SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  VPN through existing interface

    Posted 04-09-2015 13:31

    Hello everyone,

    I'm trying to set up VPN on my SRX on the existing interface ge-0/0/1. This interface is my management interface, which is connected to the management switch, and that's how I can access everything from my network.

    But during the configuration I get the warning message:

    root@srx# commit check
    [edit security zones security-zone lan]
      'interfaces ge-0/0/1.0'
        Interface ge-0/0/1.0 already assigned to another zone
    error: configuration check-out failed

    And now... I would like to set up my VPN on the same IP range as my management (servers from .10 to .150 and VPN from .200 to .208).

    What I did:

    set security ike policy ike-dyn-vpn-policy mode aggressive
    set security ike policy ike-dyn-vpn-policy proposal-set standard
    set security ike policy ike-dyn-vpn-policy pre-shared-key ascii-text "***************************"
    set security ike gateway dyn-vpn-local-gw ike-policy ike-dyn-vpn-policy
    set security ike gateway dyn-vpn-local-gw dynamic hostname dynvpn
    set security ike gateway dyn-vpn-local-gw dynamic connections-limit 10
    set security ike gateway dyn-vpn-local-gw dynamic ike-user-type group-ike-id
    set security ike gateway dyn-vpn-local-gw external-interface ge-0/0/1.0
    set security ike gateway dyn-vpn-local-gw xauth access-profile dyn-vpn-access-profile
    set security ipsec policy ipsec-dyn-vpn-policy proposal-set standard
    set security ipsec vpn dyn-vpn ike gateway dyn-vpn-local-gw
    set security ipsec vpn dyn-vpn ike ipsec-policy ipsec-dyn-vpn-policy
    set security policies from-zone internet to-zone lan policy dyn-vpn-policy match source-address any
    set security policies from-zone internet to-zone lan policy dyn-vpn-policy match destination-address any
    set security policies from-zone internet to-zone lan policy dyn-vpn-policy match application any
    set security policies from-zone internet to-zone lan policy dyn-vpn-policy then permit tunnel ipsec-vpn dyn-vpn
    set security zones security-zone internet interfaces ge-0/0/1.0 host-inbound-traffic system-services ike
    set security zones security-zone internet interfaces ge-0/0/1.0 host-inbound-traffic system-services https
    set security zones security-zone internet interfaces ge-0/0/1.0 host-inbound-traffic system-services ping

    Is it possible to set up VPN on an existing interface?

    My config:

    ## Last changed: 2015-04-06 22:09:53 BST
    version 12.1X44-D35.5;
    system {
        host-name srx;
        time-zone Europe/London;
        root-authentication {
            encrypted-password "******************************"; ## SECRET-DATA
        }
        name-server {
            208.67.222.222;
            208.67.220.220;
        }
        login {
            user access {
                uid 2000;
                class super-user;
                authentication {
                    encrypted-password "*********************"; ## SECRET-DATA
                }
            }
        }
        services {
            ssh;
            telnet;
            xnm-clear-text;
            web-management {
                http {
                    interface vlan.0;
                }
                https {
                    system-generated-certificate;
                    interface [ vlan.0 ge-0/0/1.0 ];
                }
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
        ntp {
            server 176.58.109.199;
        }
    }
    interfaces {
        ge-0/0/0 {
            description internet;
            unit 0 {
                family inet {
                    address 5.2*.***.54/29;
                }
            }
        }
        ge-0/0/1 {
            description lan;
            unit 0 {
                family inet {
                    address 10.0.1.1/24;
                }
            }
        }
        ge-0/0/2 {
            description DMZ;
            unit 0 {
                family inet {
                    address 10.0.2.1/24;
                }
            }
        }
        vlan {
            unit 0 {
                family inet {
                    address 192.168.1.1/24;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 5.2*.***.53;
        }
    }
    protocols {
        stp;
    }
    security {
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            source {
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone untrust;
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
                rule-set lan-to-internet {
                    from zone lan;
                    to zone internet;
                    rule lan-to-internet-r1 {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
                rule-set dmz-to-internet {
                    from zone DMZ;
                    to zone internet;
                    rule dmz-to-internet-r1 {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
            destination {
                pool dmz55 {
                    address 10.0.2.2/32;
                }
                pool dmz56 {
                    address 10.0.2.3/32;
                }
                pool dmz57 {
                    address 10.0.2.4/32;
                }
                rule-set internet-to-dmz {
                    from zone internet;
                    rule internet-to-dmz-2-1 {
                        match {
                            destination-address 5.2*.***.55/32;
                            destination-port 80;
                            protocol [ tcp udp ];
                        }
                        then {
                            destination-nat pool dmz75;
                        }
                    }
                }
            }
            proxy-arp {
                interface ge-0/0/0.0 {
                    address {
                        5.2*.***.55/32;
                        5.2*.***.56/32;
                        5.2*.***.57/32;
                    }
                }
            }
        }
        policies {
            from-zone trust to-zone untrust {
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone lan to-zone internet {
                policy wan-to-internet {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone trust {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    vlan.0;
                }
            }
            security-zone untrust {
                screen untrust-screen;
            }
            security-zone internet {
                interfaces {
                    ge-0/0/0.0;
                }
            }
            security-zone lan {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    ge-0/0/1.0;
                }
            }
            security-zone DMZ {
                interfaces {
                    ge-0/0/2.0;
                }
            }
        }
    }
    access {
        profile dyn-vpn-access-profile {
            client vpn1 {
                firewall-user {
                    password "*************************************"; ## SECRET-DATA
                }
            }
            client vpn2 {
                firewall-user {
                    password "************************************"; ## SECRET-DATA
                }
            }
            address-assignment {
                pool dyn-vpn-address-pool;
            }
        }
        address-assignment {
            pool dyn-vpn-address-pool {
                family inet {
                    network 10.0.1.200/29;
                    xauth-attributes {
                        primary-dns 208.67.222.222/32;
                    }
                }
            }
        }
        firewall-authentication {
            web-authentication {
                default-profile dyn-vpn-access-profile;
            }
        }
    }
    vlans {
        vlan-trust {
            vlan-id 3;
            l3-interface vlan.0;
        }
    }

  • 2.  RE: VPN through existing interface
    Best Answer

    Posted 04-09-2015 13:45

    You are connecting from the "outside" world to set up your VPN, let's say from your home internet connection? Then the incoming interface to allow ESP/AH (IPsec) traffic will be your internet-facing interface; in your case that will be ge-0/0/0.0, which should be allowed instead of the ge-0/0/1.0 interface.

    (You have already assigned the ge-0/0/1.0 interface to security zone lan. When you have assigned an interface to a security zone, you first need to remove it from that zone before you can add it to another security zone. This is why your commit failed.)

    set security zones security-zone internet interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
    set security zones security-zone internet interfaces ge-0/0/0.0 host-inbound-traffic system-services https
    set security zones security-zone internet interfaces ge-0/0/0.0 host-inbound-traffic system-services ping

    See the URLs below for some config examples on how to set up dynamic VPN:

    http://kb.juniper.net/InfoCenter/index?page=content&id=TN7&actp=LIST

    http://www.juniper.net/techpubs/en_US/junos12.1x47/topics/example/vpn-security-dynamic-example-configuring.html

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB14318&smlogin=true

    Hope this helps a bit

  • 3.  RE: VPN through existing interface

    Posted 04-09-2015 14:38

    Hi,

    Thank you for your help, I can understand everything apart from this:

    1. Configure the security policy:
    set security policies from-zone internet to-zone lan policy dyn-vpn-policy match source-address any
    set security policies from-zone internet to-zone lan policy dyn-vpn-policy match destination-address any
    set security policies from-zone internet to-zone lan policy dyn-vpn-policy match application any
    set security policies from-zone internet to-zone lan policy dyn-vpn-policy then permit tunnel ipsec-vpn dyn-vpn
    
    2. Configure the IKE gateway:
    set security ike gateway dyn-vpn-local-gw ike-policy ike-dyn-vpn-policy 
    set security ike gateway dyn-vpn-local-gw dynamic hostname dynvpn 
    set security ike gateway dyn-vpn-local-gw dynamic connections-limit 10 
    set security ike gateway dyn-vpn-local-gw dynamic ike-user-type group-ike-id 
    set security ike gateway dyn-vpn-local-gw external-interface ge-0/0/0.0 
    set security ike gateway dyn-vpn-local-gw xauth access-profile dyn-vpn-access-profile

    So:

    1. Configure the security policy - I have to set up policies from the untrusted zone (internet) to the trusted zone (which is my LAN)? So I have specified the LAN as ge-0/0/1.0, so it should apply the rules to my management LAN?

    2. Configure the IKE gateway - Here I have to configure the IKE gateway, but can I do it on the existing interface? Last time commit check failed because I assigned dyn-vpn-local-gw to the existing interface, so should I do

    set security ike gateway dyn-vpn-local-gw ike-policy ike-dyn-vpn-policy
    set security ike gateway dyn-vpn-local-gw dynamic hostname dynvpn
    set security ike gateway dyn-vpn-local-gw dynamic connections-limit 10
    set security ike gateway dyn-vpn-local-gw dynamic ike-user-type group-ike-id
    set security ike gateway dyn-vpn-local-gw xauth access-profile dyn-vpn-access-profile

    without

    set security ike gateway dyn-vpn-local-gw external-interface ge-0/0/0.0

    Could you possibly explain it to me please?



  • 4.  RE: VPN through existing interface

    Posted 04-09-2015 22:29

    Hi,

    1. You always apply security policies on the security zones. So if you have ge-0/0/1.0 added to zone lan (according to your config you have), the policies will be applied.

    2. You need to set your ge-0/0/0.0 as your VPN external-interface, so you need to set the config line below:

    set security ike gateway dyn-vpn-local-gw external-interface ge-0/0/0.0

    Going back to the commit you did before that failed, you used ge-0/0/1.0 as external-interface. (See my paste from the commit you did earlier.)

    root@srx# commit check
    [edit security zones security-zone lan]
      'interfaces ge-0/0/1.0'
        Interface ge-0/0/1.0 already assigned to another zone
    error: configuration check-out failed
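    The two points the accepted answer and the last reply make (an interface unit belongs to exactly one security zone, and the IKE gateway's external-interface has to sit in a zone that permits inbound `ike`) can be checked from the `set`-style lines before anything is pushed to the firewall. The script below is an added example written for this thread; it is not code from the thread, from Juniper, or from Junos itself. It assumes a configuration in `set` syntax and only parses the three statement kinds it needs (zone interface membership with optional per-interface `host-inbound-traffic system-services`, zone-wide `host-inbound-traffic system-services`, and `ike gateway ... external-interface`); everything else is ignored, and a real `commit check` validates far more than this. The sample configurations at the bottom are constructed from lines quoted in the thread.

```python
"""Pre-commit lint for SRX configuration in 'set' syntax (added example).

Reproduces two checks from the thread: one zone per interface unit (the
"already assigned to another zone" commit failure), and inbound 'ike'
permitted on the IKE gateway's external-interface (per interface, zone-wide,
or via 'all'). Assumption: only the three statement kinds below are parsed.
"""
import re
from collections import defaultdict

ZONE_IFACE = re.compile(
    r"^set security zones security-zone (\S+) interfaces (\S+)"
    r"(?: host-inbound-traffic system-services (\S+))?$"
)
ZONE_SVC = re.compile(
    r"^set security zones security-zone (\S+) host-inbound-traffic system-services (\S+)$"
)
GW_EXT = re.compile(r"^set security ike gateway (\S+) external-interface (\S+)$")


def parse_set_config(text):
    """Collect zone membership, host-inbound services and IKE gateways."""
    cfg = {
        "iface_zones": defaultdict(set),     # ifl -> zones it is assigned to
        "iface_services": defaultdict(set),  # ifl -> per-interface services
        "zone_services": defaultdict(set),   # zone -> zone-wide services
        "gateways": {},                      # IKE gateway -> external-interface
    }
    for raw in text.splitlines():
        line = raw.strip()
        if m := ZONE_IFACE.match(line):
            zone, ifl, service = m.groups()
            cfg["iface_zones"][ifl].add(zone)
            if service:
                cfg["iface_services"][ifl].add(service)
        elif m := ZONE_SVC.match(line):
            cfg["zone_services"][m.group(1)].add(m.group(2))
        elif m := GW_EXT.match(line):
            cfg["gateways"][m.group(1)] = m.group(2)
    return cfg


def lint(text):
    """Return a list of findings; an empty list means both checks passed."""
    cfg = parse_set_config(text)
    findings = []
    # Check 1: an interface unit may be a member of only one security zone.
    for ifl, zones in sorted(cfg["iface_zones"].items()):
        if len(zones) > 1:
            findings.append(
                f"{ifl}: assigned to more than one zone ({', '.join(sorted(zones))}); "
                "delete it from the old zone first"
            )
    # Check 2: the gateway's external-interface must accept inbound IKE.
    for gw, ifl in sorted(cfg["gateways"].items()):
        zones = cfg["iface_zones"].get(ifl, set())
        if not zones:
            findings.append(f"gateway {gw}: external-interface {ifl} is in no security zone")
            continue
        allowed = set(cfg["iface_services"].get(ifl, ()))   # copy, not alias
        for zone in zones:
            allowed |= cfg["zone_services"].get(zone, set())
        if not allowed & {"ike", "all"}:
            findings.append(
                f"gateway {gw}: external-interface {ifl} does not permit host-inbound 'ike'"
            )
    return findings


# Constructed from the original post: ge-0/0/1.0 is already in zone lan
# (zone-wide 'all'), and is then added to zone internet as well.
ORIGINAL_ATTEMPT = """
set security zones security-zone lan host-inbound-traffic system-services all
set security zones security-zone lan interfaces ge-0/0/1.0
set security zones security-zone internet interfaces ge-0/0/0.0
set security zones security-zone internet interfaces ge-0/0/1.0 host-inbound-traffic system-services ike
set security ike gateway dyn-vpn-local-gw external-interface ge-0/0/1.0
"""

# Constructed from the accepted answer: IKE terminates on internet-facing ge-0/0/0.0.
CORRECTED = """
set security zones security-zone lan host-inbound-traffic system-services all
set security zones security-zone lan interfaces ge-0/0/1.0
set security zones security-zone internet interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone internet interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security ike gateway dyn-vpn-local-gw external-interface ge-0/0/0.0
"""

# Constructed: gateway moved to ge-0/0/0.0 but the host-inbound lines forgotten.
MISSING_IKE = """
set security zones security-zone lan interfaces ge-0/0/1.0
set security zones security-zone internet interfaces ge-0/0/0.0
set security ike gateway dyn-vpn-local-gw external-interface ge-0/0/0.0
"""

if __name__ == "__main__":
    for name, text in [("original", ORIGINAL_ATTEMPT), ("corrected", CORRECTED),
                       ("missing ike", MISSING_IKE)]:
        found = lint(text)
        print(f"{name}: {'OK' if not found else ''}")
        for finding in found:
            print("  -", finding)
```

    Run against the original attempt it reports only the double zone membership of ge-0/0/1.0, because the lan zone's zone-wide `all` already covers `ike`; the corrected configuration passes; the third sample shows the quieter failure mode where the gateway is moved to the right interface but no `host-inbound-traffic system-services ike` line follows it, which `commit check` accepts even though no peer can complete IKE.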