SRX Services Gateway

VPN through existing interface

‎04-09-2015 01:30 PM

Hello everyone,

 

I'm trying to set up a VPN on my SRX on the existing interface ge-0/0/1. This interface is my management interface, which is connected to the management switch, and that's how I can access everything on my network.

 

But during the configuration I get the warning message:

 

root@srx# commit check
[edit security zones security-zone lan]
  'interfaces ge-0/0/1.0'
    Interface ge-0/0/1.0 already assigned to another zone
error: configuration check-out failed

 

And now... I would like to set up my VPN on the same IP range as my management (servers from .10 to .150 and VPN from .200 to .208).

 

What I did:

set security ike policy ike-dyn-vpn-policy mode aggressive
set security ike policy ike-dyn-vpn-policy proposal-set standard
set security ike policy ike-dyn-vpn-policy pre-shared-key ascii-text "***************************"
set security ike gateway dyn-vpn-local-gw ike-policy ike-dyn-vpn-policy
set security ike gateway dyn-vpn-local-gw dynamic hostname dynvpn
set security ike gateway dyn-vpn-local-gw dynamic connections-limit 10
set security ike gateway dyn-vpn-local-gw dynamic ike-user-type group-ike-id
set security ike gateway dyn-vpn-local-gw external-interface ge-0/0/1.0
set security ike gateway dyn-vpn-local-gw xauth access-profile dyn-vpn-access-profile
set security ipsec policy ipsec-dyn-vpn-policy proposal-set standard
set security ipsec vpn dyn-vpn ike gateway dyn-vpn-local-gw
set security ipsec vpn dyn-vpn ike ipsec-policy ipsec-dyn-vpn-policy
set security policies from-zone internet to-zone lan policy dyn-vpn-policy match source-address any
set security policies from-zone internet to-zone lan policy dyn-vpn-policy match destination-address any
set security policies from-zone internet to-zone lan policy dyn-vpn-policy match application any
set security policies from-zone internet to-zone lan policy dyn-vpn-policy then permit tunnel ipsec-vpn dyn-vpn
set security zones security-zone internet interfaces ge-0/0/1.0 host-inbound-traffic system-services ike
set security zones security-zone internet interfaces ge-0/0/1.0 host-inbound-traffic system-services https
set security zones security-zone internet interfaces ge-0/0/1.0 host-inbound-traffic system-services ping

 

Is it possible to set up a VPN on an existing interface?

 

My config:

## Last changed: 2015-04-06 22:09:53 BST
version 12.1X44-D35.5;
system {
    host-name srx;
    time-zone Europe/London;
    root-authentication {
        encrypted-password "******************************"; ## SECRET-DATA
    }
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    login {
        user access {
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "*********************"; ## SECRET-DATA
            }
        }
    }
    services {
        ssh;
        telnet;
        xnm-clear-text;
        web-management {
            http {
                interface vlan.0;
            }
            https {
                system-generated-certificate;
                interface [ vlan.0 ge-0/0/1.0 ];
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp {
        server 176.58.109.199;
    }
}
interfaces {
    ge-0/0/0 {
        description internet;
        unit 0 {
            family inet {
                address 5.2*.***.54/29;
            }
        }
    }
    ge-0/0/1 {
        description lan;
        unit 0 {
            family inet {
                address 10.0.1.1/24;
            }
        }
    }
    ge-0/0/2 {
        description DMZ;
        unit 0 {
            family inet {
                address 10.0.2.1/24;
            }
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 5.2*.***.53;
    }
}
protocols {
    stp;
}
security {
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            rule-set lan-to-internet {
                from zone lan;
                to zone internet;
                rule lan-to-internet-r1 {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            rule-set dmz-to-internet {
                from zone DMZ;
                to zone internet;
                rule dmz-to-internet-r1 {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        destination {
            pool dmz55 {
                address 10.0.2.2/32;
            }
            pool dmz56 {
                address 10.0.2.3/32;
            }
            pool dmz57 {
                address 10.0.2.4/32;
            }
            rule-set internet-to-dmz {
                from zone internet;
                rule internet-to-dmz-2-1 {
                    match {
                        destination-address 5.2*.***.55/32;
                        destination-port 80;
                        protocol [ tcp udp ];
                    }
                    then {
                        destination-nat pool dmz75;
                    }
                }
            }
        }
        proxy-arp {
            interface ge-0/0/0.0 {
                address {
                    5.2*.***.55/32;
                    5.2*.***.56/32;
                    5.2*.***.57/32;
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone lan to-zone internet {
            policy wan-to-internet {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
        }
        security-zone internet {
            interfaces {
                ge-0/0/0.0;
            }
        }
        security-zone lan {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
        security-zone DMZ {
            interfaces {
                ge-0/0/2.0;
            }
        }
    }
}
access {
    profile dyn-vpn-access-profile {
        client vpn1 {
            firewall-user {
                password "*************************************"; ## SECRET-DATA
            }
        }
        client vpn2 {
            firewall-user {
                password "************************************"; ## SECRET-DATA
            }
        }
        address-assignment {
            pool dyn-vpn-address-pool;
        }
    }
    address-assignment {
        pool dyn-vpn-address-pool {
            family inet {
                network 10.0.1.200/29;
                xauth-attributes {
                    primary-dns 208.67.222.222/32;
                }
            }
        }
    }
    firewall-authentication {
        web-authentication {
            default-profile dyn-vpn-access-profile;
        }
    }
}
vlans {
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.0;
    }
}

 

3 REPLIES
Solution
Accepted by topic author MSEngineers
‎08-26-2015 01:27 AM

Re: VPN through existing interface

‎04-09-2015 01:45 PM

You are connecting from the "outside" world to set up your VPN, let's say from your home internet connection? Then the incoming interface to allow ESP/AH (IPsec) traffic will be your internet-facing interface, which in your case will be ge-0/0/0.0, and that is what should be allowed instead of the ge-0/0/1.0 interface.

 

(You have already assigned the ge-0/0/1.0 interface to security zone lan. When you have assigned an interface to a security zone, you first need to remove it from that zone before you can add it to another security zone. This is why your commit failed.)

 

set security zones security-zone internet interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone internet interfaces ge-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone internet interfaces ge-0/0/0.0 host-inbound-traffic system-services ping

 

See the URLs below for some configuration examples on how to set up dynamic VPN.

 

http://kb.juniper.net/InfoCenter/index?page=content&id=TN7&actp=LIST

 

http://www.juniper.net/techpubs/en_US/junos12.1x47/topics/example/vpn-security-dynamic-example-confi...

 

http://kb.juniper.net/InfoCenter/index?page=content&id=KB14318&smlogin=true

 

Hope this helps a bit

 

 

Marc



-----------------------------------------------------------------
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too
-----------------------------------------------------------------
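The two mistakes Marc points out (an interface referenced under two security zones, and an IKE gateway whose external-interface is not the internet-facing interface with the ike service allowed inbound) can be caught before a commit by linting the `set` lines. The following script is an added example written for this thread; it is not part of the forum posts or of any Juniper tool. It parses plain `set ...` lines like the ones pasted in the question. The sample inputs are constructed from the thread's configuration, and the rule that an interface-level host-inbound-traffic entry replaces the zone-level one for that interface is an assumption about Junos behaviour built into the check.

```python
"""Lint Junos 'set' lines for the two zone/IKE mistakes discussed in the thread.

Added example (not from the forum post or from Juniper). Reports:
  1. an interface listed under more than one security zone, the condition
     behind "Interface ... already assigned to another zone";
  2. an IKE gateway whose external-interface is in no zone, or in a zone that
     does not allow the 'ike' system service inbound on that interface.
Assumption: interface-level host-inbound-traffic, when present, replaces the
zone-level setting for that interface.
"""
import re
from collections import defaultdict

ZONE_IFACE = re.compile(
    r"^set security zones security-zone (\S+) interfaces (\S+)(?: (.*))?$")
ZONE_SVC = re.compile(
    r"^set security zones security-zone (\S+) host-inbound-traffic system-services (\S+)$")
IKE_GW_EXT = re.compile(
    r"^set security ike gateway (\S+) external-interface (\S+)$")
IFACE_SVC = re.compile(r"^host-inbound-traffic system-services (\S+)$")


def parse(lines):
    """Collect zone membership, inbound services and IKE external interfaces."""
    zones_of = defaultdict(set)        # interface -> zones it is listed under
    iface_services = defaultdict(set)  # (zone, interface) -> services allowed
    zone_services = defaultdict(set)   # zone -> services allowed at zone level
    gateways = {}                      # ike gateway -> external-interface
    for raw in lines:
        line = raw.strip()
        m = ZONE_IFACE.match(line)
        if m:
            zone, iface, rest = m.groups()
            zones_of[iface].add(zone)
            sm = IFACE_SVC.match(rest) if rest else None
            if sm:
                iface_services[(zone, iface)].add(sm.group(1))
            continue
        m = ZONE_SVC.match(line)
        if m:
            zone_services[m.group(1)].add(m.group(2))
            continue
        m = IKE_GW_EXT.match(line)
        if m:
            gateways[m.group(1)] = m.group(2)
    return zones_of, iface_services, zone_services, gateways


def lint(lines):
    """Return a list of human-readable findings; an empty list means clean."""
    zones_of, iface_services, zone_services, gateways = parse(lines)
    findings = []
    for iface, zones in sorted(zones_of.items()):
        if len(zones) > 1:
            findings.append(
                f"{iface} assigned to more than one zone: {', '.join(sorted(zones))}")
    for gw, iface in sorted(gateways.items()):
        zones = zones_of.get(iface, set())
        if not zones:
            findings.append(
                f"ike gateway {gw}: external-interface {iface} is in no security zone")
            continue
        for zone in sorted(zones):
            # Interface-level entry overrides the zone-level one (assumption).
            allowed = iface_services.get((zone, iface)) or zone_services.get(zone, set())
            if not ({"ike", "all"} & allowed):
                findings.append(
                    f"ike gateway {gw}: zone {zone} does not allow 'ike' inbound on {iface}")
    return findings


# Constructed from the question: the existing zones plus the failing attempt.
BROKEN_ATTEMPT = [
    "set security zones security-zone internet interfaces ge-0/0/0.0",
    "set security zones security-zone lan host-inbound-traffic system-services all",
    "set security zones security-zone lan interfaces ge-0/0/1.0",
    "set security ike gateway dyn-vpn-local-gw external-interface ge-0/0/1.0",
    "set security zones security-zone internet interfaces ge-0/0/1.0 host-inbound-traffic system-services ike",
]

# Constructed from the accepted answer: ge-0/0/0.0 carries IKE instead.
FIXED_ATTEMPT = [
    "set security zones security-zone internet interfaces ge-0/0/0.0",
    "set security zones security-zone lan host-inbound-traffic system-services all",
    "set security zones security-zone lan interfaces ge-0/0/1.0",
    "set security ike gateway dyn-vpn-local-gw external-interface ge-0/0/0.0",
    "set security zones security-zone internet interfaces ge-0/0/0.0 host-inbound-traffic system-services ike",
]

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_ATTEMPT), ("fixed", FIXED_ATTEMPT)):
        print(name, lint(cfg) or ["ok"])
```

Run it against `show configuration | display set` output saved to a file by reading the lines into `lint()`; the first sample reproduces the "already assigned to another zone" failure from the question, the second is clean because ge-0/0/0.0 is the only interface the IKE gateway and the `ike` host-inbound service now refer to.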

Re: VPN through existing interface

‎04-09-2015 02:37 PM

Hi,

 

Thank you for your help, I can understand everything apart from this:

 

1. Configure the security policy:
set security policies from-zone internet to-zone lan policy dyn-vpn-policy match source-address any
set security policies from-zone internet to-zone lan policy dyn-vpn-policy match destination-address any
set security policies from-zone internet to-zone lan policy dyn-vpn-policy match application any
set security policies from-zone internet to-zone lan policy dyn-vpn-policy then permit tunnel ipsec-vpn dyn-vpn

2. Configure the IKE gateway:
set security ike gateway dyn-vpn-local-gw ike-policy ike-dyn-vpn-policy 
set security ike gateway dyn-vpn-local-gw dynamic hostname dynvpn 
set security ike gateway dyn-vpn-local-gw dynamic connections-limit 10 
set security ike gateway dyn-vpn-local-gw dynamic ike-user-type group-ike-id 
set security ike gateway dyn-vpn-local-gw external-interface ge-0/0/0.0 
set security ike gateway dyn-vpn-local-gw xauth access-profile dyn-vpn-access-profile

 

So:

1. Configure the security policy - I have to set up policies from the untrusted zone (internet) to the trusted zone (which is my LAN)? So I have specified the LAN as ge-0/0/1.0, so it should apply the rules to my management LAN?

2. Configure the IKE gateway - Here I have to configure the IKE gateway, but can I do it on the existing interface? Last time commit check failed because I assigned dyn-vpn-local-gw to the existing interface, so should I do

 

set security ike gateway dyn-vpn-local-gw ike-policy ike-dyn-vpn-policy 
set security ike gateway dyn-vpn-local-gw dynamic hostname dynvpn 
set security ike gateway dyn-vpn-local-gw dynamic connections-limit 10 
set security ike gateway dyn-vpn-local-gw dynamic ike-user-type group-ike-id 
set security ike gateway dyn-vpn-local-gw xauth access-profile dyn-vpn-access-profile

without

 

set security ike gateway dyn-vpn-local-gw external-interface ge-0/0/0.0 

 

Could you possibly explain it to me please?


Re: VPN through existing interface

‎04-09-2015 10:28 PM

Hi,

 

1. You always apply security policies on the security zones. So if you have ge-0/0/1.0 added to zone lan (according to your config you have), the policies will be applied.

 

2. You need to set your ge-0/0/0.0 as your VPN external-interface, so you need to set the config line below:

set security ike gateway dyn-vpn-local-gw external-interface ge-0/0/0.0

 

Going back to the commit you did before that failed: you used ge-0/0/1.0 as the external-interface (see my paste from the commit you did earlier).

 

root@srx# commit check
[edit security zones security-zone lan]
  'interfaces ge-0/0/1.0'
    Interface ge-0/0/1.0 already assigned to another zone
error: configuration check-out failed

 

Marc


