SRX Services Gateway

dynamic vpn srx not internet access

‎02-27-2020 10:34 PM

Hi All

 

I have a dynamic VPN configuration, and I can connect to my computer but can't access the internet. What's wrong?

 

Thanks,

 

my configuration

set security ike policy ike_pol_wizard_dyn_vpn mode aggressive
set security ike policy ike_pol_wizard_dyn_vpn proposal-set basic
set security ike policy ike_pol_wizard_dyn_vpn pre-shared-key ascii-text "$9$JdZDH.PTz3/UDCpOBcSoaZj.PfTzF69q.BIRcle"
set security ike gateway gw_wizard_dyn_vpn ike-policy ike_pol_wizard_dyn_vpn
set security ike gateway gw_wizard_dyn_vpn dynamic hostname RXS-SRX300
set security ike gateway gw_wizard_dyn_vpn dynamic connections-limit 50
set security ike gateway gw_wizard_dyn_vpn dynamic ike-user-type group-ike-id
set security ike gateway gw_wizard_dyn_vpn external-interface ge-0/0/0.0
set security ike gateway gw_wizard_dyn_vpn aaa access-profile remote_access_profile
set security ipsec policy ipsec_pol_wizard_dyn_vpn proposal-set basic
set security ipsec vpn wizard_dyn_vpn ike gateway gw_wizard_dyn_vpn
set security ipsec vpn wizard_dyn_vpn ike ipsec-policy ipsec_pol_wizard_dyn_vpn


set security dynamic-vpn access-profile remote_access_profile
set security dynamic-vpn clients wizard-dyn-group remote-protected-resources 192.168.0.0/16
set security dynamic-vpn clients wizard-dyn-group remote-protected-resources 10.10.10.0/24
set security dynamic-vpn clients wizard-dyn-group ipsec-vpn wizard_dyn_vpn
set security dynamic-vpn clients wizard-dyn-group user admin1
set security dynamic-vpn clients wizard-dyn-group user admin2


set security policies from-zone untrust to-zone trust policy policy_in_wizard_dyn_vpn match source-address any
set security policies from-zone untrust to-zone trust policy policy_in_wizard_dyn_vpn match destination-address any
set security policies from-zone untrust to-zone trust policy policy_in_wizard_dyn_vpn match application any
set security policies from-zone untrust to-zone trust policy policy_in_wizard_dyn_vpn then permit tunnel ipsec-vpn wizard_dyn_vpn

set access address-assignment pool dyn-vpn-address-pool family inet network 10.10.100.0/24
set access address-assignment pool dyn-vpn-address-pool family inet range Range-VPN-Test low 10.10.100.20
set access address-assignment pool dyn-vpn-address-pool family inet range Range-VPN-Test high 10.10.100.254
set access address-assignment pool dyn-vpn-address-pool family inet xauth-attributes primary-dns 192.168.0.11/32

 

4 REPLIES
Solution
Accepted by topic author tech_mvt
‎03-14-2020 06:08 PM

Re: dynamic vpn srx not internet access

‎02-28-2020 08:45 AM

tech,

 

Do you mean that you can connect via Pulse from your PC to the SRX and access subnets 192.168.0.0/16 and 10.10.10.0/24 but not the Internet via the Pulse connection?

 

If you want to reach the Internet via the Pulse connection you need to configure a default-route under remote-protected-resource so that this default route is injected to the PC when it connects via DynVPN to the SRX:

 

set security dynamic-vpn clients wizard-dyn-group remote-protected-resources 0.0.0.0/0

 

Please mark my answer as the Solution if it applies.

Re: dynamic vpn srx not internet access

‎03-03-2020 08:07 AM

Hi, tech

 

Do you need more assistance?

 

Please mark my answer as the Solution if it applies.

Re: dynamic vpn srx not internet access

‎03-09-2020 08:36 AM

I'm having the same issue and I already have the command "set security dynamic-vpn clients all remote-protected-resources 0.0.0.0/0" configured. I cannot even ping 1.1.1.1.


Re: dynamic vpn srx not internet access

‎03-10-2020 04:50 PM

I resolved this issue by using the commands below.  Hopefully this helps someone else out, too.

 

set security nat source rule-set remote-vpn-nat from zone untrust
set security nat source rule-set remote-vpn-nat to zone untrust
set security nat source rule-set remote-vpn-nat rule vpn-nat match source-address X.X.X.X/X <--- VPN Subnet Here
set security nat source rule-set remote-vpn-nat rule vpn-nat then source-nat interface
set security policies from-zone untrust to-zone untrust policy remote-vpn match source-address any
set security policies from-zone untrust to-zone untrust policy remote-vpn match destination-address any
set security policies from-zone untrust to-zone untrust policy remote-vpn match application any
set security policies from-zone untrust to-zone untrust policy remote-vpn then permit tunnel ipsec-vpn remote-vpn
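
The three pieces this thread ends up with (a default route in remote-protected-resources, untrust-to-untrust source NAT for the client pool, and an untrust-to-untrust permit policy) can be checked against a `set`-format configuration. This is an added example, not part of any post above; `check_hairpin` and the sample text are constructed, and the zone name `untrust` is taken from the commands in the thread.

```python
import ipaddress
import re

# Constructed sample: a subset of the original poster's configuration from this thread.
SAMPLE = """\
set security dynamic-vpn clients wizard-dyn-group remote-protected-resources 192.168.0.0/16
set security dynamic-vpn clients wizard-dyn-group remote-protected-resources 10.10.10.0/24
set security policies from-zone untrust to-zone trust policy policy_in_wizard_dyn_vpn then permit tunnel ipsec-vpn wizard_dyn_vpn
set access address-assignment pool dyn-vpn-address-pool family inet network 10.10.100.0/24
"""

def check_hairpin(config: str) -> list:
    """Return the pieces named in this thread that are missing from a 'set' config."""
    lines = [l.strip() for l in config.splitlines() if l.strip().startswith("set ")]
    pools = [ipaddress.ip_network(m.group(1), strict=False) for l in lines
             if (m := re.search(r"address-assignment pool \S+ family inet network (\S+)", l))]
    missing = []

    # 1. Default route pushed to the client (first reply).
    if not any(re.search(r"dynamic-vpn clients \S+ remote-protected-resources 0\.0\.0\.0/0$", l)
               for l in lines):
        missing.append("remote-protected-resources 0.0.0.0/0")

    # 2. Source NAT, untrust to untrust, covering every client pool (last reply).
    #    Simplification: statements are grouped per rule-set, not per rule.
    nat = {}
    for l in lines:
        if m := re.match(r"set security nat source rule-set (\S+) (.+)", l):
            nat.setdefault(m.group(1), []).append(m.group(2))
    def nat_ok(stmts):
        # Only numeric prefixes are parsed, so an unfilled X.X.X.X/X placeholder fails the check.
        srcs = [ipaddress.ip_network(m.group(1), strict=False) for s in stmts
                if (m := re.search(r"match source-address (\d\S+)", s))]
        return ("from zone untrust" in stmts and "to zone untrust" in stmts
                and any(s.endswith("then source-nat interface") for s in stmts)
                and bool(pools) and all(any(p.subnet_of(s) for s in srcs) for p in pools))
    if not any(nat_ok(s) for s in nat.values()):
        missing.append("source NAT untrust->untrust for the VPN pool")

    # 3. Intra-zone policy that permits the hairpinned traffic (last reply).
    if not any(re.search(r"from-zone untrust to-zone untrust policy \S+ then permit", l)
               for l in lines):
        missing.append("security policy untrust->untrust permit")
    return missing

if __name__ == "__main__":
    for item in check_hairpin(SAMPLE):
        print("missing:", item)
```
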
