SRX Services Gateway

site to site vpn for policy-based issue

05-23-2016 12:13 AM

Hello,

I configured the policy-based VPN between site A and site B. Unfortunately, there is an issue with it. Site A's PC can ping/remote to site B's PC, but site B's PC can't ping/remote to site A's PC.

Some details are below:

Site A:

SRX240 FW: 10.10.1.0/28

Checkpoint FW: 172.25.10.0/23 (under the SRX240)

PC: 172.25.10.104/23 (under the Checkpoint)

Site B:

SRX100 FW: 192.168.8.0/24

PC: 192.168.8.151/24

I checked that the Checkpoint has a route to 192.168.8.0/24. Could anyone help to solve the issue?!

Many thanks!!!

16 REPLIES
Re: site to site vpn for policy-based issue

05-23-2016 02:29 AM

Hello,

Please confirm that you have the security policies configured on the site B and site A SRX firewalls to allow the traffic initiated from site B to site A. If not, then please configure the security policies on both SRXs accordingly.

For more information on configuring security policies on the SRX to allow traffic in both directions in a policy-based VPN, please refer to the following document:

http://www.juniper.net/techpubs/en_US/junos12.1x44/topics/example/ipsec-policy-based-vpn-configuring... (please refer to the "Configuring Security Policies" section)

Re: site to site vpn for policy-based issue

05-23-2016 03:12 AM

Hello,

I confirmed the security policies on both SRXs, but it doesn't work. Do I need to configure NAT?

 

Re: site to site vpn for policy-based issue

05-23-2016 03:24 AM

Hi,

Can you apply a flow trace on the site B SRX and check whether the correct security policy (the one which calls the ipsec-vpn) is being used to allow the traffic? If some other security policy is being used, then the traffic will not be sent to the VPN but will be passed in plain text.

Also check whether any NAT is involved in the process of initiating traffic from site B to site A.

Regards

Hemant

Re: site to site vpn for policy-based issue

05-23-2016 03:45 AM

Just one VPN connects to site A, and site B has no NAT configured.

Attachments

Re: site to site vpn for policy-based issue

05-23-2016 05:12 AM

Hi,

Can you paste the config from both sites into the post?

Also, can you run the flow traceoptions from site B to site A and attach it to the post?

Please paste the output of the below command too:

>show security match-policies from-zone <zone> to-zone <zone> source-ip x.x.x.x destination-ip x.x.x.x protocol <protocol number> source-port 23234 destination-port <dport>

Regards

Hemant

Re: site to site vpn for policy-based issue

05-23-2016 09:34 PM

Hi,

According to your command, I tried this: >show security match-policies from-zone internal to-zone internet source-ip 192.168.8.1 destination-ip 172.25.10.1 protocol tcp source-port 23234 destination-port 23234, but no information was displayed. Did I type the command correctly?!

Re: site to site vpn for policy-based issue

05-23-2016 11:35 PM

Hi,

Can you please cross-check that the destination port on which the traffic has been sent is 23234? (I believe it should be a well-known port like 80, 443, 22 etc., depending upon your application, unless the application you are trying to reach is a custom application.)

Note: Use the destination port as the one defined in the security policy where ipsec-vpn has been called.

Regards

Hemant

Re: site to site vpn for policy-based issue

05-24-2016 05:53 AM

Hi Hemant,

Sorry for the late reply; I have no way to solve the issue. I uploaded the site B configuration. Would you help me verify the settings? Many thanks!!!

Best regards,

THE-O

Attachments

Re: site to site vpn for policy-based issue

05-24-2016 08:01 AM

Hello,

In the attached configuration from site B I do not see any policy from zone internal to zone internet which calls the VPN MM_MCO_VPN.

As you have the policy from zone internet to zone internal for VPN MM_MCO_VPN, similarly you also need to have the policy in the reverse direction, from zone internal to zone internet.

Policy you already have in the configuration on site B:

set security policies from-zone Internet to-zone Internal policy MCO_MM_VPN match source-address MCO_LAN_Seg
set security policies from-zone Internet to-zone Internal policy MCO_MM_VPN match destination-address local-net
set security policies from-zone Internet to-zone Internal policy MCO_MM_VPN match application any
set security policies from-zone Internet to-zone Internal policy MCO_MM_VPN then permit tunnel ipsec-vpn MM_MCO_VPN
set security policies from-zone Internet to-zone Internal policy MCO_MM_VPN then log session-init
set security policies from-zone Internet to-zone Internal policy MCO_MM_VPN then log session-close

Policy that you need to add in the configuration on site B:

set security policies from-zone Internal to-zone Internet policy MCO_MM_VPN-1 match source-address MCO_LAN_Seg
set security policies from-zone Internal to-zone Internet policy MCO_MM_VPN-1 match destination-address local-net
set security policies from-zone Internal to-zone Internet policy MCO_MM_VPN-1 match application any
set security policies from-zone Internal to-zone Internet policy MCO_MM_VPN-1 then permit tunnel ipsec-vpn MM_MCO_VPN
set security policies from-zone Internal to-zone Internet policy MCO_MM_VPN-1 then permit tunnel pair-policy MCO_MM_VPN
set security policies from-zone Internal to-zone Internet policy MCO_MM_VPN-1 then log session-init
set security policies from-zone Internal to-zone Internet policy MCO_MM_VPN-1 then log session-close

Also you need to add the below command to the already existing policy:

set security policies from-zone Internet to-zone Internal policy MCO_MM_VPN then permit tunnel pair-policy MCO_MM_VPN-1

Similarly, if the reverse policy to allow this traffic is not configured on site A as well, then you need to configure it on site A as well.

The currently existing policies will allow traffic only when it is initiated from site A to site B, as you are seeing. But once the above is configured, the vice versa traffic should also work.

Thanks,
Pulkit Bhandari

Please mark my response as Solution Accepted if it helps. Kudos are appreciated too. :)

Re: site to site vpn for policy-based issue

05-25-2016 02:06 AM

Hi,

Sorry, site B still can't ping site A. Please let me know whether NAT needs to be configured or not?!

Many thanks!!!

Attachments

Solution accepted by topic author THE-O on 05-30-2016 12:17 AM

Re: site to site vpn for policy-based issue

05-25-2016 02:39 AM

I cannot see your address book, but you need to move your source NAT policy up. Something like:

insert security nat source rule-set NAT_Internet rule Source_NO_NAT before rule Source_NAT_Trust_Any

This is because the source NAT is performed before the policy match, so the source address of the packet will no longer match the source address of the policy that directs traffic through the VPN tunnel.

JNCIE-ENT #552, JNCSP-ENT, JNCIP-SEC, JNCIP-SP, JNCIP-DC, JNCDS-DC, JNCDS-SEC, JNCDS-SP, CCNP, CCDA
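The point of the insert command above is that rules inside one source NAT rule-set are evaluated top-down and the first match wins, so a no-NAT rule placed after a catch-all interface-NAT rule never fires. The following Python model, added here as an editorial example (it is not code from the thread, from Juniper, or from the SRX flow engine, and it deliberately ignores everything except first-match ordering), traces a site B to site A packet through both orderings. The rule names and the two site networks come from the thread; the match terms of each rule, the egress address 203.0.113.10 and the assumption that site A's tunnel policy only permits sources inside site B's LAN are constructed for the example.

```python
"""Simplified first-match model of a Junos source NAT rule-set.

Added example, not the thread's or Juniper's code. Rule names and the
site networks come from the thread; the match terms, the egress address
and the remote site's policy check are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class SourceNatRule:
    name: str
    match_src: str     # packet source must fall inside this prefix
    match_dst: str     # packet destination must fall inside this prefix
    translate: bool    # False models "then source-nat off", True models interface NAT


SITE_B_LAN = "192.168.8.0/24"     # from the thread
SITE_A_LAN = "172.25.10.0/23"     # from the thread
EGRESS_IP = "203.0.113.10"        # constructed placeholder for site B's Internet address

# Rule names as in the accepted answer's insert command; match terms are assumed.
NO_NAT = SourceNatRule("Source_NO_NAT", SITE_B_LAN, SITE_A_LAN, translate=False)
TRUST_ANY = SourceNatRule("Source_NAT_Trust_Any", SITE_B_LAN, "0.0.0.0/0", translate=True)

ORDER_BEFORE_FIX: List[SourceNatRule] = [TRUST_ANY, NO_NAT]
# "insert ... rule Source_NO_NAT before rule Source_NAT_Trust_Any"
ORDER_AFTER_FIX: List[SourceNatRule] = [NO_NAT, TRUST_ANY]


def first_matching_rule(rule_set: List[SourceNatRule], src: str, dst: str) -> Optional[SourceNatRule]:
    """Rules inside one rule-set are evaluated top-down; the first match wins."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rule_set:
        if s in ipaddress.ip_network(rule.match_src) and d in ipaddress.ip_network(rule.match_dst):
            return rule
    return None


def translated_source(rule_set: List[SourceNatRule], src: str, dst: str, egress_ip: str = EGRESS_IP) -> str:
    """Source address the packet carries after the rule-set has been applied."""
    rule = first_matching_rule(rule_set, src, dst)
    if rule is None or not rule.translate:
        return src
    return egress_ip


def remote_site_accepts(src_after_nat: str, expected_src: str = SITE_B_LAN) -> bool:
    """Assumption: site A's tunnel policy permits only sources inside site B's LAN."""
    return ipaddress.ip_address(src_after_nat) in ipaddress.ip_network(expected_src)


def check_order(rule_set: List[SourceNatRule], src: str = "192.168.8.151", dst: str = "172.25.10.104") -> dict:
    """Trace one site B -> site A packet (PC addresses from the thread) through the rule-set."""
    rule = first_matching_rule(rule_set, src, dst)
    after = translated_source(rule_set, src, dst)
    return {
        "rule": rule.name if rule else None,
        "source_in_tunnel": after,
        "accepted_by_site_a": remote_site_accepts(after),
    }


if __name__ == "__main__":
    for label, rule_set in (("before fix", ORDER_BEFORE_FIX), ("after fix", ORDER_AFTER_FIX)):
        print(label, check_order(rule_set))
    # Internet-bound traffic must still be translated after the reorder.
    print("internet-bound", translated_source(ORDER_AFTER_FIX, "192.168.8.151", "198.51.100.1"))
```

With the catch-all rule first, the packet leaves with the egress address and fails the remote side's source match; with Source_NO_NAT first it keeps 192.168.8.151, while Internet-bound traffic still hits Source_NAT_Trust_Any. The same check is worth running mentally on any rule-set that mixes "source-nat off" with interface NAT.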
Re: site to site vpn for policy-based issue

05-26-2016 05:05 AM

Hi,

Added the NAT, but it is still not working. Do you have any suggestions?!

Re: site to site vpn for policy-based issue

05-26-2016 05:06 AM

Could you please attach the config again now that you have made the change?

JNCIE-ENT #552, JNCSP-ENT, JNCIP-SEC, JNCIP-SP, JNCIP-DC, JNCDS-DC, JNCDS-SEC, JNCDS-SP, CCNP, CCDA
Re: site to site vpn for policy-based issue

05-27-2016 12:31 AM

Hi,

Could I set source NAT or destination NAT?

Enclosed is the site B config.

Attachments

Re: site to site vpn for policy-based issue

05-27-2016 04:39 AM

I have had a look through and cannot see a problem with the config. The only thing is you do not need to put fe-0/0/0 through fe-0/0/3 into a security zone, as they are layer 2 interfaces and you have put the VLAN interface into the zone. I don't think this would cause your problem though. The only thing I can suggest is that you attach the config of site A also and I will have a look through that, but I am away for a few days.

JNCIE-ENT #552, JNCSP-ENT, JNCIP-SEC, JNCIP-SP, JNCIP-DC, JNCDS-DC, JNCDS-SEC, JNCDS-SP, CCNP, CCDA
Re: site to site vpn for policy-based issue

05-30-2016 12:19 AM

It was some missing setting, my mistake. :(

Thanks for all your help!!!