  • 21.  RE: SRX100 VPN problem

    Posted 11-30-2016 11:40

    Any specific reason not to use rstp instead of stp?

    (I just did what the VPN wizard set up)

     

    I suggest try this as part of the test configuration:

    set security dynamic-vpn clients all remote-protected-resources 10.0.0.0/24

     

    (You want me to replace my 192.168.0.0/24 and re-address the address pool to 10.0.0.0/24)

     

    set security dynamic-vpn clients all remote-exceptions 0.0.0.0/0
    set security dynamic-vpn clients all ipsec-vpn startup_rvpn
    set security dynamic-vpn clients all user rcarongt
    set security zones security-zone Internet interfaces fe-0/0/0.0 host-inbound-traffic system-services ping
    Do a "commit check" first.
    If that config fails the check, enter rollback 0 (return to candidate config); then instead of clients "all" use set security dynamic-vpn clients startup_rvpn_group
    Like this:
    set security dynamic-vpn clients startup_rvpn_group remote-protected-resources 10.0.0.0/24
    set security dynamic-vpn clients startup_rvpn_group remote-exceptions 0.0.0.0/0
    set security dynamic-vpn clients startup_rvpn_group ipsec-vpn startup_rvpn
    set security dynamic-vpn clients startup_rvpn_group user rcarongt

    Also do a commit check
    If either check passes, then commit confirmed and test. It will roll back after 10 minutes (default), or use commit confirmed 5 to apply the config for 5 minutes only.



  • 22.  RE: SRX100 VPN problem

    Posted 11-30-2016 14:29

    No. I am looking at the configuration you have. In any case, wherever the resources are located, you should add those networks. Let's say they are in 192.160/16, 10/24 and 172.16/16; then add them all and use remote-exceptions for 0/0.

    Change the stp to rstp. It has faster reconvergence.

    Test it out temporarily with the commit confirmed command.


    Verify the IKE Phase 1 established.
    >show security ike security-associations
    Verify that the remote clients and the IP addresses assigned to them are using XAuth.
    >show security ike active-peer
    Verify the IPSEC Phase 2 established.
    >show security ipsec security-associations
    Verify the connection and the negotiated parameters.
    >show security dynamic-vpn users

    If it does not work, then set up basic datapath debug, to see exactly where it is failing



  • 23.  RE: SRX100 VPN problem

    Posted 11-30-2016 15:17

    Here is the testing the VPN when connected

     

    Verify the IKE Phase 1 established.


    >show security ike security-associations

    root@Gtown-VPN02> show security ike security-associations
    Index State Initiator cookie Responder cookie Mode Remote Address
    2552869 UP 44c3efcf9e5874d4 fd389b0512031635 Aggressive 50.181.136.83

     

    Verify that the remote clients and the IP addresses assigned to them are using XAuth.


    >show security ike active-peer

    root@Gtown-VPN02> show security ike active-peer
    Remote Address Port Peer IKE-ID XAUTH username Assigned IP
    50.181.136.83 1886 rcarongtSRX-GW rcarongt 192.168.0.31

     

    Verify the IPSEC Phase 2 established.


    >show security ipsec security-associations

    root@Gtown-VPN02> show security ipsec security-associations
    Total active tunnels: 1
    ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
    <268173329 ESP:aes-cbc-128/sha1 cfcac6f5 3497/ 500000 - root 1886 50.181.136.83
    >268173329 ESP:aes-cbc-128/sha1 5e4705de 3497/ 500000 - root 1886 50.181.136.83


    Verify the connection and the negotiated parameters.


    >show security dynamic-vpn users

    root@Gtown-VPN02> show security dynamic-vpn users
    User: rcarongt , Number of connections: 1
    Remote IP: 50.181.136.83
    IPSEC VPN: startup_rvpn
    IKE gateway: gw_startup_rvpn
    IKE ID : rcarongtSRX-GW
    IKE Lifetime: 28800
    IPSEC Lifetime: 3600
    Status: CONNECTED



  • 24.  RE: SRX100 VPN problem

    Posted 11-30-2016 14:53

    I just read through the follow up and saw you had changed the address pool. Do not set the address pool for the Dynamic vpn clients to be the same as the protected resources. Keep it what it was or at least different.

    After you establish the VPN connection and run ipconfig, do you see the Ethernet adapter Juniper Network Agent Virtual Adapter?
    If yes, then use the IP assigned in the following test
    Set up the security flow traceoptions:
    Does the resource (192.168/16 network) you are attempting to connect to after the VPN has been established have a route back to the network the clients get their IP address from (10/24 network)?
    # set security flow traceoptions file flow-debug
    # set security flow traceoptions flag basic-datapath
    # set security flow traceoptions packet-filter client-1 source-prefix <client virtual adapter IP address> destination-prefix <protected resource IP address>
    #set security flow traceoptions packet-filter server-1 source-prefix <protected resource IP address> destination-prefix <client virtual adapter IP address>
    # commit
    run some test, then view the log "flow-debug"

     

    Run a traceroute from the protected network to the ip of the dynamic vpn client. that may be where the problem lies.

    BTW, can you attach the current config now so we can clearly see the config?



  • 25.  RE: SRX100 VPN problem

    Posted 11-30-2016 15:35
    I see a lot of changes. You need to keep the vpn pool assignment different from the controls network. Do this for me and at the top of the hierarchy, run this command.
    #show security | display set | save new-sec-config
    then copy the contents of the file new-sec-config and paste in the attachment and it will be easier to modify it using the set commands.
    Which you can then use # load set terminal and paste it in the config. REMEMBER to replace the variables where you mask the real IP address etc if required!!!!


  • 26.  RE: SRX100 VPN problem

    Posted 11-30-2016 15:45

    Here is the ethernet

     

    Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix . :
    Link-local IPv6 Address . . . . . : fe80::b045:e649:ce09:99c0%51
    IPv4 Address. . . . . . . . . . . : 192.168.0.31
    Subnet Mask . . . . . . . . . . . : 255.255.255.255
    Default Gateway . . . . . . . . . :


    Ethernet adapter Ethernet:

    Connection-specific DNS Suffix . : SSG5-Serial
    Link-local IPv6 Address . . . . . : fe80::d507:9d76:dd42:bd34%7
    IPv4 Address. . . . . . . . . . . : 192.168.177.60
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.177.1

     

     

    I did #show security | display set | save new-sec-config and it came back as

     

    root@Gtown-VPN02# show security | display set | save new-sec-config
    Wrote 72 lines of output to 'new-sec-config'

     

    But that is it; I am using PuTTY remotely.



  • 27.  RE: SRX100 VPN problem

    Posted 11-30-2016 16:03

    I think there is a problem with the Pulse client. The Ethernet adapter Juniper Network Agent Virtual Adapter is not present. Weird. You may have to create a case with Juniper. Try to reinstall the Pulse client, reboot the PC and test again.

    You can enable ftp and copy the file or view it using >file show new-sec-config and copy the contents. Did you try to run a trace route from one of the devices in Controls to the vpn client address?



  • 28.  RE: SRX100 VPN problem

    Posted 11-30-2016 16:08

    Here is a question: where would I download another Pulse client?

     

     

    Ok here is the file.

     

    root@Gtown-VPN02> file show new-sec-config
    set security ike policy ike_policy_startup_rvpn mode aggressive
    set security ike policy ike_policy_startup_rvpn proposal-set standard
    set security ike policy ike_policy_startup_rvpn pre-shared-key ascii-text "$9$8gdLdsgoGDkPbsaUjkQz"
    set security ike gateway gw_startup_rvpn ike-policy ike_policy_startup_rvpn
    set security ike gateway gw_startup_rvpn dynamic hostname SRX-GW
    set security ike gateway gw_startup_rvpn dynamic connections-limit 50
    set security ike gateway gw_startup_rvpn dynamic ike-user-type group-ike-id
    set security ike gateway gw_startup_rvpn external-interface fe-0/0/0.0
    set security ike gateway gw_startup_rvpn xauth access-profile remote_access_profile
    set security ipsec policy ipsec_pol_startup_rvpn perfect-forward-secrecy keys group2
    set security ipsec policy ipsec_pol_startup_rvpn proposal-set standard
    set security ipsec vpn startup_rvpn ike gateway gw_startup_rvpn
    set security ipsec vpn startup_rvpn ike ipsec-policy ipsec_pol_startup_rvpn
    set security dynamic-vpn access-profile remote_access_profile
    set security dynamic-vpn clients startup_rvpn_group remote-protected-resources 192.168.0.0/24
    set security dynamic-vpn clients startup_rvpn_group remote-exceptions 0.0.0.0/0
    set security dynamic-vpn clients startup_rvpn_group ipsec-vpn startup_rvpn
    set security dynamic-vpn clients startup_rvpn_group user rcarongt
    set security dynamic-vpn clients all remote-protected-resources 10.0.0.0/24
    set security dynamic-vpn clients all remote-exceptions 0.0.0.0/0
    set security dynamic-vpn clients all ipsec-vpn startup_rvpn
    set security dynamic-vpn clients all user rcarongt
    set security flow traceoptions file flow-debug
    set security flow traceoptions flag basic-datapath
    set security screen ids-option untrust-screen icmp ping-death
    set security screen ids-option untrust-screen ip source-route-option
    set security screen ids-option untrust-screen ip tear-drop
    set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
    set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
    set security screen ids-option untrust-screen tcp syn-flood timeout 20
    set security screen ids-option untrust-screen tcp land
    set security nat source rule-set nsw_srcnat from zone Controls
    set security nat source rule-set nsw_srcnat from zone Gtown
    set security nat source rule-set nsw_srcnat to zone Internet
    set security nat source rule-set nsw_srcnat rule nsw-src-interface match source-address 0.0.0.0/0
    set security nat source rule-set nsw_srcnat rule nsw-src-interface match destination-address 0.0.0.0/0
    set security nat source rule-set nsw_srcnat rule nsw-src-interface then source-nat interface
    set security nat proxy-arp interface fe-0/0/2.0 address 192.168.0.30/32 to 192.168.0.35/32
    set security policies from-zone Internet to-zone Controls policy policy_startup_rvpn_Controls match source-address any
    set security policies from-zone Internet to-zone Controls policy policy_startup_rvpn_Controls match destination-address any
    set security policies from-zone Internet to-zone Controls policy policy_startup_rvpn_Controls match application any
    set security policies from-zone Internet to-zone Controls policy policy_startup_rvpn_Controls then permit tunnel ipsec-vpn startup_rvpn
    set security policies from-zone Internet to-zone Controls policy policy_startup_rvpn_Controls then log session-init
    set security policies from-zone Internet to-zone Controls policy policy_startup_rvpn_Controls then log session-close
    set security policies from-zone Gtown to-zone Internet policy All_Gtown_Internet match source-address any
    set security policies from-zone Gtown to-zone Internet policy All_Gtown_Internet match destination-address any
    set security policies from-zone Gtown to-zone Internet policy All_Gtown_Internet match application any
    set security policies from-zone Gtown to-zone Internet policy All_Gtown_Internet then permit
    set security policies from-zone Controls to-zone Internet policy All_Controls_Internet match source-address any
    set security policies from-zone Controls to-zone Internet policy All_Controls_Internet match destination-address any
    set security policies from-zone Controls to-zone Internet policy All_Controls_Internet match application any
    set security policies from-zone Controls to-zone Internet policy All_Controls_Internet then permit
    set security policies from-zone Gtown to-zone Controls policy All_Gtown_Controls match source-address any
    set security policies from-zone Gtown to-zone Controls policy All_Gtown_Controls match destination-address any
    set security policies from-zone Gtown to-zone Controls policy All_Gtown_Controls match application any
    set security policies from-zone Gtown to-zone Controls policy All_Gtown_Controls then permit
    set security policies from-zone Controls to-zone Gtown policy All_Gtown_Controls match source-address any
    set security policies from-zone Controls to-zone Gtown policy All_Gtown_Controls match destination-address any
    set security policies from-zone Controls to-zone Gtown policy All_Gtown_Controls match application any
    set security policies from-zone Controls to-zone Gtown policy All_Gtown_Controls then permit
    set security zones security-zone Gtown interfaces fe-0/0/7.0 host-inbound-traffic system-services ping
    set security zones security-zone Gtown interfaces fe-0/0/7.0 host-inbound-traffic system-services https
    set security zones security-zone Gtown interfaces fe-0/0/7.0 host-inbound-traffic system-services ssh
    set security zones security-zone Controls interfaces fe-0/0/2.0 host-inbound-traffic system-services ping
    set security zones security-zone Controls interfaces fe-0/0/2.0 host-inbound-traffic system-services http
    set security zones security-zone Controls interfaces fe-0/0/2.0 host-inbound-traffic system-services https
    set security zones security-zone Controls interfaces fe-0/0/2.0 host-inbound-traffic system-services ssh
    set security zones security-zone Internet interfaces fe-0/0/0.0 host-inbound-traffic system-services https
    set security zones security-zone Internet interfaces fe-0/0/0.0 host-inbound-traffic system-services ike
    set security zones security-zone Internet interfaces fe-0/0/0.0 host-inbound-traffic system-services ping



  • 29.  RE: SRX100 VPN problem

    Posted 11-30-2016 16:10

    Here is the info on Junos Pulse

     

    Junos Pulse 5.0.3.44983
    Junos Pulse 802.1X Connection Method 5.0.3.44983
    Junos Pulse Connection Manager 5.0.3.44983
    Junos Pulse Connection Store Service 5.0.3.44983
    Junos Pulse EAP Service 5.0.3.44983
    Junos Pulse Integration Service 5.0.3.44983
    Junos Pulse Gateway Connection Method 8.0.3.44983
    Junos Pulse User Interface 5.0.3.44983
    Juniper Network Agent 5.50.3.44249
    Juniper Networks TDI Filter Driver 8.0.3.44983
    Junos Pulse Core Service 5.0.3.44983
    Junos Pulse TNC Client 8.0.3.44983
    Junos Pulse Tunnel Manager 5.0.3.44983
    Junos Pulse VPN Connection Method 5.0.3.44983



  • 30.  RE: SRX100 VPN problem
    Best Answer

    Posted 12-05-2016 22:38

    This should work. Please verify that it works.

    ....
    set interfaces fe-0/0/0 unit 0 family inet address x.y.z.14/29
    set interfaces fe-0/0/1 unit 0 family ethernet-switching port-mode access
    set interfaces fe-0/0/1 unit 0 family ethernet-switching vlan members vlan1
    set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members vlan1
    set interfaces fe-0/0/6 unit 0 family inet address P.G.0.1/24
    set interfaces fe-0/0/7 unit 0 family ethernet-switching vlan members vlan2
    set interfaces vlan unit 1 family inet address P.G.178.5/24
    set interfaces vlan unit 2 family inet address P.G.0.1/24
    set routing-options static route 0.0.0.0/0 next-hop x.y.z.9
    set protocols stp
    set security ike policy dyn-ike-pol mode aggressive
    set security ike policy dyn-ike-pol proposal-set standard
    set security ike policy dyn-ike-pol pre-shared-key ascii-text "password"
    set security ike gateway dyn-vpn-gateway ike-policy dyn-ike-pol
    set security ike gateway dyn-vpn-gateway dynamic hostname dyn-VPN
    set security ike gateway dyn-vpn-gateway dynamic connections-limit 5
    set security ike gateway dyn-vpn-gateway dynamic ike-user-type group-ike-id
    set security ike gateway dyn-vpn-gateway external-interface fe-0/0/0.0
    set security ike gateway dyn-vpn-gateway xauth access-profile dyn--vpn-profile
    set security ipsec policy dyn-ipsec-pol proposal-set standard
    set security ipsec vpn private-2-dyn-vpn ike gateway dyn-vpn-gateway
    set security ipsec vpn private-2-dyn-vpn ike ipsec-policy dyn-ipsec-pol
    set security dynamic-vpn access-profile dyn--vpn-profile
    set security dynamic-vpn clients all remote-protected-resources P.G.0.0/24
    set security dynamic-vpn clients all remote-exceptions 0.0.0.0/0
    set security dynamic-vpn clients all ipsec-vpn private-2-dyn-vpn
    set security dynamic-vpn clients all user remote-vpn-client1
    set security nat source rule-set nsw_srcnat from zone private-2
    set security nat source rule-set nsw_srcnat from zone private-1
    set security nat source rule-set nsw_srcnat to zone Internet
    set security nat source rule-set nsw_srcnat rule nsw-src-interface match source-address 0.0.0.0/0
    set security nat source rule-set nsw_srcnat rule nsw-src-interface match destination-address 0.0.0.0/0
    set security nat source rule-set nsw_srcnat rule nsw-src-interface then source-nat interface
    set security nat proxy-arp interface fe-0/0/6.0 address P.G.0.100/32 to P.G.0.105/32
    set security policies from-zone private-1 to-zone Internet policy All_private-1_Internet match source-address any
    set security policies from-zone private-1 to-zone Internet policy All_private-1_Internet match destination-address any
    set security policies from-zone private-1 to-zone Internet policy All_private-1_Internet match application any
    set security policies from-zone private-1 to-zone Internet policy All_private-1_Internet then permit
    set security policies from-zone private-2 to-zone Internet policy All_private-2_Internet match source-address any
    set security policies from-zone private-2 to-zone Internet policy All_private-2_Internet match destination-address any
    set security policies from-zone private-2 to-zone Internet policy All_private-2_Internet match application any
    set security policies from-zone private-2 to-zone Internet policy All_private-2_Internet then permit
    set security policies from-zone private-1 to-zone private-2 policy All_private-1_private-2 match source-address any
    set security policies from-zone private-1 to-zone private-2 policy All_private-1_private-2 match destination-address any
    set security policies from-zone private-1 to-zone private-2 policy All_private-1_private-2 match application any
    set security policies from-zone private-1 to-zone private-2 policy All_private-1_private-2 then permit
    set security policies from-zone private-2 to-zone private-1 policy All_private-1_private-2 match source-address any
    set security policies from-zone private-2 to-zone private-1 policy All_private-1_private-2 match destination-address any
    set security policies from-zone private-2 to-zone private-1 policy All_private-1_private-2 match application any
    set security policies from-zone private-2 to-zone private-1 policy All_private-1_private-2 then permit
    set security policies from-zone Internet to-zone private-2 policy allow-remote-access-private-2 match source-address any
    set security policies from-zone Internet to-zone private-2 policy allow-remote-access-private-2 match destination-address any
    set security policies from-zone Internet to-zone private-2 policy allow-remote-access-private-2 match application any
    set security policies from-zone Internet to-zone private-2 policy allow-remote-access-private-2 then permit tunnel ipsec-vpn private-2-dyn-vpn
    set security policies from-zone private-2 to-zone private-2 policy allow-c-2-c match source-address any
    set security policies from-zone private-2 to-zone private-2 policy allow-c-2-c match destination-address any
    set security policies from-zone private-2 to-zone private-2 policy allow-c-2-c match application any
    set security policies from-zone private-2 to-zone private-2 policy allow-c-2-c then permit
    set security policies from-zone private-1 to-zone private-1 policy allow-g-2-g match source-address any
    set security policies from-zone private-1 to-zone private-1 policy allow-g-2-g match destination-address any
    set security policies from-zone private-1 to-zone private-1 policy allow-g-2-g match application any
    set security policies from-zone private-1 to-zone private-1 policy allow-g-2-g then permit
    set security zones security-zone private-1 interfaces vlan.1 host-inbound-traffic system-services ping
    set security zones security-zone private-1 interfaces vlan.1 host-inbound-traffic system-services https
    set security zones security-zone private-1 interfaces vlan.1 host-inbound-traffic system-services ssh
    set security zones security-zone private-1 interfaces fe-0/0/1.0 host-inbound-traffic system-services all
    set security zones security-zone private-2 interfaces vlan.2 host-inbound-traffic system-services ping
    set security zones security-zone private-2 interfaces vlan.2 host-inbound-traffic system-services https
    set security zones security-zone private-2 interfaces vlan.2 host-inbound-traffic system-services ssh
    set security zones security-zone private-2 interfaces fe-0/0/6.0 host-inbound-traffic system-services all
    set security zones security-zone Internet interfaces fe-0/0/0.0 host-inbound-traffic system-services https
    set security zones security-zone Internet interfaces fe-0/0/0.0 host-inbound-traffic system-services ssh
    set security zones security-zone Internet interfaces fe-0/0/0.0 host-inbound-traffic system-services ike
    set security zones security-zone Internet interfaces fe-0/0/0.0 host-inbound-traffic system-services ping
    set access profile dyn--vpn-profile client remote-vpn-client1 firewall-user password "password"
    set access profile dyn--vpn-profile address-assignment pool dyn--pool
    set access address-assignment pool dyn--pool family inet network P.G.0.0/24
    set access address-assignment pool dyn--pool family inet range dynamic-range low P.G.0.100
    set access address-assignment pool dyn--pool family inet range dynamic-range high P.G.0.105
    set access address-assignment pool dyn--pool family inet xauth-attributes primary-dns A.C.D.65/32
    set access firewall-authentication web-authentication default-profile dyn--vpn-profile
    set vlans vlan1 vlan-id 3
    set vlans vlan1 l3-interface vlan.1
    set vlans vlan2 vlan-id 4
    set vlans vlan2 l3-interface vlan.2
    .........

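An added example, not the answerer's or Juniper's code: a small Python checker that reads a Junos "set"-format configuration and verifies that the pieces this thread converged on line up with each other. It checks that the client address pool lies inside a subnet the SRX has an interface in and is covered by proxy-arp on that interface (the proxy-arp advice earlier in the thread, and the 10.0.0.0/24 pool with no matching interface), that the remote-protected-resources prefix has a connected interface (posts 34 and 35), that the IKE gateway's xauth profile is the dynamic-vpn access profile and its external interface admits IKE, and that a security policy permits the tunnel. The sample configuration and its two broken variants are constructed here with documentation addresses; the function names and finding strings are this example's own. It does not model static routes, so a protected prefix reached only via a static route is reported as one to confirm with "show route".

```python
"""Consistency checks for an SRX dynamic-VPN config in 'set' format (added
example: checker, finding text and sample config are constructed here; only
the Junos statement syntax is real)."""
import ipaddress

# Constructed sample shaped like the working answer, with documentation addresses.
SAMPLE_CONFIG = """
set interfaces fe-0/0/0 unit 0 family inet address 203.0.113.14/29
set interfaces fe-0/0/6 unit 0 family inet address 192.0.2.1/24
set security ike gateway dyn-vpn-gateway external-interface fe-0/0/0.0
set security ike gateway dyn-vpn-gateway xauth access-profile dyn-vpn-profile
set security ipsec vpn private-2-dyn-vpn ike gateway dyn-vpn-gateway
set security dynamic-vpn access-profile dyn-vpn-profile
set security dynamic-vpn clients all remote-protected-resources 192.0.2.0/24
set security dynamic-vpn clients all ipsec-vpn private-2-dyn-vpn
set security nat proxy-arp interface fe-0/0/6.0 address 192.0.2.100/32 to 192.0.2.105/32
set security policies from-zone Internet to-zone private-2 policy allow-remote-access then permit tunnel ipsec-vpn private-2-dyn-vpn
set security zones security-zone private-2 interfaces fe-0/0/6.0 host-inbound-traffic system-services all
set security zones security-zone Internet interfaces fe-0/0/0.0 host-inbound-traffic system-services ike
set access profile dyn-vpn-profile address-assignment pool dyn-pool
set access address-assignment pool dyn-pool family inet range dynamic-range low 192.0.2.100
set access address-assignment pool dyn-pool family inet range dynamic-range high 192.0.2.105
"""
# Constructed variants reproducing the thread's two failure modes.
WRONG_POOL_CONFIG = SAMPLE_CONFIG.replace("192.0.2.100", "10.0.0.100").replace("192.0.2.105", "10.0.0.105")
NO_PROXY_ARP_CONFIG = "\n".join(l for l in SAMPLE_CONFIG.splitlines() if "proxy-arp" not in l)


def parse_set_config(text):
    """Token lists for each 'set ...' line, with the leading 'set' dropped."""
    return [ln.split()[1:] for ln in text.splitlines() if ln.strip().startswith("set ")]


def _after(stmts, *prefix):
    """Tails of the statements that begin with the given tokens."""
    return [s[len(prefix):] for s in stmts if tuple(s[:len(prefix)]) == prefix]


def connected_interfaces(stmts):
    """Logical interface (fe-0/0/6.0, vlan.1, ...) -> its inet address/prefix."""
    return {f"{t[0]}.{t[2]}": ipaddress.ip_interface(t[6])
            for t in _after(stmts, "interfaces")
            if len(t) == 7 and t[1] == "unit" and t[3:6] == ["family", "inet", "address"]}


def inbound_services(stmts):
    """Logical interface -> (zone, host-inbound system-services it accepts)."""
    out = {}
    for t in _after(stmts, "security", "zones", "security-zone"):
        if len(t) == 6 and t[1] == "interfaces" and t[3:5] == ["host-inbound-traffic", "system-services"]:
            out.setdefault(t[2], (t[0], set()))[1].add(t[5])
    return out


def pool_ranges(stmts):
    """Pool name -> list of (low, high) client addresses."""
    pools = {}
    for t in _after(stmts, "access", "address-assignment", "pool"):
        if len(t) == 7 and t[3] == "range":          # [pool family inet range NAME low|high ADDR]
            pools.setdefault(t[0], {}).setdefault(t[4], {})[t[5]] = ipaddress.ip_address(t[6])
    return {p: [(r["low"], r["high"]) for r in rs.values() if "low" in r and "high" in r]
            for p, rs in pools.items()}


def proxy_arp_ranges(stmts):
    """Logical interface -> list of (low, high) addresses the SRX answers ARP for."""
    out = {}
    for t in _after(stmts, "security", "nat", "proxy-arp", "interface"):
        lo = ipaddress.ip_interface(t[2]).ip            # [ifl address LO/32 (to HI/32)]
        out.setdefault(t[0], []).append((lo, ipaddress.ip_interface(t[4]).ip if len(t) == 5 else lo))
    return out


def check_dynamic_vpn(text):
    """Return findings as strings; an empty list means the pieces line up."""
    stmts = parse_set_config(text)
    ifaces, zones = connected_interfaces(stmts), inbound_services(stmts)
    pools, parp, findings = pool_ranges(stmts), proxy_arp_ranges(stmts), []

    def owner(addr):  # logical interface whose connected subnet contains addr
        return next((i for i, n in ifaces.items() if addr in n.network), None)

    profiles = [t[0] for t in _after(stmts, "security", "dynamic-vpn", "access-profile")]
    # 1. Client pool must sit in a connected subnet and be covered by proxy-arp there,
    #    otherwise LAN hosts cannot resolve the client addresses (the thread's symptom).
    for prof in profiles:
        for (pool,) in _after(stmts, "access", "profile", prof, "address-assignment", "pool"):
            for lo, hi in pools.get(pool, []):
                ifl = owner(lo)
                if ifl is None or owner(hi) != ifl:
                    findings.append(f"pool {pool} {lo}-{hi} is not inside one connected subnet; clients are unroutable")
                elif not any(plo <= lo and hi <= phi for plo, phi in parp.get(ifl, [])):
                    findings.append(f"pool {pool} {lo}-{hi} on {ifl} lacks proxy-arp; LAN hosts cannot reply")
    # 2. Gateway: xauth profile must be the dynamic-vpn profile; IKE must be admitted inbound.
    for t in _after(stmts, "security", "ike", "gateway"):
        if t[1:3] == ["xauth", "access-profile"] and t[3] not in profiles:
            findings.append(f"gateway {t[0]} xauth profile {t[3]} is not the dynamic-vpn access-profile")
        if t[1] == "external-interface" and not zones.get(t[2], ("?", set()))[1] & {"ike", "all"}:
            findings.append(f"gateway {t[0]} external-interface {t[2]} does not admit host-inbound ike")
    # 3. Protected resources must be reachable; the tunnel VPN must be permitted by a policy.
    for t in _after(stmts, "security", "dynamic-vpn", "clients"):
        if t[1] == "remote-protected-resources":
            net = ipaddress.ip_network(t[2])
            if not any(n.network.overlaps(net) for n in ifaces.values()):
                findings.append(f"clients {t[0]}: {net} has no connected interface; confirm 'show route {net}'")
        if t[1] == "ipsec-vpn" and not any(p[-3:] == ["tunnel", "ipsec-vpn", t[2]]
                                         for p in _after(stmts, "security", "policies")):
            findings.append(f"clients {t[0]}: no policy permits tunnel ipsec-vpn {t[2]}")
    return findings


if __name__ == "__main__":
    for name, cfg in [("sample", SAMPLE_CONFIG), ("wrong pool", WRONG_POOL_CONFIG), ("no proxy-arp", NO_PROXY_ARP_CONFIG)]:
        print(name, "->", check_dynamic_vpn(cfg) or "consistent")
```

Run it against "show configuration | display set" output saved to a file by passing the file contents to check_dynamic_vpn(); the sample prints "consistent", the wrong-pool variant reports the pool as unroutable, and the variant without proxy-arp reports that LAN hosts cannot reply to clients. The pool and proxy-arp checks are the ones that would have caught the original 10.0.0.0/24 pool before any packet capture.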


  • 31.  RE: SRX100 VPN problem

    Posted 12-06-2016 13:43

    Yes that did work.  Thank you for your help.



  • 32.  RE: SRX100 VPN problem

    Posted 11-30-2016 23:15

deactivate security flow traceoptions

then view the log file for why the VPN traffic is not working. This time I really suspect it is routing from the protected network. But we should get information from the debug log.



  • 33.  RE: SRX100 VPN problem

    Posted 11-30-2016 15:10

    I entered these commands

     

    set security dynamic-vpn clients all remote-protected-resources 10.0.0.0/24
    set security dynamic-vpn clients all remote-exceptions 0.0.0.0/0
    set security dynamic-vpn clients all ipsec-vpn startup_rvpn
    set security dynamic-vpn clients all user rcarongt
    set security zones security-zone Internet interfaces fe-0/0/0.0 host-inbound-traffic system-services ping

     

    root@Gtown-VPN02# commit
    commit complete

     

I'm working on your other post. Config attached.

Attachment: SRX100Hrev5.txt (8 KB, 1 version)


  • 34.  RE: SRX100 VPN problem

    Posted 11-30-2016 15:16
Remember: set security dynamic-vpn clients all remote-protected-resources 10.0.0.0/24

10.0.0.0/24 represents the protected resources where the controls are located. Add more or change it if it is not part of the network you are trying to reach. I am going to look at your config in a minute.


  • 35.  RE: SRX100 VPN problem

    Posted 11-24-2016 22:05

When you connect via VPN, what IP address do you get?

> show route 192.168.178.0/24: where is the next-hop interface? Do you have a route to that network?



  • 36.  RE: SRX100 VPN problem

    Posted 11-25-2016 05:40
I connect to the VPN pool addresses.

    Thanks

    Rc

    Sent from my iPhone.