SRX

  • 1.  SRX240 dynamic-vpn routing problem

    Posted 04-15-2015 07:46

    Hi,
    I have a routing problem with dynamic VPN on an SRX240.

    I've set up the dynamic-vpn as described at http://www.juniper.net/documentation/en_US/junos12.1/topics/example/vpn-security-dynamic-example-configuring.html.

    When connecting with the Pulse client I can reach every host inside the trusted zones (e.g. 172.18.10.22).
    But I also need connections to a host outside the trusted zones, on the Internet (e.g. 80.81.245.x), to go over the VPN tunnel and then leave the SRX towards the Internet.
    That is not working.
    As mentioned in some documentation, I've already added the outside network to remote-protected-resources:

     
    remote-protected-resources {
                172.18.10.0/24;
                80.81.245.0/24;
            }

     



    On the VPN client the route is set to go over the VPN adapter (e.g. 192.168.101.117), so traffic to 80.81.245.0/24 does enter the VPN tunnel. But I can't see what is missing for that traffic to be routed back out to the Internet.

    I think something like a source NAT for the VPN network (192.168.101.0/24) is missing, but I don't know how to set it up. Can anyone please help?

    I've added the dynamic VPN configuration below.




    For better understanding of the Configuration:

    OfficeNet = 172.18.10.0/24
    OfficeGuest = 192.168.10.0/24
    TeleNet = 192.168.11.0/24

    Complete dynamic-vpn-Configuration:

    /* Access profile used by the dynamic-VPN gateway for XAuth and by web-authentication. */
    /* Each client stanza is a local firewall-user account; the passwords are masked in this paste. */
    profile remote_access_profile {
        client client1 {
            firewall-user {
                password "**********************"; ## SECRET-DATA
            }
        }
        client client2 {
            firewall-user {
                password "**********************"; ## SECRET-DATA
            }
        }
        /* Clients receive their tunnel address from the pool defined below. */
        address-assignment {
            pool startup_rvpn_add_pool;
        }
    }
    /* Client address pool: 192.168.101.1-100 out of 192.168.101.0/24. These private addresses are the */
    /* source of all client traffic inside the tunnel, so anything leaving the SRX towards the Internet */
    /* on behalf of a client has to be source-NATed (they are not routable on the Internet). */
    address-assignment {
        pool startup_rvpn_add_pool {
            family inet {
                network 192.168.101.0/24;
                range startup-rvpn-range {
                    low 192.168.101.1;
                    high 192.168.101.100;
                }
                /* DNS handed to the client is a host in OfficeNet; 172.18.10.0/24 is a remote-protected-resource, */
                /* so the client should reach it through the tunnel. */
                xauth-attributes {
                    primary-dns 172.18.10.254/32;
                }
            }
        }
    }
    /* Web-authentication falls back to the same user accounts. */
    firewall-authentication {
        web-authentication {
            default-profile remote_access_profile;
        }
    }
    
    /* NOTE(review): not referenced by any gateway in the posted config (gw_startup_rvpn uses */
    /* ike_policy_startup_rvpn) -- looks like a wizard leftover. It carries its own PSK; consider deleting it. */
    policy ike_pol_wizard_dyn_vpn {
        mode aggressive;
        proposal-set standard;
        pre-shared-key ascii-text "**********************"; ## SECRET-DATA
    }
    /* IKE policy actually used by the dynamic-VPN gateway. Aggressive mode with a group pre-shared key is the */
    /* usual IKEv1 remote-access setup, but the PSK is shared by every client and aggressive mode lets any */
    /* initiator obtain the PSK hash for offline guessing: use a long random PSK and rotate it when a client leaves. */
    policy ike_policy_startup_rvpn {
        mode aggressive;
        proposal-set standard;
        pre-shared-key ascii-text "**********************"; ## SECRET-DATA
    }
    /* Gateway for the Pulse clients: any peer presenting the group IKE ID "SRX-GW" and the PSK is accepted */
    /* at phase 1 and then authenticated individually via XAuth against remote_access_profile. */
    gateway gw_startup_rvpn {
        ike-policy ike_policy_startup_rvpn;
        dynamic {
            hostname SRX-GW;
            /* At most 50 concurrent clients; the address pool offers 100 addresses. */
            connections-limit 50;
            ike-user-type group-ike-id;
        }
        /* Tunnels terminate on the Internet-zone interface, which must accept ike as host-inbound traffic. */
        external-interface ge-0/0/0.0;
        xauth access-profile remote_access_profile;
    }
    
