SRX Services Gateway

setup dynamic vpn as non-split vpn tunnel

12-08-2010 07:24 PM

Hi JNet experts,

I am trying to set up the dynamic VPN as a non-split VPN. All user traffic will be forwarded through the VPN tunnel and then routed to the internet from the SRX. Is it possible to do that?

Thanks,

rotearc

3 REPLIES

Re: setup dynamic vpn as non-split vpn tunnel

12-12-2010 06:15 PM

I got it to work; it is quite interesting. I have the VPN terminated in the vpn zone, and I needed to set up a NAT rule and a firewall policy to allow traffic from the untrust zone to the untrust zone. Also, the remote resource is 0.0.0.0/0 in my case.

        from-zone untrust to-zone vpn {
            policy policy_in_wizard_dyn_vpn {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn wizard_dyn_vpn;
                        }
                    }
                }
            }
        }
        from-zone untrust to-zone untrust {
            policy stupid-vpn-poilicy {
                match {
                    source-address 10.10.3.248/29;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }


Re: setup dynamic vpn as non-split vpn tunnel

07-01-2015 10:49 AM

What client were you using when you did this?

I'm on a path to do the same thing -- but isn't split tunneling decided on the client? (or am I to assume your example above has the SRX *AS* the client?)

Thanks,

 -Ben


Re: setup dynamic vpn as non-split vpn tunnel

07-06-2015 09:20 AM

Nevermind -- I got it working.

I don't have a VPN zone -- so the setup is a little different.

To any other readers, you need to:

  • Make your protected resources 0.0.0.0/0
  • Add a source NAT rule for the IPs assigned to DVPN users (I have them go out a separate IP address than the address assigned to the untrusted interface)
  • Add a policy from zone Untrust to zone Untrust that allows the IPs assigned to the DVPN users to flow back out the untrusted interface
  • Add a proxy ARP entry on the untrust interface for the source NAT address (the external IP I used)
    (and really, if this is a VPN user, they need a proxy ARP entry for the internal network they are assigned to and want to talk with)

Now the users on DVPN can talk to internal and external hosts with no split tunneling.

Cheers.
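The two working answers above describe the same four pieces (full-tunnel protected resources, a source NAT rule for the client pool, an untrust-to-untrust hairpin policy, and proxy ARP for the NAT address). The Junos fragment below puts them together in one place as an added example; it is not the configuration from either poster's device. It assumes the untrust interface is ge-0/0/0.0, the internal zone is named trust, the client pool is 10.10.3.248/29 as in the thread, the dedicated public source NAT address is 203.0.113.10 (a documentation prefix, substitute your own), and the object names dyn-vpn-access-profile, dvpn-snat-pool, dvpn-to-internet, dvpn-tunnel, dvpn-hairpin and dvpn-pool are chosen here for illustration. The VPN name wizard_dyn_vpn is the one used in the thread.

```junos
security {
    dynamic-vpn {
        access-profile dyn-vpn-access-profile;
        clients {
            all {
                /* Step 1: full tunnel. Everything is a protected resource and no
                   remote-exceptions stanza is configured, so no client traffic
                   is excluded from the tunnel. */
                remote-protected-resources {
                    0.0.0.0/0;
                }
                ipsec-vpn wizard_dyn_vpn;
                user {
                    vpnuser1;
                }
            }
        }
    }
    nat {
        source {
            /* Step 2: translate the DVPN client pool to a dedicated public
               address (assumed 203.0.113.10) when it leaves via untrust. */
            pool dvpn-snat-pool {
                address {
                    203.0.113.10/32;
                }
            }
            rule-set dvpn-to-internet {
                from zone untrust;
                to zone untrust;
                rule dvpn-snat {
                    match {
                        source-address 10.10.3.248/29;
                    }
                    then {
                        source-nat {
                            pool {
                                dvpn-snat-pool;
                            }
                        }
                    }
                }
            }
        }
        /* Step 4: answer ARP for the NAT address on the untrust interface;
           without this the upstream router cannot deliver return traffic. */
        proxy-arp {
            interface ge-0/0/0.0 {
                address {
                    203.0.113.10/32;
                }
            }
        }
    }
    policies {
        /* Tunnel policy that binds the dynamic VPN toward the inside network. */
        from-zone untrust to-zone trust {
            policy dvpn-tunnel {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn wizard_dyn_vpn;
                        }
                    }
                }
            }
        }
        /* Step 3: hairpin decrypted client traffic back out to the internet.
           Keep source-address scoped to the DVPN pool only; "any" here would
           let the SRX forward arbitrary traffic arriving on untrust back out. */
        from-zone untrust to-zone untrust {
            policy dvpn-hairpin {
                match {
                    source-address dvpn-pool;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone untrust {
            address-book {
                address dvpn-pool 10.10.3.248/29;
            }
        }
    }
}
```

After a commit, confirm the tunnel is up with `show security ipsec security-associations`, then from a connected client browse to an external site and check `show security flow session source-prefix 10.10.3.248/29`: the session should show an ingress on the untrust zone, an egress on the untrust zone, and the translated source 203.0.113.10. `show security nat source rule all` shows the translation hit counter climbing. If the client can reach internal hosts but not the internet, the hairpin policy or the proxy-ARP entry is usually the piece that is missing.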