ScreenOS Firewalls (NOT SRX)

VPN Client Tunnel all traffic option does not work

a week ago

Hello,

I have an SSG5 and created a VPN connection for the clients with the Shrew Soft client. I followed several tutorials, including this one:

https://www.shrew.net/support/Howto_Juniper_SSG

Now I have a vpn working and I can access resources from my client.

However, I wanted to tunnel all the traffic from the client. So in the VPN config of the Shrew Soft client, in the Policy tab, I select "Obtain Topology Automatically or Tunnel All".

After that the VPN connection is established; however, no resources are available (not even ping).

When connected without the tunnel all option, the VPN Trace tool shows the following in the Security Policies tab:

Dir IN - source 192.168.xxx.0/24 - destination 192.168.xxx.50/32 - type IPSEC

Dir OUT - source 192.168.xxx.50/32 - destination 192.168.xxx.0/24 - type IPSEC

but when connected with the "tunnel all" option enabled, the tab reads:

Dir IN - source 0.0.0.0/0 - destination 192.168.xxx.50/32 - type IPSEC

Dir OUT - source 192.168.xxx.50/32 - destination 0.0.0.0/0 - type IPSEC

What am I missing?

Thank you in advance for support!


Re: VPN Client Tunnel all traffic option does not work

Sunday

When you want all traffic to go via the tunnel, you will also need to change this setting on the SSG side so the destination address is everything (0.0.0.0/0) instead of the limited resource address used previously.

Define the following parameters.

  • Name = vpnclient_inbound
  • Source Address
    • Address Book Entry = Dial-UP VPN
  • Destination Address
    • New Address = 10.1.2.0/24
  • Service = ANY
  • Application = None (means ANY)
  • Action = Tunnel
  • Tunnel = vpnclient_tunnel [ Auto Key IKE vpn name ]
In addition, you will need to be sure that the pool addresses you created for the VPN client have a valid policy and NAT policy to access the Internet from the SSG. So it needs to be in a range you already have an Internet access and NAT policy for, or you need to add a policy that provides that for the pool.
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: VPN Client Tunnel all traffic option does not work

Sunday

Thank you very much for the answer.

Before I test this solution, a few questions:

1. Does 10.1.2.0/24 mean 0.0.0.0/0?

2. As for the IP range, my internal network is a /24 network. When connected with VPN, the client receives a /32 IP address. How is it then possible to have the same range, since dial-up VPN does not actually offer it?

3. I know where to set up a policy, but where do you set up a NAT policy on the SSG? Or what is the difference between those in the SSG setup?

Thank you in advance! Will test your solution today evening or tomorrow.


Re: VPN Client Tunnel all traffic option does not work

yesterday

Hi,

You can enable NAT under the 'Advanced' section of your policy.

Also, 'tunnel all' from a VPN client gets complicated with a policy-based VPN. I would suggest using a route-based VPN (https://kb.juniper.net/InfoCenter/index?page=content&id=KB15272) to make the setup more flexible.

Regards,
Gokul

Re: VPN Client Tunnel all traffic option does not work

yesterday

Sorry for the confusion. What I copied there is the specific step in the instructions you link to that you need to change to have the tunnel set up for all the traffic to go to the SSG instead of split tunnel.

The IP addresses represent the traffic you are sending to the SSG side of the connection. Their sample network is what you need to change to the all-networks address: 10.1.2.0/24 in your configuration was changed to whatever you have for local resources, and 0.0.0.0/0 means instead send all traffic to the SSG.

Your client gets a /32 out of a pool configured on the SSG; in the instructions you link, the pool is 10.2.21.1-254. Whatever you set this pool to is the address that will be going to the Internet when the client is connected.

You then create a policy from this pool range's zone to the untrust zone to allow Internet access, and on the Advanced tab enable source NAT with the egress interface.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
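The mismatch discussed in this thread (the client's "tunnel all" selector of 0.0.0.0/0 versus an SSG tunnel policy written for the LAN /24) as a small added Python illustration; it is not part of the original posts, of Shrew Soft, or of ScreenOS. It parses the VPN Trace security-policy lines quoted in the question and checks whether a modelled SSG policy destination covers what the client now wants to reach; the policy name, the 192.168.1.x addresses standing in for the masked ones, and the dictionary layout are assumptions.

```python
import re
from ipaddress import ip_network

# Constructed sample input: the Shrew Soft VPN Trace "Security Policies" lines
# from the question, once with split tunnel and once with "tunnel all".
# 192.168.1.x stands in for the poster's masked 192.168.xxx.x addresses.
TRACE_SPLIT = """\
Dir IN - source 192.168.1.0/24 - destination 192.168.1.50/32 - type IPSEC
Dir OUT - source 192.168.1.50/32 - destination 192.168.1.0/24 - type IPSEC
"""
TRACE_TUNNEL_ALL = """\
Dir IN - source 0.0.0.0/0 - destination 192.168.1.50/32 - type IPSEC
Dir OUT - source 192.168.1.50/32 - destination 0.0.0.0/0 - type IPSEC
"""

# Hypothetical model of the SSG tunnel policies: name -> the "Destination
# Address" the policy is written for (the field the reply says to change).
SSG_BEFORE = {"vpnclient_inbound": "192.168.1.0/24"}   # limited resource address
SSG_AFTER = {"vpnclient_inbound": "0.0.0.0/0"}         # everything, as advised

LINE_RE = re.compile(
    r"Dir (?P<dir>IN|OUT) - source (?P<src>\S+) - destination (?P<dst>\S+) - type (?P<type>\S+)")

def parse_trace(text):
    """Return (client_net, remote_net) from the OUT line (client -> remote)."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group("dir") == "OUT" and m.group("type") == "IPSEC":
            return ip_network(m.group("src")), ip_network(m.group("dst"))
    raise ValueError("no outbound IPSEC security policy found in trace")

def covering_policies(policies, remote_net):
    """Names of SSG policies whose destination contains the whole range the
    client wants to send through the tunnel. A policy for the LAN /24 cannot
    carry 0.0.0.0/0, which is why tunnel-all leaves no reachable resources."""
    return sorted(name for name, dst in policies.items()
                  if remote_net.subnet_of(ip_network(dst)))

def diagnose(policies, trace):
    client, remote = parse_trace(trace)
    ok = covering_policies(policies, remote)
    if ok:
        return f"{client} -> {remote} is covered by policy {', '.join(ok)}"
    return (f"{client} -> {remote} matches no SSG policy; set the destination "
            f"address of the tunnel policy to {remote}")

if __name__ == "__main__":
    for label, pol in (("before", SSG_BEFORE), ("after", SSG_AFTER)):
        print(label, diagnose(pol, TRACE_TUNNEL_ALL))
```

The Internet-access and source-NAT policy for the pool range that the later replies describe is a separate policy on the SSG and is not modelled here.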