    
    user@wall# show security ipsec
    
    /* Empty stanza: no VPN monitoring parameters are set. */
    vpn-monitor-options;
    /* NOTE(review): not referenced by vpn startup_rvpn (which uses ipsec_pol_startup_rvpn) -- wizard leftover. */
    policy ipsec_pol_wizard_dyn_vpn {
        perfect-forward-secrecy {
            keys group5;
        }
        proposal-set standard;
    }
    /* Phase 2 policy in use. PFS with group2 (1024-bit MODP) is weak by current standards; the unused */
    /* wizard policy above already uses group5, and group14 or higher is preferable if the Pulse client supports it. */
    policy ipsec_pol_startup_rvpn {
        perfect-forward-secrecy {
            keys group2;
        }
        proposal-set standard;
    }
    /* The VPN object referenced by the dynamic-vpn clients and by the tunnel security policies. */
    vpn startup_rvpn {
        ike {
            gateway gw_startup_rvpn;
            ipsec-policy ipsec_pol_startup_rvpn;
        }
    }
    
    
    @wall# show security policies
    
    /* Inbound dynamic-VPN policies: decrypted client traffic enters from zone Internet (the tunnel terminates */
    /* on ge-0/0/0.0) and is permitted into each internal zone only through startup_rvpn. With */
    /* source-address any every client gets the whole zone; tightening to the 192.168.101.0/24 pool */
    /* would need an address-book entry, which is not shown here. */
    from-zone Internet to-zone OfficeNet {
        policy policy_startup_rvpn_OfficeNet {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit {
                    tunnel {
                        ipsec-vpn startup_rvpn;
                    }
                }
            }
        }
    }
    /* NOTE(review): 192.168.10.0/24 is not in remote-protected-resources, so clients presumably never */
    /* send guest-network traffic into the tunnel; this policy still permits it SRX-side. */
    from-zone Internet to-zone OfficeGuest {
        policy policy_startup_rvpn_OfficeGuest {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit {
                    tunnel {
                        ipsec-vpn startup_rvpn;
                    }
                }
            }
        }
    }
    /* Same remark as for OfficeGuest: 192.168.11.0/24 is not a remote-protected-resource. */
    from-zone Internet to-zone TeleNet {
        policy policy_startup_rvpn_TeleNet {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit {
                    tunnel {
                        ipsec-vpn startup_rvpn;
                    }
                }
            }
        }
    }
    /* Outbound Internet access for all three internal zones, unrestricted. */
    from-zone OfficeNet to-zone Internet {
        policy All_OfficeNet_Internet {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    from-zone OfficeGuest to-zone Internet {
        policy All_OfficeGuest_Internet {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    from-zone TeleNet to-zone Internet {
        policy All_TeleNet_Internet {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    from-zone OfficeNet to-zone OfficeGuest {
        policy All_OfficeNet_OfficeGuest {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    /* NOTE(review): reuses the name All_OfficeNet_OfficeGuest for the reverse direction. Junos scopes */
    /* policy names per zone pair, so this commits, but it is misleading in logs. More importantly the */
    /* guest network gets unrestricted access to OfficeNet here -- usually not intended for a guest segment. */
    from-zone OfficeGuest to-zone OfficeNet {
        policy All_OfficeNet_OfficeGuest {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    from-zone OfficeNet to-zone TeleNet {
        policy All_OfficeNet_TeleNet {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    /* NOTE(review): same name reused for the reverse direction (see above). */
    from-zone TeleNet to-zone OfficeNet {
        policy All_OfficeNet_TeleNet {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    from-zone OfficeGuest to-zone TeleNet {
        policy All_OfficeGuest_TeleNet {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    /* NOTE(review): same name reused for the reverse direction (see above). */
    from-zone TeleNet to-zone OfficeGuest {
        policy All_OfficeGuest_TeleNet {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    /* NOTE(review): intrazone permit-any on the Internet zone. This is what lets decrypted client traffic */
    /* for 80.81.245.0/24 hairpin back out of ge-0/0/0.0 (together with a source-NAT rule), but it also */
    /* permits any other transit traffic that arrives on ge-0/0/0.0 and routes back out of it. */
    /* Restrict source-address to the 192.168.101.0/24 client pool (and, if possible, destination-address */
    /* to 80.81.245.0/24) so the policy matches only the intended hairpin. */
    from-zone Internet to-zone Internet {
        policy Internet_any {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    
    
