vSRX

Dynamic VPN Issue - No Default Gateway Assigned

03-07-2019 02:57 PM

Hello,

I have created a dynamic VPN on a vSRX instance hosted in AWS. I am able to connect to the VPN using the NCP client, but I don't get a default gateway.

Here's my IKE gateway (specifying the access profile):

gateway Corios-VPN-IKE-GW {
    ike-policy Corios-VPN-IKE-Pol;
    dynamic {
        user-at-hostname "itadmins@coriosgroup.com";
        connections-limit 2;
        ike-user-type shared-ike-id;
    }
    dead-peer-detection;
    local-identity inet XXX.XXX.XXX.XXX;
    external-interface ge-0/0/1.0;
    aaa {
        access-profile ad01-cg-radius;
    }
    version v1-only;
    tcp-encap-profile NCP;
}


Here's the access profile:

profile ad01-cg-radius {
    authentication-order radius;
    address-assignment {
        pool Corios-VPN;
    }
    radius {
        authentication-server 10.1.10.7;
        accounting-server 10.1.10.7;
    }
    radius-server {
        10.1.10.7 {
            port 1815;
            secret "REDACTED"; ## SECRET-DATA
            timeout 15;
            retry 2;
            source-address 10.132.0.85;
            routing-instance vpn_gateway;
        }
    }
    accounting {
        order radius;
        accounting-stop-on-failure;
        accounting-stop-on-access-deny;
    }
}


And here's my DHCP pool:

address-assignment {
    pool Corios-VPN {
        family inet {
            network 10.132.3.0/24;
            range address_range {
                low 10.132.3.10;
                high 10.132.3.100;
            }
            dhcp-attributes {
                name-server {
                    10.129.1.11;
                    10.129.2.11;
                }
                router {
                    10.132.3.1;
                }
            }
            xauth-attributes {
                primary-dns 10.129.1.11/32;
                secondary-dns 10.129.2.11/32;
            }
        }
    }
}


I can connect and receive an IP address, but I don't have a default route assigned:

Unknown adapter Local Area Connection:

Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::e45f:629:6728:11f9%11
IPv4 Address. . . . . . . . . . . : 10.132.3.20
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :


Thanks in advance for any help on this.


Re: Dynamic VPN Issue - No Default Gateway Assigned

03-07-2019 07:10 PM

Traffic selectors configured on the SRX Series device and the NCP client determine the client traffic that is sent through the IPsec VPN tunnel.

E.g.:

set security ipsec vpn RA_VPN traffic-selector NO-SPLIT local-ip 0.0.0.0/0
set security ipsec vpn RA_VPN traffic-selector NO-SPLIT remote-ip 0.0.0.0/0

Reference: https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-remote-access-vpns-with-...


Please check the route table on your PC after the VPN is connected:

route print

ipconfig /all


Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: Dynamic VPN Issue - No Default Gateway Assigned

03-08-2019 08:26 AM

Thank you for getting back to me Nellikka.

I have a traffic selector on the VPN:


[edit security ipsec vpn Corios-VPN]
ec2-user@VSRX2# show
bind-interface st0.9;
ike {
    gateway Corios-VPN-IKE-GW;
    ipsec-policy Corios-VPN-IPSEC-Pol;
}
traffic-selector TS1 {
    local-ip 0.0.0.0/0;
    remote-ip 0.0.0.0/0;
}


Here's the routing table on my Windows machine. Please note that I have an Ethernet connection in 10.1.11.0/24.


PS C:\Users\dramage> route print
===========================================================================
Interface List
11...02 00 4a 5d e8 b0 ......NCP Secure Client Virtual NDIS6.20 Adapter
18...b4 6b fc d1 03 ee ......Intel(R) Dual Band Wireless-AC 8265
12...b4 6b fc d1 03 ef ......Microsoft Wi-Fi Direct Virtual Adapter
3...b6 6b fc d1 03 ee ......Microsoft Wi-Fi Direct Virtual Adapter #2
4...10 65 30 4d c4 14 ......Intel(R) Ethernet Connection (4) I219-LM
7...b4 6b fc d1 03 f2 ......Bluetooth Device (Personal Area Network)
1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0        10.1.11.1      10.1.11.146     35
          0.0.0.0        128.0.0.0      10.132.3.23      10.132.3.22    257
        10.1.11.0    255.255.255.0         On-link       10.1.11.146    291
        10.1.11.0    255.255.255.0      10.132.3.23      10.132.3.22    257
      10.1.11.146  255.255.255.255         On-link       10.1.11.146    291
      10.1.11.255  255.255.255.255         On-link       10.1.11.146    291
      10.132.3.22  255.255.255.255         On-link       10.132.3.22    257
      52.37.18.20  255.255.255.255        10.1.11.1      10.1.11.146    291
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
        128.0.0.0        128.0.0.0      10.132.3.23      10.132.3.22    257
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link       10.1.11.146    291
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link       10.132.3.22    257
  255.255.255.255  255.255.255.255         On-link       10.1.11.146    291
===========================================================================


Re: Dynamic VPN Issue - No Default Gateway Assigned

03-08-2019 11:02 AM

I've just had something of an "a-ha" moment and realized that I'm getting a /32 subnet mask assigned:


Unknown adapter Local Area Connection:

Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::e45f:629:6728:11f9%11
IPv4 Address. . . . . . . . . . . : 10.132.3.10
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :


I fired up Wireshark, and I can see the /32 mask being assigned. I don't see a router as one of the options sent, but that's a bit of a moot point given the subnet mask.

Solution accepted by topic author dramage, 03-12-2019 01:03 PM

Re: Dynamic VPN Issue - No Default Gateway Assigned

03-08-2019 01:11 PM

An IP address with a /32 subnet mask is expected behavior. There is no point in assigning a /24 subnet mask on a point-to-point tunnel interface. There is no need to assign an IP address on the st0.9 interface in this case, and you can simply remove the configured /24 address. From the official documentation: "When an IP address is assigned from an external RADIUS server or a local address pool, an IP address with a 32-bit mask is passed to the NCP Exclusive Remote Access Client. After the tunnel is established, auto route insertion (ARI) automatically inserts a static route to the remote client's IP address so that traffic from behind the SRX Series device can be sent into the VPN tunnel to the client's IP address" (https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-remote-access-vpns-with-...)

Instead of configuring a default route (0/0), NCP installs two /1 networks in the client's routing table, which together are equivalent to a default route. Because the best route is calculated based on longest prefix match (/1 > /0), traffic will match the NCP routes and will go via the tunnel. So everything is working as expected. Are you facing any issue other than the default gateway not displaying?


          0.0.0.0        128.0.0.0      10.132.3.23      10.132.3.22    257
....
        128.0.0.0        128.0.0.0      10.132.3.23      10.132.3.22    257


Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
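To make the longest-prefix-match argument in the accepted answer concrete, here is an added Python example (not code from the thread, NCP or Juniper) that replays the Windows route selection over a constructed copy of the routes posted above; `lookup` and `covered_by_gateway` are names chosen here, and the Windows tie-break on metric is assumed from the posted table.

```python
import ipaddress

# Constructed subset of the "route print" output posted in the thread:
# (destination, netmask, gateway, interface, metric). "On-link" = directly connected.
TUNNEL_GW = "10.132.3.23"
ROUTES = [
    ("0.0.0.0",     "0.0.0.0",         "10.1.11.1", "10.1.11.146", 35),
    ("0.0.0.0",     "128.0.0.0",       TUNNEL_GW,   "10.132.3.22", 257),
    ("10.1.11.0",   "255.255.255.0",   "On-link",   "10.1.11.146", 291),
    ("10.1.11.0",   "255.255.255.0",   TUNNEL_GW,   "10.132.3.22", 257),
    ("10.132.3.22", "255.255.255.255", "On-link",   "10.132.3.22", 257),
    ("52.37.18.20", "255.255.255.255", "10.1.11.1", "10.1.11.146", 291),
    ("128.0.0.0",   "128.0.0.0",       TUNNEL_GW,   "10.132.3.22", 257),
]


def lookup(dst, routes=ROUTES):
    """Return (gateway, interface) chosen for dst.

    Longest prefix wins first; among equal prefixes the lowest metric wins,
    which is how Windows picks between the two 10.1.11.0/24 entries.
    """
    addr = ipaddress.IPv4Address(dst)
    best = None  # ((prefixlen, -metric), gateway, interface)
    for dest, mask, gw, iface, metric in routes:
        net = ipaddress.IPv4Network(f"{dest}/{mask}")
        if addr in net:
            key = (net.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, gw, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]


def covered_by_gateway(gw, routes=ROUTES):
    """Collapse every prefix that points at gw into the minimal prefix list.

    For the NCP gateway this yields ['0.0.0.0/0']: the two /1 routes
    are exactly a default route, even though 'route print' shows none.
    """
    nets = [ipaddress.IPv4Network(f"{d}/{m}") for d, m, g, _, _ in routes if g == gw]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    for dst in ("8.8.8.8", "198.51.100.7", "10.1.11.50", "52.37.18.20"):
        print(dst, "->", lookup(dst))
    print("tunnel covers:", covered_by_gateway(TUNNEL_GW))
```

Note that the posted table sends even the local 10.1.11.0/24 LAN through the tunnel (metric 257 beats the on-link 291), as expected with a 0.0.0.0/0 traffic selector; only the host route to 52.37.18.20 stays on the physical interface.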

Re: Dynamic VPN Issue - No Default Gateway Assigned

03-08-2019 02:43 PM

The lack of a default route is a red herring. I'm good to go.