ScreenOS Firewalls (NOT SRX)

VPN Client Tunnel all traffic option does not work

‎04-15-2019 03:14 AM

Hello,

I have a SSG5 and created VPN connection for the clients, with Shrew Soft client. Followed several tutorials and this one:

https://www.shrew.net/support/Howto_Juniper_SSG

Now I have a vpn working and I can access resources from my client.

However I wanted to tunnel all the traffic from the client. So in the VPN config of the Shrew Soft in the Policy tab I select "Obtain Topology Automatically or Tunnel All". 

After that the vpn connection is established, however no resources are available (not even per ping).

When connected without the tunnel all option, the VPN Trace tool shows the following in the Security Policies tab:

Dir IN - source 192.168.xxx.0/24 - destination 192.168.xxx.50/32 - type IPSEC

Dir OUT - source 192.168.xxx.50/32 - destination 192.168.xxx.0/24 - type IPSEC

but when connected with the "tunnel all" option enabled, the tab reads:

Dir IN - source 0.0.0.0/0 - destination 192.168.xxx.50/32 - type IPSEC

Dir OUT - source 192.168.xxx.50/32 - destination 0.0.0.0/0 - type IPSEC

What am I missing?

Thank you in advance for support!


Re: VPN Client Tunnel all traffic option does not work

‎04-21-2019 07:22 AM

When you want all traffic via the tunnel you will also need to change this setting on the SSG side for the destination address to be everything 0.0.0.0/0 instead of your limited resource address previously.

Define the following parameters.

  • Name = vpnclient_inbound
  • Source Address
    • Address Book Entry = Dial-UP VPN
  • Destination Address
    • New Address = 10.1.2.0/24
  • Service = ANY
  • Application = None ( means ANY )
  • Action = Tunnel
  • Tunnel = vpnclient_tunnel [ Auto Key IKE vpn name ]


In addition, you will need to be sure that the pool addresses you created for the vpn client have a valid policy and nat policy to access the internet from the SSG.  So it needs to be in the range you already have an internet access and nat policy for, or you need to add a policy that provides that for the pool.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: VPN Client Tunnel all traffic option does not work

‎04-21-2019 11:46 PM

Thank you very much for the answer.

Before I test this solution a few questions:

1. Does 10.1.2.0/24 mean 0.0.0.0/0???

2. As for IP range, my internal network is a /24 network. When connected with vpn, the client receives a /32 ip address. How is it then possible to have the same range, since dialup vpn does not offer it actually?

3. I know where to setup a policy, but where do you setup a nat policy on ssg? Or what is the difference between those in ssg setup?

Thank you in advance! Will test your solution today evening or tomorrow.


Re: VPN Client Tunnel all traffic option does not work

‎04-22-2019 12:20 AM

Hi,


You can enable NAT under the 'Advanced' section of your policy.

Also, 'tunnel all' from a VPN client gets complicated with a policy based VPN. I would suggest using a route based VPN (https://kb.juniper.net/InfoCenter/index?page=content&id=KB15272) to make the setup more flexible.

Regards,
Gokul

Re: VPN Client Tunnel all traffic option does not work

‎04-22-2019 03:05 AM

Sorry for the confusion.  What I copied there is the specific step in the instructions you link to that you need to change to have the tunnel setup for all the traffic to go to the SSG instead of split tunnel.

The IP addresses represent the traffic you are sending to the SSG side of the connection; their sample network is what you need to change to the all-networks address. 10.1.2.0/24 in your configuration was changed to whatever you have for local resources. 0.0.0.0/0 means instead send all traffic to the SSG.

Your client gets a /32 out of a pool configured on the SSG; in the instructions you link, the pool is 10.2.21.1-254. Whatever you set this pool to is the address that will be going to the internet when the client is connected.

You create a policy then from this pool range zone to the untrust zone to allow internet access, and on the advanced tab enable source NAT with the egress interface.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: VPN Client Tunnel all traffic option does not work

‎04-23-2019 12:33 PM

Thank you for your patience.

Making progress.

ad. 1. I corrected my policy according to your advice. So now the configuration is:

Untrust to Trust

  • Name = vpnclient_inbound
  • Source Address
    • Address Book Entry = Dial-UP VPN
  • Destination Address
    • New Address = 0.0.0.0/0
  • Service = ANY
  • Application = None ( means ANY )
  • Action = Tunnel
  • Tunnel = vpnclient_tunnel [ Auto Key IKE vpn name ]
  • NAT enabled

Now when connecting with the "tunnel all" option I can access local network resources, but access to the internet does not work. Neither does pinging the internet.

ad. 2. As for the ip pool, I know what address you are talking about. My point is that when I create a pool, I have no option of specifying whether this pool can be /24 or /32. That is what I am asking and that is what I need, since my internal network is /24. When the vpn pool is always /32, I will not be able to connect to the /24 internal network (or am I mistaken???) without any special settings, I guess.

Thank you!


Re: VPN Client Tunnel all traffic option does not work

‎04-23-2019 05:20 PM

For the ip address pool you are entering a range of addresses.

These addresses are used on the client at connect time and will be the source address of those internet requests that are not currently working.

So we need to create a policy with source nat interface from all the possible addresses you put there to any untrust address with source nat interface enabled on the policy.

You need to create an address object with a subnet that covers every possible address in the pool.  Then use this as the source on that policy.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: VPN Client Tunnel all traffic option does not work

‎04-23-2019 11:58 PM

That is exactly what I did. I created an address with the whole range of the addresses from my pool.

Created a policy. Enabled NAT. Still nothing.

To clarify: my pool for the vpn is 192.168.12.50-192.168.12.55

My address with the name "VPN" is 192.168.12.0/32

Created a policy, what I am not 100% sure of is from which to which zone it should be.

So created 

Trust to Untrust

  • Name = blank
  • Source Address
    • Address Book Entry = VPN
  • Destination Address
    • Address Book Entry = Any
  • Service = ANY
  • Application = None ( means ANY )
  • Action = Permit (or should it be tunnel???)
  • NAT enabled (source translation)

Still no go.


Re: VPN Client Tunnel all traffic option does not work

‎04-24-2019 03:03 AM

The zone for the pool addresses will be the same zone used for the local side of your VPN policy where you changed the address to 0.0.0.0/0.  The internet side is usually called untrust.

To clarify: my pool for the vpn is 192.168.12.50-192.168.12.55

My address with the name "VPN" is 192.168.12.0/32

Your address object for the pool then would be 192.168.12.48/29 - this covers from 48-55

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: VPN Client Tunnel all traffic option does not work

‎04-24-2019 03:56 AM

What would it be then for 192.168.11.50-192.168.11.55?

Also 192.168.11.48/29?


Re: VPN Client Tunnel all traffic option does not work

‎04-24-2019 04:09 AM

Yes that is correct.  You can google subnet calculator to find where the boundaries are for any particular range of addresses.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
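An added example, not code from the thread or from Juniper: a small Python helper that does the subnet-boundary work discussed above for a dial-up pool range, computing the single address object that covers the pool (192.168.12.50-55 and 192.168.11.50-55 both map to a .48/29), the exact CIDR split if the object must not include anything outside the pool, and a check that would have flagged the earlier 192.168.12.0/32 object as not covering the pool. The function names and the pool values are this example's own constructions.

```python
import ipaddress
from typing import List


def covering_block(first: str, last: str) -> ipaddress.IPv4Network:
    """Smallest single prefix that contains every address from first to last."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError("pool start is after pool end")
    prefix = 32
    # Shorten the prefix until both ends of the pool land in the same aligned block.
    while (lo >> (32 - prefix)) != (hi >> (32 - prefix)):
        prefix -= 1
    return ipaddress.IPv4Network((lo, prefix), strict=False)


def exact_blocks(first: str, last: str) -> List[ipaddress.IPv4Network]:
    """Exact CIDR decomposition of the pool, for when the address object(s)
    must match nothing outside the pool (one object per block)."""
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))


def object_covers_pool(obj: str, first: str, last: str) -> bool:
    """Does a policy address object contain the whole pool range?"""
    net = ipaddress.IPv4Network(obj, strict=False)
    return (ipaddress.IPv4Address(first) in net
            and ipaddress.IPv4Address(last) in net)


def surplus_addresses(obj: str, first: str, last: str) -> List[str]:
    """Addresses the object matches beyond the pool, i.e. what the
    trust-to-untrust NAT policy would permit in addition to the pool."""
    net = ipaddress.IPv4Network(obj, strict=False)
    lo = ipaddress.IPv4Address(first)
    hi = ipaddress.IPv4Address(last)
    return [str(a) for a in net if a < lo or a > hi]


if __name__ == "__main__":
    # Constructed pool values taken from the thread: 192.168.12.50-192.168.12.55.
    print(covering_block("192.168.12.50", "192.168.12.55"))  # 192.168.12.48/29
    print(exact_blocks("192.168.12.50", "192.168.12.55"))    # [.50/31, .52/30]
    print(object_covers_pool("192.168.12.0/32",
                             "192.168.12.50", "192.168.12.55"))  # False
    print(surplus_addresses("192.168.12.48/29",
                            "192.168.12.50", "192.168.12.55"))  # .48 and .49
```

The surplus list is the caveat to the /29: the NAT policy also matches .48 and .49, which are not in the pool, so keep the pool aligned to a block boundary or use the exact blocks instead.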

Re: VPN Client Tunnel all traffic option does not work

‎04-24-2019 04:18 AM

Then it still does not work. Only local network is available.


Re: VPN Client Tunnel all traffic option does not work

‎04-24-2019 05:32 PM

Try using the built in address dial up as the source in the internet access trust to untrust policy with nat.

Also try changing the order of the policies on the list in the trust to untrust policy list.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: VPN Client Tunnel all traffic option does not work

‎04-25-2019 12:18 AM

If I use the "Dial up vpn" address in the source entry (I guess that is what you mean), I get a message "Dialup-VPN must use IPSEC or L2TP in policy".

I have the policy on top.