Hi All,
First of all, thank you for taking the time to read my post.
I seem to be having an issue on my SRX220H with moving my Dynamic VPN from my "trusted" zone to a more separated zone, for obvious security reasons. In my VPN_ZONE I have several site-to-site VPNs, where I can control my traffic between zones. Now I want to move my (working, no issues here) dynamic VPN from my LAN_ZONE to my VPN_ZONE. Users connecting via the dynamic VPN are getting an IP address from the dynamic pool (LAN_DHCP-DYNAMIC), however they cannot reach resources in the LAN_DHCP-STATIC pool. Below is an overview of the policies:
from-zone LAN_ZONE to-zone VPN_ZONE {
    policy LAN_POLICY-TO-DYNAMIC_VPN {
        description "POLICY TO ALLOW LAN TRAFFIC TO VPN ZONE";
        match {
            source-address LAN_DHCP-STATIC;
            destination-address LAN_DHCP-DYNAMIC;
            application any;
        }
        then {
            permit;
            count;
        }
    }
}
from-zone VPN_ZONE to-zone LAN_ZONE {
    policy VPN_POLICY_FROM_DYNAMIC_VPN-TO-LAN {
        description "POLICY TO ALLOW LAN_DHCP-DYNAMIC TRAFFIC";
        match {
            source-address LAN_DHCP-DYNAMIC;
            destination-address LAN_DHCP-STATIC;
            application any;
        }
        then {
            permit;
            count;
        }
    }
}
from-zone UNTRUST to-zone VPN_ZONE {
    policy UNTRUST_POLICY-TO-VPN_ZONE {
        description "POLICY TO ALLOW DYNAMIC-VPN TRAFFIC";
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn DYNAMIC-VPN_IPSEC-VPN;
                }
            }
            log {
                session-init;
                session-close;
            }
            count;
        }
    }
}
from-zone UNTRUST to-zone LAN_ZONE {
    inactive: policy UNTRUST_POLICY-TO-LAN_ZONE-FOR-DYNAMIC_VPN {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn DYNAMIC-VPN_IPSEC-VPN;
                }
            }
        }
    }
    policy UNTRUST_POLICY-TO-LAN_ZONE {
        description "POLICY TO DENY UNTRUSTED TRAFFIC";
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            deny;
            log {
                session-init;
                session-close;
            }
            count;
        }
    }
}
The protected resources are set to both subnets, so from the client's perspective they should be good to go.
show security dynamic-vpn clients DYNAMIC-VPN_CLIENTS
remote-protected-resources {
    192.168.1.0/25;
    192.168.1.128/25;
}
remote-exceptions {
    0.0.0.0/0;
}
I created a file to verify the denied traffic, and it looks like this:
Nov 19 15:17:16 2017 SRX220 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 192.168.1.178/54498->192.168.1.3/6690 None 6(0) UNTRUST_POLICY-TO-LAN_ZONE UNTRUST LAN_ZONE UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN policy deny
Nov 19 15:17:23 2017 SRX220 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 192.168.1.178/54515->192.168.1.3/6690 None 6(0) UNTRUST_POLICY-TO-LAN_ZONE UNTRUST LAN_ZONE UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN policy deny
Nov 19 15:17:26 2017 SRX220 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 192.168.1.178/54515->192.168.1.3/6690 None 6(0) UNTRUST_POLICY-TO-LAN_ZONE UNTRUST LAN_ZONE UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN policy deny
Nov 19 15:17:32 2017 SRX220 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 192.168.1.178/54515->192.168.1.3/6690 None 6(0) UNTRUST_POLICY-TO-LAN_ZONE UNTRUST LAN_ZONE UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN policy deny
Nov 19 15:17:34 2017 SRX220 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 192.168.1.178/54527->192.168.1.3/6690 None 6(0) UNTRUST_POLICY-TO-LAN_ZONE UNTRUST LAN_ZONE UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN policy deny
Nov 19 15:17:43 2017 SRX220 last message repeated 2 times
Nov 19 15:17:50 2017 SRX220 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 192.168.1.178/54544->192.168.1.3/6690 None 6(0) UNTRUST_POLICY-TO-LAN_ZONE UNTRUST LAN_ZONE UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN policy deny
Nov 19 15:17:53 2017 SRX220 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 192.168.1.178/54544->192.168.1.3/6690 None 6(0) UNTRUST_POLICY-TO-LAN_ZONE UNTRUST LAN_ZONE UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN policy deny
Unless I'm overlooking something, the policies should be good? However, it seems that the VPN still terminates in the LAN_ZONE rather than the VPN_ZONE. Do I need to reboot the node in order to let the termination happen in a different zone?
Any clues? Thanks in advance!
Best regards,
Dan
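Added example, not from Dan's post and not Juniper code: a small Python parser for the RT_FLOW_SESSION_DENY lines above that flags denies whose source sits in the dynamic-VPN pool but which the SRX evaluated from a zone other than the one the tunnel is meant to terminate in. It assumes the dynamic pool is 192.168.1.128/25 and the intended zone is VPN_ZONE (both inferred from the post); the embedded log sample is copied from the post.

```python
import ipaddress
import re

# Constructed sample: three lines copied from the post, including a
# "last message repeated" line that the parser must skip.
SAMPLE_LOG = """\
Nov 19 15:17:16 2017 SRX220 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 192.168.1.178/54498->192.168.1.3/6690 None 6(0) UNTRUST_POLICY-TO-LAN_ZONE UNTRUST LAN_ZONE UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN policy deny
Nov 19 15:17:43 2017 SRX220 last message repeated 2 times
Nov 19 15:17:50 2017 SRX220 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 192.168.1.178/54544->192.168.1.3/6690 None 6(0) UNTRUST_POLICY-TO-LAN_ZONE UNTRUST LAN_ZONE UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN policy deny
"""

# Field order after "session denied": src/sport->dst/dport, service-name,
# protocol-id(icmp-type), policy-name, source-zone, destination-zone, ...
DENY_RE = re.compile(
    r"RT_FLOW_SESSION_DENY: session denied "
    r"(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"(?P<service>\S+) (?P<proto>\d+)\(\d+\) "
    r"(?P<policy>\S+) (?P<from_zone>\S+) (?P<to_zone>\S+) "
)


def parse_denies(log_text):
    """Return one dict per RT_FLOW_SESSION_DENY line; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        for key in ("sport", "dport", "proto"):
            ev[key] = int(ev[key])
        events.append(ev)
    return events


def misrouted_vpn_denies(events, vpn_pool, expected_zone):
    """Denies whose source is a dynamic-VPN pool address but whose
    source zone is not the zone the tunnel should terminate in.
    vpn_pool and expected_zone are assumptions supplied by the caller."""
    pool = ipaddress.ip_network(vpn_pool)
    return [
        ev for ev in events
        if ipaddress.ip_address(ev["src"]) in pool and ev["from_zone"] != expected_zone
    ]


if __name__ == "__main__":
    for ev in misrouted_vpn_denies(parse_denies(SAMPLE_LOG), "192.168.1.128/25", "VPN_ZONE"):
        print(f"{ev['src']} -> {ev['dst']}:{ev['dport']} denied by {ev['policy']} "
              f"({ev['from_zone']} -> {ev['to_zone']})")
```

On the sample, every deny is for a pool address seen from UNTRUST, which is why they hit UNTRUST_POLICY-TO-LAN_ZONE rather than the VPN_ZONE policies.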