    @wall# show security zones
    /* Zone layout: three internal VLAN zones and one Internet zone on the physical uplink. */
    /* OfficeNet (172.18.10.0/24) is the only internal zone allowed to manage the SRX (https, ssh). */
    security-zone OfficeNet {
        interfaces {
            vlan.0 {
                host-inbound-traffic {
                    system-services {
                        ping;
                        https;
                        ssh;
                    }
                }
            }
        }
    }
    /* OfficeGuest (192.168.10.0/24): ping only. */
    security-zone OfficeGuest {
        interfaces {
            vlan.4 {
                host-inbound-traffic {
                    system-services {
                        ping;
                    }
                }
            }
        }
    }
    /* TeleNet (192.168.11.0/24): ping only. */
    security-zone TeleNet {
        interfaces {
            vlan.5 {
                host-inbound-traffic {
                    system-services {
                        ping;
                    }
                }
            }
        }
    }
    /* Internet zone on ge-0/0/0.0, where gw_startup_rvpn terminates. ike is required for the tunnel and */
    /* https is what the Pulse client uses to reach the dynamic-VPN portal. */
    /* NOTE(review): ssh is also open to the whole Internet here; unless that is deliberate, remove it or */
    /* limit it with a firewall filter on ge-0/0/0.0, and manage the box via the VPN or OfficeNet instead. */
    security-zone Internet {
        interfaces {
            ge-0/0/0.0 {
                host-inbound-traffic {
                    system-services {
                        https;
                        ike;
                        ping;
                        ssh;
                    }
                }
            }
        }
    }
    
    
    
    @wall# show security dynamic-vpn
    /* XAuth users for dynamic VPN come from remote_access_profile. */
    access-profile remote_access_profile;
    clients {
        all {
            /* Networks the Pulse client routes into the tunnel. 80.81.245.0/24 is a public range, so traffic */
            /* for it arrives decrypted in zone Internet and must be hairpinned back out of the same zone; that */
            /* needs an Internet-to-Internet policy plus source NAT to the external address, because the */
            /* client's pool address 192.168.101.x is private and replies would never find their way back. */
            remote-protected-resources {
                172.18.10.0/24;
                80.81.245.0/24;
            }
            /* Everything else bypasses the tunnel (split tunnelling). OfficeGuest and TeleNet are not listed */
            /* above, so presumably clients cannot reach them even though SRX-side policies permit it -- verify on a client. */
            remote-exceptions {
                0.0.0.0/0;
            }
            ipsec-vpn startup_rvpn;
            /* Only these two local accounts may use the dynamic VPN. */
            user {
                client1;
                client2;
            }
        }
    }

     

     
     
     

    Best regards,
    Steven



  • 2.  RE: SRX240 dynamic-vpn routing problem
    Best Answer

     
    Posted 04-15-2015 10:08
    You are right, a source NAT rule is required: the clients' pool addresses (192.168.101.0/24) are private, so traffic for 80.81.245.0/24 has to leave the SRX with the external interface's address or the replies never come back. Try the config below. Note that this hairpins traffic from zone Internet back into zone Internet, so it relies on your `from-zone Internet to-zone Internet` permit-any policy; you may want to restrict that policy's source-address to the 192.168.101.0/24 pool so it does not also permit other traffic arriving on ge-0/0/0.0 and routing back out of it.

    set security nat source rule-set Test from-zone Internet
    set security nat source rule-set Test to-zone Internet
    set security nat source rule-set Test rule Test match source-address 192.168.101.0/24
    set security nat source rule-set Test rule Test match destination-address 80.81.245.0/24
    set security nat source rule-set Test rule Test then source-nat interface
    commit


  • 3.  RE: SRX240 dynamic-vpn routing problem

    Posted 04-15-2015 13:10

    Hi,

     

    Thank you very much, that worked for me!

     

    A small correction to the commands for other readers (the keyword is `from zone` / `to zone`, not `from-zone` / `to-zone`):

     

    set security nat source rule-set Test from zone Internet
    set security nat source rule-set Test to zone Internet

     

    Thanks,

    Steven



  • 4.  RE: SRX240 dynamic-vpn routing problem

     
    Posted 04-15-2015 23:19

    Thank you Steven 🙂